0003430
ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition
International Organization for Standardization
International or National Standard
For Purchase
ISO/IEC 27002:2022
ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls
2022-02-01
The document as a whole was last reviewed and released on 2023-06-27T00:00:00-0700.
0003430
For Purchase
International Organization for Standardization
International or National Standard
ISO/IEC 27002:2022
ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls
2022-02-01
The document as a whole was last reviewed and released on 2023-06-27T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
Common Controls andAn Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
Acquisition or sale of facilities, technology, and services | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
| Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition/Sale of Assets or Services | Preventive | |
| Establish, implement, and maintain system acquisition contracts. CC ID 14758 | Establish/Maintain Documentation | Preventive | |
| Include security requirements in system acquisition contracts. CC ID 01124 [Information security requirements should be identified, specified and approved when developing or acquiring applications. § 8.26 Control] | Establish/Maintain Documentation | Preventive | |
| Include operational requirements in system acquisition contracts. CC ID 00825 | Establish/Maintain Documentation | Preventive | |
| Provide suppliers with operational requirement information needed to define required service levels in system acquisition contracts. CC ID 06890 | Establish/Maintain Documentation | Preventive | |
| Include required service levels in system acquisition contracts. CC ID 11652 | Establish/Maintain Documentation | Preventive | |
| Include security controls in system acquisition contracts. CC ID 01125 | Establish/Maintain Documentation | Preventive | |
| Include the cost effectiveness of security controls in system acquisition contracts. CC ID 11653 | Technical Security | Detective | |
| Obtain system documentation before acquiring products and services. CC ID 01445 | Establish/Maintain Documentation | Preventive | |
| Include a description of the use and maintenance of security functions in the administration documentation. CC ID 14309 | Establish/Maintain Documentation | Preventive | |
| Include a description of the known vulnerabilities for administrative functions in the administration documentation. CC ID 14302 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the system documentation to interested personnel and affected parties. CC ID 14285 | Communicate | Preventive | |
| Document attempts to obtain system documentation. CC ID 14284 | Process or Activity | Corrective | |
| Obtain user documentation before acquiring products and services. CC ID 14283 | Acquisition/Sale of Assets or Services | Preventive | |
| Include instructions on how to use the security functions in the user documentation. CC ID 14314 | Establish/Maintain Documentation | Preventive | |
| Include security functions in the user documentation. CC ID 14313 | Establish/Maintain Documentation | Preventive | |
| Include user responsibilities for maintaining system security in the user documentation. CC ID 14312 | Establish/Maintain Documentation | Preventive | |
| Include a description of user interactions in the user documentation. CC ID 14311 | Establish/Maintain Documentation | Preventive | |
| Require the information system developer to create a continuous monitoring plan. CC ID 14307 | Establish/Maintain Documentation | Preventive | |
| Provide a Configuration Management plan by the Information System developer for all newly acquired assets. CC ID 01446 | Testing | Detective | |
| Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired assets. CC ID 01447 | Testing | Detective | |
Audits and risk management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain an audit program. CC ID 00684 | Establish/Maintain Documentation | Preventive | |
| Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 [Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management. § 8.34 Control] | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 | Establish/Maintain Documentation | Preventive | |
| Include third party assets in the audit scope. CC ID 16504 | Audits and Risk Management | Preventive | |
| Include audit subject matter in the audit program. CC ID 07103 | Establish/Maintain Documentation | Preventive | |
| Examine the availability of the audit criteria in the audit program. CC ID 16520 | Investigate | Preventive | |
| Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Establish/Maintain Documentation | Preventive | |
| Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Establish/Maintain Documentation | Preventive | |
| Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Establish/Maintain Documentation | Preventive | |
| Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Establish/Maintain Documentation | Preventive | |
| Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and Risk Management | Preventive | |
| Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Establish/Maintain Documentation | Preventive | |
| Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and Risk Management | Preventive | |
| Include in scope information in the audit program. CC ID 16198 | Establish/Maintain Documentation | Preventive | |
| Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Establish/Maintain Documentation | Preventive | |
| Provide a representation letter in support of the audit assertion. CC ID 07158 | Establish/Maintain Documentation | Preventive | |
| Include the date of the audit in the representation letter. CC ID 16517 | Audits and Risk Management | Preventive | |
| Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Establish/Maintain Documentation | Preventive | |
| Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Establish/Maintain Documentation | Preventive | |
| Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Establish/Maintain Documentation | Preventive | |
| Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Establish/Maintain Documentation | Preventive | |
| Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Establish/Maintain Documentation | Preventive | |
| Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Establish/Maintain Documentation | Preventive | |
| Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Establish/Maintain Documentation | Preventive | |
| Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Establish/Maintain Documentation | Preventive | |
| Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Establish/Maintain Documentation | Preventive | |
| Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Establish/Maintain Documentation | Preventive | |
| Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Establish/Maintain Documentation | Preventive | |
| Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Establish/Maintain Documentation | Preventive | |
| Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain audit assertions, as necessary. CC ID 14871 | Establish/Maintain Documentation | Detective | |
| Include an in scope system description in the audit assertion. CC ID 14872 | Establish/Maintain Documentation | Preventive | |
| Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Establish/Maintain Documentation | Preventive | |
| Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Establish/Maintain Documentation | Preventive | |
| Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Establish/Maintain Documentation | Preventive | |
| Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Establish/Maintain Documentation | Preventive | |
| Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Establish/Maintain Documentation | Preventive | |
| Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Establish/Maintain Documentation | Preventive | |
| Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Establish/Maintain Documentation | Preventive | |
| Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Establish/Maintain Documentation | Preventive | |
| Include the in scope procedures in the audit assertion. CC ID 06972 | Establish/Maintain Documentation | Preventive | |
| Include the in scope records produced in the audit assertion. CC ID 06968 | Establish/Maintain Documentation | Preventive | |
| Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Establish/Maintain Documentation | Preventive | |
| Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Establish/Maintain Documentation | Preventive | |
| Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Establish/Maintain Documentation | Preventive | |
| Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Establish/Maintain Documentation | Preventive | |
| Include in scope change controls in the audit assertion. CC ID 06976 | Establish/Maintain Documentation | Preventive | |
| Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Establish/Maintain Documentation | Preventive | |
| Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Communicate | Preventive | |
| Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Establish/Maintain Documentation | Preventive | |
| Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 | Audits and Risk Management | Preventive | |
| Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 | Establish/Maintain Documentation | Preventive | |
| Include the expectations for the audit report in the audit terms. CC ID 07148 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Establish/Maintain Documentation | Preventive | |
| Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Establish/Maintain Documentation | Corrective | |
| Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and Risk Management | Preventive | |
| Establish, implement, and maintain the audit plan. CC ID 01156 [Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management. § 8.34 Control] | Testing | Detective | |
| Include the audit criteria in the audit plan. CC ID 15262 | Establish/Maintain Documentation | Preventive | |
| Include a list of reference documents in the audit plan. CC ID 15260 | Establish/Maintain Documentation | Preventive | |
| Include the languages to be used for the audit in the audit plan. CC ID 15252 | Establish/Maintain Documentation | Preventive | |
| Include the allocation of resources in the audit plan. CC ID 15251 | Establish/Maintain Documentation | Preventive | |
| Include communication protocols in the audit plan. CC ID 15247 | Establish/Maintain Documentation | Preventive | |
| Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Establish/Maintain Documentation | Preventive | |
| Include meeting schedules in the audit plan. CC ID 15245 | Establish/Maintain Documentation | Preventive | |
| Include the time frames for the audit in the audit plan. CC ID 15244 | Establish/Maintain Documentation | Preventive | |
| Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Establish/Maintain Documentation | Preventive | |
| Include the locations to be audited in the audit plan. CC ID 15242 | Establish/Maintain Documentation | Preventive | |
| Include the processes to be audited in the audit plan. CC ID 15241 | Establish/Maintain Documentation | Preventive | |
| Include audit objectives in the audit plan. CC ID 15240 | Establish/Maintain Documentation | Preventive | |
| Include the risks associated with audit activities in the audit plan. CC ID 15239 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Communicate | Preventive | |
Human Resources management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personnel security program. CC ID 10628 | Establish/Maintain Documentation | Preventive | |
| Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 | Testing | Detective | |
| Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Establish/Maintain Documentation | Preventive | |
| Perform a background check during personnel screening. CC ID 11758 [Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. § 6.1 Control] | Human Resources Management | Detective | |
| Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources Management | Preventive | |
| Perform a criminal records check during personnel screening. CC ID 06643 | Establish/Maintain Documentation | Preventive | |
| Include all residences in the criminal records check. CC ID 13306 | Process or Activity | Preventive | |
| Document any reasons a full criminal records check could not be performed. CC ID 13305 | Establish/Maintain Documentation | Preventive | |
| Perform a personal references check during personnel screening. CC ID 06645 | Human Resources Management | Preventive | |
| Perform a credit check during personnel screening. CC ID 06646 | Human Resources Management | Preventive | |
| Perform an academic records check during personnel screening. CC ID 06647 | Establish/Maintain Documentation | Preventive | |
| Perform a drug test during personnel screening. CC ID 06648 | Testing | Preventive | |
| Perform a resume check during personnel screening. CC ID 06659 | Human Resources Management | Preventive | |
| Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources Management | Preventive | |
| Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Establish/Maintain Documentation | Preventive | |
| Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties. § 6.5 Control] | Communicate | Preventive | |
| Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties. § 6.5 Control] | Human Resources Management | Preventive | |
| Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Establish Roles | Preventive | |
| Implement segregation of duties in roles and responsibilities. CC ID 00774 [Conflicting duties and conflicting areas of responsibility should be segregated. § 5.3 Control] | Testing | Detective | |
| Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 | Technical Security | Preventive | |
| Train all personnel and third parties, as necessary. CC ID 00785 | Behavior | Preventive | |
| Establish, implement, and maintain training plans. CC ID 00828 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 | Establish/Maintain Documentation | Preventive | |
| Document security awareness requirements. CC ID 12146 | Establish/Maintain Documentation | Preventive | |
| Include updates on emerging issues in the security awareness program. CC ID 13184 [Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function. § 6.3 Control] | Training | Preventive | |
| Include cybersecurity in the security awareness program. CC ID 13183 [Protection against malware should be implemented and supported by appropriate user awareness. § 8.7 Control] | Training | Preventive | |
| Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 [Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function. § 6.3 Control] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Behavior | Preventive | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 [Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization. § 5.4 Control Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. § 5.1 Control] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a Code of Conduct. CC ID 04897 | Establish/Maintain Documentation | Preventive | |
| Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties. § 6.5 Control The employment contractual agreements should state the personnel's and the organization's responsibilities for information security. § 6.2 Control] | Human Resources Management | Preventive | |
| Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation. § 6.4 Control] | Behavior | Corrective | |
| Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 [A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation. § 6.4 Control] | Communicate | Preventive | |
Leadership and high level objectives | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain organizational objectives. CC ID 09959 | Establish/Maintain Documentation | Preventive | |
| Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 | Establish/Maintain Documentation | Preventive | |
| Review the organization's approach to managing information security, as necessary. CC ID 12005 [The organization's approach to managing information security and its implementation including people, processes and technologies should be reviewed independently at planned intervals, or when significant changes occur. § 5.35 Control] | Business Processes | Preventive | |
| Establish, implement, and maintain an information classification standard. CC ID 00601 [Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements. § 5.12 Control] | Establish/Maintain Documentation | Preventive | |
| Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Data and Information Management | Preventive | |
| Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Data and Information Management | Preventive | |
| Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Data and Information Management | Preventive | |
| Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Data and Information Management | Preventive | |
| Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Data and Information Management | Preventive | |
| Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Data and Information Management | Preventive | |
| Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Data and Information Management | Preventive | |
| Classify the value of information in the information classification standard. CC ID 11995 | Data and Information Management | Preventive | |
| Classify the legal requirements of information in the information classification standard. CC ID 11994 | Data and Information Management | Preventive | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
| Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 [{legal requirement}{statutory requirement}{regulatory requirement} Legal, statutory, regulatory and contractual requirements relevant to information security and the organization's approach to meet these requirements should be identified, documented and kept up to date. § 5.31 Control] | Business Processes | Preventive | |
| Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain an Authority Document list. CC ID 07113 [{legal requirement}{statutory requirement}{regulatory requirement} Legal, statutory, regulatory and contractual requirements relevant to information security and the organization's approach to meet these requirements should be identified, documented and kept up to date. § 5.31 Control] | Establish/Maintain Documentation | Preventive | |
| Map in scope assets and in scope records to external requirements. CC ID 12189 | Establish/Maintain Documentation | Detective | |
| Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Communicate | Preventive | |
| Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Establish/Maintain Documentation | Preventive | |
| Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Establish/Maintain Documentation | Preventive | |
| Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Establish/Maintain Documentation | Preventive | |
| Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Establish/Maintain Documentation | Preventive | |
| Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Establish/Maintain Documentation | Corrective | |
| Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Establish/Maintain Documentation | Preventive | |
| Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Establish/Maintain Documentation | Preventive | |
| Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Establish/Maintain Documentation | Preventive | |
| Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Establish/Maintain Documentation | Preventive | |
| Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Establish/Maintain Documentation | Detective | |
| Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Establish Roles | Preventive | |
Monitoring and measurement | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Log Management | Detective | |
| Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitor and Evaluate Occurrences | Preventive | |
| Monitor systems for inappropriate usage and other security violations. CC ID 00585 [Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. § 8.16 Control] | Monitor and Evaluate Occurrences | Detective | |
| Monitor systems for blended attacks and multiple component incidents. CC ID 01225 | Monitor and Evaluate Occurrences | Detective | |
| Monitor systems for Denial of Service attacks. CC ID 01222 | Monitor and Evaluate Occurrences | Detective | |
| Monitor systems for unauthorized data transfers. CC ID 12971 | Monitor and Evaluate Occurrences | Preventive | |
| Address operational anomalies within the incident management system. CC ID 11633 | Audits and Risk Management | Preventive | |
| Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitor and Evaluate Occurrences | Detective | |
| Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 | Human Resources Management | Detective | |
| Detect unauthorized access to systems. CC ID 06798 | Monitor and Evaluate Occurrences | Detective | |
| Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitor and Evaluate Occurrences | Detective | |
| Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 | Audits and Risk Management | Preventive | |
| Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 | Monitor and Evaluate Occurrences | Detective | |
| Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitor and Evaluate Occurrences | Detective | |
| Monitor systems for unauthorized mobile code. CC ID 10034 | Monitor and Evaluate Occurrences | Preventive | |
| Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Log Management | Detective | |
| Establish, implement, and maintain event logging procedures. CC ID 01335 [Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. § 8.15 Control] | Log Management | Detective | |
| Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Data and Information Management | Preventive | |
| Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. § 8.15 Control] | Log Management | Preventive | |
| Protect the event logs from failure. CC ID 06290 | Log Management | Preventive | |
| Overwrite the oldest records when audit logging fails. CC ID 14308 | Data and Information Management | Preventive | |
| Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Testing | Preventive | |
| Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Establish/Maintain Documentation | Corrective | |
| Include identity information of suspects in the suspicious activity report. CC ID 16648 | Establish/Maintain Documentation | Preventive | |
| Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Audits and Risk Management | Preventive | |
| Review and update event logs and audit logs, as necessary. CC ID 00596 | Log Management | Detective | |
| Eliminate false positives in event logs and audit logs. CC ID 07047 | Log Management | Corrective | |
| Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Log Management | Detective | |
| Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Technical Security | Detective | |
| Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Investigate | Corrective | |
| Reproduce the event log if a log failure is captured. CC ID 01426 | Log Management | Preventive | |
| Enable logging for all systems that meet a traceability criteria. CC ID 00640 | Log Management | Detective | |
| Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [The clocks of information processing systems used by the organization should be synchronized to approved time sources. § 8.17 Control] | Configuration | Preventive | |
| Centralize network time servers to as few as practical. CC ID 06308 | Configuration | Preventive | |
| Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 | Communicate | Preventive | |
| Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 [Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. § 8.9 Control] | Establish/Maintain Documentation | Detective | |
| Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Process or Activity | Detective | |
| Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 | Monitor and Evaluate Occurrences | Detective | |
| Monitor for and report when a software configuration is updated. CC ID 06746 | Monitor and Evaluate Occurrences | Detective | |
| Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 | Monitor and Evaluate Occurrences | Detective | |
| Monitor for firmware updates absent authorization. CC ID 10675 | Monitor and Evaluate Occurrences | Detective | |
| Implement file integrity monitoring. CC ID 01205 | Monitor and Evaluate Occurrences | Detective | |
| Identify unauthorized modifications during file integrity monitoring. CC ID 12096 | Technical Security | Detective | |
| Monitor for software configurations updates absent authorization. CC ID 10676 | Monitor and Evaluate Occurrences | Preventive | |
| Allow expected changes during file integrity monitoring. CC ID 12090 | Technical Security | Preventive | |
| Monitor for when documents are being updated absent authorization. CC ID 10677 | Monitor and Evaluate Occurrences | Preventive | |
| Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 | Establish/Maintain Documentation | Preventive | |
| Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 | Process or Activity | Preventive | |
| Monitor and evaluate user account activity. CC ID 07066 | Monitor and Evaluate Occurrences | Detective | |
| Develop and maintain a usage profile for each user account. CC ID 07067 | Technical Security | Preventive | |
| Log account usage to determine dormant accounts. CC ID 12118 | Log Management | Detective | |
| Log account usage times. CC ID 07099 | Log Management | Detective | |
| Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 | Monitor and Evaluate Occurrences | Detective | |
| Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 | Monitor and Evaluate Occurrences | Detective | |
| Log account usage durations. CC ID 12117 | Monitor and Evaluate Occurrences | Detective | |
| Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 | Communicate | Detective | |
| Log Internet Protocol addresses used during logon. CC ID 07100 | Log Management | Detective | |
| Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 | Monitor and Evaluate Occurrences | Detective | |
| Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Communicate | Detective | |
| Establish, implement, and maintain a testing program. CC ID 00654 | Behavior | Preventive | |
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Establish/Maintain Documentation | Preventive | |
| Perform vulnerability scans, as necessary. CC ID 11637 | Technical Security | Detective | |
| Identify and document security vulnerabilities. CC ID 11857 [Information about technical vulnerabilities of information systems in use should be obtained, the organization's exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. § 8.8 Control] | Technical Security | Detective | |
| Rank discovered vulnerabilities. CC ID 11940 | Investigate | Detective | |
| Perform vulnerability assessments, as necessary. CC ID 11828 [Information about technical vulnerabilities of information systems in use should be obtained, the organization's exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. § 8.8 Control] | Technical Security | Corrective | |
| Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Technical Security | Detective | |
| Correct or mitigate vulnerabilities. CC ID 12497 [Information about technical vulnerabilities of information systems in use should be obtained, the organization's exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. § 8.8 Control] | Technical Security | Corrective | |
| Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Technical Security | Corrective | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
| Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 [The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. § 5.22 Control] | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a log management program. CC ID 00673 | Establish/Maintain Documentation | Preventive | |
| Protect logs from unauthorized activity. CC ID 01345 [Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. § 8.15 Control] | Log Management | Preventive | |
| Archive the audit trail in accordance with compliance requirements. CC ID 00674 [Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. § 8.15 Control] | Log Management | Preventive | |
| Provide intelligence support to the organization, as necessary. CC ID 14020 | Business Processes | Preventive | |
| Establish, implement, and maintain a Technical Surveillance Countermeasures program. CC ID 11401 | Technical Security | Preventive | |
| Collect threat intelligence, as necessary. CC ID 14064 [Information relating to information security threats should be collected and analysed to produce threat intelligence. § 5.7 Control] | Process or Activity | Detective | |
| Identify and document intelligence collection shortfalls. CC ID 14078 | Investigate | Detective | |
| Establish, implement, and maintain cyber threat intelligence tools. CC ID 12696 | Technical Security | Preventive | |
| Evaluate cyber threat intelligence. CC ID 12747 [Information relating to information security threats should be collected and analysed to produce threat intelligence. § 5.7 Control] | Process or Activity | Detective | |
Operational and Systems Continuity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a continuity plan. CC ID 00752 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain redundant systems. CC ID 16354 [Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. § 8.14 Control] | Configuration | Preventive | |
| Establish, implement, and maintain organizational facility continuity plans. CC ID 02224 | Establish/Maintain Documentation | Preventive | |
| Install and maintain redundant power supplies for critical facilities. CC ID 06355 [Information processing facilities should be protected from power failures and other disruptions caused by failures in supporting utilities. § 7.11 Control] | Configuration | Preventive | |
| Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439 | Physical and Environmental Protection | Preventive | |
| Install and maintain dedicated power lines to critical facilities. CC ID 06357 | Physical and Environmental Protection | Preventive | |
| Run primary power lines and secondary power lines via diverse path feeds to organizational facilities, as necessary. CC ID 06696 | Configuration | Preventive | |
| Install electro-magnetic shielding around all electrical cabling. CC ID 06358 [{power cabling} Cables carrying power, data or supporting information services should be protected from interception, interference or damage. § 7.12 Control] | Physical and Environmental Protection | Preventive | |
| Install electrical grounding equipment. CC ID 06359 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain system continuity plan strategies. CC ID 00735 [ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. § 5.30 Control] | Establish/Maintain Documentation | Preventive | |
| Include emergency operating procedures in the continuity plan. CC ID 11694 | Establish/Maintain Documentation | Preventive | |
| Include a system acquisition process for critical systems in the emergency mode operation plan. CC ID 01369 | Establish/Maintain Documentation | Preventive | |
| Define and prioritize critical business functions. CC ID 00736 | Establish/Maintain Documentation | Detective | |
| Review and prioritize the importance of each business unit. CC ID 01165 | Systems Continuity | Preventive | |
| Review and prioritize the importance of each business process. CC ID 11689 | Establish/Maintain Documentation | Preventive | |
| Document the mean time to failure for system components. CC ID 10684 | Systems Continuity | Preventive | |
| Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Audits and Risk Management | Preventive | |
| Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241 | Systems Continuity | Preventive | |
| Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 | Systems Continuity | Preventive | |
| Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 | Configuration | Corrective | |
| Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 | Establish/Maintain Documentation | Preventive | |
| Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693 | Process or Activity | Corrective | |
| Define and prioritize critical business records. CC ID 11687 | Establish/Maintain Documentation | Preventive | |
| Identify all critical business records. CC ID 00737 | Records Management | Detective | |
| Include the protection of personnel in the continuity plan. CC ID 06378 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a critical personnel list. CC ID 00739 | Establish/Maintain Documentation | Detective | |
| Identify alternate personnel for each person on the critical personnel list. CC ID 12771 | Human Resources Management | Preventive | |
| Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a critical third party list. CC ID 06815 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 | Behavior | Preventive | |
| Establish, implement, and maintain a critical resource list. CC ID 00740 | Establish/Maintain Documentation | Detective | |
| Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 | Establish/Maintain Documentation | Preventive | |
| Include workstation continuity procedures in the continuity plan. CC ID 01378 | Establish/Maintain Documentation | Preventive | |
| Include server continuity procedures in the continuity plan. CC ID 01379 | Establish/Maintain Documentation | Preventive | |
| Include website continuity procedures in the continuity plan. CC ID 01380 | Establish/Maintain Documentation | Preventive | |
| Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579 | Data and Information Management | Preventive | |
| Include near-line capabilities in the continuity plan. CC ID 01383 | Establish/Maintain Documentation | Preventive | |
| Include online capabilities in the continuity plan. CC ID 11690 | Establish/Maintain Documentation | Preventive | |
| Include mainframe continuity procedures in the continuity plan. CC ID 01382 | Establish/Maintain Documentation | Preventive | |
| Include telecommunications continuity procedures in the continuity plan. CC ID 11691 | Establish/Maintain Documentation | Preventive | |
| Include system continuity procedures in the continuity plan. CC ID 01268 | Establish/Maintain Documentation | Preventive | |
| Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743 | Establish/Maintain Documentation | Detective | |
| Include Local Area Network continuity procedures in the continuity plan. CC ID 01381 | Establish/Maintain Documentation | Preventive | |
| Include Wide Area Network continuity procedures in the continuity plan. CC ID 01294 | Establish/Maintain Documentation | Preventive | |
| Include priority-of-service provisions in the telecommunications Service Level Agreements. CC ID 01396 | Establish/Maintain Documentation | Preventive | |
| Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers. CC ID 01397 | Testing | Detective | |
| Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards. CC ID 01399 | Testing | Detective | |
| Require telecommunications service providers to have adequate continuity plans. CC ID 01400 | Testing | Detective | |
| Include emergency power continuity procedures in the continuity plan. CC ID 01254 | Establish/Maintain Documentation | Preventive | |
| Include evacuation procedures in the continuity plan. CC ID 12773 | Systems Continuity | Preventive | |
| Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain at-risk structure removal or relocation procedures. CC ID 01247 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 | Physical and Environmental Protection | Corrective | |
| Designate an alternate facility in the continuity plan. CC ID 00742 | Establish/Maintain Documentation | Detective | |
| Separate the alternate facility from the primary facility through geographic separation. CC ID 01394 | Physical and Environmental Protection | Preventive | |
| Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs. CC ID 01391 | Establish/Maintain Documentation | Preventive | |
| Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Establish/Maintain Documentation | Preventive | |
| Include a backup rotation scheme in the backup policy. CC ID 16219 | Establish/Maintain Documentation | Preventive | |
| Include naming conventions in the backup policy. CC ID 16218 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. § 8.13 Control] | Systems Continuity | Preventive | |
| Determine which data elements to back up. CC ID 13483 | Data and Information Management | Detective | |
| Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 | Systems Continuity | Preventive | |
| Establish and maintain off-site electronic media storage facilities. CC ID 00957 | Physical and Environmental Protection | Preventive | |
| Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 | Testing | Detective | |
| Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 | Configuration | Preventive | |
| Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 | Establish/Maintain Documentation | Preventive | |
| Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 | Systems Continuity | Detective | |
| Store backup media at an off-site electronic media storage facility. CC ID 01332 | Data and Information Management | Preventive | |
| Transport backup media in lockable electronic media storage containers. CC ID 01264 | Data and Information Management | Preventive | |
| Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Systems Continuity | Preventive | |
| Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 | Data and Information Management | Preventive | |
| Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 | Systems Continuity | Preventive | |
| Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Data and Information Management | Preventive | |
| Perform backup procedures for in scope systems. CC ID 11692 | Process or Activity | Preventive | |
| Perform full backups in accordance with organizational standards. CC ID 16376 | Data and Information Management | Preventive | |
| Perform incremental backups in accordance with organizational standards. CC ID 16375 | Data and Information Management | Preventive | |
| Back up all records. CC ID 11974 | Systems Continuity | Preventive | |
| Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Data and Information Management | Preventive | |
| Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259 | Establish/Maintain Documentation | Preventive | |
| Encrypt backup data. CC ID 00958 | Configuration | Preventive | |
| Log the execution of each backup. CC ID 00956 | Establish/Maintain Documentation | Preventive | |
| Test backup media for media integrity and information integrity, as necessary. CC ID 01401 [Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. § 8.13 Control] | Testing | Detective | |
| Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 | Testing | Detective | |
| Test each restored system for media integrity and information integrity. CC ID 01920 | Testing | Detective | |
| Include stakeholders when testing restored systems, as necessary. CC ID 13066 | Testing | Corrective | |
| Digitally sign disk images, as necessary. CC ID 06814 | Establish/Maintain Documentation | Preventive | |
| Include emergency communications procedures in the continuity plan. CC ID 00750 | Establish/Maintain Documentation | Preventive | |
| Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 | Establish/Maintain Documentation | Preventive | |
| Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 | Systems Continuity | Preventive | |
| Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 | Establish/Maintain Documentation | Preventive | |
| Log important conversations conducted during emergencies with third parties. CC ID 12763 | Log Management | Preventive | |
| Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 | Communicate | Preventive | |
| Identify who can speak to the media in the emergency communications procedures. CC ID 12761 | Communicate | Corrective | |
| Use available financial resources for the efficaciousness of the service continuity strategy. CC ID 01370 | Testing | Detective | |
| Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770 | Acquisition/Sale of Assets or Services | Preventive | |
| Minimize system continuity requirements. CC ID 00753 | Establish/Maintain Documentation | Preventive | |
| Include purchasing insurance in the continuity plan. CC ID 00762 | Establish/Maintain Documentation | Preventive | |
| Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682 | Acquisition/Sale of Assets or Services | Preventive | |
| Obtain an insurance policy to cover business products and services delivered to clients. CC ID 06683 | Acquisition/Sale of Assets or Services | Preventive | |
| Review the insurance coverage of the insurance policy, as necessary. CC ID 12688 | Business Processes | Detective | |
| Review the beneficiaries of the insurance policy. CC ID 16563 | Business Processes | Detective | |
| Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 | Establish/Maintain Documentation | Detective | |
| Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 | Establish/Maintain Documentation | Detective | |
| Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 | Establish/Maintain Documentation | Detective | |
| Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 | Establish/Maintain Documentation | Preventive | |
| Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 | Establish/Maintain Documentation | Preventive | |
| Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 | Establish/Maintain Documentation | Preventive | |
| Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 | Establish/Maintain Documentation | Preventive | |
| Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 | Establish/Maintain Documentation | Detective | |
| Validate information security continuity controls regularly. CC ID 12008 | Systems Continuity | Preventive | |
| Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Testing | Preventive | |
| Test the continuity plan, as necessary. CC ID 00755 [ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. § 5.30 Control] | Testing | Detective | |
| Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 | Testing | Preventive | |
| Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Testing | Preventive | |
| Validate the emergency communications procedures during continuity plan tests. CC ID 12777 | Testing | Preventive | |
| Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 | Testing | Preventive | |
| Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Testing | Detective | |
| Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 | Testing | Detective | |
| Analyze system interdependence during continuity plan tests. CC ID 13082 | Testing | Detective | |
| Validate the evacuation plans during continuity plan tests. CC ID 12760 | Testing | Preventive | |
| Test the continuity plan at the alternate facility. CC ID 01174 | Testing | Detective | |
| Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Establish/Maintain Documentation | Preventive | |
| Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 | Testing | Preventive | |
| Review all third party's continuity plan test results. CC ID 01365 | Testing | Detective | |
| Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Testing | Detective | |
| Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 | Actionable Reports or Measurements | Preventive | |
| Approve the continuity plan test results. CC ID 15718 | Systems Continuity | Preventive | |
| Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 | Testing | Detective | |
| Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 | Testing | Detective | |
Operational management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a capacity management plan. CC ID 11751 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a capacity planning baseline. CC ID 13492 [The use of resources should be monitored and adjusted in line with current and expected capacity requirements. § 8.6 Control] | Establish/Maintain Documentation | Preventive | |
| Manage cloud services. CC ID 13144 [Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization's information security requirements. § 5.23 Control] | Business Processes | Preventive | |
| Refrain from implementing network elements in a public cloud. CC ID 16382 | Technical Security | Preventive | |
| Protect clients' hosted environments. CC ID 11862 | Physical and Environmental Protection | Preventive | |
| Notify cloud customers of the geographic locations of the cloud service organization and its assets. CC ID 13037 | Communicate | Preventive | |
| Establish, implement, and maintain cloud service agreements. CC ID 13157 | Establish/Maintain Documentation | Preventive | |
| Include the asset removal policy in the cloud service agreement. CC ID 13161 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain cloud management procedures. CC ID 13149 | Technical Security | Preventive | |
| Establish, implement, and maintain a migration process and/or strategy to transfer systems from one asset to another. CC ID 16384 | Process or Activity | Preventive | |
| Define and enforce the deployment requirements for applications and virtual network devices in a public cloud. CC ID 16383 | Process or Activity | Preventive | |
| Include cloud security requirements in the cloud management procedures. CC ID 16366 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a cloud service usage standard. CC ID 13143 | Establish/Maintain Documentation | Preventive | |
| Use strong data encryption when storing information within a cloud service. CC ID 16411 | Technical Security | Preventive | |
| Include the roles and responsibilities of cloud service users in the cloud service usage standard. CC ID 13984 | Establish/Maintain Documentation | Preventive | |
| Include information security requirements in the cloud service usage standard. CC ID 13148 | Establish/Maintain Documentation | Preventive | |
| Monitor managing cloud services. CC ID 13150 | Monitor and Evaluate Occurrences | Detective | |
| Disseminate and communicate documentation of pertinent monitoring capabilities to interested personnel and affected parties. CC ID 13159 | Communicate | Preventive | |
| Disseminate and communicate the legal jurisdiction of cloud services to interested personnel and affected parties. CC ID 13147 | Communicate | Preventive | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an internal control framework. CC ID 00820 | Establish/Maintain Documentation | Preventive | |
| Measure policy compliance when reviewing the internal control framework. CC ID 06442 [Compliance with the organization's information security policy, topic-specific policies, rules and standards should be regularly reviewed. § 5.36 Control] | Actionable Reports or Measurements | Corrective | |
| Include security information sharing procedures in the internal control framework. CC ID 06489 [The organization should establish and maintain contact with relevant authorities. § 5.5 Control] | Establish/Maintain Documentation | Preventive | |
| Share security information with interested personnel and affected parties. CC ID 11732 [The organization should establish and maintain contact with special interest groups or other specialist security forums and professional associations. § 5.6 Control] | Communicate | Preventive | |
| Evaluate information sharing partners, as necessary. CC ID 12749 | Process or Activity | Preventive | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Establish/Maintain Documentation | Preventive | |
| Include risk management in the information security program. CC ID 12378 | Establish/Maintain Documentation | Preventive | |
| Include mitigating supply chain risks in the information security program. CC ID 13352 [Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain. § 5.21 Control Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier's products or services. § 5.19 Control] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an information security policy. CC ID 11740 [Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. § 5.1 Control] | Establish/Maintain Documentation | Preventive | |
| Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Business Processes | Preventive | |
| Include business processes in the information security policy. CC ID 16326 | Establish/Maintain Documentation | Preventive | |
| Include the information security strategy in the information security policy. CC ID 16125 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the information security policy. CC ID 16120 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Establish/Maintain Documentation | Preventive | |
| Include information security objectives in the information security policy. CC ID 13493 | Establish/Maintain Documentation | Preventive | |
| Include the use of Cloud Services in the information security policy. CC ID 13146 | Establish/Maintain Documentation | Preventive | |
| Include notification procedures in the information security policy. CC ID 16842 | Establish/Maintain Documentation | Preventive | |
| Approve the information security policy at the organization's management level or higher. CC ID 11737 [Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. § 5.1 Control] | Process or Activity | Preventive | |
| Establish, implement, and maintain information security procedures. CC ID 12006 | Business Processes | Preventive | |
| Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Communicate | Preventive | |
| Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Establish/Maintain Documentation | Preventive | |
| Assign ownership of the information security program to the appropriate role. CC ID 00814 | Establish Roles | Preventive | |
| Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 [Information security roles and responsibilities should be defined and allocated according to the organization needs. § 5.2 Control] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. § 5.1 Control] | Communicate | Preventive | |
| Establish, implement, and maintain operational control procedures. CC ID 00831 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 [Operating procedures for information processing facilities should be documented and made available to personnel who need them. § 5.37 Control] | Establish/Maintain Documentation | Preventive | |
| Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Process or Activity | Preventive | |
| Include metrics in the standard operating procedures manual. CC ID 14988 | Establish/Maintain Documentation | Preventive | |
| Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Establish/Maintain Documentation | Preventive | |
| Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Establish/Maintain Documentation | Preventive | |
| Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Establish/Maintain Documentation | Preventive | |
| Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Establish/Maintain Documentation | Preventive | |
| Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Establish/Maintain Documentation | Preventive | |
| Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Establish/Maintain Documentation | Preventive | |
| Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Establish/Maintain Documentation | Preventive | |
| Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Establish/Maintain Documentation | Preventive | |
| Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Establish/Maintain Documentation | Preventive | |
| Include information on system performance in the standard operating procedures manual. CC ID 14965 | Establish/Maintain Documentation | Preventive | |
| Include contact details in the standard operating procedures manual. CC ID 14962 | Establish/Maintain Documentation | Preventive | |
| Include information sharing procedures in standard operating procedures. CC ID 12974 | Records Management | Preventive | |
| Establish, implement, and maintain information sharing agreements. CC ID 15645 | Business Processes | Preventive | |
| Provide support for information sharing activities. CC ID 15644 | Process or Activity | Preventive | |
| Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Business Processes | Preventive | |
| Update operating procedures that contribute to user errors. CC ID 06935 | Establish/Maintain Documentation | Corrective | |
| Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 [Operating procedures for information processing facilities should be documented and made available to personnel who need them. § 5.37 Control] | Communicate | Preventive | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Establish/Maintain Documentation | Preventive | |
| Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 [Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. § 5.10 Control] | Establish/Maintain Documentation | Preventive | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 [Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. § 5.10 Control] | Establish/Maintain Documentation | Preventive | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Establish/Maintain Documentation | Preventive | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Establish/Maintain Documentation | Preventive | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Technical Security | Preventive | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Establish/Maintain Documentation | Preventive | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Data and Information Management | Preventive | |
| Include a software installation policy in the Acceptable Use Policy. CC ID 06749 [Procedures and measures should be implemented to securely manage software installation on operational systems. § 8.19 Control] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 [The organization should implement appropriate procedures to protect intellectual property rights. § 5.32 Control] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [{confidentiality agreement} Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties. § 6.6 Control] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Communicate | Preventive | |
| Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 [{confidentiality agreement} Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties. § 6.6 Control] | Establish/Maintain Documentation | Preventive | |
| Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a use of information agreement. CC ID 06215 [Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. § 5.14 Control] | Establish/Maintain Documentation | Preventive | |
| Include use limitations in the use of information agreement. CC ID 06244 | Establish/Maintain Documentation | Preventive | |
| Include disclosure requirements in the use of information agreement. CC ID 11735 | Establish/Maintain Documentation | Preventive | |
| Include information recipients in the use of information agreement. CC ID 06245 | Establish/Maintain Documentation | Preventive | |
| Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Establish/Maintain Documentation | Preventive | |
| Include disclosure of information in the use of information agreement. CC ID 11830 | Establish/Maintain Documentation | Preventive | |
| Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Establish/Maintain Documentation | Preventive | |
| Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Establish/Maintain Documentation | Preventive | |
| Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Establish/Maintain Documentation | Preventive | |
| Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a network management program. CC ID 13123 [Networks and network devices should be secured, managed and controlled to protect information in systems and applications. § 8.20 Control] | Establish/Maintain Documentation | Preventive | |
| Include quality of service requirements in the network management program. CC ID 16429 | Establish/Maintain Documentation | Preventive | |
| Document the network design in the network management program. CC ID 13135 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain network documentation. CC ID 16497 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the network standard to all interested personnel and affected parties. CC ID 13129 | Communicate | Preventive | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 [Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. § 5.10 Control] | Business Processes | Preventive | |
| Establish, implement, and maintain an asset management policy. CC ID 15219 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the asset management policy. CC ID 16424 | Business Processes | Preventive | |
| Establish, implement, and maintain asset management procedures. CC ID 16748 | Establish/Maintain Documentation | Preventive | |
| Assign an information owner to organizational assets, as necessary. CC ID 12729 | Human Resources Management | Preventive | |
| Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Business Processes | Preventive | |
| Include life cycle requirements in the security management program. CC ID 16392 | Establish/Maintain Documentation | Preventive | |
| Include program objectives in the asset management program. CC ID 14413 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to continual improvement in the asset management program. CC ID 14412 | Establish/Maintain Documentation | Preventive | |
| Include compliance with applicable requirements in the asset management program. CC ID 14411 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Business Processes | Preventive | |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Establish/Maintain Documentation | Preventive | |
| Apply security controls to each level of the information classification standard. CC ID 01903 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Establish/Maintain Documentation | Preventive | |
| Define confidentiality controls. CC ID 01908 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the systems' availability level. CC ID 01905 | Establish/Maintain Documentation | Preventive | |
| Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Process or Activity | Preventive | |
| Define integrity controls. CC ID 01909 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the systems' integrity level. CC ID 01906 | Establish/Maintain Documentation | Preventive | |
| Define availability controls. CC ID 01911 | Establish/Maintain Documentation | Preventive | |
| Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Communicate | Preventive | |
| Classify assets according to the Asset Classification Policy. CC ID 07186 | Establish Roles | Preventive | |
| Classify virtual systems by type and purpose. CC ID 16332 | Business Processes | Preventive | |
| Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Establish/Maintain Documentation | Preventive | |
| Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 | Establish Roles | Preventive | |
| Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 | Configuration | Preventive | |
| Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an asset inventory. CC ID 06631 [An inventory of information and other associated assets, including owners, should be developed and maintained. § 5.9 Control] | Business Processes | Preventive | |
| Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 | Establish/Maintain Documentation | Preventive | |
| Include all account types in the Information Technology inventory. CC ID 13311 | Establish/Maintain Documentation | Preventive | |
| Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Systems Design, Build, and Implementation | Preventive | |
| Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Data and Information Management | Preventive | |
| Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Establish/Maintain Documentation | Preventive | |
| Categorize all major applications according to the business information they process. CC ID 07182 | Establish/Maintain Documentation | Preventive | |
| Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Establish/Maintain Documentation | Preventive | |
| Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Establish/Maintain Documentation | Preventive | |
| Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Establish/Maintain Documentation | Preventive | |
| Conduct environmental surveys. CC ID 00690 | Physical and Environmental Protection | Preventive | |
| Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Establish/Maintain Documentation | Preventive | |
| Include network equipment in the Information Technology inventory. CC ID 00693 | Establish/Maintain Documentation | Preventive | |
| Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Establish/Maintain Documentation | Preventive | |
| Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Process or Activity | Preventive | |
| Include software in the Information Technology inventory. CC ID 00692 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a storage media inventory. CC ID 00694 | Establish/Maintain Documentation | Preventive | |
| Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 [An inventory of information and other associated assets, including owners, should be developed and maintained. § 5.9 Control] | Establish/Maintain Documentation | Preventive | |
| Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Establish/Maintain Documentation | Preventive | |
| Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Monitor and Evaluate Occurrences | Corrective | |
| Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Monitor and Evaluate Occurrences | Corrective | |
| Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Establish/Maintain Documentation | Preventive | |
| Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Technical Security | Preventive | |
| Link the authentication system to the asset inventory. CC ID 13718 | Technical Security | Preventive | |
| Record a unique name for each asset in the asset inventory. CC ID 16305 | Data and Information Management | Preventive | |
| Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Establish/Maintain Documentation | Preventive | |
| Record the status of information systems in the asset inventory. CC ID 16304 | Data and Information Management | Preventive | |
| Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Data and Information Management | Preventive | |
| Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Establish/Maintain Documentation | Preventive | |
| Include source code in the asset inventory. CC ID 14858 | Records Management | Preventive | |
| Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Human Resources Management | Preventive | |
| Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Technical Security | Detective | |
| Record the review date for applicable assets in the asset inventory. CC ID 14919 | Establish/Maintain Documentation | Preventive | |
| Record software license information for each asset in the asset inventory. CC ID 11736 | Data and Information Management | Preventive | |
| Record services for applicable assets in the asset inventory. CC ID 13733 | Establish/Maintain Documentation | Preventive | |
| Record protocols for applicable assets in the asset inventory. CC ID 13734 | Establish/Maintain Documentation | Preventive | |
| Record the software version in the asset inventory. CC ID 12196 | Establish/Maintain Documentation | Preventive | |
| Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Establish/Maintain Documentation | Preventive | |
| Record the authentication system in the asset inventory. CC ID 13724 | Establish/Maintain Documentation | Preventive | |
| Tag unsupported assets in the asset inventory. CC ID 13723 | Establish/Maintain Documentation | Preventive | |
| Record the install date for applicable assets in the asset inventory. CC ID 13720 | Establish/Maintain Documentation | Preventive | |
| Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 | Establish/Maintain Documentation | Preventive | |
| Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Establish/Maintain Documentation | Preventive | |
| Record the host name of applicable assets in the asset inventory. CC ID 13722 | Establish/Maintain Documentation | Preventive | |
| Record network ports for applicable assets in the asset inventory. CC ID 13730 | Establish/Maintain Documentation | Preventive | |
| Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Establish/Maintain Documentation | Preventive | |
| Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Data and Information Management | Preventive | |
| Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Establish/Maintain Documentation | Preventive | |
| Record rooms at external locations in the asset inventory. CC ID 16302 | Data and Information Management | Preventive | |
| Record the department associated with the asset in the asset inventory. CC ID 12084 | Establish/Maintain Documentation | Preventive | |
| Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Establish/Maintain Documentation | Preventive | |
| Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Establish/Maintain Documentation | Preventive | |
| Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Establish/Maintain Documentation | Preventive | |
| Record the related business function for applicable assets in the asset inventory. CC ID 06636 | Establish/Maintain Documentation | Preventive | |
| Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Establish/Maintain Documentation | Preventive | |
| Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Establish/Maintain Documentation | Preventive | |
| Record trusted keys and certificates in the asset inventory. CC ID 15486 | Data and Information Management | Preventive | |
| Record cipher suites and protocols in the asset inventory. CC ID 15489 | Data and Information Management | Preventive | |
| Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Establish/Maintain Documentation | Preventive | |
| Record the owner for applicable assets in the asset inventory. CC ID 06640 [An inventory of information and other associated assets, including owners, should be developed and maintained. § 5.9 Control] | Establish/Maintain Documentation | Preventive | |
| Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Establish/Maintain Documentation | Preventive | |
| Record all changes to assets in the asset inventory. CC ID 12190 | Establish/Maintain Documentation | Preventive | |
| Record cloud service derived data in the asset inventory. CC ID 13007 | Establish/Maintain Documentation | Preventive | |
| Include cloud service customer data in the asset inventory. CC ID 13006 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a software accountability policy. CC ID 00868 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain software asset management procedures. CC ID 00895 | Establish/Maintain Documentation | Preventive | |
| Prevent users from disabling required software. CC ID 16417 | Technical Security | Preventive | |
| Establish, implement, and maintain software archives procedures. CC ID 00866 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain software distribution procedures. CC ID 00894 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain software documentation management procedures. CC ID 06395 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain software license management procedures. CC ID 06639 | Establish/Maintain Documentation | Preventive | |
| Automate software license monitoring, as necessary. CC ID 07057 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a system redeployment program. CC ID 06276 | Establish/Maintain Documentation | Preventive | |
| Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 | Testing | Detective | |
| Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 | Behavior | Preventive | |
| Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 | Data and Information Management | Preventive | |
| Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 | Acquisition/Sale of Assets or Services | Preventive | |
| Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 | Establish/Maintain Documentation | Preventive | |
| Redeploy systems to other organizational units, as necessary. CC ID 11452 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a system disposal program. CC ID 14431 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain disposal procedures. CC ID 16513 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Establish/Maintain Documentation | Preventive | |
| Destroy systems in accordance with the system disposal program. CC ID 16457 | Business Processes | Preventive | |
| Approve the release of systems and waste material into the public domain. CC ID 16461 | Business Processes | Preventive | |
| Establish, implement, and maintain system destruction procedures. CC ID 16474 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information. § 7.13 Control] | Establish/Maintain Documentation | Preventive | |
| Establish and maintain maintenance reports. CC ID 11749 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain system inspection reports. CC ID 06346 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the system maintenance policy. CC ID 14217 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the system maintenance policy. CC ID 14216 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the system maintenance policy. CC ID 14214 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Communicate | Preventive | |
| Include the purpose in the system maintenance policy. CC ID 14187 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Communicate | Preventive | |
| Establish, implement, and maintain a technology refresh plan. CC ID 13061 | Establish/Maintain Documentation | Preventive | |
| Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Physical and Environmental Protection | Preventive | |
| Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 | Behavior | Preventive | |
| Use system components only when third party support is available. CC ID 10644 | Maintenance | Preventive | |
| Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 | Maintenance | Preventive | |
| Control and monitor all maintenance tools. CC ID 01432 | Physical and Environmental Protection | Detective | |
| Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Business Processes | Preventive | |
| Control remote maintenance according to the system's asset classification. CC ID 01433 | Technical Security | Preventive | |
| Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Configuration | Preventive | |
| Approve all remote maintenance sessions. CC ID 10615 | Technical Security | Preventive | |
| Log the performance of all remote maintenance. CC ID 13202 | Log Management | Preventive | |
| Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Technical Security | Preventive | |
| Conduct offsite maintenance in authorized facilities. CC ID 16473 | Maintenance | Preventive | |
| Conduct maintenance with authorized personnel. CC ID 01434 | Testing | Detective | |
| Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Maintenance | Preventive | |
| Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Maintenance | Preventive | |
| Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Behavior | Preventive | |
| Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Establish/Maintain Documentation | Preventive | |
| Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Acquisition/Sale of Assets or Services | Preventive | |
| Perform periodic maintenance according to organizational standards. CC ID 01435 | Behavior | Preventive | |
| Restart systems on a periodic basis. CC ID 16498 | Maintenance | Preventive | |
| Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Maintenance | Preventive | |
| Employ dedicated systems during system maintenance. CC ID 12108 | Technical Security | Preventive | |
| Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Technical Security | Preventive | |
| Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Human Resources Management | Preventive | |
| Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Physical and Environmental Protection | Preventive | |
| Calibrate assets according to the calibration procedures for the asset. CC ID 06203 | Testing | Detective | |
| Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Establish/Maintain Documentation | Preventive | |
| Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Process or Activity | Preventive | |
| Refrain from protecting physical assets when no longer required. CC ID 13484 | Physical and Environmental Protection | Corrective | |
| Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 | Business Processes | Preventive | |
| Establish, implement, and maintain an end-of-life management process. CC ID 16540 | Establish/Maintain Documentation | Preventive | |
| Dispose of hardware and software at their life cycle end. CC ID 06278 | Business Processes | Preventive | |
| Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Business Processes | Preventive | |
| Establish, implement, and maintain disposal contracts. CC ID 12199 | Establish/Maintain Documentation | Preventive | |
| Include disposal procedures in disposal contracts. CC ID 13905 | Establish/Maintain Documentation | Preventive | |
| Remove asset tags prior to disposal of an asset. CC ID 12198 | Business Processes | Preventive | |
| Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 | Establish/Maintain Documentation | Preventive | |
| Test for detrimental environmental factors after a system is disposed. CC ID 06938 | Testing | Detective | |
| Review each system's operational readiness. CC ID 06275 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain a data stewardship policy. CC ID 06657 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain an unauthorized software list. CC ID 10601 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 [The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. § 5.24 Control] | Business Processes | Preventive | |
| Establish, implement, and maintain an incident management policy. CC ID 16414 | Establish/Maintain Documentation | Preventive | |
| Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 | Human Resources Management | Preventive | |
| Define the uses and capabilities of the Incident Management program. CC ID 00854 | Establish/Maintain Documentation | Preventive | |
| Include incident escalation procedures in the Incident Management program. CC ID 00856 | Establish/Maintain Documentation | Preventive | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 | Establish/Maintain Documentation | Preventive | |
| Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Business Processes | Detective | |
| Include detection procedures in the Incident Management program. CC ID 00588 | Establish/Maintain Documentation | Preventive | |
| Categorize the incident following an incident response. CC ID 13208 | Technical Security | Preventive | |
| Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 | Establish/Maintain Documentation | Preventive | |
| Determine the incident severity level when assessing the security incidents. CC ID 01650 | Monitor and Evaluate Occurrences | Corrective | |
| Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Monitor and Evaluate Occurrences | Detective | |
| Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Monitor and Evaluate Occurrences | Detective | |
| Identify root causes of incidents that force system changes. CC ID 13482 | Investigate | Detective | |
| Respond to and triage when an incident is detected. CC ID 06942 | Monitor and Evaluate Occurrences | Detective | |
| Document the incident and any relevant evidence in the incident report. CC ID 08659 | Establish/Maintain Documentation | Detective | |
| Escalate incidents, as necessary. CC ID 14861 | Monitor and Evaluate Occurrences | Corrective | |
| Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Process or Activity | Corrective | |
| Respond to all alerts from security systems in a timely manner. CC ID 06434 | Behavior | Corrective | |
| Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Process or Activity | Corrective | |
| Contain the incident to prevent further loss. CC ID 01751 | Process or Activity | Corrective | |
| Wipe data and memory after an incident has been detected. CC ID 16850 | Technical Security | Corrective | |
| Refrain from accessing compromised systems. CC ID 01752 | Technical Security | Corrective | |
| Isolate compromised systems from the network. CC ID 01753 | Technical Security | Corrective | |
| Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Log Management | Corrective | |
| Change authenticators after a security incident has been detected. CC ID 06789 | Technical Security | Corrective | |
| Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Investigate | Detective | |
| Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Establish/Maintain Documentation | Preventive | |
| Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Establish/Maintain Documentation | Detective | |
| Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Establish/Maintain Documentation | Detective | |
| Assess all incidents to determine what information was accessed. CC ID 01226 [The organization should assess information security events and decide if they are to be categorized as information security incidents. § 5.25 Control Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. § 8.16 Control] | Testing | Corrective | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Monitor and Evaluate Occurrences | Corrective | |
| Analyze the incident response process following an incident response. CC ID 13179 | Investigate | Detective | |
| Share incident information with interested personnel and affected parties. CC ID 01212 | Data and Information Management | Corrective | |
| Share data loss event information with the media. CC ID 01759 | Behavior | Corrective | |
| Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Data and Information Management | Preventive | |
| Share data loss event information with interconnected system owners. CC ID 01209 | Establish/Maintain Documentation | Corrective | |
| Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
| Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
| Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
| Report data loss event information to breach notification organizations. CC ID 01210 | Data and Information Management | Corrective | |
| Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Log Management | Detective | |
| Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
| Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
| Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Behavior | Corrective | |
| Remediate security violations according to organizational standards. CC ID 12338 | Business Processes | Preventive | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 | Establish/Maintain Documentation | Preventive | |
| Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Establish/Maintain Documentation | Preventive | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Behavior | Corrective | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Behavior | Detective | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Behavior | Corrective | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Establish/Maintain Documentation | Preventive | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Communicate | Preventive | |
| Revoke the written request to delay the notification. CC ID 16843 | Process or Activity | Preventive | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Establish/Maintain Documentation | Preventive | |
| Avoid false positive incident response notifications. CC ID 04732 | Behavior | Detective | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Establish/Maintain Documentation | Corrective | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Business Processes | Preventive | |
| Include information required by law in incident response notifications. CC ID 00802 | Establish/Maintain Documentation | Detective | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Establish/Maintain Documentation | Preventive | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Establish/Maintain Documentation | Preventive | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Establish/Maintain Documentation | Preventive | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Establish/Maintain Documentation | Preventive | |
| Use plain language to write incident response notifications. CC ID 12976 | Establish/Maintain Documentation | Preventive | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Establish/Maintain Documentation | Preventive | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Actionable Reports or Measurements | Preventive | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Establish/Maintain Documentation | Preventive | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Establish/Maintain Documentation | Preventive | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Establish/Maintain Documentation | Preventive | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Establish/Maintain Documentation | Preventive | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 | Establish/Maintain Documentation | Preventive | |
| Include time information in incident response notifications. CC ID 04745 | Establish/Maintain Documentation | Preventive | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Establish/Maintain Documentation | Preventive | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Establish/Maintain Documentation | Preventive | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 | Establish/Maintain Documentation | Preventive | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Establish/Maintain Documentation | Preventive | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Establish/Maintain Documentation | Preventive | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Establish/Maintain Documentation | Preventive | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Establish/Maintain Documentation | Preventive | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Establish/Maintain Documentation | Preventive | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Establish/Maintain Documentation | Preventive | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Establish/Maintain Documentation | Preventive | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Establish/Maintain Documentation | Preventive | |
| Include any consequences in the incident response notifications. CC ID 12604 | Establish/Maintain Documentation | Preventive | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Establish/Maintain Documentation | Preventive | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Establish/Maintain Documentation | Preventive | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Establish/Maintain Documentation | Detective | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Communicate | Corrective | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Business Processes | Corrective | |
| Include contact information in incident response notifications. CC ID 04739 | Establish/Maintain Documentation | Preventive | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Communicate | Preventive | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Behavior | Corrective | |
| Post the incident response notification on the organization's website. CC ID 16809 | Process or Activity | Preventive | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Behavior | Corrective | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Process or Activity | Preventive | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Behavior | Corrective | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Behavior | Corrective | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Behavior | Preventive | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Establish/Maintain Documentation | Preventive | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Establish/Maintain Documentation | Preventive | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Behavior | Preventive | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 | Behavior | Corrective | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Behavior | Preventive | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Behavior | Corrective | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Communicate | Corrective | |
| Establish, implement, and maintain a containment strategy. CC ID 13480 [{be appropriate} The organization should plan how to maintain information security at an appropriate level during disruption. § 5.29 Control] | Establish/Maintain Documentation | Preventive | |
| Include the containment approach in the containment strategy. CC ID 13486 | Establish/Maintain Documentation | Preventive | |
| Include response times in the containment strategy. CC ID 13485 | Establish/Maintain Documentation | Preventive | |
| Include incident recovery procedures in the Incident Management program. CC ID 01758 | Establish/Maintain Documentation | Corrective | |
| Change wireless access variables after a data loss event has been detected. CC ID 01756 | Technical Security | Corrective | |
| Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Business Processes | Corrective | |
| Establish, implement, and maintain a restoration log. CC ID 12745 | Establish/Maintain Documentation | Preventive | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Data and Information Management | Preventive | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Data and Information Management | Preventive | |
| Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Human Resources Management | Corrective | |
| Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Establish/Maintain Documentation | Preventive | |
| Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Monitor and Evaluate Occurrences | Detective | |
| Re-image compromised systems with secure builds. CC ID 12086 | Technical Security | Corrective | |
| Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Establish/Maintain Documentation | Preventive | |
| Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 [Knowledge gained from information security incidents should be used to strengthen and improve the information security controls. § 5.27 Control] | Monitor and Evaluate Occurrences | Preventive | |
| Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Investigate | Preventive | |
| Update the incident response procedures using the lessons learned. CC ID 01233 | Establish/Maintain Documentation | Preventive | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 | Establish/Maintain Documentation | Preventive | |
| Test incident monitoring procedures. CC ID 13194 | Testing | Detective | |
| Include incident response procedures in the Incident Management program. CC ID 01218 | Establish/Maintain Documentation | Preventive | |
| Integrate configuration management procedures into the incident management program. CC ID 13647 | Technical Security | Preventive | |
| Include incident management procedures in the Incident Management program. CC ID 12689 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Establish/Maintain Documentation | Corrective | |
| Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Establish/Maintain Documentation | Preventive | |
| Include after-action analysis procedures in the Incident Management program. CC ID 01219 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Establish/Maintain Documentation | Preventive | |
| Conduct incident investigations, as necessary. CC ID 13826 | Process or Activity | Detective | |
| Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Investigate | Detective | |
| Identify the affected parties during incident investigations. CC ID 16781 | Investigate | Detective | |
| Interview suspects during incident investigations, as necessary. CC ID 14041 | Investigate | Detective | |
| Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Investigate | Detective | |
| Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain incident management audit logs. CC ID 13514 | Records Management | Preventive | |
| Log incidents in the Incident Management audit log. CC ID 00857 | Establish/Maintain Documentation | Preventive | |
| Include who the incident was reported to in the incident management audit log. CC ID 16487 | Log Management | Preventive | |
| Include corrective actions in the incident management audit log. CC ID 16466 | Establish/Maintain Documentation | Preventive | |
| Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Log Management | Corrective | |
| Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Log Management | Preventive | |
| Include emergency processing priorities in the Incident Management program. CC ID 00859 | Establish/Maintain Documentation | Preventive | |
| Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Establish/Maintain Documentation | Preventive | |
| Include incident record closure procedures in the Incident Management program. CC ID 01620 | Establish/Maintain Documentation | Preventive | |
| Include incident reporting procedures in the Incident Management program. CC ID 11772 [The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner. § 6.8 Control] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 | Communicate | Preventive | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Establish/Maintain Documentation | Preventive | |
| Include incident response team structures in the Incident Response program. CC ID 01237 | Establish/Maintain Documentation | Preventive | |
| Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. § 5.24 Control] | Establish Roles | Preventive | |
| Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Establish Roles | Preventive | |
| Open a priority incident request after a security breach is detected. CC ID 04838 | Testing | Corrective | |
| Activate the incident response notification procedures after a security breach is detected. CC ID 04839 | Testing | Corrective | |
| Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 | Communicate | Corrective | |
| Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 | Establish Roles | Preventive | |
| Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 | Establish Roles | Preventive | |
| Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 | Establish Roles | Preventive | |
| Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 | Establish Roles | Preventive | |
| Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 | Establish Roles | Preventive | |
| Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 | Establish Roles | Preventive | |
| Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 | Establish Roles | Preventive | |
| Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 | Establish Roles | Preventive | |
| Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 | Establish Roles | Preventive | |
| Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 | Human Resources Management | Preventive | |
| Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 | Investigate | Detective | |
| Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 | Establish/Maintain Documentation | Preventive | |
| Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 | Communicate | Preventive | |
| Establish, implement, and maintain incident response procedures. CC ID 01206 [Information security incidents should be responded to in accordance with the documented procedures. § 5.26 Control] | Establish/Maintain Documentation | Detective | |
| Include references to industry best practices in the incident response procedures. CC ID 11956 | Establish/Maintain Documentation | Preventive | |
| Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Establish/Maintain Documentation | Preventive | |
| Respond when an integrity violation is detected, as necessary. CC ID 10678 | Technical Security | Corrective | |
| Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Technical Security | Corrective | |
| Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Technical Security | Corrective | |
| Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 | Establish/Maintain Documentation | Preventive | |
| Identify potential sources of digital forensic evidence. CC ID 08651 [The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. § 5.28 Control] | Investigate | Preventive | |
| Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 [The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. § 5.28 Control] | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 [The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. § 5.28 Control] | Records Management | Preventive | |
| Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215 [The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. § 5.24 Control The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. § 5.24 Control] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a performance management standard. CC ID 01615 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain rate limiting filters. CC ID 06883 | Business Processes | Preventive | |
| Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 [The use of resources should be monitored and adjusted in line with current and expected capacity requirements. § 8.6 Control] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 | Establish/Maintain Documentation | Preventive | |
| Include the security mechanisms of network services in the Service Level Agreement. CC ID 12023 [Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored. § 8.21 Control] | Establish/Maintain Documentation | Preventive | |
| Include the management requirements for network services in the Service Level Agreement. CC ID 12025 [Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored. § 8.21 Control] | Establish/Maintain Documentation | Preventive | |
| Include the service levels for network services in the Service Level Agreement. CC ID 12024 [Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored. § 8.21 Control] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a change control program. CC ID 00886 | Establish/Maintain Documentation | Preventive | |
| Implement changes according to the change control program. CC ID 11776 [Changes to information processing facilities and information systems should be subject to change management procedures. § 8.32 Control] | Business Processes | Preventive | |
| Provide audit trails for all approved changes. CC ID 13120 | Establish/Maintain Documentation | Preventive | |
Physical and environmental protection | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Physical and environmental protection CC ID 00709 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a physical security program. CC ID 11757 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a facility physical security program. CC ID 00711 [Security perimeters should be defined and used to protect areas that contain information and other associated assets. § 7.1 Control Physical security for offices, rooms and facilities should be designed and implemented. § 7.3 Control] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Establish/Maintain Documentation | Preventive | |
| Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Behavior | Preventive | |
| Protect the facility from crime. CC ID 06347 | Physical and Environmental Protection | Preventive | |
| Define communication methods for reporting crimes. CC ID 06349 | Establish/Maintain Documentation | Preventive | |
| Include identification cards or badges in the physical security program. CC ID 14818 | Establish/Maintain Documentation | Preventive | |
| Protect facilities from eavesdropping. CC ID 02222 | Physical and Environmental Protection | Preventive | |
| Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and Environmental Protection | Detective | |
| Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Technical Security | Preventive | |
| Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Establish/Maintain Documentation | Preventive | |
| Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and Environmental Protection | Preventive | |
| Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and Environmental Protection | Preventive | |
| Create security zones in facilities, as necessary. CC ID 16295 | Physical and Environmental Protection | Preventive | |
| Establish clear zones around any sensitive facilities. CC ID 02214 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain floor plans. CC ID 16419 | Establish/Maintain Documentation | Preventive | |
| Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Establish/Maintain Documentation | Preventive | |
| Post floor plans of critical facilities in secure locations. CC ID 16138 | Communicate | Preventive | |
| Post and maintain security signage for all facilities. CC ID 02201 | Establish/Maintain Documentation | Preventive | |
| Inspect items brought into the facility. CC ID 06341 | Physical and Environmental Protection | Preventive | |
| Maintain all physical security systems. CC ID 02206 | Physical and Environmental Protection | Preventive | |
| Detect anomalies in physical barriers. CC ID 13533 | Investigate | Detective | |
| Maintain all security alarm systems. CC ID 11669 | Physical and Environmental Protection | Preventive | |
| Identify and document physical access controls for all physical entry points. CC ID 01637 [Secure areas should be protected by appropriate entry controls and access points. § 7.2 Control] | Establish/Maintain Documentation | Preventive | |
| Control physical access to (and within) the facility. CC ID 01329 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain physical access procedures. CC ID 13629 | Establish/Maintain Documentation | Preventive | |
| Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and Environmental Protection | Preventive | |
| Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and Environmental Protection | Detective | |
| Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a visitor access permission policy. CC ID 06699 | Establish/Maintain Documentation | Preventive | |
| Escort visitors within the facility, as necessary. CC ID 06417 | Establish/Maintain Documentation | Preventive | |
| Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and Environmental Protection | Preventive | |
| Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 | Testing | Preventive | |
| Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Behavior | Preventive | |
| Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Establish/Maintain Documentation | Preventive | |
| Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 | Establish/Maintain Documentation | Preventive | |
| Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 | Physical and Environmental Protection | Corrective | |
| Authorize physical access to sensitive areas based on job functions. CC ID 12462 | Establish/Maintain Documentation | Preventive | |
| Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain physical identification procedures. CC ID 00713 | Establish/Maintain Documentation | Preventive | |
| Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Human Resources Management | Preventive | |
| Implement physical identification processes. CC ID 13715 | Process or Activity | Preventive | |
| Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Process or Activity | Preventive | |
| Issue photo identification badges to all employees. CC ID 12326 | Physical and Environmental Protection | Preventive | |
| Implement operational requirements for card readers. CC ID 02225 | Testing | Preventive | |
| Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Establish/Maintain Documentation | Preventive | |
| Document all lost badges in a lost badge list. CC ID 12448 | Establish/Maintain Documentation | Corrective | |
| Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and Environmental Protection | Preventive | |
| Manage constituent identification inside the facility. CC ID 02215 | Behavior | Preventive | |
| Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Human Resources Management | Preventive | |
| Manage visitor identification inside the facility. CC ID 11670 | Physical and Environmental Protection | Preventive | |
| Issue visitor identification badges to all non-employees. CC ID 00543 | Behavior | Preventive | |
| Secure unissued visitor identification badges. CC ID 06712 | Physical and Environmental Protection | Preventive | |
| Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Behavior | Preventive | |
| Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 | Establish/Maintain Documentation | Preventive | |
| Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Process or Activity | Preventive | |
| Include error handling controls in identification issuance procedures. CC ID 13709 | Establish/Maintain Documentation | Preventive | |
| Include an appeal process in the identification issuance procedures. CC ID 15428 | Business Processes | Preventive | |
| Include information security in the identification issuance procedures. CC ID 15425 | Establish/Maintain Documentation | Preventive | |
| Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Process or Activity | Preventive | |
| Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Establish/Maintain Documentation | Preventive | |
| Include an identity registration process in the identification issuance procedures. CC ID 11671 | Establish/Maintain Documentation | Preventive | |
| Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and Environmental Protection | Preventive | |
| Enforce dual control for badge assignments. CC ID 12328 | Physical and Environmental Protection | Preventive | |
| Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and Environmental Protection | Preventive | |
| Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Establish/Maintain Documentation | Preventive | |
| Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Human Resources Management | Preventive | |
| Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 | Establish/Maintain Documentation | Preventive | |
| Prevent tailgating through physical entry points. CC ID 06685 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a door security standard. CC ID 06686 | Establish/Maintain Documentation | Preventive | |
| Install doors so that exposed hinges are on the secured side. CC ID 06687 | Configuration | Preventive | |
| Install emergency doors to permit egress only. CC ID 06688 | Configuration | Preventive | |
| Install contact alarms on doors, as necessary. CC ID 06710 | Configuration | Preventive | |
| Use locks to protect against unauthorized physical access. CC ID 06342 | Physical and Environmental Protection | Preventive | |
| Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 | Configuration | Preventive | |
| Test locks for physical security vulnerabilities. CC ID 04880 | Testing | Detective | |
| Secure unissued access mechanisms. CC ID 06713 | Technical Security | Preventive | |
| Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 | Establish/Maintain Documentation | Preventive | |
| Change cipher lock codes, as necessary. CC ID 06651 | Technical Security | Preventive | |
| Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a window security standard. CC ID 06689 | Establish/Maintain Documentation | Preventive | |
| Install contact alarms on openable windows, as necessary. CC ID 06690 | Configuration | Preventive | |
| Install glass break alarms on windows, as necessary. CC ID 06691 | Configuration | Preventive | |
| Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 | Establish/Maintain Documentation | Preventive | |
| Install and maintain security lighting at all physical entry points. CC ID 02205 | Physical and Environmental Protection | Preventive | |
| Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and Environmental Protection | Preventive | |
| Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 | Physical and Environmental Protection | Preventive | |
| Secure the loading dock with physical access controls or security guards. CC ID 06703 | Physical and Environmental Protection | Preventive | |
| Isolate loading areas from information processing facilities, if possible. CC ID 12028 | Physical and Environmental Protection | Preventive | |
| Screen incoming mail and deliveries. CC ID 06719 | Physical and Environmental Protection | Preventive | |
| Protect access to the facility's mechanical systems area. CC ID 02212 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain elevator security guidelines. CC ID 02232 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain stairwell security guidelines. CC ID 02233 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain glass opening security guidelines. CC ID 02234 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain after hours facility access procedures. CC ID 06340 | Establish/Maintain Documentation | Preventive | |
| Establish a security room, if necessary. CC ID 00738 | Physical and Environmental Protection | Preventive | |
| Implement physical security standards for mainframe rooms or data centers. CC ID 00749 | Physical and Environmental Protection | Preventive | |
| Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and Environmental Protection | Preventive | |
| Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and Environmental Protection | Preventive | |
| Lock all lockable equipment cabinets. CC ID 11673 | Physical and Environmental Protection | Detective | |
| Establish, implement, and maintain vault physical security standards. CC ID 02203 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 [Security measures for working in secure areas should be designed and implemented. § 7.6 Control] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain emergency exit procedures. CC ID 01252 | Establish/Maintain Documentation | Preventive | |
| Establish, Implement, and maintain a camera operating policy. CC ID 15456 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Communicate | Preventive | |
| Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 [Premises should be continuously monitored for unauthorized physical access. § 7.4 Control] | Monitor and Evaluate Occurrences | Detective | |
| Establish and maintain a visitor log. CC ID 00715 | Log Management | Preventive | |
| Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Investigate | Detective | |
| Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 | Establish/Maintain Documentation | Preventive | |
| Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Behavior | Preventive | |
| Record the visitor's name in the visitor log. CC ID 00557 | Log Management | Preventive | |
| Record the visitor's organization in the visitor log. CC ID 12121 | Log Management | Preventive | |
| Record the visitor's acceptable access areas in the visitor log. CC ID 12237 | Log Management | Preventive | |
| Record the date and time of entry in the visitor log. CC ID 13255 | Establish/Maintain Documentation | Preventive | |
| Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 | Establish/Maintain Documentation | Preventive | |
| Retain all records in the visitor log as prescribed by law. CC ID 00572 | Log Management | Preventive | |
| Establish, implement, and maintain a physical access log. CC ID 12080 | Establish/Maintain Documentation | Preventive | |
| Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 | Log Management | Preventive | |
| Log when the vault is accessed. CC ID 06725 | Log Management | Detective | |
| Log when the cabinet is accessed. CC ID 11674 | Log Management | Detective | |
| Store facility access logs in off-site storage. CC ID 06958 | Log Management | Preventive | |
| Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Monitor and Evaluate Occurrences | Preventive | |
| Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 | Monitor and Evaluate Occurrences | Detective | |
| Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 | Monitor and Evaluate Occurrences | Detective | |
| Configure video cameras to cover all physical entry points. CC ID 06302 | Configuration | Preventive | |
| Configure video cameras to prevent physical tampering or disablement. CC ID 06303 | Configuration | Preventive | |
| Retain video events according to Records Management procedures. CC ID 06304 | Records Management | Preventive | |
| Monitor physical entry point alarms. CC ID 01639 | Physical and Environmental Protection | Detective | |
| Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 | Monitor and Evaluate Occurrences | Detective | |
| Monitor for alarmed security doors being propped open. CC ID 06684 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain physical security threat reports. CC ID 02207 | Establish/Maintain Documentation | Preventive | |
| Build and maintain fencing, as necessary. CC ID 02235 | Physical and Environmental Protection | Preventive | |
| Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 | Physical and Environmental Protection | Preventive | |
| Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and Environmental Protection | Preventive | |
| Employ security guards to provide physical security, as necessary. CC ID 06653 | Establish Roles | Preventive | |
| Establish, implement, and maintain a facility wall standard. CC ID 06692 | Establish/Maintain Documentation | Preventive | |
| Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 | Physical and Environmental Protection | Preventive | |
| Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 | Configuration | Preventive | |
| Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Behavior | Preventive | |
| Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Behavior | Preventive | |
| Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 | Business Processes | Preventive | |
| Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Behavior | Preventive | |
| Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Behavior | Preventive | |
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 [{be secure} Equipment should be sited securely and protected. § 7.8 Control] | Physical and Environmental Protection | Preventive | |
| Control the transiting and internal distribution or external distribution of assets. CC ID 00963 [Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements. § 7.10 Control] | Records Management | Preventive | |
| Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Log Management | Preventive | |
| Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Technical Security | Preventive | |
| Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 | Records Management | Preventive | |
| Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and Environmental Protection | Preventive | |
| Transport restricted media using a delivery method that can be tracked. CC ID 11777 | Business Processes | Preventive | |
| Track restricted storage media while it is in transit. CC ID 00967 | Data and Information Management | Detective | |
| Restrict physical access to distributed assets. CC ID 11865 [{physical access} Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. § 5.15 Control] | Physical and Environmental Protection | Preventive | |
| House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 | Physical and Environmental Protection | Preventive | |
| Protect electronic storage media with physical access controls. CC ID 00720 [{physical access} Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. § 5.15 Control] | Physical and Environmental Protection | Preventive | |
| Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a media protection policy. CC ID 14029 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the media protection policy. CC ID 14185 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the media protection policy. CC ID 14184 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the media protection policy. CC ID 14182 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the media protection policy. CC ID 14180 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the media protection policy. CC ID 14167 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the media protection policy. CC ID 14166 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Communicate | Preventive | |
| Establish, implement, and maintain media protection procedures. CC ID 14062 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Communicate | Preventive | |
| Establish, implement, and maintain removable storage media controls. CC ID 06680 | Data and Information Management | Preventive | |
| Control access to restricted storage media. CC ID 04889 | Data and Information Management | Preventive | |
| Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 | Physical and Environmental Protection | Preventive | |
| Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 | Records Management | Preventive | |
| Treat archive media as evidence. CC ID 00960 | Records Management | Preventive | |
| Log the transfer of removable storage media. CC ID 12322 | Log Management | Preventive | |
| Establish, implement, and maintain storage media access control procedures. CC ID 00959 | Establish/Maintain Documentation | Preventive | |
| Require removable storage media be in the custody of an authorized individual. CC ID 12319 | Behavior | Preventive | |
| Control the storage of restricted storage media. CC ID 00965 | Records Management | Preventive | |
| Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 | Physical and Environmental Protection | Preventive | |
| Protect the combinations for all combination locks. CC ID 02199 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain eavesdropping protection for vaults. CC ID 02231 | Physical and Environmental Protection | Preventive | |
| Serialize all removable storage media. CC ID 00949 | Configuration | Preventive | |
| Protect distributed assets against theft. CC ID 06799 | Physical and Environmental Protection | Preventive | |
| Include Information Technology assets in the asset removal policy. CC ID 13162 | Establish/Maintain Documentation | Preventive | |
| Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 | Communicate | Preventive | |
| Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Establish/Maintain Documentation | Preventive | |
| Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 | Process or Activity | Preventive | |
| Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 | Physical and Environmental Protection | Preventive | |
| Control the removal of assets through physical entry points and physical exit points. CC ID 11681 | Physical and Environmental Protection | Preventive | |
| Maintain records of all system components entering and exiting the facility. CC ID 14304 | Log Management | Preventive | |
| Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 | Technical Security | Preventive | |
| Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 | Technical Security | Preventive | |
| Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 [Off-site assets should be protected. § 7.9 Control] | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 | Establish/Maintain Documentation | Preventive | |
| Attach asset location technologies to distributed assets. CC ID 10626 | Physical and Environmental Protection | Detective | |
| Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 | Physical and Environmental Protection | Preventive | |
| Monitor the location of distributed assets. CC ID 11684 | Monitor and Evaluate Occurrences | Detective | |
| Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Technical Security | Corrective | |
| Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Process or Activity | Corrective | |
| Unpair missing Bluetooth devices. CC ID 12428 | Physical and Environmental Protection | Corrective | |
| Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 [{be accessible} Information stored on, processed by or accessible via user endpoint devices should be protected. § 8.1 Control] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a locking screen saver policy. CC ID 06717 | Establish/Maintain Documentation | Preventive | |
| Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Data and Information Management | Preventive | |
| Secure workstations to desks with security cables. CC ID 04724 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a mobile device management program. CC ID 15212 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain mobile device security guidelines. CC ID 04723 | Establish/Maintain Documentation | Preventive | |
| Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Business Processes | Preventive | |
| Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 | Establish/Maintain Documentation | Preventive | |
| Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Data and Information Management | Preventive | |
| Include legal requirements in the mobile device security guidelines. CC ID 12291 | Establish/Maintain Documentation | Preventive | |
| Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and Environmental Protection | Preventive | |
| Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 | Establish/Maintain Documentation | Preventive | |
| Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 | Establish/Maintain Documentation | Preventive | |
| Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 | Establish/Maintain Documentation | Preventive | |
| Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 | Physical and Environmental Protection | Preventive | |
| Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 | Physical and Environmental Protection | Preventive | |
| Encrypt information stored on mobile devices. CC ID 01422 | Data and Information Management | Preventive | |
| Remove dormant systems from the network, as necessary. CC ID 13727 | Process or Activity | Corrective | |
| Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 | Physical and Environmental Protection | Preventive | |
| Secure system components from unauthorized viewing. CC ID 01437 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain asset return procedures. CC ID 04537 [Personnel and other interested parties as appropriate should return all the organization's assets in their possession upon change or termination of their employment, contract or agreement. § 5.11 Control] | Establish/Maintain Documentation | Preventive | |
| Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 | Behavior | Preventive | |
| Require the return of all assets upon notification an individual is terminated. CC ID 06679 | Behavior | Preventive | |
| Prohibit the use of recording devices near restricted data or restricted information, absent authorization. CC ID 04598 | Behavior | Preventive | |
| Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 | Behavior | Preventive | |
| Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 | Behavior | Preventive | |
| Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 | Configuration | Preventive | |
| Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 | Investigate | Detective | |
| Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 | Monitor and Evaluate Occurrences | Corrective | |
| Establish, implement, and maintain open storage container procedures. CC ID 02198 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a clean desk policy. CC ID 06534 [Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced. § 7.7 Control] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a clear screen policy. CC ID 12436 [Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced. § 7.7 Control] | Technical Security | Preventive | |
| Establish, implement, and maintain contact card reader security guidelines. CC ID 06588 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain contactless card reader security guidelines. CC ID 06589 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Personal Identification Number input device security guidelines. CC ID 06590 | Establish/Maintain Documentation | Preventive | |
| Identify customer property within the organizational facility. CC ID 06612 | Physical and Environmental Protection | Preventive | |
| Protect customer property under the care of the organization. CC ID 11685 | Physical and Environmental Protection | Preventive | |
| Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768 | Technical Security | Preventive | |
| Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 | Configuration | Preventive | |
| Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647 | Technical Security | Preventive | |
| Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain an environmental control program. CC ID 00724 [Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure should be designed and implemented. § 7.5 Control] | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain clean energy standards. CC ID 16285 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain environmental control procedures. CC ID 12246 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a telecommunications equipment room, as necessary. CC ID 06708 | Configuration | Preventive | |
| Protect power equipment and power cabling from damage or destruction. CC ID 01438 [{power cabling} Cables carrying power, data or supporting information services should be protected from interception, interference or damage. § 7.12 Control] | Physical and Environmental Protection | Preventive | |
| Install and maintain power distribution boards. CC ID 16486 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain a battery room, as necessary. CC ID 06706 | Configuration | Preventive | |
| Establish and maintain a generator room, as necessary. CC ID 06704 | Configuration | Preventive | |
| Place the Uninterruptible Power Supply in the generator room, as necessary. CC ID 11676 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain facility maintenance procedures. CC ID 00710 | Establish/Maintain Documentation | Preventive | |
| Design the Information Technology facility with consideration given to natural disasters and man-made disasters. CC ID 00712 | Physical and Environmental Protection | Preventive | |
| Design the Information Technology facility with a low profile. CC ID 16140 | Physical and Environmental Protection | Preventive | |
| Prohibit signage indicating computer room location and uses. CC ID 06343 | Physical and Environmental Protection | Preventive | |
| Require critical facilities to have adequate room for facility maintenance. CC ID 06361 | Physical and Environmental Protection | Preventive | |
| Require critical facilities to have adequate room for evacuation. CC ID 11686 | Physical and Environmental Protection | Preventive | |
| Build critical facilities according to applicable building codes. CC ID 06366 | Physical and Environmental Protection | Preventive | |
| Build critical facilities with fire resistant materials. CC ID 06365 | Physical and Environmental Protection | Preventive | |
| Build critical facilities with materials that limit electromagnetic interference. CC ID 16131 | Physical and Environmental Protection | Preventive | |
| Build critical facilities with water-resistant materials. CC ID 11679 | Physical and Environmental Protection | Preventive | |
| Monitor operational conditions at unmanned facilities. CC ID 06327 | Physical and Environmental Protection | Preventive | |
| Remotely control operational conditions at unmanned facilities. CC ID 11680 | Technical Security | Preventive | |
| Inspect and maintain the facility and supporting assets. CC ID 06345 | Physical and Environmental Protection | Preventive | |
| Test and inspect assets under full load working conditions. CC ID 06356 | Testing | Detective | |
| Define selection criteria for facility locations. CC ID 06351 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain facility demolition procedures. CC ID 16133 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain work environment requirements. CC ID 06613 | Establish/Maintain Documentation | Preventive | |
| Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain system cleanliness requirements. CC ID 06614 | Establish/Maintain Documentation | Preventive | |
| House system components in areas where the physical damage potential is minimized. CC ID 01623 [{be secure} Equipment should be sited securely and protected. § 7.8 Control] | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a fire prevention and fire suppression standard. CC ID 06695 | Establish/Maintain Documentation | Preventive | |
| Install and maintain fire protection equipment. CC ID 00728 | Configuration | Preventive | |
| Install and maintain fire suppression systems. CC ID 00729 | Configuration | Preventive | |
| Install and maintain smoke detectors. CC ID 15264 | Physical and Environmental Protection | Preventive | |
| Conduct periodic fire marshal inspections for all organizational facilities. CC ID 04888 | Physical and Environmental Protection | Preventive | |
| Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes. CC ID 06362 | Physical and Environmental Protection | Preventive | |
| Conduct fire drills, as necessary. CC ID 13985 | Process or Activity | Preventive | |
| Employ environmental protections. CC ID 12570 | Process or Activity | Preventive | |
| Monitor and review environmental protections. CC ID 12571 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain electromagnetic compatibility requirements for in scope assets. CC ID 16472 | Establish/Maintain Documentation | Preventive | |
| Install and maintain seismic detectors in critical facilities. CC ID 06364 | Physical and Environmental Protection | Detective | |
| Protect physical assets against static electricity, as necessary. CC ID 06363 | Physical and Environmental Protection | Preventive | |
| Install and maintain emergency lighting for use in a power failure. CC ID 01440 | Physical and Environmental Protection | Preventive | |
| Install and maintain lightning protection mechanisms in critical facilities. CC ID 06367 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain pest control systems in organizational facilities. CC ID 16139 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a Heating Ventilation and Air Conditioning system. CC ID 00727 | Configuration | Preventive | |
| Install and maintain an environment control monitoring system. CC ID 06370 | Monitor and Evaluate Occurrences | Detective | |
| Protect air intakes into the organizational facility. CC ID 02211 | Physical and Environmental Protection | Preventive | |
| Install and maintain dust collection and filtering as a part of the Heating Ventilation and Air Conditioning system. CC ID 06368 | Configuration | Preventive | |
| Install and maintain backup Heating Ventilation and Air Conditioning equipment. CC ID 06369 | Configuration | Preventive | |
| Install and maintain a moisture control system as a part of the climate control system. CC ID 06694 | Configuration | Preventive | |
| Install and maintain hydrogen sensors, as necessary. CC ID 06705 | Configuration | Preventive | |
| Protect physical assets from water damage. CC ID 00730 | Configuration | Preventive | |
| Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 | Communicate | Preventive | |
| Install and maintain water detection devices. CC ID 11678 | Physical and Environmental Protection | Preventive | |
Privacy protection for information and data | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [The organization should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements. § 5.34 Control] | Establish/Maintain Documentation | Preventive | |
| Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Data and Information Management | Preventive | |
| Establish and maintain privacy notices, as necessary. CC ID 13443 | Establish/Maintain Documentation | Preventive | |
| Include the purpose of the privacy notice in the privacy notice. CC ID 13526 | Establish/Maintain Documentation | Preventive | |
| Include the processing purpose in the privacy notice. CC ID 16543 | Establish/Maintain Documentation | Preventive | |
| Include contact information in the privacy notice. CC ID 14432 | Establish/Maintain Documentation | Preventive | |
| Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 | Establish/Maintain Documentation | Preventive | |
| Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Establish/Maintain Documentation | Preventive | |
| Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 | Establish/Maintain Documentation | Preventive | |
| Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 | Establish/Maintain Documentation | Preventive | |
| Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 | Establish/Maintain Documentation | Preventive | |
| Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 | Establish/Maintain Documentation | Preventive | |
| Include the personal data collection categories in the privacy notice. CC ID 13457 | Establish/Maintain Documentation | Preventive | |
| Include disclosure exceptions in the privacy notice. CC ID 13447 | Establish/Maintain Documentation | Preventive | |
| Include the types of personal data disclosed in the privacy notice. CC ID 13446 | Establish/Maintain Documentation | Preventive | |
| Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Establish/Maintain Documentation | Preventive | |
| Specify the time frame that notice will be given. CC ID 00385 | Establish/Maintain Documentation | Preventive | |
| Include the information about the appeal process in the privacy notice. CC ID 15312 | Establish/Maintain Documentation | Preventive | |
| Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 | Establish/Maintain Documentation | Preventive | |
| Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 | Communicate | Preventive | |
| Deliver privacy notices to data subjects, as necessary. CC ID 13444 | Communicate | Preventive | |
| Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Establish/Maintain Documentation | Preventive | |
| Update privacy notices, as necessary. CC ID 13474 | Communicate | Preventive | |
| Redeliver privacy notices, as necessary. CC ID 14850 | Communicate | Preventive | |
| Deliver privacy notices to third parties, as necessary. CC ID 13473 | Communicate | Preventive | |
| Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 | Communicate | Preventive | |
| Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 | Establish/Maintain Documentation | Corrective | |
| Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 | Establish/Maintain Documentation | Preventive | |
| Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 | Establish/Maintain Documentation | Preventive | |
| Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 | Establish/Maintain Documentation | Preventive | |
| Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain opt-out notices. CC ID 13448 | Establish/Maintain Documentation | Preventive | |
| Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 | Establish/Maintain Documentation | Preventive | |
| Include the opt out method for data subjects in the opt-out notice. CC ID 13467 | Establish/Maintain Documentation | Preventive | |
| Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 | Establish/Maintain Documentation | Preventive | |
| Explain the right to opt out in the opt-out notice. CC ID 13462 | Establish/Maintain Documentation | Preventive | |
| Include the organization's right to share personal data in the opt-out notice. CC ID 13450 | Establish/Maintain Documentation | Preventive | |
| Deliver opt-out notices, as necessary. CC ID 13449 | Communicate | Preventive | |
| Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 | Communicate | Preventive | |
| Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 | Communicate | Preventive | |
| Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 | Communicate | Preventive | |
| Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 | Communicate | Preventive | |
| Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 | Data and Information Management | Preventive | |
| Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 | Communicate | Preventive | |
| Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 | Communicate | Preventive | |
| Provide the data subject with a notice of participation procedures. CC ID 06241 | Establish/Maintain Documentation | Preventive | |
| Deliver notices to the intended parties. CC ID 06240 | Data and Information Management | Preventive | |
| Notify data subjects about their privacy rights. CC ID 12989 | Communicate | Preventive | |
| Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 | Communicate | Preventive | |
| Require a data protection impact assessment when profiling the data subject. CC ID 12680 | Process or Activity | Detective | |
| Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Data and Information Management | Preventive | |
| Provide public proof the organization participates in a privacy program. CC ID 12349 | Communicate | Preventive | |
| Publish a description of processing activities in an official register. CC ID 00379 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a records request manual. CC ID 00381 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 | Establish/Maintain Documentation | Preventive | |
| Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 | Behavior | Preventive | |
| Define what is included in registration notices. CC ID 00386 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the registration notice. CC ID 16803 | Establish Roles | Preventive | |
| Include the verification method in the registration notice. CC ID 16798 | Establish/Maintain Documentation | Preventive | |
| Include the statutory authority in the registration notice. CC ID 16799 | Establish/Maintain Documentation | Preventive | |
| Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Establish/Maintain Documentation | Preventive | |
| Include a purpose specification description in the registration notice. CC ID 00388 | Establish/Maintain Documentation | Preventive | |
| Include information about the dispute resolution body in the registration notice. CC ID 16800 | Establish/Maintain Documentation | Preventive | |
| Include the data subject category being processed in the registration notice. CC ID 00389 | Establish/Maintain Documentation | Preventive | |
| Include the time period for data processing in the registration notice. CC ID 00390 | Establish/Maintain Documentation | Preventive | |
| Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Establish/Maintain Documentation | Preventive | |
| Provide legal authorities access to personal data, upon request. CC ID 06818 | Data and Information Management | Preventive | |
| Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 | Process or Activity | Preventive | |
| Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 | Process or Activity | Preventive | |
| Document the countries where restricted data may be stored. CC ID 12750 | Data and Information Management | Preventive | |
| Protect the rights of students and their parents or legal representatives. CC ID 00222 | Data and Information Management | Preventive | |
| Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 | Technical Security | Preventive | |
| Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 | Records Management | Preventive | |
| Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 | Records Management | Preventive | |
| Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 | Records Management | Corrective | |
| Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 | Records Management | Corrective | |
| Define the criteria for waivers of data subjects' rights. CC ID 16858 | Behavior | Preventive | |
| Revoke waivers of data subject's rights, as necessary. CC ID 16859 | Behavior | Preventive | |
| Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 | Establish/Maintain Documentation | Preventive | |
| Disclose educational data, as necessary. CC ID 00223 | Data and Information Management | Preventive | |
| Grant access to education records in support of educational program audits. CC ID 13032 | Records Management | Preventive | |
| Grant access to education records in support of external requirements. CC ID 13033 | Records Management | Preventive | |
| Disclose statements added to education records, as necessary. CC ID 12990 | Communicate | Preventive | |
| Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 | Data and Information Management | Preventive | |
| Disclose education records when written consent is received. CC ID 00224 | Data and Information Management | Preventive | |
| Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 | Establish/Maintain Documentation | Preventive | |
| Specify the purpose of the disclosure in the written consent. CC ID 13001 | Establish/Maintain Documentation | Preventive | |
| Specify which education records may be disclosed in the written consent. CC ID 13000 | Establish/Maintain Documentation | Preventive | |
| Document the conditions when consent is not required to disclose educational data. CC ID 00225 | Establish/Maintain Documentation | Preventive | |
| Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 | Communicate | Preventive | |
| Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 | Communicate | Preventive | |
| Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 | Communicate | Preventive | |
| Disclose educational data absent consent to other school officials. CC ID 00226 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to another institution's school officials. CC ID 00227 | Data and Information Management | Preventive | |
| Disclose educational data absent consent in connection with financial aid. CC ID 00229 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 | Communicate | Preventive | |
| Disclose educational data absent consent to accrediting organizations. CC ID 00231 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 | Data and Information Management | Preventive | |
| Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 | Data and Information Management | Preventive | |
| Disclose educational data absent consent for a health and safety emergency. CC ID 00234 | Data and Information Management | Preventive | |
| Disclose educational data absent consent when it is merely directory information. CC ID 00235 | Data and Information Management | Preventive | |
| Disclose educational data absent consent to a crime victim. CC ID 00236 | Data and Information Management | Preventive | |
| Record the health and safety threats of students when disclosing personal data. CC ID 12997 | Establish/Maintain Documentation | Preventive | |
| Refrain from providing information to the data subject, as necessary. CC ID 12625 | Communicate | Preventive | |
| Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 | Communicate | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Communicate | Preventive | |
| Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Communicate | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Communicate | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Communicate | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Communicate | Preventive | |
| Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Communicate | Preventive | |
| Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Communicate | Preventive | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the data retention period for personal data. CC ID 12587 | Process or Activity | Preventive | |
| Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 | Process or Activity | Preventive | |
| Provide the data subject with the adequacy decision. CC ID 12586 | Process or Activity | Preventive | |
| Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 | Process or Activity | Preventive | |
| Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 | Process or Activity | Preventive | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 | Data and Information Management | Preventive | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Business Processes | Preventive | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Business Processes | Preventive | |
| Notify the data subject of the right to data portability. CC ID 12603 | Process or Activity | Preventive | |
| Provide the data subject with information about the right to erasure. CC ID 12602 | Process or Activity | Preventive | |
| Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Data and Information Management | Preventive | |
| Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a disclosure accounting record. CC ID 13022 | Establish/Maintain Documentation | Preventive | |
| Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 | Establish/Maintain Documentation | Preventive | |
| Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 | Establish/Maintain Documentation | Preventive | |
| Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 | Establish/Maintain Documentation | Preventive | |
| Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Establish/Maintain Documentation | Preventive | |
| Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Establish/Maintain Documentation | Preventive | |
| Include the disclosure date in the disclosure accounting record. CC ID 07133 | Establish/Maintain Documentation | Preventive | |
| Include the disclosure recipient in the disclosure accounting record. CC ID 07134 | Establish/Maintain Documentation | Preventive | |
| Include the disclosure purpose in the disclosure accounting record. CC ID 07135 | Establish/Maintain Documentation | Preventive | |
| Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Establish/Maintain Documentation | Preventive | |
| Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Establish/Maintain Documentation | Preventive | |
| Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Establish/Maintain Documentation | Preventive | |
| Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Establish/Maintain Documentation | Preventive | |
| Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Establish/Maintain Documentation | Preventive | |
| Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Establish/Maintain Documentation | Preventive | |
| Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 | Data and Information Management | Preventive | |
| Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 | Communicate | Preventive | |
| Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 | Establish/Maintain Documentation | Preventive | |
| Provide shareholders access to electronic messages via electronic means. CC ID 11855 | Process or Activity | Preventive | |
| Make telephone directory information available to the public. CC ID 08698 | Establish/Maintain Documentation | Preventive | |
| Display warning screens and confirmation screens for all payment transactions. CC ID 06409 | Technical Security | Preventive | |
| Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 | Process or Activity | Preventive | |
| Establish, implement, and maintain a privacy policy. CC ID 06281 | Establish/Maintain Documentation | Preventive | |
| Include the data subject's rights in the privacy policy. CC ID 16355 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a privacy policy model document. CC ID 14720 | Establish/Maintain Documentation | Preventive | |
| Document privacy policies in clearly written and easily understood language. CC ID 00376 | Establish/Maintain Documentation | Detective | |
| Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 | Behavior | Preventive | |
| Write privacy notices in the official languages required by law. CC ID 16529 | Establish/Maintain Documentation | Preventive | |
| Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 | Establish/Maintain Documentation | Preventive | |
| Define what is included in the privacy policy. CC ID 00404 | Establish/Maintain Documentation | Preventive | |
| Define the information being collected in the privacy policy. CC ID 13115 | Establish/Maintain Documentation | Preventive | |
| Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 | Establish/Maintain Documentation | Preventive | |
| Include the means by which information is collected in the privacy policy. CC ID 13114 | Establish/Maintain Documentation | Preventive | |
| Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 | Establish/Maintain Documentation | Corrective | |
| Include roles and responsibilities in the privacy policy. CC ID 14669 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the privacy policy. CC ID 14668 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the privacy policy. CC ID 14667 | Establish/Maintain Documentation | Preventive | |
| Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the privacy policy. CC ID 14666 | Establish/Maintain Documentation | Preventive | |
| Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 | Establish/Maintain Documentation | Preventive | |
| Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 | Establish/Maintain Documentation | Corrective | |
| Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 | Establish/Maintain Documentation | Preventive | |
| Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 | Establish/Maintain Documentation | Preventive | |
| Include a complaint form in the privacy policy. CC ID 12364 | Establish/Maintain Documentation | Preventive | |
| Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 | Establish/Maintain Documentation | Preventive | |
| Include the processing purpose in the privacy policy. CC ID 00406 | Establish/Maintain Documentation | Preventive | |
| Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 | Establish/Maintain Documentation | Preventive | |
| Include the data subject categories being processed in the privacy policy. CC ID 00407 | Establish/Maintain Documentation | Preventive | |
| Define the retention period for collected information in the privacy policy. CC ID 13116 | Establish/Maintain Documentation | Preventive | |
| Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 | Establish/Maintain Documentation | Preventive | |
| Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 | Establish/Maintain Documentation | Preventive | |
| Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 | Establish/Maintain Documentation | Preventive | |
| Include instructions on how to opt-out in the privacy policy. CC ID 00411 | Establish/Maintain Documentation | Preventive | |
| Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 | Establish/Maintain Documentation | Preventive | |
| Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 | Establish/Maintain Documentation | Preventive | |
| Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 | Establish/Maintain Documentation | Preventive | |
| Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 | Establish/Maintain Documentation | Preventive | |
| Post the privacy policy in an easily seen location. CC ID 00401 | Establish/Maintain Documentation | Preventive | |
| Define who will receive the privacy policy. CC ID 00402 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 | Communicate | Preventive | |
| Establish, implement, and maintain privacy procedures. CC ID 14665 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 | Communicate | Preventive | |
| Establish, implement, and maintain a privacy plan. CC ID 14672 | Establish/Maintain Documentation | Preventive | |
| Align the enterprise architecture with the privacy plan. CC ID 14705 | Process or Activity | Preventive | |
| Approve the privacy plan. CC ID 14700 | Business Processes | Preventive | |
| Include privacy requirements in the privacy plan. CC ID 14699 | Establish/Maintain Documentation | Preventive | |
| Include the information types in the privacy plan. CC ID 14695 | Establish/Maintain Documentation | Preventive | |
| Include threats in the privacy plan. CC ID 14694 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the privacy plan. CC ID 14702 | Establish/Maintain Documentation | Preventive | |
| Include a description of the operational context in the privacy plan. CC ID 14692 | Establish/Maintain Documentation | Preventive | |
| Include risk assessment results in the privacy plan. CC ID 14701 | Establish/Maintain Documentation | Preventive | |
| Include the security categorizations and rationale in the privacy plan. CC ID 14690 | Establish/Maintain Documentation | Preventive | |
| Include security controls in the privacy plan. CC ID 14681 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 | Communicate | Preventive | |
| Include a description of the operational environment in the privacy plan. CC ID 14679 | Establish/Maintain Documentation | Preventive | |
| Include network diagrams in the privacy plan. CC ID 14678 | Establish/Maintain Documentation | Preventive | |
| Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a privacy report. CC ID 14754 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 | Communicate | Preventive | |
| Protect private communications in keeping with compliance requirements. CC ID 14334 | Business Processes | Preventive | |
| Disseminate private communications when required by law. CC ID 14335 | Communicate | Corrective | |
| Establish, implement, and maintain personal data choice and consent program. CC ID 12569 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data request procedures. CC ID 16546 | Establish/Maintain Documentation | Preventive | |
| Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 | Human Resources Management | Preventive | |
| Refrain from charging a fee to implement an opt-out request. CC ID 13877 | Business Processes | Preventive | |
| Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 | Establish/Maintain Documentation | Preventive | |
| Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 | Establish/Maintain Documentation | Preventive | |
| Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Establish/Maintain Documentation | Preventive | |
| Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 | Establish/Maintain Documentation | Preventive | |
| Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 | Establish/Maintain Documentation | Preventive | |
| Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Establish/Maintain Documentation | Preventive | |
| Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Establish/Maintain Documentation | Preventive | |
| Include how personal data will be used in the disclosure authorization form. CC ID 13441 | Establish/Maintain Documentation | Preventive | |
| Include agreement termination information in the disclosure authorization form. CC ID 13437 | Establish/Maintain Documentation | Preventive | |
| Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 | Business Processes | Preventive | |
| Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Business Processes | Preventive | |
| Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 | Data and Information Management | Preventive | |
| Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Business Processes | Preventive | |
| Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Business Processes | Preventive | |
| Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Data and Information Management | Preventive | |
| Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 | Business Processes | Preventive | |
| Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Process or Activity | Preventive | |
| Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Establish/Maintain Documentation | Preventive | |
| Allow consent requests to be provided in any official languages. CC ID 16530 | Business Processes | Preventive | |
| Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Communicate | Preventive | |
| Collect and retain disclosure authorizations for each data subject. CC ID 13434 | Records Management | Preventive | |
| Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 | Data and Information Management | Preventive | |
| Refrain from obtaining consent through deception. CC ID 13556 | Data and Information Management | Preventive | |
| Give individuals the ability to change the uses of their personal data. CC ID 00469 | Data and Information Management | Preventive | |
| Notify data subjects of the implications of withdrawing consent. CC ID 13551 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Establish/Maintain Documentation | Preventive | |
| Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 | Human Resources Management | Preventive | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Establish Roles | Preventive | |
| Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 | Human Resources Management | Preventive | |
| Notify the supervisory authority. CC ID 00472 | Behavior | Preventive | |
| Establish, implement, and maintain approval applications. CC ID 16778 | Establish/Maintain Documentation | Preventive | |
| Define the requirements for approving or denying approval applications. CC ID 16780 | Business Processes | Preventive | |
| Submit approval applications to the supervisory authority. CC ID 16627 | Communicate | Preventive | |
| Include required information in the approval application. CC ID 16628 | Establish/Maintain Documentation | Preventive | |
| Extend the time limit for approving or denying approval applications. CC ID 16779 | Business Processes | Preventive | |
| Approve the approval application unless applicant has been convicted. CC ID 16603 | Process or Activity | Preventive | |
| Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Process or Activity | Preventive | |
| Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Communicate | Preventive | |
| Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Communicate | Corrective | |
| Cooperate with Data Protection Authorities. CC ID 06870 | Data and Information Management | Preventive | |
| Submit a safe harbor self-certification letter. CC ID 06871 | Establish/Maintain Documentation | Preventive | |
| Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 | Human Resources Management | Preventive | |
| Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 | Establish/Maintain Documentation | Preventive | |
| Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 | Establish/Maintain Documentation | Preventive | |
| Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 | Establish/Maintain Documentation | Preventive | |
| Include data subject's rights in the Binding Corporate Rules. CC ID 12596 | Establish/Maintain Documentation | Preventive | |
| Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 | Establish/Maintain Documentation | Preventive | |
| Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 | Establish/Maintain Documentation | Preventive | |
| Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 | Establish/Maintain Documentation | Preventive | |
| Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 | Establish/Maintain Documentation | Preventive | |
| Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 | Establish/Maintain Documentation | Preventive | |
| Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 | Establish/Maintain Documentation | Preventive | |
| Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 | Establish/Maintain Documentation | Preventive | |
| Include complaint procedures in the Binding Corporate Rules. CC ID 12613 | Establish/Maintain Documentation | Preventive | |
| Include the data transfers in the Binding Corporate Rules. CC ID 12590 | Establish/Maintain Documentation | Preventive | |
| Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 | Establish/Maintain Documentation | Preventive | |
| Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 | Establish/Maintain Documentation | Preventive | |
| Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 | Establish/Maintain Documentation | Preventive | |
| Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 | Establish/Maintain Documentation | Preventive | |
| Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 | Establish/Maintain Documentation | Preventive | |
| Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 | Establish/Maintain Documentation | Preventive | |
| Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 | Establish/Maintain Documentation | Preventive | |
| Notify the data controller of any changes in data processors. CC ID 12648 | Communicate | Preventive | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 | Establish/Maintain Documentation | Preventive | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Establish/Maintain Documentation | Preventive | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Establish/Maintain Documentation | Preventive | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Establish/Maintain Documentation | Preventive | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 | Establish/Maintain Documentation | Preventive | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Establish/Maintain Documentation | Preventive | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 | Establish/Maintain Documentation | Preventive | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Human Resources Management | Preventive | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Establish/Maintain Documentation | Preventive | |
| Display or print the least amount of personal data necessary. CC ID 04643 | Data and Information Management | Preventive | |
| Redact confidential information from public information, as necessary. CC ID 06872 | Data and Information Management | Preventive | |
| Notify the data subject of the collection purpose. CC ID 00095 | Behavior | Preventive | |
| Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Data and Information Management | Preventive | |
| Document the law that requires restricted data to be collected. CC ID 00103 | Establish/Maintain Documentation | Preventive | |
| Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Behavior | Preventive | |
| Notify the data subject of changes to personal data use. CC ID 00105 | Behavior | Preventive | |
| Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Establish/Maintain Documentation | Preventive | |
| Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Establish/Maintain Documentation | Preventive | |
| Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Establish/Maintain Documentation | Preventive | |
| Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Establish/Maintain Documentation | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Establish/Maintain Documentation | Preventive | |
| Obtain the data subject's consent when the personal data use changes. CC ID 11832 | Behavior | Preventive | |
| Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Establish/Maintain Documentation | Preventive | |
| Dispose of media and restricted data in a timely manner. CC ID 00125 | Data and Information Management | Preventive | |
| Refrain from destroying records being inspected or reviewed. CC ID 13015 | Records Management | Preventive | |
| Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Communicate | Preventive | |
| Establish, implement, and maintain data access procedures. CC ID 00414 | Establish/Maintain Documentation | Preventive | |
| Allow data subjects to submit data requests. CC ID 16545 | Process or Activity | Preventive | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Data and Information Management | Preventive | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Data and Information Management | Preventive | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 | Data and Information Management | Preventive | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Data and Information Management | Preventive | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 | Data and Information Management | Preventive | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Establish/Maintain Documentation | Preventive | |
| Define what is to be included in a data access request. CC ID 08699 | Establish/Maintain Documentation | Preventive | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Business Processes | Preventive | |
| Respond to data access requests in a timely manner. CC ID 00421 | Behavior | Preventive | |
| Delay responding to data access requests, as necessary. CC ID 15504 | Data and Information Management | Preventive | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Data and Information Management | Preventive | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Behavior | Detective | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Behavior | Detective | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Business Processes | Preventive | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Process or Activity | Preventive | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Establish/Maintain Documentation | Preventive | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Data and Information Management | Preventive | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 | Data and Information Management | Preventive | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Establish/Maintain Documentation | Preventive | |
| Submit personal data removal requests in writing. CC ID 11973 | Records Management | Preventive | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Establish/Maintain Documentation | Preventive | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Records Management | Corrective | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Establish/Maintain Documentation | Preventive | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Process or Activity | Preventive | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Establish/Maintain Documentation | Preventive | |
| Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 | Data and Information Management | Preventive | |
| Disclose de-identified data, as necessary. CC ID 13034 | Communicate | Preventive | |
| Notify the data subject after personal data is used or disclosed. CC ID 06247 | Behavior | Preventive | |
| Refrain from processing restricted data, as necessary. CC ID 12551 | Records Management | Preventive | |
| Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Process or Activity | Preventive | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Process or Activity | Preventive | |
| Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Business Processes | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Process or Activity | Detective | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Process or Activity | Preventive | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Data and Information Management | Preventive | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Data and Information Management | Preventive | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Business Processes | Preventive | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Business Processes | Preventive | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Business Processes | Preventive | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Business Processes | Preventive | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Business Processes | Preventive | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Business Processes | Preventive | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Business Processes | Preventive | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Process or Activity | Preventive | |
| Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Establish/Maintain Documentation | Preventive | |
| Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Establish/Maintain Documentation | Preventive | |
| Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Establish/Maintain Documentation | Preventive | |
| Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Establish/Maintain Documentation | Preventive | |
| Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Establish/Maintain Documentation | Preventive | |
| Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Records Management | Preventive | |
| Include the data processor's contact information in the record of processing activities. CC ID 12657 | Records Management | Preventive | |
| Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Records Management | Preventive | |
| Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Records Management | Preventive | |
| Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Records Management | Preventive | |
| Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 | Records Management | Preventive | |
| Include the personal data processing categories in the record of processing activities. CC ID 12661 | Records Management | Preventive | |
| Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Records Management | Preventive | |
| Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Records Management | Preventive | |
| Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Records Management | Preventive | |
| Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Records Management | Preventive | |
| Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Records Management | Preventive | |
| Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Records Management | Preventive | |
| Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Records Management | Preventive | |
| Include the data controller's contact information in the record of processing activities. CC ID 12637 | Records Management | Preventive | |
| Process restricted data lawfully and carefully. CC ID 00086 | Establish Roles | Preventive | |
| Analyze requirements for processing personal data in contracts. CC ID 12550 | Investigate | Detective | |
| Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Technical Security | Preventive | |
| Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Data and Information Management | Preventive | |
| Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Communicate | Corrective | |
| Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Records Management | Preventive | |
| Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Establish/Maintain Documentation | Preventive | |
| Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Data and Information Management | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Records Management | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Process or Activity | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Records Management | Preventive | |
| Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Data and Information Management | Preventive | |
| Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Establish/Maintain Documentation | Preventive | |
| Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Establish/Maintain Documentation | Preventive | |
| Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Data and Information Management | Preventive | |
| Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Data and Information Management | Preventive | |
| Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Establish/Maintain Documentation | Preventive | |
| Define and implement valid authorization control requirements. CC ID 06258 | Establish/Maintain Documentation | Preventive | |
| Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Data and Information Management | Preventive | |
| Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Data and Information Management | Preventive | |
| Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Data and Information Management | Preventive | |
| Process personal data after the data subject has granted explicit consent. CC ID 00180 | Data and Information Management | Preventive | |
| Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Data and Information Management | Preventive | |
| Process personal data relating to criminal offenses when required by law. CC ID 00237 | Data and Information Management | Preventive | |
| Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Data and Information Management | Preventive | |
| Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Data and Information Management | Preventive | |
| Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Data and Information Management | Preventive | |
| Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 | Data and Information Management | Preventive | |
| Process traffic data in a controlled manner. CC ID 00130 | Data and Information Management | Preventive | |
| Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Data and Information Management | Preventive | |
| Process personal data when it is publicly accessible. CC ID 00187 | Data and Information Management | Preventive | |
| Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Data and Information Management | Preventive | |
| Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Business Processes | Preventive | |
| Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Communicate | Corrective | |
| Process personal data for the purposes of employment. CC ID 16527 | Data and Information Management | Preventive | |
| Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Data and Information Management | Preventive | |
| Process personal data for debt collection or benefit payments. CC ID 00190 | Data and Information Management | Preventive | |
| Process personal data in order to advance the public interest. CC ID 00191 | Data and Information Management | Preventive | |
| Process personal data for surveys, archives, or scientific research. CC ID 00192 | Data and Information Management | Preventive | |
| Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Data and Information Management | Preventive | |
| Process personal data for academic purposes or religious purposes. CC ID 00194 | Data and Information Management | Preventive | |
| Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Data and Information Management | Preventive | |
| Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Data and Information Management | Preventive | |
| Follow legal obligations while processing personal data. CC ID 04794 | Data and Information Management | Preventive | |
| Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Data and Information Management | Preventive | |
| Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 | Data and Information Management | Preventive | |
| Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 | Process or Activity | Preventive | |
| Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Data and Information Management | Preventive | |
| Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Data and Information Management | Preventive | |
| Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Data and Information Management | Preventive | |
| Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Data and Information Management | Preventive | |
| Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Data and Information Management | Preventive | |
| Process personal data absent consent in order to perform a contract. CC ID 13586 | Data and Information Management | Preventive | |
| Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Data and Information Management | Preventive | |
| Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Data and Information Management | Preventive | |
| Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is needed by law. CC ID 13577 | Data and Information Management | Preventive | |
| Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is from publicly available information. CC ID 13576 | Data and Information Management | Preventive | |
| Process personal data absent consent to create a credit report. CC ID 15288 | Data and Information Management | Preventive | |
| Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 | Data and Information Management | Preventive | |
| Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Data and Information Management | Preventive | |
| Process personal data absent consent when produced for business purposes. CC ID 13563 | Data and Information Management | Preventive | |
| Process personal data absent consent for handling insurance claims. CC ID 13561 | Data and Information Management | Preventive | |
| Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Data and Information Management | Preventive | |
| Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Data and Information Management | Preventive | |
| Process personal data absent consent for life-threatening emergencies. CC ID 13558 | Data and Information Management | Preventive | |
| Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Data and Information Management | Preventive | |
| Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 | Behavior | Preventive | |
| Define security breach notification requirement exceptions. CC ID 04797 | Establish/Maintain Documentation | Preventive | |
| Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 | Communicate | Corrective | |
| Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 | Records Management | Preventive | |
| Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 | Communicate | Corrective | |
| Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 | Data and Information Management | Preventive | |
| Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Establish/Maintain Documentation | Preventive | |
| Define the exceptions to disclosure absent consent. CC ID 00135 | Establish/Maintain Documentation | Preventive | |
| Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 | Data and Information Management | Detective | |
| Define opt-out exceptions for disclosing restricted data. CC ID 00159 | Establish/Maintain Documentation | Preventive | |
| Define how a data subject may give consent. CC ID 00160 | Establish/Maintain Documentation | Preventive | |
| Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 | Communicate | Preventive | |
| Disclose restricted data absent consent when the law does not require consent. CC ID 00136 | Data and Information Management | Preventive | |
| Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 | Data and Information Management | Preventive | |
| Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 | Data and Information Management | Preventive | |
| Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 | Data and Information Management | Preventive | |
| Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 | Data and Information Management | Preventive | |
| Disclose personal data absent consent to create a credit report. CC ID 15297 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 | Data and Information Management | Preventive | |
| Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for handling insurance claims. CC ID 13585 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 | Data and Information Management | Preventive | |
| Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to perform a contract. CC ID 00139 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 | Data and Information Management | Preventive | |
| Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 | Data and Information Management | Preventive | |
| Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Data and Information Management | Preventive | |
| Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 | Data and Information Management | Preventive | |
| Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent for public economic interests. CC ID 00148 | Data and Information Management | Preventive | |
| Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 | Data and Information Management | Preventive | |
| Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 | Data and Information Management | Preventive | |
| Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Establish/Maintain Documentation | Detective | |
| Disclose restricted data absent consent when it is needed by law. CC ID 00163 | Data and Information Management | Preventive | |
| Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 | Data and Information Management | Preventive | |
| Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 | Data and Information Management | Preventive | |
| Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 | Data and Information Management | Preventive | |
| Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 | Data and Information Management | Preventive | |
| Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 | Communicate | Preventive | |
| Establish, implement, and maintain restricted data retention procedures. CC ID 00167 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Establish/Maintain Documentation | Preventive | |
| Capture personal data removal requests. CC ID 13507 | Communicate | Preventive | |
| Remove personal data from records after receiving a personal data removal request. CC ID 11972 | Records Management | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Process or Activity | Preventive | |
| Dispose of personal data removal requests, as necessary. CC ID 13512 | Business Processes | Preventive | |
| Limit the redisclosure and reuse of restricted data. CC ID 00168 | Data and Information Management | Preventive | |
| Refrain from redisclosing or reusing restricted data. CC ID 00169 | Data and Information Management | Preventive | |
| Document the redisclosing restricted data exceptions. CC ID 00170 | Establish/Maintain Documentation | Preventive | |
| Redisclose restricted data when the data subject consents. CC ID 00171 | Data and Information Management | Preventive | |
| Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Data and Information Management | Preventive | |
| Redisclose restricted data in order to protect public revenue. CC ID 00173 | Data and Information Management | Preventive | |
| Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Data and Information Management | Preventive | |
| Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Data and Information Management | Preventive | |
| Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Data and Information Management | Preventive | |
| Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Data and Information Management | Preventive | |
| Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 | Data and Information Management | Preventive | |
| Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Data and Information Management | Preventive | |
| Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Data and Information Management | Preventive | |
| Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Data and Information Management | Preventive | |
| Process Personal Identification Numbers with consent. CC ID 00239 | Data and Information Management | Preventive | |
| Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Behavior | Preventive | |
| Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Data and Information Management | Preventive | |
| Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Data and Information Management | Preventive | |
| Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Data and Information Management | Preventive | |
| Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Data and Information Management | Preventive | |
| Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Establish/Maintain Documentation | Preventive | |
| Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Data and Information Management | Preventive | |
| Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Data and Information Management | Preventive | |
| Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Data and Information Management | Preventive | |
| Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Data and Information Management | Preventive | |
| Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 | Data and Information Management | Preventive | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Establish/Maintain Documentation | Preventive | |
| Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Data and Information Management | Preventive | |
| Review personal data disclosure requests. CC ID 07129 | Data and Information Management | Preventive | |
| Notify the data subject of the disclosure purpose. CC ID 15268 | Communicate | Preventive | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 | Establish/Maintain Documentation | Preventive | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Data and Information Management | Preventive | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Data and Information Management | Preventive | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Data and Information Management | Preventive | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Data and Information Management | Preventive | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Data and Information Management | Preventive | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Data and Information Management | Preventive | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Data and Information Management | Preventive | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Data and Information Management | Preventive | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Data and Information Management | Preventive | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Process or Activity | Preventive | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Data and Information Management | Preventive | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Data and Information Management | Preventive | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Data and Information Management | Preventive | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Data and Information Management | Detective | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Data and Information Management | Preventive | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Data and Information Management | Preventive | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Data and Information Management | Preventive | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Data and Information Management | Preventive | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Data and Information Management | Preventive | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Data and Information Management | Preventive | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Data and Information Management | Preventive | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Data and Information Management | Preventive | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Data and Information Management | Preventive | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Communicate | Preventive | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Data and Information Management | Preventive | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Process or Activity | Preventive | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Data and Information Management | Preventive | |
| Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Data and Information Management | Preventive | |
| Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Communicate | Preventive | |
| Provide data or records in a reasonable time frame. CC ID 00429 | Data and Information Management | Preventive | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Communicate | Preventive | |
| Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Data and Information Management | Preventive | |
| Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Data and Information Management | Preventive | |
| Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Data and Information Management | Preventive | |
| Provide data at a cost that is not excessive. CC ID 00430 | Data and Information Management | Preventive | |
| Provide records or data in a reasonable manner. CC ID 00431 | Data and Information Management | Preventive | |
| Provide personal data in a form that is intelligible. CC ID 00432 | Data and Information Management | Preventive | |
| Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Data and Information Management | Preventive | |
| Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Data and Information Management | Preventive | |
| Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Data and Information Management | Preventive | |
| Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Establish/Maintain Documentation | Preventive | |
| Include cookie management in the privacy framework. CC ID 13809 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain cookie management procedures. CC ID 13810 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Establish/Maintain Documentation | Preventive | |
| Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 | Data and Information Management | Preventive | |
| Refrain from collecting personal data, as necessary. CC ID 15269 | Data and Information Management | Preventive | |
| Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 | Business Processes | Detective | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Establish/Maintain Documentation | Preventive | |
| Use personal data for specified purposes. CC ID 11831 | Data and Information Management | Preventive | |
| Post the collection purpose. CC ID 00101 | Establish/Maintain Documentation | Preventive | |
| Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Data and Information Management | Preventive | |
| Document each individual's personal data collection consent preferences. CC ID 06945 | Establish/Maintain Documentation | Preventive | |
| Provide explicit consent that is clear and unambiguous. CC ID 00181 | Data and Information Management | Preventive | |
| Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Data and Information Management | Preventive | |
| Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Data and Information Management | Preventive | |
| Notify the data subject of the source of collected personal data. CC ID 00083 | Behavior | Preventive | |
| Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Data and Information Management | Preventive | |
| Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Data and Information Management | Preventive | |
| Establish and maintain a personal data definition. CC ID 00028 | Establish/Maintain Documentation | Preventive | |
| Include an individual's name in the personal data definition. CC ID 04710 | Data and Information Management | Preventive | |
| Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Data and Information Management | Preventive | |
| Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Data and Information Management | Preventive | |
| Include an individual's signature in the personal data definition. CC ID 04711 | Data and Information Management | Preventive | |
| Include an individual's date of birth in the personal data definition. CC ID 04770 | Data and Information Management | Preventive | |
| Include the number of children in the personal data definition. CC ID 13759 | Establish/Maintain Documentation | Preventive | |
| Include the individual's religion in the personal data definition. CC ID 13765 | Establish/Maintain Documentation | Preventive | |
| Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Data and Information Management | Preventive | |
| Include an individual's biometric data in the personal data definition. CC ID 04698 | Data and Information Management | Preventive | |
| Include an individual's photographic image in the personal data definition. CC ID 04779 | Data and Information Management | Preventive | |
| Include an individual's fingerprints in the personal data definition. CC ID 04689 | Data and Information Management | Preventive | |
| Include an individual's address in the personal data definition. CC ID 04687 | Data and Information Management | Preventive | |
| Include an individual's telephone number in the personal data definition. CC ID 04688 | Data and Information Management | Preventive | |
| Include an individual's fax number in the personal data definition. CC ID 07120 | Data and Information Management | Preventive | |
| Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Establish/Maintain Documentation | Preventive | |
| Include an individual's license plate number in the personal data definition. CC ID 13763 | Establish/Maintain Documentation | Preventive | |
| Include an individual's financial account number in the personal data definition. CC ID 04692 | Data and Information Management | Preventive | |
| Include an individual's account balances in the personal data definition. CC ID 13770 | Establish/Maintain Documentation | Preventive | |
| Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Data and Information Management | Preventive | |
| Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Data and Information Management | Preventive | |
| Include an individual's logon credentials in the personal data definition. CC ID 13771 | Establish/Maintain Documentation | Preventive | |
| Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Data and Information Management | Preventive | |
| Include an individual's passport number in the personal data definition. CC ID 04713 | Data and Information Management | Preventive | |
| Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Data and Information Management | Preventive | |
| Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Data and Information Management | Preventive | |
| Include an individual's military identification number in the personal data definition. CC ID 13083 | Establish/Maintain Documentation | Preventive | |
| Include an individual's e-mail address in the personal data definition. CC ID 04696 | Data and Information Management | Preventive | |
| Include electronic signatures in the personal data definition. CC ID 04697 | Data and Information Management | Preventive | |
| Include an individual's payment card information in the personal data definition. CC ID 04751 | Data and Information Management | Preventive | |
| Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Data and Information Management | Preventive | |
| Include an individual's payment card service code in the personal data definition. CC ID 04753 | Data and Information Management | Preventive | |
| Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Data and Information Management | Preventive | |
| Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Data and Information Management | Preventive | |
| Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Data and Information Management | Preventive | |
| Include an individual's medical history in the personal data definition. CC ID 04701 | Data and Information Management | Preventive | |
| Include an individual's medical treatment in the personal data definition. CC ID 04702 | Data and Information Management | Preventive | |
| Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Data and Information Management | Preventive | |
| Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Data and Information Management | Preventive | |
| Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Data and Information Management | Preventive | |
| Include an individual's health insurance information in the personal data definition. CC ID 04705 | Data and Information Management | Preventive | |
| Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Data and Information Management | Preventive | |
| Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Data and Information Management | Preventive | |
| Include an individual's education information in the personal data definition. CC ID 04714 | Data and Information Management | Preventive | |
| Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Data and Information Management | Preventive | |
| Include an individual's employment information in the personal data definition. CC ID 04715 | Data and Information Management | Preventive | |
| Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Data and Information Management | Preventive | |
| Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Data and Information Management | Preventive | |
| Include an individual's employment history in the personal data definition. CC ID 04716 | Data and Information Management | Preventive | |
| Include an individual's place of employment in the personal data definition. CC ID 04765 | Data and Information Management | Preventive | |
| Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Data and Information Management | Preventive | |
| Include an individual's property information in the personal data definition. CC ID 04780 | Data and Information Management | Preventive | |
| Include an individual's property title in the personal data definition. CC ID 04781 | Data and Information Management | Preventive | |
| Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Data and Information Management | Preventive | |
| Include hardware asset identification information in the personal data definition. CC ID 07123 | Data and Information Management | Preventive | |
| Include MAC addresses in the personal data definition. CC ID 04778 | Data and Information Management | Preventive | |
| Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Data and Information Management | Preventive | |
| Include asset serial numbers in the personal data definition. CC ID 07124 | Data and Information Management | Preventive | |
| Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Data and Information Management | Preventive | |
| Refrain from including publicly available information in the personal data definition. CC ID 13084 | Establish/Maintain Documentation | Preventive | |
| Define specially restricted data. CC ID 00037 | Data and Information Management | Preventive | |
| Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Data and Information Management | Preventive | |
| Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Data and Information Management | Preventive | |
| Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Data and Information Management | Preventive | |
| Implement a nondiscrimination principle. CC ID 00081 | Data and Information Management | Preventive | |
| Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Data and Information Management | Preventive | |
| Preserve each individual's right to human dignity. CC ID 00082 | Data and Information Management | Preventive | |
| Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Data and Information Management | Preventive | |
| Employ a random number generator to create authenticators. CC ID 13782 | Technical Security | Preventive | |
| Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Data and Information Management | Preventive | |
| Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Data and Information Management | Preventive | |
| Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Data and Information Management | Preventive | |
| Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Data and Information Management | Preventive | |
| Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Behavior | Preventive | |
| Manage health data collection. CC ID 00050 | Data and Information Management | Preventive | |
| Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Data and Information Management | Preventive | |
| Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Data and Information Management | Preventive | |
| Collect Individually Identifiable Health Information for research. CC ID 00054 | Data and Information Management | Preventive | |
| Remove personal data before disclosing health data. CC ID 00055 | Data and Information Management | Preventive | |
| Give special attention to collecting children's data. CC ID 00038 | Data and Information Management | Preventive | |
| Use simple understandable language to collect information from children. CC ID 00039 | Behavior | Preventive | |
| Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Establish/Maintain Documentation | Preventive | |
| Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Data and Information Management | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Establish/Maintain Documentation | Preventive | |
| Collect personal data directly from the data subject. CC ID 00011 | Data and Information Management | Preventive | |
| Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Data and Information Management | Preventive | |
| Provide unlinkability for users and resources. CC ID 04550 | Data and Information Management | Preventive | |
| Provide unobservability of users and resources. CC ID 04551 | Technical Security | Preventive | |
| Confirm the data quality of personal data collected from third parties. CC ID 13510 | Investigate | Detective | |
| Collect restricted data in a fair and lawful manner. CC ID 00010 | Data and Information Management | Preventive | |
| Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Data and Information Management | Preventive | |
| Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 | Data and Information Management | Preventive | |
| Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Data and Information Management | Preventive | |
| Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Data and Information Management | Preventive | |
| Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Data and Information Management | Preventive | |
| Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Data and Information Management | Preventive | |
| Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Data and Information Management | Preventive | |
| Collect personal data absent consent for handling insurance claims. CC ID 13543 | Data and Information Management | Preventive | |
| Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Data and Information Management | Preventive | |
| Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Data and Information Management | Preventive | |
| Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Data and Information Management | Preventive | |
| Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Data and Information Management | Preventive | |
| Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Data and Information Management | Preventive | |
| Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Data and Information Management | Preventive | |
| Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 | Data and Information Management | Preventive | |
| Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 | Data and Information Management | Preventive | |
| Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Data and Information Management | Preventive | |
| Collect restricted data absent consent from publicly available information. CC ID 00019 | Data and Information Management | Preventive | |
| Collect restricted data absent consent when needed by law. CC ID 00020 | Data and Information Management | Preventive | |
| Collect personal data absent consent to create a credit report. CC ID 15287 | Data and Information Management | Preventive | |
| Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Data and Information Management | Preventive | |
| Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Data and Information Management | Preventive | |
| Collect the minimum amount of restricted data necessary. CC ID 00078 | Data and Information Management | Preventive | |
| Collect restricted data in a proper information framework. CC ID 00009 | Data and Information Management | Preventive | |
| Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Data and Information Management | Preventive | |
| Collect restricted data when required by law. CC ID 00031 | Data and Information Management | Preventive | |
| Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Data and Information Management | Preventive | |
| Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Data and Information Management | Preventive | |
| Collect restricted data for legal purposes. CC ID 00036 | Data and Information Management | Preventive | |
| Review the methods for collecting personal data, as necessary. CC ID 13511 | Investigate | Detective | |
| Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Communicate | Preventive | |
| Provide the data subject with the data collector's name and contact information. CC ID 00024 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Establish/Maintain Documentation | Preventive | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Data and Information Management | Preventive | |
| Protect electronic messaging information. CC ID 12022 | Technical Security | Preventive | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Data and Information Management | Preventive | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Configuration | Preventive | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Testing | Detective | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Configuration | Preventive | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Configuration | Preventive | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Technical Security | Preventive | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Data and Information Management | Preventive | |
| Log the disclosure of personal data. CC ID 06628 | Log Management | Preventive | |
| Log the modification of personal data. CC ID 11844 | Log Management | Preventive | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Technical Security | Preventive | |
| Implement security measures to protect personal data. CC ID 13606 | Technical Security | Preventive | |
| Implement physical controls to protect personal data. CC ID 00355 | Testing | Preventive | |
| Limit data leakage. CC ID 00356 [Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information. § 8.12 Control] | Data and Information Management | Preventive | |
| Conduct personal data risk assessments. CC ID 00357 | Testing | Detective | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Business Processes | Preventive | |
| Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Data and Information Management | Detective | |
| Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Data and Information Management | Detective | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Monitor and Evaluate Occurrences | Detective | |
| Perform an identity check prior to approving an account change request. CC ID 13670 | Investigate | Detective | |
| Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Behavior | Detective | |
| Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Data and Information Management | Detective | |
| Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Log Management | Detective | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Monitor and Evaluate Occurrences | Corrective | |
| Log dates for account name changes or address changes. CC ID 04876 | Log Management | Detective | |
| Review accounts that are changed for additional user requests. CC ID 11846 | Monitor and Evaluate Occurrences | Detective | |
| Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Data and Information Management | Detective | |
| Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Acquisition/Sale of Assets or Services | Preventive | |
| Search the Internet for evidence of data leakage. CC ID 10419 | Process or Activity | Detective | |
| Alert appropriate personnel when data leakage is detected. CC ID 14715 | Process or Activity | Preventive | |
| Review monitored websites for data leakage. CC ID 10593 | Monitor and Evaluate Occurrences | Detective | |
| Take appropriate action when a data leakage is discovered. CC ID 14716 | Process or Activity | Corrective | |
| Include text about data ownership in the data handling policy. CC ID 15720 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain call metadata controls. CC ID 04790 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [Data masking should be used in accordance with the organization's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration. § 8.11 Control] | Data and Information Management | Preventive | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Data and Information Management | Preventive | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 | Data and Information Management | Preventive | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Data and Information Management | Preventive | |
| Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Communicate | Preventive | |
| Establish, implement, and maintain data handling procedures. CC ID 11756 [Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. § 5.10 Control] | Establish/Maintain Documentation | Preventive | |
| Define personal data that falls under breach notification rules. CC ID 00800 | Establish/Maintain Documentation | Preventive | |
| Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Data and Information Management | Preventive | |
| Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Data and Information Management | Preventive | |
| Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Data and Information Management | Preventive | |
| Define an out of scope privacy breach. CC ID 04677 | Establish/Maintain Documentation | Preventive | |
| Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Business Processes | Preventive | |
| Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Monitor and Evaluate Occurrences | Preventive | |
| Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Monitor and Evaluate Occurrences | Preventive | |
| Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Monitor and Evaluate Occurrences | Preventive | |
| Conduct internal data processing audits. CC ID 00374 | Testing | Detective | |
| Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Communicate | Preventive | |
| Establish, implement, and maintain a personal data transfer program. CC ID 00307 | Establish/Maintain Documentation | Preventive | |
| Obtain consent from an individual prior to transferring personal data. CC ID 06948 | Data and Information Management | Preventive | |
| Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 | Establish/Maintain Documentation | Preventive | |
| Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 | Business Processes | Preventive | |
| Notify data subjects when their personal data is transferred. CC ID 00352 | Behavior | Preventive | |
| Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 | Establish/Maintain Documentation | Preventive | |
| Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 | Communicate | Preventive | |
| Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 | Data and Information Management | Preventive | |
| Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 | Data and Information Management | Preventive | |
| Prohibit the transfer of personal data when security is inadequate. CC ID 00345 | Data and Information Management | Preventive | |
| Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 | Data and Information Management | Preventive | |
| Refrain from transferring past the first transfer. CC ID 00347 | Data and Information Management | Preventive | |
| Document transfer disagreements by the data subject in writing. CC ID 00348 | Establish/Maintain Documentation | Preventive | |
| Allow the data subject the right to object to the personal data transfer. CC ID 00349 | Data and Information Management | Preventive | |
| Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 | Records Management | Preventive | |
| Follow the instructions of the data transferrer. CC ID 00334 | Behavior | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 | Establish/Maintain Documentation | Preventive | |
| Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 | Data and Information Management | Preventive | |
| Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Data and Information Management | Preventive | |
| Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 | Data and Information Management | Preventive | |
| Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Data and Information Management | Preventive | |
| Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Data and Information Management | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Data and Information Management | Preventive | |
| Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 | Data and Information Management | Preventive | |
| Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Data and Information Management | Preventive | |
| Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Data and Information Management | Preventive | |
| Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Data and Information Management | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Data and Information Management | Preventive | |
| Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 | Data and Information Management | Preventive | |
| Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 | Business Processes | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 | Establish/Maintain Documentation | Preventive | |
| Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 | Data and Information Management | Preventive | |
| Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 | Data and Information Management | Preventive | |
| Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 | Data and Information Management | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 | Data and Information Management | Preventive | |
| Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 | Data and Information Management | Preventive | |
| Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 | Data and Information Management | Preventive | |
| Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 | Data and Information Management | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 | Data and Information Management | Preventive | |
| Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 | Communicate | Preventive | |
| Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 | Behavior | Preventive | |
| Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 | Establish/Maintain Documentation | Preventive | |
| Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 | Data and Information Management | Preventive | |
| Obtain consent prior to downloading software to an individual's computer. CC ID 06951 | Data and Information Management | Preventive | |
| Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 | Process or Activity | Preventive | |
| Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 | Process or Activity | Preventive | |
| Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 | Process or Activity | Preventive | |
| Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a privacy impact assessment. CC ID 13712 | Establish/Maintain Documentation | Preventive | |
| Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 | Establish/Maintain Documentation | Preventive | |
| Include how to grant consent in the privacy impact assessment. CC ID 15519 | Establish/Maintain Documentation | Preventive | |
| Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 | Establish/Maintain Documentation | Preventive | |
| Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 | Establish/Maintain Documentation | Preventive | |
| Include data handling procedures in the privacy impact assessment. CC ID 15516 | Establish/Maintain Documentation | Preventive | |
| Include the intended use of information in the privacy impact assessment. CC ID 15515 | Establish/Maintain Documentation | Preventive | |
| Include the reason information is being collected in the privacy impact assessment. CC ID 15514 | Establish/Maintain Documentation | Preventive | |
| Include the type of information to be collected in the privacy impact assessment. CC ID 15513 | Business Processes | Preventive | |
| Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Communicate | Preventive | |
| Review compliance with the organization's privacy objectives. CC ID 13490 | Human Resources Management | Detective | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Data and Information Management | Preventive | |
| Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 | Behavior | Preventive | |
| Implement procedures to file privacy rights violation complaints. CC ID 00476 | Data and Information Management | Corrective | |
| File privacy rights violation complaints in writing. CC ID 00477 | Establish/Maintain Documentation | Corrective | |
| Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Establish/Maintain Documentation | Corrective | |
| Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Establish/Maintain Documentation | Preventive | |
| Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 | Behavior | Corrective | |
| Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 | Business Processes | Preventive | |
| File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 | Behavior | Corrective | |
| Change or destroy any personal data that is incorrect. CC ID 00462 | Data and Information Management | Corrective | |
| Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Behavior | Corrective | |
| Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Data and Information Management | Preventive | |
| Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Data and Information Management | Corrective | |
| Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 | Establish/Maintain Documentation | Preventive | |
| Include potential remedies in the privacy dispute resolution program. CC ID 12531 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 | Establish/Maintain Documentation | Preventive | |
| Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 | Establish/Maintain Documentation | Preventive | |
| Document unresolved challenges. CC ID 13568 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 | Establish/Maintain Documentation | Preventive | |
| Notify individuals of their right to challenge personal data. CC ID 00457 | Data and Information Management | Preventive | |
| Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 | Data and Information Management | Preventive | |
| Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 | Configuration | Preventive | |
| Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Human Resources Management | Preventive | |
| Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Data and Information Management | Preventive | |
| Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 | Communicate | Preventive | |
| Investigate the disputed accuracy of personal data. CC ID 00461 | Data and Information Management | Preventive | |
| Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 | Behavior | Corrective | |
| Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 | Behavior | Corrective | |
| Notify third parties of unresolved challenges. CC ID 13559 | Communicate | Preventive | |
| Document disagreements as to whether personal data is complete and accurate. CC ID 06952 | Establish/Maintain Documentation | Preventive | |
| Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 | Establish/Maintain Documentation | Preventive | |
| Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 | Data and Information Management | Corrective | |
| Investigate privacy rights violation complaints. CC ID 00480 | Behavior | Detective | |
| Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 | Business Processes | Corrective | |
| Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 | Behavior | Detective | |
| Include the allegations against the organization in the notice of investigation. CC ID 13031 | Establish/Maintain Documentation | Preventive | |
| Investigate privacy rights violation complaints in private. CC ID 00492 | Behavior | Detective | |
| Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 | Behavior | Detective | |
| Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 | Behavior | Detective | |
| Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 | Behavior | Preventive | |
| Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 | Behavior | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 | Behavior | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 | Behavior | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 | Behavior | Preventive | |
| Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 | Behavior | Preventive | |
| Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Behavior | Preventive | |
| Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 | Behavior | Preventive | |
| Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 | Behavior | Preventive | |
| Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 | Communicate | Corrective | |
| Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 | Establish/Maintain Documentation | Corrective | |
| Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 | Behavior | Corrective | |
| Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 | Establish/Maintain Documentation | Detective | |
| Order the organization to change to be in compliance with applicable law. CC ID 00499 | Behavior | Corrective | |
| Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 | Behavior | Corrective | |
| Award damages based on applicable law. CC ID 00501 | Behavior | Corrective | |
| Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 | Data and Information Management | Corrective | |
| Define the organization's liability based on the applicable law. CC ID 00504 | Establish/Maintain Documentation | Preventive | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Establish/Maintain Documentation | Preventive | |
| Define the appeal process based on the applicable law. CC ID 00506 | Establish/Maintain Documentation | Preventive | |
| Define the fee structure for the appeal process. CC ID 16532 | Process or Activity | Preventive | |
| Define the time requirements for the appeal process. CC ID 16531 | Process or Activity | Preventive | |
| Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Communicate | Preventive | |
| Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Communicate | Preventive | |
| Provide notice of proposed penalties. CC ID 06216 | Establish/Maintain Documentation | Preventive | |
| Notify the public and other agencies after a penalty becomes final. CC ID 06217 | Behavior | Preventive | |
| Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 | Testing | Detective | |
Records management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a record classification scheme. CC ID 00914 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a records authentication system. CC ID 11648 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. § 5.33 Control] | Establish/Maintain Documentation | Preventive | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 [Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements. § 7.10 Control] | Establish/Maintain Documentation | Preventive | |
| Supervise media destruction in accordance with organizational standards. CC ID 16456 | Business Processes | Preventive | |
| Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 | Data and Information Management | Preventive | |
| Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643 [Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. § 7.14 Control] | Data and Information Management | Preventive | |
| Degauss as a method of sanitizing electronic storage media. CC ID 00973 | Records Management | Preventive | |
| Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 | Testing | Detective | |
| Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 | Process or Activity | Preventive | |
| Maintain media sanitization equipment in operational condition. CC ID 00721 | Testing | Detective | |
| Use approved media sanitization equipment for destruction. CC ID 16459 | Business Processes | Preventive | |
| Define each system's disposition requirements for records and logs. CC ID 11651 | Process or Activity | Preventive | |
| Establish, implement, and maintain records disposition procedures. CC ID 00971 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. § 5.33 Control] | Establish/Maintain Documentation | Preventive | |
| Manage the disposition status for all records. CC ID 00972 | Records Management | Preventive | |
| Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313 | Data and Information Management | Preventive | |
| Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 [Information stored in information systems, devices or in any other storage media should be deleted when no longer required. § 8.10 Control] | Records Management | Preventive | |
| Place printed records awaiting destruction into secure containers. CC ID 12464 | Physical and Environmental Protection | Preventive | |
| Destroy printed records so they cannot be reconstructed. CC ID 11779 | Physical and Environmental Protection | Preventive | |
| Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 | Data and Information Management | Preventive | |
| Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 | Establish/Maintain Documentation | Preventive | |
| Maintain disposal records or redeployment records. CC ID 01644 | Establish/Maintain Documentation | Preventive | |
| Include the name of the signing officer in the disposal record. CC ID 15710 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain records management procedures. CC ID 11619 | Establish/Maintain Documentation | Preventive | |
| Protect records from loss in accordance with applicable requirements. CC ID 12007 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. § 5.33 Control] | Records Management | Preventive | |
| Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. § 5.33 Control] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 [Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements. § 7.10 Control] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain security label procedures. CC ID 06747 [An appropriate set of procedures for information labelling should be developed and implementedpan> in accordance with the information classification scheme nd-color:#CBD0E5;" class="term_secondary-verb">adopted by the organization. § 5.13 Control] | Establish/Maintain Documentation | Preventive | |
| Label restricted storage media appropriately. CC ID 00966 | Data and Information Management | Preventive | |
| Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records Management | Detective | |
| Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Establish/Maintain Documentation | Preventive | |
| Conspicuously locate the restricted record's overall classification. CC ID 01890 | Establish/Maintain Documentation | Preventive | |
| Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Establish/Maintain Documentation | Preventive | |
| Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Establish/Maintain Documentation | Preventive | |
| Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Establish/Maintain Documentation | Preventive | |
| Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Establish/Maintain Documentation | Preventive | |
| Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Data and Information Management | Preventive | |
| Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Technical Security | Preventive | |
| Establish the minimum originator requirements for security labels. CC ID 06579 | Establish/Maintain Documentation | Preventive | |
| Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Establish/Maintain Documentation | Preventive | |
| Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Establish/Maintain Documentation | Preventive | |
| Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain access controls for all records. CC ID 00371 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. § 5.33 Control] | Records Management | Preventive | |
| Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an information preservation policy. CC ID 16483 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain information preservation procedures. CC ID 06277 | Establish/Maintain Documentation | Preventive | |
| Implement and maintain high availability storage, as necessary. CC ID 00952 | Technical Security | Preventive | |
| Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 | Records Management | Preventive | |
| Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records Management | Preventive | |
| Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records Management | Preventive | |
| Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain online storage controls. CC ID 00942 | Technical Security | Preventive | |
| Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records Management | Preventive | |
| Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Testing | Detective | |
| Provide encryption for different types of electronic storage media. CC ID 00945 | Technical Security | Preventive | |
| Implement electronic storage media integrity controls. CC ID 00946 | Configuration | Preventive | |
| Automate electronic storage media integrity check controls. CC ID 00948 | Configuration | Preventive | |
| Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Configuration | Preventive | |
| Provide audit trails for all pertinent records. CC ID 00372 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain a removable storage media log. CC ID 12317 | Log Management | Preventive | |
| Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Establish/Maintain Documentation | Preventive | |
| Include the date and time in the removable storage media log. CC ID 12318 | Establish/Maintain Documentation | Preventive | |
| Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Establish/Maintain Documentation | Preventive | |
| Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Establish/Maintain Documentation | Preventive | |
| Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Establish/Maintain Documentation | Preventive | |
| Include the sender's name in the removable storage media log. CC ID 12752 | Establish/Maintain Documentation | Preventive | |
| Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Establish/Maintain Documentation | Preventive | |
| Include the reason for transfer in the removable storage media log. CC ID 12316 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Process or Activity | Preventive | |
| Identify electronic storage media that require downgrading. CC ID 10620 | Process or Activity | Detective | |
| Downgrade electronic storage media, as necessary. CC ID 10621 | Process or Activity | Corrective | |
| Document all actions taken when downgrading electronic storage media. CC ID 10622 | Establish/Maintain Documentation | Preventive | |
| Test the storage media downgrade for correct performance. CC ID 10623 | Testing | Detective | |
System hardening through configuration management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| System hardening through configuration management CC ID 00860 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a Configuration Management program. CC ID 00867 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 [Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. § 8.9 Control] | Establish/Maintain Documentation | Preventive | |
| Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | Establish/Maintain Documentation | Preventive | |
| Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | Establish/Maintain Documentation | Preventive | |
| Include the applied security patches in the baseline configuration. CC ID 13271 | Establish/Maintain Documentation | Preventive | |
| Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | Establish/Maintain Documentation | Preventive | |
| Include installed custom software in the baseline configuration. CC ID 13274 | Establish/Maintain Documentation | Preventive | |
| Include network ports in the baseline configuration. CC ID 13273 | Establish/Maintain Documentation | Preventive | |
| Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | Establish/Maintain Documentation | Preventive | |
| Remove all unnecessary functionality. CC ID 00882 | Configuration | Preventive | |
| Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827 | Configuration | Preventive | |
| Restrict and control the use of privileged utility programs. CC ID 12030 [The use of utility programs that can be capable of overriding system and application controls should be restricted and tightly controlled. § 8.18 Control] | Technical Security | Preventive | |
| Establish, implement, and maintain authenticators. CC ID 15305 | Technical Security | Preventive | |
| Establish, implement, and maintain an authenticator standard. CC ID 01702 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an authenticator management system. CC ID 12031 [Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information. § 5.17 Control] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a repository of authenticators. CC ID 16372 | Data and Information Management | Preventive | |
| Establish, implement, and maintain authenticator procedures. CC ID 12002 | Establish/Maintain Documentation | Preventive | |
| Restrict access to authentication files to authorized personnel, as necessary. CC ID 12127 | Technical Security | Preventive | |
| Configure authenticators to comply with organizational standards. CC ID 06412 | Configuration | Preventive | |
| Configure the system to require new users to change their authenticator on first use. CC ID 05268 | Configuration | Preventive | |
| Configure authenticators so that group authenticators or shared authenticators are prohibited. CC ID 00519 | Configuration | Preventive | |
| Change the authenticator for shared accounts when the group membership changes. CC ID 14249 | Business Processes | Corrective | |
| Configure the system to prevent unencrypted authenticator use. CC ID 04457 | Configuration | Preventive | |
| Disable store passwords using reversible encryption. CC ID 01708 | Configuration | Preventive | |
| Configure the system to encrypt authenticators. CC ID 06735 | Configuration | Preventive | |
| Configure the system to mask authenticators. CC ID 02037 | Configuration | Preventive | |
| Configure the authenticator policy to ban the use of usernames or user identifiers in authenticators. CC ID 05992 | Configuration | Preventive | |
| Configure the "minimum number of digits required for new passwords" setting to organizational standards. CC ID 08717 | Establish/Maintain Documentation | Preventive | |
| Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards. CC ID 08718 | Establish/Maintain Documentation | Preventive | |
| Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 | Configuration | Preventive | |
| Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards. CC ID 08719 | Establish/Maintain Documentation | Preventive | |
| Disable machine account password changes. CC ID 01737 | Configuration | Preventive | |
| Configure the "minimum number of special characters required for new passwords" setting to organizational standards. CC ID 08720 | Establish/Maintain Documentation | Preventive | |
| Configure the "require new passwords to differ from old ones by the appropriate minimum number of characters" setting to organizational standards. CC ID 08722 | Establish/Maintain Documentation | Preventive | |
| Configure the "password reuse" setting to organizational standards. CC ID 08724 | Establish/Maintain Documentation | Preventive | |
| Configure the "Disable Remember Password" setting. CC ID 05270 | Configuration | Preventive | |
| Configure the "Minimum password age" to organizational standards. CC ID 01703 | Configuration | Preventive | |
| Configure the LILO/GRUB password. CC ID 01576 | Configuration | Preventive | |
| Configure the system to use Apple's Keychain Access to store passwords and certificates. CC ID 04481 | Configuration | Preventive | |
| Change the default password to Apple's Keychain. CC ID 04482 | Configuration | Preventive | |
| Configure Apple's Keychain items to ask for the Keychain password. CC ID 04483 | Configuration | Preventive | |
| Configure the Syskey Encryption Key and associated password. CC ID 05978 | Configuration | Preventive | |
| Configure the "Accounts: Limit local account use of blank passwords to console logon only" setting. CC ID 04505 | Configuration | Preventive | |
| Configure the "System cryptography: Force strong key protection for user keys stored in the computer" setting. CC ID 04534 | Configuration | Preventive | |
| Configure interactive logon for accounts that do not have assigned authenticators in accordance with organizational standards. CC ID 05267 | Configuration | Preventive | |
| Enable or disable remote connections from accounts with empty authenticators, as appropriate. CC ID 05269 | Configuration | Preventive | |
| Configure the "Send LanMan compatible password" setting. CC ID 05271 | Configuration | Preventive | |
| Configure the authenticator policy to ban or allow authenticators as words found in dictionaries, as appropriate. CC ID 05993 | Configuration | Preventive | |
| Set the most number of characters required for the BitLocker Startup PIN correctly. CC ID 06054 | Configuration | Preventive | |
| Set the default folder for BitLocker recovery passwords correctly. CC ID 06055 | Configuration | Preventive | |
| Notify affected parties to keep authenticators confidential. CC ID 06787 | Behavior | Preventive | |
| Discourage affected parties from recording authenticators. CC ID 06788 | Behavior | Preventive | |
| Ensure the root account is the first entry in password files. CC ID 16323 | Data and Information Management | Detective | |
| Configure the "shadow password for all accounts in /etc/passwd" setting to organizational standards. CC ID 08721 | Establish/Maintain Documentation | Preventive | |
| Configure the "password hashing algorithm" setting to organizational standards. CC ID 08723 | Establish/Maintain Documentation | Preventive | |
| Configure the "Disable password strength validation for Peer Grouping" setting to organizational standards. CC ID 10866 | Configuration | Preventive | |
| Configure the "Set the interval between synchronization retries for Password Synchronization" setting to organizational standards. CC ID 11185 | Configuration | Preventive | |
| Configure the "Set the number of synchronization retries for servers running Password Synchronization" setting to organizational standards. CC ID 11187 | Configuration | Preventive | |
| Configure the "Turn off password security in Input Panel" setting to organizational standards. CC ID 11296 | Configuration | Preventive | |
| Configure the "Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory" setting to organizational standards. CC ID 11355 | Configuration | Preventive | |
| Configure the authenticator display screen to organizational standards. CC ID 13794 | Configuration | Preventive | |
| Configure the authenticator field to disallow memorized secrets found in the memorized secret list. CC ID 13808 | Configuration | Preventive | |
| Configure the authenticator display screen to display the memorized secret as an option. CC ID 13806 | Configuration | Preventive | |
| Disseminate and communicate with the end user when a memorized secret entered into an authenticator field matches one found in the memorized secret list. CC ID 13807 | Communicate | Preventive | |
| Configure the look-up secret authenticator to dispose of memorized secrets after their use. CC ID 13817 | Configuration | Corrective | |
| Configure the memorized secret verifiers to refrain from allowing anonymous users to access memorized secret hints. CC ID 13823 | Configuration | Preventive | |
| Configure the system to allow paste functionality for the authenticator field. CC ID 13819 | Configuration | Preventive | |
| Configure the system to require successful authentication before an authenticator for a user account is changed. CC ID 13821 | Configuration | Preventive | |
Systems design, build, and implementation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Systems design, build, and implementation CC ID 00989 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 | Systems Design, Build, and Implementation | Preventive | |
| Include information security throughout the system development life cycle. CC ID 12042 [Information security requirements should be identified, specified and approved when developing or acquiring applications. § 8.26 Control] | Systems Design, Build, and Implementation | Preventive | |
| Protect confidential information during the system development life cycle program. CC ID 13479 | Data and Information Management | Preventive | |
| Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain security design principles. CC ID 14718 [Principles for engineering secure systems should be established, documented, maintained and applied to any information system development activities. § 8.27 Control Rules for the secure development of software and systems should be established and applied. § 8.25 Control] | Systems Design, Build, and Implementation | Preventive | |
| Include reduced complexity of systems or system components in the security design principles. CC ID 14753 | Systems Design, Build, and Implementation | Preventive | |
| Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752 | Systems Design, Build, and Implementation | Preventive | |
| Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751 | Systems Design, Build, and Implementation | Preventive | |
| Include modularity and layering of systems or system components in the security design principles. CC ID 14750 | Systems Design, Build, and Implementation | Preventive | |
| Include secure evolvability of systems or system components in the security design principles. CC ID 14749 | Systems Design, Build, and Implementation | Preventive | |
| Include continuous protection of systems or system components in the security design principles. CC ID 14748 | Establish/Maintain Documentation | Preventive | |
| Include least common mechanisms between systems or system components in the security design principles. CC ID 14747 | Systems Design, Build, and Implementation | Preventive | |
| Include secure system modification of systems or system components in the security design principles. CC ID 14746 | Systems Design, Build, and Implementation | Preventive | |
| Include clear abstractions of systems or system components in the security design principles. CC ID 14745 | Systems Design, Build, and Implementation | Preventive | |
| Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744 | Systems Design, Build, and Implementation | Preventive | |
| Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743 | Systems Design, Build, and Implementation | Preventive | |
| Include least privilege of systems or system components in the security design principles. CC ID 14742 | Systems Design, Build, and Implementation | Preventive | |
| Include minimized sharing of systems or system components in the security design principles. CC ID 14741 | Systems Design, Build, and Implementation | Preventive | |
| Include acceptable security of systems or system components in the security design principles. CC ID 14740 | Systems Design, Build, and Implementation | Preventive | |
| Include minimized security elements in systems or system components in the security design principles. CC ID 14739 | Systems Design, Build, and Implementation | Preventive | |
| Include hierarchical protection in systems or system components in the security design principles. CC ID 14738 | Systems Design, Build, and Implementation | Preventive | |
| Include self-analysis of systems or system components in the security design principles. CC ID 14737 | Systems Design, Build, and Implementation | Preventive | |
| Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736 | Systems Design, Build, and Implementation | Preventive | |
| Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735 | Systems Design, Build, and Implementation | Preventive | |
| Include secure distributed composition of systems or system components in the security design principles. CC ID 14734 | Systems Design, Build, and Implementation | Preventive | |
| Include minimization of systems or system components in the security design principles. CC ID 14733 | Systems Design, Build, and Implementation | Preventive | |
| Include secure defaults in systems or system components in the security design principles. CC ID 14732 | Systems Design, Build, and Implementation | Preventive | |
| Include trusted communications channels for systems or system components in the security design principles. CC ID 14731 | Systems Design, Build, and Implementation | Preventive | |
| Include economic security in systems or system components in the security design principles. CC ID 14730 | Systems Design, Build, and Implementation | Preventive | |
| Include trusted components of systems or system components in the security design principles. CC ID 14729 | Systems Design, Build, and Implementation | Preventive | |
| Include procedural rigor in systems or system components in the security design principles. CC ID 14728 | Systems Design, Build, and Implementation | Preventive | |
| Include accountability and traceability of systems or system components in the security design principles. CC ID 14727 | Systems Design, Build, and Implementation | Preventive | |
| Include hierarchical trust in systems or system components in the security design principles. CC ID 14726 | Systems Design, Build, and Implementation | Preventive | |
| Include sufficient documentation for systems or system components in the security design principles. CC ID 14725 | Systems Design, Build, and Implementation | Preventive | |
| Include performance security of systems or system components in the security design principles. CC ID 14724 | Systems Design, Build, and Implementation | Preventive | |
| Include human factored security in systems or system components in the security design principles. CC ID 14723 | Systems Design, Build, and Implementation | Preventive | |
| Include secure metadata management of systems or system components in the security design principles. CC ID 14722 | Systems Design, Build, and Implementation | Preventive | |
| Include predicate permission of systems or system components in the security design principles. CC ID 14721 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain a system design project management framework. CC ID 00990 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain project management standards. CC ID 00992 [Information security should be integrated into project management. § 5.8 Control] | Establish/Maintain Documentation | Preventive | |
| Include participation by each affected user department in the implementation phase of the project plan. CC ID 00993 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain a project program documentation standard. CC ID 00995 | Establish/Maintain Documentation | Preventive | |
| Include budgeting for projects in the project management standard. CC ID 13136 | Establish/Maintain Documentation | Preventive | |
| Formally approve the initiation of each project phase. CC ID 00997 | Systems Design, Build, and Implementation | Detective | |
| Establish, implement, and maintain integrated project plans. CC ID 01056 | Establish/Maintain Documentation | Preventive | |
| Perform a risk assessment for each system development project. CC ID 01000 | Testing | Detective | |
| Establish, implement, and maintain a project control program. CC ID 01612 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a project test plan. CC ID 01001 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a project team plan. CC ID 06533 | Establish/Maintain Documentation | Preventive | |
| Identify accreditation tasks. CC ID 00999 | Systems Design, Build, and Implementation | Detective | |
| Include the addition of new hires, part-time employees, or third party assistance in the project team plan. CC ID 11731 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a project management training plan. CC ID 01002 | Establish/Maintain Documentation | Preventive | |
| Conduct a post implementation review when the system design project ends. CC ID 01003 | Testing | Detective | |
| Separate the design and development environment from the production environment. CC ID 06088 [{development environment}{test environment} Development, testing and production environments should be separated and secured. § 8.31 Control] | Systems Design, Build, and Implementation | Preventive | |
| Specify appropriate tools for the system development project. CC ID 06830 | Establish/Maintain Documentation | Preventive | |
| Implement security controls in development endpoints. CC ID 16389 | Testing | Preventive | |
| Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems Design, Build, and Implementation | Preventive | |
| Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain outsourced development procedures. CC ID 01141 | Establish/Maintain Documentation | Preventive | |
| Supervise and monitor outsourced development projects. CC ID 01096 [The organization should direct, monitor and review the activities related to outsourced system development. § 8.30 Control] | Monitor and Evaluate Occurrences | Detective | |
| Develop new products based on best practices. CC ID 01095 | Systems Design, Build, and Implementation | Preventive | |
| Protect application program libraries. CC ID 11762 [{read access}{software development tool} Read and write access to source code, development tools and software libraries should be appropriately managed. § 8.4 Control] | Technical Security | Preventive | |
| Establish and maintain access rights to source code based upon least privilege. CC ID 06962 [{read access}{software development tool} Read and write access to source code, development tools and software libraries should be appropriately managed. § 8.4 Control] | Technical Security | Preventive | |
| Develop new products based on secure coding techniques. CC ID 11733 [Secure coding principles should be applied to software development. § 8.28 Control] | Systems Design, Build, and Implementation | Preventive | |
| Establish and maintain a coding manual for secure coding techniques. CC ID 11863 [Rules for the secure development of software and systems should be established and applied. § 8.25 Control] | Establish/Maintain Documentation | Preventive | |
| Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Technical Security | Preventive | |
| Protect applications from improper access control through secure coding techniques in source code. CC ID 11959 | Technical Security | Preventive | |
| Protect applications from improper error handling through secure coding techniques in source code. CC ID 11937 | Technical Security | Preventive | |
| Protect applications from insecure communications through secure coding techniques in source code. CC ID 11936 | Technical Security | Preventive | |
| Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems Design, Build, and Implementation | Preventive | |
| Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Technical Security | Preventive | |
| Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Technical Security | Preventive | |
| Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems Design, Build, and Implementation | Preventive | |
| Refrain from hard-coding usernames in source code. CC ID 06561 | Technical Security | Preventive | |
| Refrain from hard-coding authenticators in source code. CC ID 11829 | Technical Security | Preventive | |
| Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Technical Security | Preventive | |
| Protect applications from injection flaws through secure coding techniques in source code. CC ID 11944 | Technical Security | Preventive | |
| Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems Design, Build, and Implementation | Preventive | |
| Control user account management through secure coding techniques in source code. CC ID 11909 | Technical Security | Preventive | |
| Restrict direct access of databases to the database administrator through secure coding techniques in source code. CC ID 11933 | Technical Security | Preventive | |
| Protect applications from buffer overflows through secure coding techniques in source code. CC ID 11943 | Technical Security | Preventive | |
| Protect applications from cross-site scripting through secure coding techniques in source code. CC ID 11899 | Process or Activity | Preventive | |
| Protect against coding vulnerabilities through secure coding techniques in source code. CC ID 11897 | Process or Activity | Preventive | |
| Protect applications from broken authentication and session management through secure coding techniques in source code. CC ID 11896 | Process or Activity | Preventive | |
| Protect applications from insecure cryptographic storage through secure coding techniques in source code. CC ID 11935 | Technical Security | Preventive | |
| Protect applications from cross-site request forgery through secure coding techniques in source code. CC ID 11895 | Process or Activity | Preventive | |
| Protect databases from unauthorized database management actions through secure coding techniques in source code. CC ID 12049 | Technical Security | Preventive | |
| Refrain from displaying error messages to end users through secure coding techniques in source code. CC ID 12166 | Systems Design, Build, and Implementation | Preventive | |
| Configure software development tools in accordance with organizational standards. CC ID 16387 | Configuration | Preventive | |
| Address known coding vulnerabilities as a part of secure coding techniques. CC ID 12493 | Systems Design, Build, and Implementation | Corrective | |
| Standardize Application Programming Interfaces. CC ID 12167 | Technical Security | Preventive | |
| Include all confidentiality, integrity, and availability functions in the system design specification. CC ID 04556 | Establish/Maintain Documentation | Preventive | |
| Include the relationships and dependencies between modules in the system design specification. CC ID 04559 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a security policy model document. CC ID 04560 | Establish/Maintain Documentation | Preventive | |
| Perform Quality Management on all newly developed or modified systems. CC ID 01100 | Testing | Detective | |
| Establish, implement, and maintain a system testing policy. CC ID 01102 | Establish/Maintain Documentation | Preventive | |
| Configure the test environment similar to the production environment. CC ID 06837 [{development environment}{test environment} Development, testing and production environments should be separated and secured. § 8.31 Control] | Configuration | Preventive | |
| Establish, implement, and maintain system testing procedures. CC ID 11744 [Security testing processes should be defined and implemented in the development life cycle. § 8.29 Control] | Establish/Maintain Documentation | Preventive | |
| Restrict production data from being used in the test environment. CC ID 01103 | Testing | Detective | |
| Protect test data in the development environment. CC ID 12014 [Test information should be appropriately selected, protected and managed. § 8.33 Control] | Technical Security | Preventive | |
| Control the test data used in the development environment. CC ID 12013 [Test information should be appropriately selected, protected and managed. § 8.33 Control] | Systems Design, Build, and Implementation | Preventive | |
| Select the test data carefully. CC ID 12011 [Test information should be appropriately selected, protected and managed. § 8.33 Control] | Systems Design, Build, and Implementation | Preventive | |
| Test all software changes before promoting the system to a production environment. CC ID 01106 | Testing | Detective | |
| Test security functionality during the development process. CC ID 12015 | Testing | Preventive | |
| Include system performance in the scope of system testing. CC ID 12624 | Process or Activity | Preventive | |
| Include security controls in the scope of system testing. CC ID 12623 | Process or Activity | Preventive | |
| Include business logic in the scope of system testing. CC ID 12622 | Process or Activity | Preventive | |
| Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 | Testing | Detective | |
| Review and test source code. CC ID 01086 | Testing | Detective | |
| Assign the review of custom code changes to individuals other than the code author. CC ID 06291 | Establish Roles | Preventive | |
| Evaluate and document all known code anomalies and code deficiencies. CC ID 06611 | Establish/Maintain Documentation | Preventive | |
| Correct code anomalies and code deficiencies in custom code and retest before release. CC ID 06292 | Testing | Corrective | |
| Approve all custom code test results before code is released. CC ID 06293 | Testing | Detective | |
| Disseminate and communicate the system testing procedures to interested personnel and affected parties. CC ID 15471 | Communicate | Preventive | |
| Establish, implement, and maintain poor quality material removal procedures. CC ID 06214 | Establish/Maintain Documentation | Preventive | |
Technical security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a digital identity management program. CC ID 13713 [The full life cycle of identities should be managed. § 5.16 Control] | Establish/Maintain Documentation | Preventive | |
| Establish the requirements for Identity Assurance Levels. CC ID 13857 | Technical Security | Preventive | |
| Establish, implement, and maintain an authorized representatives policy. CC ID 13798 | Establish/Maintain Documentation | Preventive | |
| Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Establish/Maintain Documentation | Preventive | |
| Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Establish/Maintain Documentation | Preventive | |
| Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Establish/Maintain Documentation | Preventive | |
| Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain digital identification procedures. CC ID 13714 | Establish/Maintain Documentation | Preventive | |
| Implement digital identification processes. CC ID 13731 | Process or Activity | Preventive | |
| Implement identity proofing processes. CC ID 13719 | Process or Activity | Preventive | |
| Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 | Process or Activity | Preventive | |
| Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 | Process or Activity | Preventive | |
| Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 | Process or Activity | Detective | |
| Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 | Process or Activity | Preventive | |
| Establish, implement, and maintain remote proofing procedures. CC ID 13796 | Establish/Maintain Documentation | Preventive | |
| Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 | Configuration | Preventive | |
| Interact with the data subject when performing remote proofing. CC ID 13777 | Process or Activity | Detective | |
| Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 | Process or Activity | Preventive | |
| View all applicant actions when performing remote proofing. CC ID 13804 | Process or Activity | Detective | |
| Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 | Process or Activity | Preventive | |
| Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 | Process or Activity | Detective | |
| Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 | Process or Activity | Detective | |
| Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 | Process or Activity | Preventive | |
| Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 | Process or Activity | Preventive | |
| Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 | Process or Activity | Detective | |
| Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 | Process or Activity | Preventive | |
| Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 | Configuration | Preventive | |
| Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 | Configuration | Preventive | |
| Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 | Configuration | Preventive | |
| Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 | Process or Activity | Preventive | |
| Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 | Process or Activity | Detective | |
| Validate proof of identity during the identity proofing process. CC ID 13756 | Process or Activity | Detective | |
| Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 | Business Processes | Detective | |
| Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 | Process or Activity | Detective | |
| Verify proof of identity records. CC ID 13761 | Investigate | Detective | |
| Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Process or Activity | Detective | |
| Allow records that relate to the data subject as proof of identity. CC ID 13772 | Process or Activity | Preventive | |
| Conduct in-person proofing with physical interactions. CC ID 13775 | Process or Activity | Detective | |
| Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 | Process or Activity | Preventive | |
| Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 | Process or Activity | Preventive | |
| Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 | Process or Activity | Preventive | |
| Refrain from approving attributes in the identity proofing process. CC ID 13716 | Process or Activity | Preventive | |
| Reperform the identity proofing process for each individual, as necessary. CC ID 13762 | Process or Activity | Detective | |
| Establish, implement, and maintain federated identity systems. CC ID 13837 | Technical Security | Preventive | |
| Authenticate all systems in a federated identity system. CC ID 13835 | Technical Security | Preventive | |
| Send and receive authentication assertions, as necessary. CC ID 13839 | Technical Security | Preventive | |
| Make the assertion reference for authentication assertions single-use. CC ID 13843 | Technical Security | Preventive | |
| Validate the issuer in the authentication assertion. CC ID 13878 | Technical Security | Detective | |
| Limit the lifetime of the assertion reference. CC ID 13874 | Technical Security | Preventive | |
| Refrain from using authentication assertions that have expired. CC ID 13872 | Technical Security | Preventive | |
| Protect the authentication assertion from unauthorized access or unauthorized disclosure. CC ID 16836 | Technical Security | Preventive | |
| Include the issuer identifier in the authentication assertion. CC ID 13865 | Technical Security | Preventive | |
| Include attribute metadata in the authentication assertion. CC ID 13856 | Technical Security | Preventive | |
| Include the authentication time in the authentication assertion. CC ID 13855 | Technical Security | Preventive | |
| Validate each element within the authentication assertion. CC ID 13853 | Technical Security | Preventive | |
| Validate the timestamp in the authentication assertion. CC ID 13875 | Technical Security | Detective | |
| Validate the digital signature in the authentication assertion. CC ID 13869 | Technical Security | Detective | |
| Validate the signature validation element in the authentication assertion. CC ID 13867 | Technical Security | Detective | |
| Validate the audience restriction element in the authentication assertion. CC ID 13866 | Technical Security | Detective | |
| Include the subject in the authentication assertion. CC ID 13852 | Technical Security | Preventive | |
| Include the target audience in the authentication assertion. CC ID 13851 | Technical Security | Preventive | |
| Include audience restrictions in the authentication assertion. CC ID 13870 | Technical Security | Preventive | |
| Include the issue date in the authentication assertion. CC ID 13850 | Technical Security | Preventive | |
| Revoke authentication assertions, as necessary. CC ID 16534 | Technical Security | Preventive | |
| Include the expiration date in the authentication assertion. CC ID 13849 | Technical Security | Preventive | |
| Include identifiers in the authentication assertion. CC ID 13848 | Technical Security | Preventive | |
| Include digital signatures in the authentication assertion. CC ID 13847 | Technical Security | Preventive | |
| Include key binding in the authentication assertion. CC ID 13846 | Technical Security | Preventive | |
| Include attribute references in the authentication assertion. CC ID 13845 | Technical Security | Preventive | |
| Include attribute values in the authentication assertion. CC ID 13844 | Technical Security | Preventive | |
| Limit the use of the assertion reference to a single organization. CC ID 13841 | Technical Security | Preventive | |
| Request attribute references instead of attribute values during the presentation of an authentication assertion. CC ID 13840 | Technical Security | Preventive | |
| Define the assertion level for authentication assertions. CC ID 13873 | Technical Security | Preventive | |
| Refrain from assigning assertion levels for authentication assertions when not defined. CC ID 13879 | Technical Security | Preventive | |
| Authenticate systems referenced in the whitelist. CC ID 13838 | Technical Security | Preventive | |
| Place nonmembers of whitelists and blacklists into a gray area until a runtime decision is made during the authentication assertion. CC ID 13854 | Technical Security | Preventive | |
| Require runtime decisions regarding authentication for organizations that are excluded from the whitelist. CC ID 13842 | Technical Security | Preventive | |
| Establish, implement, and maintain an access control program. CC ID 11702 | Establish/Maintain Documentation | Preventive | |
| Include guidance for how users should protect their authentication credentials in the access control program. CC ID 11929 [Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information. § 5.17 Control] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 [Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control. § 5.18 Control] | Establish/Maintain Documentation | Preventive | |
| Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical Security | Preventive | |
| Inventory all user accounts. CC ID 13732 | Establish/Maintain Documentation | Preventive | |
| Identify information system users. CC ID 12081 | Technical Security | Detective | |
| Review user accounts. CC ID 00525 | Technical Security | Detective | |
| Match user accounts to authorized parties. CC ID 12126 | Configuration | Detective | |
| Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082 | Technical Security | Detective | |
| Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Data and Information Management | Preventive | |
| Review shared accounts. CC ID 11840 | Technical Security | Detective | |
| Control access rights to organizational assets. CC ID 00004 [{physical access} Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. § 5.15 Control Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control. § 5.18 Control The allocation and use of privileged access rights should be restricted and managed. § 8.2 Control Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. § 8.3 Control] | Technical Security | Preventive | |
| Configure access control lists in accordance with organizational standards. CC ID 16465 | Configuration | Preventive | |
| Add all devices requiring access control to the Access Control List. CC ID 06264 | Establish/Maintain Documentation | Preventive | |
| Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical Security | Preventive | |
| Disallow application IDs from running as privileged users. CC ID 10050 | Configuration | Detective | |
| Define roles for information systems. CC ID 12454 | Human Resources Management | Preventive | |
| Define access needs for each role assigned to an information system. CC ID 12455 | Human Resources Management | Preventive | |
| Define access needs for each system component of an information system. CC ID 12456 | Technical Security | Preventive | |
| Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical Security | Preventive | |
| Establish access rights based on least privilege. CC ID 01411 [The allocation and use of privileged access rights should be restricted and managed. § 8.2 Control] | Technical Security | Preventive | |
| Assign user permissions based on job responsibilities. CC ID 00538 | Technical Security | Preventive | |
| Assign user privileges after they have management sign off. CC ID 00542 | Technical Security | Preventive | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 [Groups of information services, users and information systems should be segregated in the organization's networks. § 8.22 Control] | Configuration | Preventive | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical Security | Preventive | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Configuration | Preventive | |
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Communicate | Corrective | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical Security | Preventive | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 | Configuration | Preventive | |
| Limit concurrent sessions according to account type. CC ID 01416 | Configuration | Preventive | |
| Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical Security | Preventive | |
| Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Configuration | Preventive | |
| Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Configuration | Preventive | |
| Configure the "tlscert" argument to organizational standards. CC ID 14520 | Configuration | Preventive | |
| Configure the "tlskey" argument to organizational standards. CC ID 14519 | Configuration | Preventive | |
| Enable access control for objects and users on each system. CC ID 04553 | Configuration | Preventive | |
| Include all system components in the access control system. CC ID 11939 | Technical Security | Preventive | |
| Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Process or Activity | Preventive | |
| Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical Security | Preventive | |
| Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical Security | Preventive | |
| Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical Security | Preventive | |
| Include the objects and users subject to access control in the security policy. CC ID 11836 | Establish/Maintain Documentation | Preventive | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Establish Roles | Preventive | |
| Enforce access restrictions for change control. CC ID 01428 | Technical Security | Preventive | |
| Enforce access restrictions for restricted data. CC ID 01921 [{physical access} Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. § 5.15 Control Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. § 8.3 Control] | Data and Information Management | Preventive | |
| Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical Security | Preventive | |
| Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Testing | Detective | |
| Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical Security | Preventive | |
| Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Establish/Maintain Documentation | Preventive | |
| Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Establish/Maintain Documentation | Preventive | |
| Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical Security | Preventive | |
| Display previous logon information in the logon banner. CC ID 01415 | Configuration | Preventive | |
| Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Establish/Maintain Documentation | Preventive | |
| Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical Security | Preventive | |
| Control user privileges. CC ID 11665 [Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control. § 5.18 Control] | Technical Security | Preventive | |
| Review all user privileges, as necessary. CC ID 06784 [Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control. § 5.18 Control] | Technical Security | Preventive | |
| Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 | Behavior | Corrective | |
| Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 | Configuration | Preventive | |
| Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 | Behavior | Corrective | |
| Change authenticators after personnel status changes. CC ID 12284 | Human Resources Management | Preventive | |
| Review each user's access capabilities when their role changes. CC ID 00524 | Technical Security | Preventive | |
| Establish and maintain a Digital Rights Management program. CC ID 07093 | Establish/Maintain Documentation | Preventive | |
| Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 | Technical Security | Preventive | |
| Establish, implement, and maintain User Access Management procedures. CC ID 00514 | Technical Security | Preventive | |
| Establish, implement, and maintain an authority for access authorization list. CC ID 06782 | Establish/Maintain Documentation | Preventive | |
| Review and approve logical access to all assets based upon organizational policies. CC ID 06641 | Technical Security | Preventive | |
| Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 | Technical Security | Preventive | |
| Assign roles and responsibilities for administering user account management. CC ID 11900 | Human Resources Management | Preventive | |
| Automate access control methods, as necessary. CC ID 11838 | Technical Security | Preventive | |
| Automate Access Control Systems, as necessary. CC ID 06854 | Technical Security | Preventive | |
| Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical Security | Preventive | |
| Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 | Technical Security | Preventive | |
| Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Communicate | Detective | |
| Remove inactive user accounts, as necessary. CC ID 00517 | Technical Security | Corrective | |
| Remove temporary user accounts, as necessary. CC ID 11839 | Technical Security | Corrective | |
| Establish, implement, and maintain a password policy. CC ID 16346 | Establish/Maintain Documentation | Preventive | |
| Enforce the password policy. CC ID 16347 | Technical Security | Preventive | |
| Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Establish/Maintain Documentation | Preventive | |
| Limit superuser accounts to designated System Administrators. CC ID 06766 | Configuration | Preventive | |
| Enforce usage restrictions for superuser accounts. CC ID 07064 | Technical Security | Preventive | |
| Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 | Technical Security | Preventive | |
| Protect and manage biometric systems and biometric data. CC ID 01261 | Technical Security | Preventive | |
| Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Establish/Maintain Documentation | Preventive | |
| Document the business need justification for authentication data storage. CC ID 06325 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an identification and authentication policy. CC ID 14033 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain identification and authentication procedures. CC ID 14053 [Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. § 8.5 Control] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Communicate | Preventive | |
| Include digital identification procedures in the access control program. CC ID 11841 | Technical Security | Preventive | |
| Require proper authentication for user identifiers. CC ID 11785 | Technical Security | Preventive | |
| Assign authentication mechanisms for user account authentication. CC ID 06856 [Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. § 8.5 Control] | Configuration | Preventive | |
| Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 | Technical Security | Preventive | |
| Establish and maintain a memorized secret list. CC ID 13791 | Establish/Maintain Documentation | Preventive | |
| Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Configuration | Preventive | |
| Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical Security | Preventive | |
| Identify and control all network access controls. CC ID 00529 | Technical Security | Preventive | |
| Establish, implement, and maintain a network configuration standard. CC ID 00530 [Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. § 8.9 Control] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain network segmentation requirements. CC ID 16380 | Establish/Maintain Documentation | Preventive | |
| Enforce the network segmentation requirements. CC ID 16381 | Process or Activity | Preventive | |
| Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 | Technical Security | Preventive | |
| Establish, implement, and maintain a network security policy. CC ID 06440 [Networks and network devices should be secured, managed and controlled to protect information in systems and applications. § 8.20 Control] | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the network security policy. CC ID 14205 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the network security policy. CC ID 14204 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the network security policy. CC ID 14203 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the network security policy. CC ID 14202 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the network security policy. CC ID 14201 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the network security policy. CC ID 14200 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Communicate | Preventive | |
| Establish, implement, and maintain system and communications protection procedures. CC ID 14052 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 | Communicate | Preventive | |
| Establish, implement, and maintain a wireless networking policy. CC ID 06732 | Establish/Maintain Documentation | Preventive | |
| Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Establish/Maintain Documentation | Preventive | |
| Maintain up-to-date network diagrams. CC ID 00531 | Establish/Maintain Documentation | Preventive | |
| Include the date of the most recent update on the network diagram. CC ID 14319 | Establish/Maintain Documentation | Preventive | |
| Include virtual systems in the network diagram. CC ID 16324 | Data and Information Management | Preventive | |
| Include the organization's name in the network diagram. CC ID 14318 | Establish/Maintain Documentation | Preventive | |
| Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 | Process or Activity | Detective | |
| Include Internet Protocol addresses in the network diagram. CC ID 16244 | Establish/Maintain Documentation | Preventive | |
| Include Domain Name System names in the network diagram. CC ID 16240 | Establish/Maintain Documentation | Preventive | |
| Accept, by formal signature, the security implications of the network topology. CC ID 12323 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Communicate | Preventive | |
| Maintain up-to-date data flow diagrams. CC ID 10059 | Establish/Maintain Documentation | Preventive | |
| Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 | Process or Activity | Detective | |
| Establish, implement, and maintain a sensitive information inventory. CC ID 13736 | Establish/Maintain Documentation | Detective | |
| Include information flows to third parties in the data flow diagram. CC ID 13185 | Establish/Maintain Documentation | Preventive | |
| Document where data-at-rest and data in transit is encrypted on the data flow diagram. CC ID 16412 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 | Communicate | Preventive | |
| Enforce information flow control. CC ID 11781 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 [Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. § 5.14 Control] | Establish/Maintain Documentation | Preventive | |
| Define risk tolerance to illicit data flow for each type of information classification. CC ID 01923 | Data and Information Management | Preventive | |
| Establish, implement, and maintain a document printing policy. CC ID 14384 | Establish/Maintain Documentation | Preventive | |
| Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain information flow procedures. CC ID 04542 [Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. § 5.14 Control] | Establish/Maintain Documentation | Preventive | |
| Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 | Data and Information Management | Preventive | |
| Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 | Data and Information Management | Preventive | |
| Establish, implement, and maintain information exchange procedures. CC ID 11782 | Establish/Maintain Documentation | Preventive | |
| Perform content sanitization on data-in-transit. CC ID 16512 | Data and Information Management | Preventive | |
| Perform content conversion on data-in-transit. CC ID 16510 | Data and Information Management | Preventive | |
| Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 | Data and Information Management | Preventive | |
| Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 | Data and Information Management | Preventive | |
| Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 | Data and Information Management | Preventive | |
| Review and approve information exchange system connections. CC ID 07143 | Technical Security | Preventive | |
| Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 | Log Management | Preventive | |
| Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 | Technical Security | Preventive | |
| Refrain from storing restricted data at unsafe Internet services or virtual servers. CC ID 13107 | Technical Security | Preventive | |
| Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 [Access to external websites should be managed to reduce exposure to malicious content. § 8.23 Control] | Establish/Maintain Documentation | Preventive | |
| Revoke membership in the whitelist, as necessary. CC ID 13827 | Establish/Maintain Documentation | Corrective | |
| Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 | Configuration | Preventive | |
| Block uncategorized sites using URL filtering. CC ID 12140 | Technical Security | Preventive | |
| Subscribe to a URL categorization service to maintain website category definitions in the URL filter list. CC ID 12139 | Technical Security | Detective | |
| Establish, implement, and maintain whitelists and blacklists of web content. CC ID 15234 | Data and Information Management | Preventive | |
| Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780 | Establish/Maintain Documentation | Preventive | |
| Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094 | Behavior | Preventive | |
| Control all methods of remote access and teleworking. CC ID 00559 [{remote working arrangement} Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization's premises. § 6.7 Control] | Technical Security | Preventive | |
| Assign virtual escorting to authorized personnel. CC ID 16440 | Process or Activity | Preventive | |
| Establish, implement, and maintain a remote access and teleworking program. CC ID 04545 | Establish/Maintain Documentation | Preventive | |
| Include information security requirements in the remote access and teleworking program. CC ID 15704 | Establish/Maintain Documentation | Preventive | |
| Refrain from allowing remote users to copy files to remote devices. CC ID 06792 | Technical Security | Preventive | |
| Control remote administration in accordance with organizational standards. CC ID 04459 | Configuration | Preventive | |
| Scan the system to verify modems are disabled or removed, except the modems that are explicitly approved. CC ID 00560 | Testing | Detective | |
| Control remote access through a network access control. CC ID 01421 | Technical Security | Preventive | |
| Install and maintain remote control software and other remote control mechanisms on critical systems. CC ID 06371 | Configuration | Preventive | |
| Prohibit remote access to systems processing cleartext restricted data or restricted information. CC ID 12324 | Technical Security | Preventive | |
| Employ multifactor authentication for remote access to the organization's network. CC ID 12505 | Technical Security | Preventive | |
| Implement multifactor authentication techniques. CC ID 00561 | Configuration | Preventive | |
| Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical Security | Preventive | |
| Document and approve requests to bypass multifactor authentication. CC ID 15464 | Establish/Maintain Documentation | Preventive | |
| Limit the source addresses from which remote administration is performed. CC ID 16393 | Technical Security | Preventive | |
| Protect remote access accounts with encryption. CC ID 00562 | Configuration | Preventive | |
| Monitor and evaluate all remote access usage. CC ID 00563 | Monitor and Evaluate Occurrences | Detective | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical Security | Preventive | |
| Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 [Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented. § 8.24 Control] | Establish/Maintain Documentation | Preventive | |
| Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Configuration | Preventive | |
| Encrypt in scope data or in scope information, as necessary. CC ID 04824 | Data and Information Management | Preventive | |
| Digitally sign records and data, as necessary. CC ID 16507 | Data and Information Management | Preventive | |
| Make key usage for data fields unique for each device. CC ID 04828 | Technical Security | Preventive | |
| Decrypt restricted data for the minimum time required. CC ID 12308 | Data and Information Management | Preventive | |
| Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Data and Information Management | Preventive | |
| Accept only trusted keys and/or certificates. CC ID 11988 | Technical Security | Preventive | |
| Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Data and Information Management | Preventive | |
| Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Process or Activity | Preventive | |
| Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Process or Activity | Preventive | |
| Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Communicate | Preventive | |
| Define the format of the biometric data on identification cards or badges. CC ID 06586 | Process or Activity | Preventive | |
| Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Data and Information Management | Preventive | |
| Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 [Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented. § 8.24 Control] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Communicate | Preventive | |
| Bind keys to each identity. CC ID 12337 | Technical Security | Preventive | |
| Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Establish/Maintain Documentation | Preventive | |
| Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Establish/Maintain Documentation | Preventive | |
| Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Data and Information Management | Preventive | |
| Generate strong cryptographic keys. CC ID 01299 | Data and Information Management | Preventive | |
| Generate unique cryptographic keys for each user. CC ID 12169 | Technical Security | Preventive | |
| Use approved random number generators for creating cryptographic keys. CC ID 06574 | Data and Information Management | Preventive | |
| Implement decryption keys so that they are not linked to user accounts. CC ID 06851 | Technical Security | Preventive | |
| Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate cryptographic keys securely. CC ID 01300 | Data and Information Management | Preventive | |
| Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Data and Information Management | Preventive | |
| Store cryptographic keys securely. CC ID 01298 | Data and Information Management | Preventive | |
| Restrict access to cryptographic keys. CC ID 01297 | Data and Information Management | Preventive | |
| Store cryptographic keys in encrypted format. CC ID 06084 | Data and Information Management | Preventive | |
| Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical Security | Preventive | |
| Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Establish/Maintain Documentation | Preventive | |
| Change cryptographic keys in accordance with organizational standards. CC ID 01302 | Data and Information Management | Preventive | |
| Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Data and Information Management | Preventive | |
| Control cryptographic keys with split knowledge and dual control. CC ID 01304 | Data and Information Management | Preventive | |
| Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 | Data and Information Management | Preventive | |
| Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical Security | Preventive | |
| Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 | Data and Information Management | Corrective | |
| Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 | Data and Information Management | Corrective | |
| Archive outdated cryptographic keys. CC ID 06884 | Data and Information Management | Preventive | |
| Archive revoked cryptographic keys. CC ID 11819 | Data and Information Management | Preventive | |
| Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Establish/Maintain Documentation | Preventive | |
| Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 | Human Resources Management | Preventive | |
| Test cryptographic key management applications, as necessary. CC ID 04829 | Testing | Detective | |
| Manage the digital signature cryptographic key pair. CC ID 06576 | Data and Information Management | Preventive | |
| Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Establish/Maintain Documentation | Preventive | |
| Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Establish Roles | Preventive | |
| Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Establish/Maintain Documentation | Preventive | |
| Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Establish/Maintain Documentation | Preventive | |
| Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Establish/Maintain Documentation | Preventive | |
| Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Establish/Maintain Documentation | Preventive | |
| Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Establish/Maintain Documentation | Preventive | |
| Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical Security | Preventive | |
| Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical Security | Preventive | |
| Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 | Establish/Maintain Documentation | Preventive | |
| Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 | Establish/Maintain Documentation | Preventive | |
| Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Establish/Maintain Documentation | Preventive | |
| Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Establish/Maintain Documentation | Preventive | |
| Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical Security | Preventive | |
| Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Records Management | Preventive | |
| Establish, implement, and maintain a malicious code protection program. CC ID 00574 [Protection against malware should be implemented and supported by appropriate user awareness. § 8.7 Control] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Communicate | Preventive | |
| Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 | Communicate | Preventive | |
| Establish, implement, and maintain malicious code protection procedures. CC ID 15483 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Establish/Maintain Documentation | Preventive | |
| Restrict downloading to reduce malicious code attacks. CC ID 04576 | Behavior | Preventive | |
| Install security and protection software, as necessary. CC ID 00575 | Configuration | Preventive | |
| Install and maintain container security solutions. CC ID 16178 | Technical Security | Preventive | |
| Scan for malicious code, as necessary. CC ID 11941 | Investigate | Detective | |
| Test all removable storage media for viruses and malicious code. CC ID 11861 | Testing | Detective | |
| Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 | Testing | Detective | |
| Remove malware when malicious code is discovered. CC ID 13691 | Process or Activity | Corrective | |
| Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Communicate | Corrective | |
| Protect the system against replay attacks. CC ID 04552 | Technical Security | Preventive | |
| Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Establish Roles | Preventive | |
| Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 | Establish/Maintain Documentation | Corrective | |
| Log and react to all malicious code activity. CC ID 07072 | Monitor and Evaluate Occurrences | Detective | |
| Analyze the behavior and characteristics of the malicious code. CC ID 10672 | Technical Security | Detective | |
| Incorporate the malicious code analysis into the patch management program. CC ID 10673 | Technical Security | Corrective | |
| Lock antivirus configurations. CC ID 10047 | Configuration | Preventive | |
Third Party and supply chain oversight | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Process or Activity | Detective | |
| Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 [Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. § 5.14 Control] | Establish/Maintain Documentation | Preventive | |
| Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Establish/Maintain Documentation | Preventive | |
| Include the security requirements in the information flow agreement. CC ID 14244 | Establish/Maintain Documentation | Preventive | |
| Include the interface characteristics in the information flow agreement. CC ID 14240 | Establish/Maintain Documentation | Preventive | |
| Include change control clauses in third party contracts, as necessary. CC ID 06523 [The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. § 5.22 Control] | Establish/Maintain Documentation | Preventive | |
| Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Establish/Maintain Documentation | Preventive | |
| Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Establish/Maintain Documentation | Preventive | |
| Include change control notification processes in third party contracts. CC ID 06524 | Establish/Maintain Documentation | Preventive | |
| Include cost structure changes in third party contracts. CC ID 10021 | Establish/Maintain Documentation | Preventive | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Testing | Detective | |
| Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 [The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. § 5.22 Control] | Testing | Detective | |
| Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 | Process or Activity | Preventive | |
| Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 [The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. § 5.22 Control Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored. § 8.21 Control] | Establish/Maintain Documentation | Detective | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Business Processes | Preventive | |
| Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 | Testing | Detective | |
| Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 [Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship. § 5.20 Control] | Establish/Maintain Documentation | Preventive | |
| Assess the effectiveness of third party services provided to the organization. CC ID 13142 | Business Processes | Detective | |
| Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 | Monitor and Evaluate Occurrences | Detective | |
| Review the supply chain's service delivery on a regular basis. CC ID 12010 [The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. § 5.22 Control] | Business Processes | Preventive | |
Common Controls andEach Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
Acquisition/Sale of Assets or Services | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770 | Operational and Systems Continuity | Preventive | |
| Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682 | Operational and Systems Continuity | Preventive | |
| Obtain an insurance policy to cover business products and services delivered to clients. CC ID 06683 | Operational and Systems Continuity | Preventive | |
| Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 | Operational management | Preventive | |
| Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Operational management | Preventive | |
| Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Obtain user documentation before acquiring products and services. CC ID 14283 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Preventive | |
Actionable Reports or Measurements | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Monitoring and measurement | Detective | |
| Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Monitoring and measurement | Detective | |
| Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Monitoring and measurement | Detective | |
| Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Monitoring and measurement | Detective | |
| Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Monitoring and measurement | Detective | |
| Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Monitoring and measurement | Detective | |
| Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Monitoring and measurement | Detective | |
| Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 | Operational and Systems Continuity | Preventive | |
| Measure policy compliance when reviewing the internal control framework. CC ID 06442 [Compliance with the organization's information security policy, topic-specific policies, rules and standards should be regularly reviewed. § 5.36 Control] | Operational management | Corrective | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Preventive | |
Audits and Risk Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Address operational anomalies within the incident management system. CC ID 11633 | Monitoring and measurement | Preventive | |
| Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 | Monitoring and measurement | Preventive | |
| Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Monitoring and measurement | Preventive | |
| Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Preventive | |
| Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Preventive | |
| Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and risk management | Preventive | |
| Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Preventive | |
| Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 | Audits and risk management | Preventive | |
| Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and risk management | Preventive | |
| Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Operational and Systems Continuity | Preventive | |
Behavior | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a testing program. CC ID 00654 | Monitoring and measurement | Preventive | |
| Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 | Technical security | Corrective | |
| Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 | Technical security | Corrective | |
| Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094 | Technical security | Preventive | |
| Restrict downloading to reduce malicious code attacks. CC ID 04576 | Technical security | Preventive | |
| Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Physical and environmental protection | Preventive | |
| Manage constituent identification inside the facility. CC ID 02215 | Physical and environmental protection | Preventive | |
| Issue visitor identification badges to all non-employees. CC ID 00543 | Physical and environmental protection | Preventive | |
| Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Physical and environmental protection | Preventive | |
| Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Physical and environmental protection | Preventive | |
| Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Physical and environmental protection | Preventive | |
| Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Physical and environmental protection | Preventive | |
| Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Physical and environmental protection | Preventive | |
| Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Physical and environmental protection | Preventive | |
| Require removable storage media be in the custody of an authorized individual. CC ID 12319 | Physical and environmental protection | Preventive | |
| Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 | Physical and environmental protection | Preventive | |
| Require the return of all assets upon notification an individual is terminated. CC ID 06679 | Physical and environmental protection | Preventive | |
| Prohibit the use of recording devices near restricted data or restricted information, absent authorization. CC ID 04598 | Physical and environmental protection | Preventive | |
| Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 | Physical and environmental protection | Preventive | |
| Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 | Physical and environmental protection | Preventive | |
| Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 | Operational and Systems Continuity | Preventive | |
| Train all personnel and third parties, as necessary. CC ID 00785 | Human Resources management | Preventive | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Preventive | |
| Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation. § 6.4 Control] | Human Resources management | Corrective | |
| Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 | Operational management | Preventive | |
| Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 | Operational management | Preventive | |
| Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Operational management | Preventive | |
| Perform periodic maintenance according to organizational standards. CC ID 01435 | Operational management | Preventive | |
| Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Corrective | |
| Share data loss event information with the media. CC ID 01759 | Operational management | Corrective | |
| Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Corrective | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Corrective | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Detective | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Corrective | |
| Avoid false positive incident response notifications. CC ID 04732 | Operational management | Detective | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Corrective | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Corrective | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Corrective | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Corrective | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Preventive | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Preventive | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Corrective | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Preventive | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Corrective | |
| Notify affected parties to keep authenticators confidential. CC ID 06787 | System hardening through configuration management | Preventive | |
| Discourage affected parties from recording authenticators. CC ID 06788 | System hardening through configuration management | Preventive | |
| Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 | Privacy protection for information and data | Preventive | |
| Define the criteria for waivers of data subjects' rights. CC ID 16858 | Privacy protection for information and data | Preventive | |
| Revoke waivers of data subject's rights, as necessary. CC ID 16859 | Privacy protection for information and data | Preventive | |
| Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 | Privacy protection for information and data | Preventive | |
| Notify the supervisory authority. CC ID 00472 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the collection purpose. CC ID 00095 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Privacy protection for information and data | Preventive | |
| Notify the data subject of changes to personal data use. CC ID 00105 | Privacy protection for information and data | Preventive | |
| Obtain the data subject's consent when the personal data use changes. CC ID 11832 | Privacy protection for information and data | Preventive | |
| Respond to data access requests in a timely manner. CC ID 00421 | Privacy protection for information and data | Preventive | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Privacy protection for information and data | Detective | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Detective | |
| Notify the data subject after personal data is used or disclosed. CC ID 06247 | Privacy protection for information and data | Preventive | |
| Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 | Privacy protection for information and data | Preventive | |
| Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the source of collected personal data. CC ID 00083 | Privacy protection for information and data | Preventive | |
| Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Privacy protection for information and data | Preventive | |
| Use simple understandable language to collect information from children. CC ID 00039 | Privacy protection for information and data | Preventive | |
| Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Detective | |
| Notify data subjects when their personal data is transferred. CC ID 00352 | Privacy protection for information and data | Preventive | |
| Follow the instructions of the data transferrer. CC ID 00334 | Privacy protection for information and data | Preventive | |
| Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 | Privacy protection for information and data | Preventive | |
| Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 | Privacy protection for information and data | Preventive | |
| Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 | Privacy protection for information and data | Corrective | |
| File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 | Privacy protection for information and data | Corrective | |
| Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Privacy protection for information and data | Corrective | |
| Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 | Privacy protection for information and data | Corrective | |
| Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 | Privacy protection for information and data | Corrective | |
| Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Detective | |
| Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 | Privacy protection for information and data | Detective | |
| Investigate privacy rights violation complaints in private. CC ID 00492 | Privacy protection for information and data | Detective | |
| Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 | Privacy protection for information and data | Detective | |
| Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 | Privacy protection for information and data | Detective | |
| Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 | Privacy protection for information and data | Preventive | |
| Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 | Privacy protection for information and data | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 | Privacy protection for information and data | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 | Privacy protection for information and data | Preventive | |
| Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 | Privacy protection for information and data | Preventive | |
| Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 | Privacy protection for information and data | Preventive | |
| Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Privacy protection for information and data | Preventive | |
| Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 | Privacy protection for information and data | Preventive | |
| Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 | Privacy protection for information and data | Preventive | |
| Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 | Privacy protection for information and data | Corrective | |
| Order the organization to change to be in compliance with applicable law. CC ID 00499 | Privacy protection for information and data | Corrective | |
| Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 | Privacy protection for information and data | Corrective | |
| Award damages based on applicable law. CC ID 00501 | Privacy protection for information and data | Corrective | |
| Notify the public and other agencies after a penalty becomes final. CC ID 06217 | Privacy protection for information and data | Preventive | |
Business Processes | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Review the organization's approach to managing information security, as necessary. CC ID 12005 [The organization's approach to managing information security and its implementation including people, processes and technologies should be reviewed independently at planned intervals, or when significant changes occur. § 5.35 Control] | Leadership and high level objectives | Preventive | |
| Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 [{legal requirement}{statutory requirement}{regulatory requirement} Legal, statutory, regulatory and contractual requirements relevant to information security and the organization's approach to meet these requirements should be identified, documented and kept up to date. § 5.31 Control] | Leadership and high level objectives | Preventive | |
| Provide intelligence support to the organization, as necessary. CC ID 14020 | Monitoring and measurement | Preventive | |
| Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 | Technical security | Detective | |
| Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Preventive | |
| Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 | Physical and environmental protection | Preventive | |
| Transport restricted media using a delivery method that can be tracked. CC ID 11777 | Physical and environmental protection | Preventive | |
| Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Physical and environmental protection | Preventive | |
| Review the insurance coverage of the insurance policy, as necessary. CC ID 12688 | Operational and Systems Continuity | Detective | |
| Review the beneficiaries of the insurance policy. CC ID 16563 | Operational and Systems Continuity | Detective | |
| Manage cloud services. CC ID 13144 [Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization's information security requirements. § 5.23 Control] | Operational management | Preventive | |
| Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Preventive | |
| Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Preventive | |
| Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Preventive | |
| Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Preventive | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 [Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. § 5.10 Control] | Operational management | Preventive | |
| Include coordination amongst entities in the asset management policy. CC ID 16424 | Operational management | Preventive | |
| Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Operational management | Preventive | |
| Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Operational management | Preventive | |
| Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Preventive | |
| Establish, implement, and maintain an asset inventory. CC ID 06631 [An inventory of information and other associated assets, including owners, should be developed and maintained. § 5.9 Control] | Operational management | Preventive | |
| Destroy systems in accordance with the system disposal program. CC ID 16457 | Operational management | Preventive | |
| Approve the release of systems and waste material into the public domain. CC ID 16461 | Operational management | Preventive | |
| Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Preventive | |
| Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 | Operational management | Preventive | |
| Dispose of hardware and software at their life cycle end. CC ID 06278 | Operational management | Preventive | |
| Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Operational management | Preventive | |
| Remove asset tags prior to disposal of an asset. CC ID 12198 | Operational management | Preventive | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 [The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. § 5.24 Control] | Operational management | Preventive | |
| Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Operational management | Detective | |
| Remediate security violations according to organizational standards. CC ID 12338 | Operational management | Preventive | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Preventive | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Corrective | |
| Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Operational management | Corrective | |
| Establish, implement, and maintain rate limiting filters. CC ID 06883 | Operational management | Preventive | |
| Implement changes according to the change control program. CC ID 11776 [Changes to information processing facilities and information systems should be subject to change management procedures. § 8.32 Control] | Operational management | Preventive | |
| Change the authenticator for shared accounts when the group membership changes. CC ID 14249 | System hardening through configuration management | Corrective | |
| Supervise media destruction in accordance with organizational standards. CC ID 16456 | Records management | Preventive | |
| Use approved media sanitization equipment for destruction. CC ID 16459 | Records management | Preventive | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Preventive | |
| Approve the privacy plan. CC ID 14700 | Privacy protection for information and data | Preventive | |
| Protect private communications in keeping with compliance requirements. CC ID 14334 | Privacy protection for information and data | Preventive | |
| Refrain from charging a fee to implement an opt-out request. CC ID 13877 | Privacy protection for information and data | Preventive | |
| Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 | Privacy protection for information and data | Preventive | |
| Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Privacy protection for information and data | Preventive | |
| Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Privacy protection for information and data | Preventive | |
| Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Privacy protection for information and data | Preventive | |
| Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 | Privacy protection for information and data | Preventive | |
| Allow consent requests to be provided in any official languages. CC ID 16530 | Privacy protection for information and data | Preventive | |
| Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Preventive | |
| Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Preventive | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Preventive | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Privacy protection for information and data | Preventive | |
| Dispose of personal data removal requests, as necessary. CC ID 13512 | Privacy protection for information and data | Preventive | |
| Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 | Privacy protection for information and data | Detective | |
| Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Preventive | |
| Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Preventive | |
| Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 | Privacy protection for information and data | Preventive | |
| Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 | Privacy protection for information and data | Preventive | |
| Include the type of information to be collected in the privacy impact assessment. CC ID 15513 | Privacy protection for information and data | Preventive | |
| Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 | Privacy protection for information and data | Preventive | |
| Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 | Privacy protection for information and data | Corrective | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Preventive | |
| Assess the effectiveness of third party services provided to the organization. CC ID 13142 | Third Party and supply chain oversight | Detective | |
| Review the supply chain's service delivery on a regular basis. CC ID 12010 [The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. § 5.22 Control] | Third Party and supply chain oversight | Preventive | |
Communicate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 | Monitoring and measurement | Preventive | |
| Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 | Monitoring and measurement | Detective | |
| Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Monitoring and measurement | Detective | |
| Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Audits and risk management | Preventive | |
| Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Preventive | |
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Corrective | |
| Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Technical security | Detective | |
| Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Technical security | Preventive | |
| Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Technical security | Preventive | |
| Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 | Technical security | Preventive | |
| Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Technical security | Preventive | |
| Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 | Technical security | Preventive | |
| Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Preventive | |
| Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Technical security | Preventive | |
| Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Technical security | Preventive | |
| Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 | Technical security | Preventive | |
| Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Technical security | Corrective | |
| Post floor plans of critical facilities in secure locations. CC ID 16138 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 | Physical and environmental protection | Preventive | |
| Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 | Physical and environmental protection | Preventive | |
| Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 | Operational and Systems Continuity | Preventive | |
| Identify who can speak to the media in the emergency communications procedures. CC ID 12761 | Operational and Systems Continuity | Corrective | |
| Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties. § 6.5 Control] | Human Resources management | Preventive | |
| Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 [A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation. § 6.4 Control] | Human Resources management | Preventive | |
| Notify cloud customers of the geographic locations of the cloud service organization and its assets. CC ID 13037 | Operational management | Preventive | |
| Disseminate and communicate documentation of pertinent monitoring capabilities to interested personnel and affected parties. CC ID 13159 | Operational management | Preventive | |
| Disseminate and communicate the legal jurisdiction of cloud services to interested personnel and affected parties. CC ID 13147 | Operational management | Preventive | |
| Share security information with interested personnel and affected parties. CC ID 11732 [The organization should establish and maintain contact with special interest groups or other specialist security forums and professional associations. § 5.6 Control] | Operational management | Preventive | |
| Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Preventive | |
| Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. § 5.1 Control] | Operational management | Preventive | |
| Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 [Operating procedures for information processing facilities should be documented and made available to personnel who need them. § 5.37 Control] | Operational management | Preventive | |
| Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Preventive | |
| Disseminate and communicate the network standard to all interested personnel and affected parties. CC ID 13129 | Operational management | Preventive | |
| Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Operational management | Preventive | |
| Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Preventive | |
| Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Preventive | |
| Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Preventive | |
| Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Preventive | |
| Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
| Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Preventive | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Corrective | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Preventive | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Corrective | |
| Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 | Operational management | Preventive | |
| Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 | Operational management | Corrective | |
| Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 | Operational management | Preventive | |
| Disseminate and communicate with the end user when a memorized secret entered into an authenticator field matches one found in the memorized secret list. CC ID 13807 | System hardening through configuration management | Preventive | |
| Disseminate and communicate the system testing procedures to interested personnel and affected parties. CC ID 15471 | Systems design, build, and implementation | Preventive | |
| Disseminate and communicate the system documentation to interested personnel and affected parties. CC ID 14285 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 | Privacy protection for information and data | Preventive | |
| Deliver privacy notices to data subjects, as necessary. CC ID 13444 | Privacy protection for information and data | Preventive | |
| Update privacy notices, as necessary. CC ID 13474 | Privacy protection for information and data | Preventive | |
| Redeliver privacy notices, as necessary. CC ID 14850 | Privacy protection for information and data | Preventive | |
| Deliver privacy notices to third parties, as necessary. CC ID 13473 | Privacy protection for information and data | Preventive | |
| Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 | Privacy protection for information and data | Preventive | |
| Deliver opt-out notices, as necessary. CC ID 13449 | Privacy protection for information and data | Preventive | |
| Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 | Privacy protection for information and data | Preventive | |
| Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 | Privacy protection for information and data | Preventive | |
| Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 | Privacy protection for information and data | Preventive | |
| Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 | Privacy protection for information and data | Preventive | |
| Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 | Privacy protection for information and data | Preventive | |
| Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 | Privacy protection for information and data | Preventive | |
| Notify data subjects about their privacy rights. CC ID 12989 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 | Privacy protection for information and data | Preventive | |
| Provide public proof the organization participates in a privacy program. CC ID 12349 | Privacy protection for information and data | Preventive | |
| Disclose statements added to education records, as necessary. CC ID 12990 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 | Privacy protection for information and data | Preventive | |
| Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject, as necessary. CC ID 12625 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 | Privacy protection for information and data | Preventive | |
| Disseminate private communications when required by law. CC ID 14335 | Privacy protection for information and data | Corrective | |
| Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Privacy protection for information and data | Preventive | |
| Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Preventive | |
| Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Preventive | |
| Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Corrective | |
| Notify the data controller of any changes in data processors. CC ID 12648 | Privacy protection for information and data | Preventive | |
| Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Preventive | |
| Disclose de-identified data, as necessary. CC ID 13034 | Privacy protection for information and data | Preventive | |
| Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Corrective | |
| Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Privacy protection for information and data | Corrective | |
| Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 | Privacy protection for information and data | Corrective | |
| Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 | Privacy protection for information and data | Corrective | |
| Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 | Privacy protection for information and data | Preventive | |
| Capture personal data removal requests. CC ID 13507 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the disclosure purpose. CC ID 15268 | Privacy protection for information and data | Preventive | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Preventive | |
| Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Preventive | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Preventive | |
| Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 | Privacy protection for information and data | Preventive | |
| Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Privacy protection for information and data | Preventive | |
| Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 | Privacy protection for information and data | Preventive | |
| Notify third parties of unresolved challenges. CC ID 13559 | Privacy protection for information and data | Preventive | |
| Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 | Privacy protection for information and data | Corrective | |
| Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Privacy protection for information and data | Preventive | |
Configuration | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [The clocks of information processing systems used by the organization should be synchronized to approved time sources. § 8.17 Control] | Monitoring and measurement | Preventive | |
| Centralize network time servers to as few as practical. CC ID 06308 | Monitoring and measurement | Preventive | |
| Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 | Technical security | Preventive | |
| Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 | Technical security | Preventive | |
| Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 | Technical security | Preventive | |
| Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 | Technical security | Preventive | |
| Match user accounts to authorized parties. CC ID 12126 | Technical security | Detective | |
| Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Preventive | |
| Disallow application IDs from running as privileged users. CC ID 10050 | Technical security | Detective | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 [Groups of information services, users and information systems should be segregated in the organization's networks. § 8.22 Control] | Technical security | Preventive | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Preventive | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 | Technical security | Preventive | |
| Limit concurrent sessions according to account type. CC ID 01416 | Technical security | Preventive | |
| Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Preventive | |
| Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Preventive | |
| Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Preventive | |
| Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Preventive | |
| Enable access control for objects and users on each system. CC ID 04553 | Technical security | Preventive | |
| Display previous logon information in the logon banner. CC ID 01415 | Technical security | Preventive | |
| Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 | Technical security | Preventive | |
| Limit superuser accounts to designated System Administrators. CC ID 06766 | Technical security | Preventive | |
| Assign authentication mechanisms for user account authentication. CC ID 06856 [Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. § 8.5 Control] | Technical security | Preventive | |
| Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Technical security | Preventive | |
| Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 | Technical security | Preventive | |
| Control remote administration in accordance with organizational standards. CC ID 04459 | Technical security | Preventive | |
| Install and maintain remote control software and other remote control mechanisms on critical systems. CC ID 06371 | Technical security | Preventive | |
| Implement multifactor authentication techniques. CC ID 00561 | Technical security | Preventive | |
| Protect remote access accounts with encryption. CC ID 00562 | Technical security | Preventive | |
| Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Technical security | Preventive | |
| Install security and protection software, as necessary. CC ID 00575 | Technical security | Preventive | |
| Lock antivirus configurations. CC ID 10047 | Technical security | Preventive | |
| Install doors so that exposed hinges are on the secured side. CC ID 06687 | Physical and environmental protection | Preventive | |
| Install emergency doors to permit egress only. CC ID 06688 | Physical and environmental protection | Preventive | |
| Install contact alarms on doors, as necessary. CC ID 06710 | Physical and environmental protection | Preventive | |
| Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 | Physical and environmental protection | Preventive | |
| Install contact alarms on openable windows, as necessary. CC ID 06690 | Physical and environmental protection | Preventive | |
| Install glass break alarms on windows, as necessary. CC ID 06691 | Physical and environmental protection | Preventive | |
| Configure video cameras to cover all physical entry points. CC ID 06302 | Physical and environmental protection | Preventive | |
| Configure video cameras to prevent physical tampering or disablement. CC ID 06303 | Physical and environmental protection | Preventive | |
| Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 | Physical and environmental protection | Preventive | |
| Serialize all removable storage media. CC ID 00949 | Physical and environmental protection | Preventive | |
| Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 | Physical and environmental protection | Preventive | |
| Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 | Physical and environmental protection | Preventive | |
| Establish and maintain a telecommunications equipment room, as necessary. CC ID 06708 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a battery room, as necessary. CC ID 06706 | Physical and environmental protection | Preventive | |
| Establish and maintain a generator room, as necessary. CC ID 06704 | Physical and environmental protection | Preventive | |
| Install and maintain fire protection equipment. CC ID 00728 | Physical and environmental protection | Preventive | |
| Install and maintain fire suppression systems. CC ID 00729 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a Heating Ventilation and Air Conditioning system. CC ID 00727 | Physical and environmental protection | Preventive | |
| Install and maintain dust collection and filtering as a part of the Heating Ventilation and Air Conditioning system. CC ID 06368 | Physical and environmental protection | Preventive | |
| Install and maintain backup Heating Ventilation and Air Conditioning equipment. CC ID 06369 | Physical and environmental protection | Preventive | |
| Install and maintain a moisture control system as a part of the climate control system. CC ID 06694 | Physical and environmental protection | Preventive | |
| Install and maintain hydrogen sensors, as necessary. CC ID 06705 | Physical and environmental protection | Preventive | |
| Protect physical assets from water damage. CC ID 00730 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain redundant systems. CC ID 16354 [Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. § 8.14 Control] | Operational and Systems Continuity | Preventive | |
| Install and maintain redundant power supplies for critical facilities. CC ID 06355 [Information processing facilities should be protected from power failures and other disruptions caused by failures in supporting utilities. § 7.11 Control] | Operational and Systems Continuity | Preventive | |
| Run primary power lines and secondary power lines via diverse path feeds to organizational facilities, as necessary. CC ID 06696 | Operational and Systems Continuity | Preventive | |
| Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 | Operational and Systems Continuity | Corrective | |
| Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 | Operational and Systems Continuity | Preventive | |
| Encrypt backup data. CC ID 00958 | Operational and Systems Continuity | Preventive | |
| Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 | Operational management | Preventive | |
| Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Operational management | Preventive | |
| Remove all unnecessary functionality. CC ID 00882 | System hardening through configuration management | Preventive | |
| Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827 | System hardening through configuration management | Preventive | |
| Configure authenticators to comply with organizational standards. CC ID 06412 | System hardening through configuration management | Preventive | |
| Configure the system to require new users to change their authenticator on first use. CC ID 05268 | System hardening through configuration management | Preventive | |
| Configure authenticators so that group authenticators or shared authenticators are prohibited. CC ID 00519 | System hardening through configuration management | Preventive | |
| Configure the system to prevent unencrypted authenticator use. CC ID 04457 | System hardening through configuration management | Preventive | |
| Disable store passwords using reversible encryption. CC ID 01708 | System hardening through configuration management | Preventive | |
| Configure the system to encrypt authenticators. CC ID 06735 | System hardening through configuration management | Preventive | |
| Configure the system to mask authenticators. CC ID 02037 | System hardening through configuration management | Preventive | |
| Configure the authenticator policy to ban the use of usernames or user identifiers in authenticators. CC ID 05992 | System hardening through configuration management | Preventive | |
| Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 | System hardening through configuration management | Preventive | |
| Disable machine account password changes. CC ID 01737 | System hardening through configuration management | Preventive | |
| Configure the "Disable Remember Password" setting. CC ID 05270 | System hardening through configuration management | Preventive | |
| Configure the "Minimum password age" to organizational standards. CC ID 01703 | System hardening through configuration management | Preventive | |
| Configure the LILO/GRUB password. CC ID 01576 | System hardening through configuration management | Preventive | |
| Configure the system to use Apple's Keychain Access to store passwords and certificates. CC ID 04481 | System hardening through configuration management | Preventive | |
| Change the default password to Apple's Keychain. CC ID 04482 | System hardening through configuration management | Preventive | |
| Configure Apple's Keychain items to ask for the Keychain password. CC ID 04483 | System hardening through configuration management | Preventive | |
| Configure the Syskey Encryption Key and associated password. CC ID 05978 | System hardening through configuration management | Preventive | |
| Configure the "Accounts: Limit local account use of blank passwords to console logon only" setting. CC ID 04505 | System hardening through configuration management | Preventive | |
| Configure the "System cryptography: Force strong key protection for user keys stored in the computer" setting. CC ID 04534 | System hardening through configuration management | Preventive | |
| Configure interactive logon for accounts that do not have assigned authenticators in accordance with organizational standards. CC ID 05267 | System hardening through configuration management | Preventive | |
| Enable or disable remote connections from accounts with empty authenticators, as appropriate. CC ID 05269 | System hardening through configuration management | Preventive | |
| Configure the "Send LanMan compatible password" setting. CC ID 05271 | System hardening through configuration management | Preventive | |
| Configure the authenticator policy to ban or allow authenticators as words found in dictionaries, as appropriate. CC ID 05993 | System hardening through configuration management | Preventive | |
| Set the most number of characters required for the BitLocker Startup PIN correctly. CC ID 06054 | System hardening through configuration management | Preventive | |
| Set the default folder for BitLocker recovery passwords correctly. CC ID 06055 | System hardening through configuration management | Preventive | |
| Configure the "Disable password strength validation for Peer Grouping" setting to organizational standards. CC ID 10866 | System hardening through configuration management | Preventive | |
| Configure the "Set the interval between synchronization retries for Password Synchronization" setting to organizational standards. CC ID 11185 | System hardening through configuration management | Preventive | |
| Configure the "Set the number of synchronization retries for servers running Password Synchronization" setting to organizational standards. CC ID 11187 | System hardening through configuration management | Preventive | |
| Configure the "Turn off password security in Input Panel" setting to organizational standards. CC ID 11296 | System hardening through configuration management | Preventive | |
| Configure the "Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory" setting to organizational standards. CC ID 11355 | System hardening through configuration management | Preventive | |
| Configure the authenticator display screen to organizational standards. CC ID 13794 | System hardening through configuration management | Preventive | |
| Configure the authenticator field to disallow memorized secrets found in the memorized secret list. CC ID 13808 | System hardening through configuration management | Preventive | |
| Configure the authenticator display screen to display the memorized secret as an option. CC ID 13806 | System hardening through configuration management | Preventive | |
| Configure the look-up secret authenticator to dispose of memorized secrets after their use. CC ID 13817 | System hardening through configuration management | Corrective | |
| Configure the memorized secret verifiers to refrain from allowing anonymous users to access memorized secret hints. CC ID 13823 | System hardening through configuration management | Preventive | |
| Configure the system to allow paste functionality for the authenticator field. CC ID 13819 | System hardening through configuration management | Preventive | |
| Configure the system to require successful authentication before an authenticator for a user account is changed. CC ID 13821 | System hardening through configuration management | Preventive | |
| Implement electronic storage media integrity controls. CC ID 00946 | Records management | Preventive | |
| Automate electronic storage media integrity check controls. CC ID 00948 | Records management | Preventive | |
| Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Records management | Preventive | |
| Configure software development tools in accordance with organizational standards. CC ID 16387 | Systems design, build, and implementation | Preventive | |
| Configure the test environment similar to the production environment. CC ID 06837 [{development environment}{test environment} Development, testing and production environments should be separated and secured. § 8.31 Control] | Systems design, build, and implementation | Preventive | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Preventive | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Preventive | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Preventive | |
| Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 | Privacy protection for information and data | Preventive | |
Data and Information Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Leadership and high level objectives | Preventive | |
| Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Leadership and high level objectives | Preventive | |
| Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Leadership and high level objectives | Preventive | |
| Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Leadership and high level objectives | Preventive | |
| Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Leadership and high level objectives | Preventive | |
| Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Leadership and high level objectives | Preventive | |
| Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Leadership and high level objectives | Preventive | |
| Classify the value of information in the information classification standard. CC ID 11995 | Leadership and high level objectives | Preventive | |
| Classify the legal requirements of information in the information classification standard. CC ID 11994 | Leadership and high level objectives | Preventive | |
| Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Monitoring and measurement | Preventive | |
| Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Preventive | |
| Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Technical security | Preventive | |
| Enforce access restrictions for restricted data. CC ID 01921 [{physical access} Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. § 5.15 Control Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. § 8.3 Control] | Technical security | Preventive | |
| Include virtual systems in the network diagram. CC ID 16324 | Technical security | Preventive | |
| Define risk tolerance to illicit data flow for each type of information classification. CC ID 01923 | Technical security | Preventive | |
| Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 | Technical security | Preventive | |
| Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 | Technical security | Preventive | |
| Perform content sanitization on data-in-transit. CC ID 16512 | Technical security | Preventive | |
| Perform content conversion on data-in-transit. CC ID 16510 | Technical security | Preventive | |
| Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 | Technical security | Preventive | |
| Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 | Technical security | Preventive | |
| Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 | Technical security | Preventive | |
| Establish, implement, and maintain whitelists and blacklists of web content. CC ID 15234 | Technical security | Preventive | |
| Encrypt in scope data or in scope information, as necessary. CC ID 04824 | Technical security | Preventive | |
| Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Preventive | |
| Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Preventive | |
| Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Preventive | |
| Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Technical security | Preventive | |
| Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Preventive | |
| Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Technical security | Preventive | |
| Generate strong cryptographic keys. CC ID 01299 | Technical security | Preventive | |
| Use approved random number generators for creating cryptographic keys. CC ID 06574 | Technical security | Preventive | |
| Disseminate and communicate cryptographic keys securely. CC ID 01300 | Technical security | Preventive | |
| Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Technical security | Preventive | |
| Store cryptographic keys securely. CC ID 01298 | Technical security | Preventive | |
| Restrict access to cryptographic keys. CC ID 01297 | Technical security | Preventive | |
| Store cryptographic keys in encrypted format. CC ID 06084 | Technical security | Preventive | |
| Change cryptographic keys in accordance with organizational standards. CC ID 01302 | Technical security | Preventive | |
| Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Technical security | Preventive | |
| Control cryptographic keys with split knowledge and dual control. CC ID 01304 | Technical security | Preventive | |
| Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 | Technical security | Preventive | |
| Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 | Technical security | Corrective | |
| Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 | Technical security | Corrective | |
| Archive outdated cryptographic keys. CC ID 06884 | Technical security | Preventive | |
| Archive revoked cryptographic keys. CC ID 11819 | Technical security | Preventive | |
| Manage the digital signature cryptographic key pair. CC ID 06576 | Technical security | Preventive | |
| Track restricted storage media while it is in transit. CC ID 00967 | Physical and environmental protection | Detective | |
| Establish, implement, and maintain removable storage media controls. CC ID 06680 | Physical and environmental protection | Preventive | |
| Control access to restricted storage media. CC ID 04889 | Physical and environmental protection | Preventive | |
| Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Physical and environmental protection | Preventive | |
| Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Physical and environmental protection | Preventive | |
| Encrypt information stored on mobile devices. CC ID 01422 | Physical and environmental protection | Preventive | |
| Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579 | Operational and Systems Continuity | Preventive | |
| Determine which data elements to back up. CC ID 13483 | Operational and Systems Continuity | Detective | |
| Store backup media at an off-site electronic media storage facility. CC ID 01332 | Operational and Systems Continuity | Preventive | |
| Transport backup media in lockable electronic media storage containers. CC ID 01264 | Operational and Systems Continuity | Preventive | |
| Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Operational and Systems Continuity | Preventive | |
| Perform full backups in accordance with organizational standards. CC ID 16376 | Operational and Systems Continuity | Preventive | |
| Perform incremental backups in accordance with organizational standards. CC ID 16375 | Operational and Systems Continuity | Preventive | |
| Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Operational and Systems Continuity | Preventive | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Preventive | |
| Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Operational management | Preventive | |
| Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Preventive | |
| Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Preventive | |
| Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Preventive | |
| Record software license information for each asset in the asset inventory. CC ID 11736 | Operational management | Preventive | |
| Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Operational management | Preventive | |
| Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Preventive | |
| Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Preventive | |
| Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Preventive | |
| Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 | Operational management | Preventive | |
| Share incident information with interested personnel and affected parties. CC ID 01212 | Operational management | Corrective | |
| Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Preventive | |
| Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Corrective | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Preventive | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Preventive | |
| Establish, implement, and maintain a repository of authenticators. CC ID 16372 | System hardening through configuration management | Preventive | |
| Ensure the root account is the first entry in password files. CC ID 16323 | System hardening through configuration management | Detective | |
| Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 | Records management | Preventive | |
| Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643 [Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. § 7.14 Control] | Records management | Preventive | |
| Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313 | Records management | Preventive | |
| Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 | Records management | Preventive | |
| Label restricted storage media appropriately. CC ID 00966 | Records management | Preventive | |
| Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Records management | Preventive | |
| Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Records management | Preventive | |
| Protect confidential information during the system development life cycle program. CC ID 13479 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Preventive | |
| Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 | Privacy protection for information and data | Preventive | |
| Deliver notices to the intended parties. CC ID 06240 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Privacy protection for information and data | Preventive | |
| Provide legal authorities access to personal data, upon request. CC ID 06818 | Privacy protection for information and data | Preventive | |
| Document the countries where restricted data may be stored. CC ID 12750 | Privacy protection for information and data | Preventive | |
| Protect the rights of students and their parents or legal representatives. CC ID 00222 | Privacy protection for information and data | Preventive | |
| Disclose educational data, as necessary. CC ID 00223 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 | Privacy protection for information and data | Preventive | |
| Disclose education records when written consent is received. CC ID 00224 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to other school officials. CC ID 00226 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to another institution's school officials. CC ID 00227 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent in connection with financial aid. CC ID 00229 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to accrediting organizations. CC ID 00231 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent for a health and safety emergency. CC ID 00234 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent when it is merely directory information. CC ID 00235 | Privacy protection for information and data | Preventive | |
| Disclose educational data absent consent to a crime victim. CC ID 00236 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 | Privacy protection for information and data | Preventive | |
| Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Privacy protection for information and data | Preventive | |
| Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 | Privacy protection for information and data | Preventive | |
| Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Privacy protection for information and data | Preventive | |
| Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 | Privacy protection for information and data | Preventive | |
| Refrain from obtaining consent through deception. CC ID 13556 | Privacy protection for information and data | Preventive | |
| Give individuals the ability to change the uses of their personal data. CC ID 00469 | Privacy protection for information and data | Preventive | |
| Notify data subjects of the implications of withdrawing consent. CC ID 13551 | Privacy protection for information and data | Preventive | |
| Cooperate with Data Protection Authorities. CC ID 06870 | Privacy protection for information and data | Preventive | |
| Display or print the least amount of personal data necessary. CC ID 04643 | Privacy protection for information and data | Preventive | |
| Redact confidential information from public information, as necessary. CC ID 06872 | Privacy protection for information and data | Preventive | |
| Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Preventive | |
| Dispose of media and restricted data in a timely manner. CC ID 00125 | Privacy protection for information and data | Preventive | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Preventive | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Privacy protection for information and data | Preventive | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 | Privacy protection for information and data | Preventive | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Preventive | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Preventive | |
| Delay responding to data access requests, as necessary. CC ID 15504 | Privacy protection for information and data | Preventive | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Preventive | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Preventive | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Preventive | |
| Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Preventive | |
| Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Preventive | |
| Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Privacy protection for information and data | Preventive | |
| Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Preventive | |
| Process personal data after the data subject has granted explicit consent. CC ID 00180 | Privacy protection for information and data | Preventive | |
| Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Privacy protection for information and data | Preventive | |
| Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Preventive | |
| Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Privacy protection for information and data | Preventive | |
| Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Privacy protection for information and data | Preventive | |
| Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Preventive | |
| Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 | Privacy protection for information and data | Preventive | |
| Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Preventive | |
| Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Privacy protection for information and data | Preventive | |
| Process personal data when it is publicly accessible. CC ID 00187 | Privacy protection for information and data | Preventive | |
| Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Preventive | |
| Process personal data for the purposes of employment. CC ID 16527 | Privacy protection for information and data | Preventive | |
| Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Privacy protection for information and data | Preventive | |
| Process personal data for debt collection or benefit payments. CC ID 00190 | Privacy protection for information and data | Preventive | |
| Process personal data in order to advance the public interest. CC ID 00191 | Privacy protection for information and data | Preventive | |
| Process personal data for surveys, archives, or scientific research. CC ID 00192 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Privacy protection for information and data | Preventive | |
| Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Preventive | |
| Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Privacy protection for information and data | Preventive | |
| Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Preventive | |
| Follow legal obligations while processing personal data. CC ID 04794 | Privacy protection for information and data | Preventive | |
| Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent in order to perform a contract. CC ID 13586 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is needed by law. CC ID 13577 | Privacy protection for information and data | Preventive | |
| Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is from publicly available information. CC ID 13576 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent to create a credit report. CC ID 15288 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when produced for business purposes. CC ID 13563 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for handling insurance claims. CC ID 13561 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for life-threatening emergencies. CC ID 13558 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Privacy protection for information and data | Preventive | |
| Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 | Privacy protection for information and data | Preventive | |
| Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 | Privacy protection for information and data | Detective | |
| Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when the law does not require consent. CC ID 00136 | Privacy protection for information and data | Preventive | |
| Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 | Privacy protection for information and data | Preventive | |
| Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent to create a credit report. CC ID 15297 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for handling insurance claims. CC ID 13585 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to perform a contract. CC ID 00139 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 | Privacy protection for information and data | Preventive | |
| Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Privacy protection for information and data | Preventive | |
| Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 | Privacy protection for information and data | Preventive | |
| Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent for public economic interests. CC ID 00148 | Privacy protection for information and data | Preventive | |
| Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 | Privacy protection for information and data | Preventive | |
| Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is needed by law. CC ID 00163 | Privacy protection for information and data | Preventive | |
| Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 | Privacy protection for information and data | Preventive | |
| Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 | Privacy protection for information and data | Preventive | |
| Limit the redisclosure and reuse of restricted data. CC ID 00168 | Privacy protection for information and data | Preventive | |
| Refrain from redisclosing or reusing restricted data. CC ID 00169 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data when the data subject consents. CC ID 00171 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data in order to protect public revenue. CC ID 00173 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Privacy protection for information and data | Preventive | |
| Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 | Privacy protection for information and data | Preventive | |
| Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Privacy protection for information and data | Preventive | |
| Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Preventive | |
| Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Privacy protection for information and data | Preventive | |
| Process Personal Identification Numbers with consent. CC ID 00239 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Privacy protection for information and data | Preventive | |
| Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Privacy protection for information and data | Preventive | |
| Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Privacy protection for information and data | Preventive | |
| Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Privacy protection for information and data | Preventive | |
| Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Privacy protection for information and data | Preventive | |
| Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Privacy protection for information and data | Preventive | |
| Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Privacy protection for information and data | Preventive | |
| Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 | Privacy protection for information and data | Preventive | |
| Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Privacy protection for information and data | Preventive | |
| Review personal data disclosure requests. CC ID 07129 | Privacy protection for information and data | Preventive | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Preventive | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Preventive | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Preventive | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Preventive | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Preventive | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Preventive | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Preventive | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Detective | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Preventive | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Preventive | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Preventive | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Privacy protection for information and data | Preventive | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Privacy protection for information and data | Preventive | |
| Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Preventive | |
| Provide data or records in a reasonable time frame. CC ID 00429 | Privacy protection for information and data | Preventive | |
| Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Preventive | |
| Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Preventive | |
| Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Preventive | |
| Provide data at a cost that is not excessive. CC ID 00430 | Privacy protection for information and data | Preventive | |
| Provide records or data in a reasonable manner. CC ID 00431 | Privacy protection for information and data | Preventive | |
| Provide personal data in a form that is intelligible. CC ID 00432 | Privacy protection for information and data | Preventive | |
| Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Preventive | |
| Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Preventive | |
| Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Preventive | |
| Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 | Privacy protection for information and data | Preventive | |
| Refrain from collecting personal data, as necessary. CC ID 15269 | Privacy protection for information and data | Preventive | |
| Use personal data for specified purposes. CC ID 11831 | Privacy protection for information and data | Preventive | |
| Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Privacy protection for information and data | Preventive | |
| Provide explicit consent that is clear and unambiguous. CC ID 00181 | Privacy protection for information and data | Preventive | |
| Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Privacy protection for information and data | Preventive | |
| Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Privacy protection for information and data | Preventive | |
| Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Privacy protection for information and data | Preventive | |
| Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Privacy protection for information and data | Preventive | |
| Include an individual's name in the personal data definition. CC ID 04710 | Privacy protection for information and data | Preventive | |
| Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Privacy protection for information and data | Preventive | |
| Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Privacy protection for information and data | Preventive | |
| Include an individual's signature in the personal data definition. CC ID 04711 | Privacy protection for information and data | Preventive | |
| Include an individual's date of birth in the personal data definition. CC ID 04770 | Privacy protection for information and data | Preventive | |
| Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Privacy protection for information and data | Preventive | |
| Include an individual's biometric data in the personal data definition. CC ID 04698 | Privacy protection for information and data | Preventive | |
| Include an individual's photographic image in the personal data definition. CC ID 04779 | Privacy protection for information and data | Preventive | |
| Include an individual's fingerprints in the personal data definition. CC ID 04689 | Privacy protection for information and data | Preventive | |
| Include an individual's address in the personal data definition. CC ID 04687 | Privacy protection for information and data | Preventive | |
| Include an individual's telephone number in the personal data definition. CC ID 04688 | Privacy protection for information and data | Preventive | |
| Include an individual's fax number in the personal data definition. CC ID 07120 | Privacy protection for information and data | Preventive | |
| Include an individual's financial account number in the personal data definition. CC ID 04692 | Privacy protection for information and data | Preventive | |
| Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Privacy protection for information and data | Preventive | |
| Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Privacy protection for information and data | Preventive | |
| Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Privacy protection for information and data | Preventive | |
| Include an individual's passport number in the personal data definition. CC ID 04713 | Privacy protection for information and data | Preventive | |
| Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Privacy protection for information and data | Preventive | |
| Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Privacy protection for information and data | Preventive | |
| Include an individual's e-mail address in the personal data definition. CC ID 04696 | Privacy protection for information and data | Preventive | |
| Include electronic signatures in the personal data definition. CC ID 04697 | Privacy protection for information and data | Preventive | |
| Include an individual's payment card information in the personal data definition. CC ID 04751 | Privacy protection for information and data | Preventive | |
| Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Privacy protection for information and data | Preventive | |
| Include an individual's payment card service code in the personal data definition. CC ID 04753 | Privacy protection for information and data | Preventive | |
| Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Privacy protection for information and data | Preventive | |
| Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Privacy protection for information and data | Preventive | |
| Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Privacy protection for information and data | Preventive | |
| Include an individual's medical history in the personal data definition. CC ID 04701 | Privacy protection for information and data | Preventive | |
| Include an individual's medical treatment in the personal data definition. CC ID 04702 | Privacy protection for information and data | Preventive | |
| Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Privacy protection for information and data | Preventive | |
| Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Privacy protection for information and data | Preventive | |
| Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Privacy protection for information and data | Preventive | |
| Include an individual's health insurance information in the personal data definition. CC ID 04705 | Privacy protection for information and data | Preventive | |
| Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Privacy protection for information and data | Preventive | |
| Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Privacy protection for information and data | Preventive | |
| Include an individual's education information in the personal data definition. CC ID 04714 | Privacy protection for information and data | Preventive | |
| Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Privacy protection for information and data | Preventive | |
| Include an individual's employment information in the personal data definition. CC ID 04715 | Privacy protection for information and data | Preventive | |
| Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Privacy protection for information and data | Preventive | |
| Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Privacy protection for information and data | Preventive | |
| Include an individual's employment history in the personal data definition. CC ID 04716 | Privacy protection for information and data | Preventive | |
| Include an individual's place of employment in the personal data definition. CC ID 04765 | Privacy protection for information and data | Preventive | |
| Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Privacy protection for information and data | Preventive | |
| Include an individual's property information in the personal data definition. CC ID 04780 | Privacy protection for information and data | Preventive | |
| Include an individual's property title in the personal data definition. CC ID 04781 | Privacy protection for information and data | Preventive | |
| Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Privacy protection for information and data | Preventive | |
| Include hardware asset identification information in the personal data definition. CC ID 07123 | Privacy protection for information and data | Preventive | |
| Include MAC addresses in the personal data definition. CC ID 04778 | Privacy protection for information and data | Preventive | |
| Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Privacy protection for information and data | Preventive | |
| Include asset serial numbers in the personal data definition. CC ID 07124 | Privacy protection for information and data | Preventive | |
| Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Privacy protection for information and data | Preventive | |
| Define specially restricted data. CC ID 00037 | Privacy protection for information and data | Preventive | |
| Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Privacy protection for information and data | Preventive | |
| Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Privacy protection for information and data | Preventive | |
| Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Privacy protection for information and data | Preventive | |
| Implement a nondiscrimination principle. CC ID 00081 | Privacy protection for information and data | Preventive | |
| Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Privacy protection for information and data | Preventive | |
| Preserve each individual's right to human dignity. CC ID 00082 | Privacy protection for information and data | Preventive | |
| Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Privacy protection for information and data | Preventive | |
| Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Privacy protection for information and data | Preventive | |
| Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Privacy protection for information and data | Preventive | |
| Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Privacy protection for information and data | Preventive | |
| Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Privacy protection for information and data | Preventive | |
| Manage health data collection. CC ID 00050 | Privacy protection for information and data | Preventive | |
| Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Privacy protection for information and data | Preventive | |
| Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Privacy protection for information and data | Preventive | |
| Collect Individually Identifiable Health Information for research. CC ID 00054 | Privacy protection for information and data | Preventive | |
| Remove personal data before disclosing health data. CC ID 00055 | Privacy protection for information and data | Preventive | |
| Give special attention to collecting children's data. CC ID 00038 | Privacy protection for information and data | Preventive | |
| Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Privacy protection for information and data | Preventive | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Privacy protection for information and data | Preventive | |
| Collect personal data directly from the data subject. CC ID 00011 | Privacy protection for information and data | Preventive | |
| Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Privacy protection for information and data | Preventive | |
| Provide unlinkability for users and resources. CC ID 04550 | Privacy protection for information and data | Preventive | |
| Collect restricted data in a fair and lawful manner. CC ID 00010 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent for handling insurance claims. CC ID 13543 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Privacy protection for information and data | Preventive | |
| Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent from publicly available information. CC ID 00019 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent when needed by law. CC ID 00020 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent to create a credit report. CC ID 15287 | Privacy protection for information and data | Preventive | |
| Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Privacy protection for information and data | Preventive | |
| Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Privacy protection for information and data | Preventive | |
| Collect the minimum amount of restricted data necessary. CC ID 00078 | Privacy protection for information and data | Preventive | |
| Collect restricted data in a proper information framework. CC ID 00009 | Privacy protection for information and data | Preventive | |
| Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Privacy protection for information and data | Preventive | |
| Collect restricted data when required by law. CC ID 00031 | Privacy protection for information and data | Preventive | |
| Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Privacy protection for information and data | Preventive | |
| Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Privacy protection for information and data | Preventive | |
| Collect restricted data for legal purposes. CC ID 00036 | Privacy protection for information and data | Preventive | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Preventive | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Preventive | |
| Limit data leakage. CC ID 00356 [Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information. § 8.12 Control] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Detective | |
| Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Detective | |
| Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Detective | |
| Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Detective | |
| Include text about data ownership in the data handling policy. CC ID 15720 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [Data masking should be used in accordance with the organization's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration. § 8.11 Control] | Privacy protection for information and data | Preventive | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Preventive | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 | Privacy protection for information and data | Preventive | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Preventive | |
| Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Preventive | |
| Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Preventive | |
| Obtain consent from an individual prior to transferring personal data. CC ID 06948 | Privacy protection for information and data | Preventive | |
| Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 | Privacy protection for information and data | Preventive | |
| Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 | Privacy protection for information and data | Preventive | |
| Prohibit the transfer of personal data when security is inadequate. CC ID 00345 | Privacy protection for information and data | Preventive | |
| Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 | Privacy protection for information and data | Preventive | |
| Refrain from transferring past the first transfer. CC ID 00347 | Privacy protection for information and data | Preventive | |
| Allow the data subject the right to object to the personal data transfer. CC ID 00349 | Privacy protection for information and data | Preventive | |
| Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 | Privacy protection for information and data | Preventive | |
| Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Privacy protection for information and data | Preventive | |
| Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 | Privacy protection for information and data | Preventive | |
| Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Privacy protection for information and data | Preventive | |
| Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Privacy protection for information and data | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Privacy protection for information and data | Preventive | |
| Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 | Privacy protection for information and data | Preventive | |
| Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Privacy protection for information and data | Preventive | |
| Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Privacy protection for information and data | Preventive | |
| Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Privacy protection for information and data | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Privacy protection for information and data | Preventive | |
| Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 | Privacy protection for information and data | Preventive | |
| Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 | Privacy protection for information and data | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 | Privacy protection for information and data | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to downloading software to an individual's computer. CC ID 06951 | Privacy protection for information and data | Preventive | |
| Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 | Privacy protection for information and data | Preventive | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Preventive | |
| Implement procedures to file privacy rights violation complaints. CC ID 00476 | Privacy protection for information and data | Corrective | |
| Change or destroy any personal data that is incorrect. CC ID 00462 | Privacy protection for information and data | Corrective | |
| Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Preventive | |
| Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Corrective | |
| Notify individuals of their right to challenge personal data. CC ID 00457 | Privacy protection for information and data | Preventive | |
| Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 | Privacy protection for information and data | Preventive | |
| Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Privacy protection for information and data | Preventive | |
| Investigate the disputed accuracy of personal data. CC ID 00461 | Privacy protection for information and data | Preventive | |
| Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 | Privacy protection for information and data | Corrective | |
| Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 | Privacy protection for information and data | Corrective | |
Establish Roles | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Leadership and high level objectives | Preventive | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Preventive | |
| Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Preventive | |
| Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Technical security | Preventive | |
| Employ security guards to provide physical security, as necessary. CC ID 06653 | Physical and environmental protection | Preventive | |
| Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Human Resources management | Preventive | |
| Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Preventive | |
| Classify assets according to the Asset Classification Policy. CC ID 07186 | Operational management | Preventive | |
| Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 | Operational management | Preventive | |
| Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. § 5.24 Control] | Operational management | Preventive | |
| Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Preventive | |
| Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 | Operational management | Preventive | |
| Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 | Operational management | Preventive | |
| Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 | Operational management | Preventive | |
| Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 | Operational management | Preventive | |
| Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 | Operational management | Preventive | |
| Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 | Operational management | Preventive | |
| Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 | Operational management | Preventive | |
| Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 | Operational management | Preventive | |
| Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 | Operational management | Preventive | |
| Assign the review of custom code changes to individuals other than the code author. CC ID 06291 | Systems design, build, and implementation | Preventive | |
| Include roles and responsibilities in the registration notice. CC ID 16803 | Privacy protection for information and data | Preventive | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Preventive | |
| Process restricted data lawfully and carefully. CC ID 00086 | Privacy protection for information and data | Preventive | |
Establish/Maintain Documentation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain organizational objectives. CC ID 09959 | Leadership and high level objectives | Preventive | |
| Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain an information classification standard. CC ID 00601 [Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements. § 5.12 Control] | Leadership and high level objectives | Preventive | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
| Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
| Establish and maintain an Authority Document list. CC ID 07113 [{legal requirement}{statutory requirement}{regulatory requirement} Legal, statutory, regulatory and contractual requirements relevant to information security and the organization's approach to meet these requirements should be identified, documented and kept up to date. § 5.31 Control] | Leadership and high level objectives | Preventive | |
| Map in scope assets and in scope records to external requirements. CC ID 12189 | Leadership and high level objectives | Detective | |
| Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Leadership and high level objectives | Preventive | |
| Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Leadership and high level objectives | Preventive | |
| Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Leadership and high level objectives | Preventive | |
| Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Preventive | |
| Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Corrective | |
| Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Leadership and high level objectives | Preventive | |
| Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Preventive | |
| Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Leadership and high level objectives | Preventive | |
| Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Preventive | |
| Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Preventive | |
| Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Leadership and high level objectives | Detective | |
| Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Monitoring and measurement | Corrective | |
| Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 [Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. § 8.9 Control] | Monitoring and measurement | Detective | |
| Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
| Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 [The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. § 5.22 Control] | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Preventive | |
| Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 [Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management. § 8.34 Control] | Audits and risk management | Preventive | |
| Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 | Audits and risk management | Preventive | |
| Include audit subject matter in the audit program. CC ID 07103 | Audits and risk management | Preventive | |
| Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Audits and risk management | Preventive | |
| Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Audits and risk management | Preventive | |
| Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Audits and risk management | Preventive | |
| Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Preventive | |
| Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Audits and risk management | Preventive | |
| Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Preventive | |
| Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Audits and risk management | Preventive | |
| Provide a representation letter in support of the audit assertion. CC ID 07158 | Audits and risk management | Preventive | |
| Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Preventive | |
| Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Preventive | |
| Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Preventive | |
| Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Preventive | |
| Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Preventive | |
| Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Audits and risk management | Preventive | |
| Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Audits and risk management | Preventive | |
| Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Audits and risk management | Preventive | |
| Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Audits and risk management | Preventive | |
| Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Audits and risk management | Preventive | |
| Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Audits and risk management | Preventive | |
| Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Audits and risk management | Preventive | |
| Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Preventive | |
| Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Detective | |
| Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Preventive | |
| Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Preventive | |
| Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Preventive | |
| Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Preventive | |
| Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Preventive | |
| Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Preventive | |
| Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Preventive | |
| Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Preventive | |
| Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Audits and risk management | Preventive | |
| Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Preventive | |
| Include the in scope records produced in the audit assertion. CC ID 06968 | Audits and risk management | Preventive | |
| Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Preventive | |
| Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Preventive | |
| Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Preventive | |
| Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Audits and risk management | Preventive | |
| Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Preventive | |
| Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Preventive | |
| Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Audits and risk management | Preventive | |
| Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Audits and risk management | Preventive | |
| Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 | Audits and risk management | Preventive | |
| Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 | Audits and risk management | Preventive | |
| Include the expectations for the audit report in the audit terms. CC ID 07148 | Audits and risk management | Preventive | |
| Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Audits and risk management | Preventive | |
| Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Corrective | |
| Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Preventive | |
| Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Preventive | |
| Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Preventive | |
| Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Preventive | |
| Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Preventive | |
| Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Preventive | |
| Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Preventive | |
| Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Preventive | |
| Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Preventive | |
| Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Preventive | |
| Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Preventive | |
| Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Preventive | |
| Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a digital identity management program. CC ID 13713 [The full life cycle of identities should be managed. § 5.16 Control] | Technical security | Preventive | |
| Establish, implement, and maintain an authorized representatives policy. CC ID 13798 | Technical security | Preventive | |
| Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Technical security | Preventive | |
| Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Technical security | Preventive | |
| Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Technical security | Preventive | |
| Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Technical security | Preventive | |
| Establish, implement, and maintain digital identification procedures. CC ID 13714 | Technical security | Preventive | |
| Establish, implement, and maintain remote proofing procedures. CC ID 13796 | Technical security | Preventive | |
| Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Preventive | |
| Include guidance for how users should protect their authentication credentials in the access control program. CC ID 11929 [Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information. § 5.17 Control] | Technical security | Preventive | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 [Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control. § 5.18 Control] | Technical security | Preventive | |
| Inventory all user accounts. CC ID 13732 | Technical security | Preventive | |
| Add all devices requiring access control to the Access Control List. CC ID 06264 | Technical security | Preventive | |
| Include the objects and users subject to access control in the security policy. CC ID 11836 | Technical security | Preventive | |
| Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Technical security | Preventive | |
| Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Technical security | Preventive | |
| Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Technical security | Preventive | |
| Establish and maintain a Digital Rights Management program. CC ID 07093 | Technical security | Preventive | |
| Establish, implement, and maintain an authority for access authorization list. CC ID 06782 | Technical security | Preventive | |
| Establish, implement, and maintain a password policy. CC ID 16346 | Technical security | Preventive | |
| Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Technical security | Preventive | |
| Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Technical security | Preventive | |
| Document the business need justification for authentication data storage. CC ID 06325 | Technical security | Preventive | |
| Establish, implement, and maintain an identification and authentication policy. CC ID 14033 | Technical security | Preventive | |
| Establish, implement, and maintain identification and authentication procedures. CC ID 14053 [Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. § 8.5 Control] | Technical security | Preventive | |
| Establish and maintain a memorized secret list. CC ID 13791 | Technical security | Preventive | |
| Establish, implement, and maintain a network configuration standard. CC ID 00530 [Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. § 8.9 Control] | Technical security | Preventive | |
| Establish, implement, and maintain network segmentation requirements. CC ID 16380 | Technical security | Preventive | |
| Establish, implement, and maintain a network security policy. CC ID 06440 [Networks and network devices should be secured, managed and controlled to protect information in systems and applications. § 8.20 Control] | Technical security | Preventive | |
| Include compliance requirements in the network security policy. CC ID 14205 | Technical security | Preventive | |
| Include coordination amongst entities in the network security policy. CC ID 14204 | Technical security | Preventive | |
| Include management commitment in the network security policy. CC ID 14203 | Technical security | Preventive | |
| Include roles and responsibilities in the network security policy. CC ID 14202 | Technical security | Preventive | |
| Include the scope in the network security policy. CC ID 14201 | Technical security | Preventive | |
| Include the purpose in the network security policy. CC ID 14200 | Technical security | Preventive | |
| Establish, implement, and maintain system and communications protection procedures. CC ID 14052 | Technical security | Preventive | |
| Establish, implement, and maintain a wireless networking policy. CC ID 06732 | Technical security | Preventive | |
| Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Technical security | Preventive | |
| Maintain up-to-date network diagrams. CC ID 00531 | Technical security | Preventive | |
| Include the date of the most recent update on the network diagram. CC ID 14319 | Technical security | Preventive | |
| Include the organization's name in the network diagram. CC ID 14318 | Technical security | Preventive | |
| Include Internet Protocol addresses in the network diagram. CC ID 16244 | Technical security | Preventive | |
| Include Domain Name System names in the network diagram. CC ID 16240 | Technical security | Preventive | |
| Accept, by formal signature, the security implications of the network topology. CC ID 12323 | Technical security | Preventive | |
| Maintain up-to-date data flow diagrams. CC ID 10059 | Technical security | Preventive | |
| Establish, implement, and maintain a sensitive information inventory. CC ID 13736 | Technical security | Detective | |
| Include information flows to third parties in the data flow diagram. CC ID 13185 | Technical security | Preventive | |
| Document where data-at-rest and data in transit is encrypted on the data flow diagram. CC ID 16412 | Technical security | Preventive | |
| Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 [Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. § 5.14 Control] | Technical security | Preventive | |
| Establish, implement, and maintain a document printing policy. CC ID 14384 | Technical security | Preventive | |
| Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 | Technical security | Preventive | |
| Establish, implement, and maintain information flow procedures. CC ID 04542 [Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. § 5.14 Control] | Technical security | Preventive | |
| Establish, implement, and maintain information exchange procedures. CC ID 11782 | Technical security | Preventive | |
| Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 [Access to external websites should be managed to reduce exposure to malicious content. § 8.23 Control] | Technical security | Preventive | |
| Revoke membership in the whitelist, as necessary. CC ID 13827 | Technical security | Corrective | |
| Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780 | Technical security | Preventive | |
| Establish, implement, and maintain a remote access and teleworking program. CC ID 04545 | Technical security | Preventive | |
| Include information security requirements in the remote access and teleworking program. CC ID 15704 | Technical security | Preventive | |
| Document and approve requests to bypass multifactor authentication. CC ID 15464 | Technical security | Preventive | |
| Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 [Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented. § 8.24 Control] | Technical security | Preventive | |
| Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Technical security | Preventive | |
| Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 [Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented. § 8.24 Control] | Technical security | Preventive | |
| Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Technical security | Preventive | |
| Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Technical security | Preventive | |
| Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 | Technical security | Preventive | |
| Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Technical security | Preventive | |
| Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Technical security | Preventive | |
| Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Technical security | Preventive | |
| Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Technical security | Preventive | |
| Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Technical security | Preventive | |
| Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Technical security | Preventive | |
| Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Technical security | Preventive | |
| Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Technical security | Preventive | |
| Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Technical security | Preventive | |
| Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Technical security | Preventive | |
| Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 | Technical security | Preventive | |
| Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 | Technical security | Preventive | |
| Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Technical security | Preventive | |
| Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Technical security | Preventive | |
| Establish, implement, and maintain a malicious code protection program. CC ID 00574 [Protection against malware should be implemented and supported by appropriate user awareness. § 8.7 Control] | Technical security | Preventive | |
| Establish, implement, and maintain malicious code protection procedures. CC ID 15483 | Technical security | Preventive | |
| Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Technical security | Preventive | |
| Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 | Technical security | Corrective | |
| Establish, implement, and maintain a physical security program. CC ID 11757 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a facility physical security program. CC ID 00711 [Security perimeters should be defined and used to protect areas that contain information and other associated assets. § 7.1 Control Physical security for offices, rooms and facilities should be designed and implemented. § 7.3 Control] | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Physical and environmental protection | Preventive | |
| Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Physical and environmental protection | Preventive | |
| Define communication methods for reporting crimes. CC ID 06349 | Physical and environmental protection | Preventive | |
| Include identification cards or badges in the physical security program. CC ID 14818 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain floor plans. CC ID 16419 | Physical and environmental protection | Preventive | |
| Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Physical and environmental protection | Preventive | |
| Post and maintain security signage for all facilities. CC ID 02201 | Physical and environmental protection | Preventive | |
| Identify and document physical access controls for all physical entry points. CC ID 01637 [Secure areas should be protected by appropriate entry controls and access points. § 7.2 Control] | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain physical access procedures. CC ID 13629 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a visitor access permission policy. CC ID 06699 | Physical and environmental protection | Preventive | |
| Escort visitors within the facility, as necessary. CC ID 06417 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Physical and environmental protection | Preventive | |
| Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 | Physical and environmental protection | Preventive | |
| Authorize physical access to sensitive areas based on job functions. CC ID 12462 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain physical identification procedures. CC ID 00713 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Preventive | |
| Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Corrective | |
| Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 | Physical and environmental protection | Preventive | |
| Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Preventive | |
| Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Preventive | |
| Include an identity registration process in the identification issuance procedures. CC ID 11671 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a door security standard. CC ID 06686 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 | Physical and environmental protection | Preventive | |
| Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a window security standard. CC ID 06689 | Physical and environmental protection | Preventive | |
| Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain after hours facility access procedures. CC ID 06340 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 [Security measures for working in secure areas should be designed and implemented. § 7.6 Control] | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain emergency exit procedures. CC ID 01252 | Physical and environmental protection | Preventive | |
| Establish, Implement, and maintain a camera operating policy. CC ID 15456 | Physical and environmental protection | Preventive | |
| Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 | Physical and environmental protection | Preventive | |
| Record the date and time of entry in the visitor log. CC ID 13255 | Physical and environmental protection | Preventive | |
| Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a physical access log. CC ID 12080 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain physical security threat reports. CC ID 02207 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a facility wall standard. CC ID 06692 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a media protection policy. CC ID 14029 | Physical and environmental protection | Preventive | |
| Include compliance requirements in the media protection policy. CC ID 14185 | Physical and environmental protection | Preventive | |
| Include coordination amongst entities in the media protection policy. CC ID 14184 | Physical and environmental protection | Preventive | |
| Include management commitment in the media protection policy. CC ID 14182 | Physical and environmental protection | Preventive | |
| Include roles and responsibilities in the media protection policy. CC ID 14180 | Physical and environmental protection | Preventive | |
| Include the scope in the media protection policy. CC ID 14167 | Physical and environmental protection | Preventive | |
| Include the purpose in the media protection policy. CC ID 14166 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain media protection procedures. CC ID 14062 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain storage media access control procedures. CC ID 00959 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 | Physical and environmental protection | Preventive | |
| Include Information Technology assets in the asset removal policy. CC ID 13162 | Physical and environmental protection | Preventive | |
| Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 [{be accessible} Information stored on, processed by or accessible via user endpoint devices should be protected. § 8.1 Control] | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a locking screen saver policy. CC ID 06717 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a mobile device management program. CC ID 15212 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain mobile device security guidelines. CC ID 04723 | Physical and environmental protection | Preventive | |
| Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 | Physical and environmental protection | Preventive | |
| Include legal requirements in the mobile device security guidelines. CC ID 12291 | Physical and environmental protection | Preventive | |
| Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 | Physical and environmental protection | Preventive | |
| Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 | Physical and environmental protection | Preventive | |
| Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain asset return procedures. CC ID 04537 [Personnel and other interested parties as appropriate should return all the organization's assets in their possession upon change or termination of their employment, contract or agreement. § 5.11 Control] | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain open storage container procedures. CC ID 02198 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a clean desk policy. CC ID 06534 [Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced. § 7.7 Control] | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain contact card reader security guidelines. CC ID 06588 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain contactless card reader security guidelines. CC ID 06589 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain Personal Identification Number input device security guidelines. CC ID 06590 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain clean energy standards. CC ID 16285 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain environmental control procedures. CC ID 12246 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain facility maintenance procedures. CC ID 00710 | Physical and environmental protection | Preventive | |
| Define selection criteria for facility locations. CC ID 06351 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain facility demolition procedures. CC ID 16133 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain work environment requirements. CC ID 06613 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain system cleanliness requirements. CC ID 06614 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a fire prevention and fire suppression standard. CC ID 06695 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain electromagnetic compatibility requirements for in scope assets. CC ID 16472 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a continuity plan. CC ID 00752 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain organizational facility continuity plans. CC ID 02224 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain system continuity plan strategies. CC ID 00735 [ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. § 5.30 Control] | Operational and Systems Continuity | Preventive | |
| Include emergency operating procedures in the continuity plan. CC ID 11694 | Operational and Systems Continuity | Preventive | |
| Include a system acquisition process for critical systems in the emergency mode operation plan. CC ID 01369 | Operational and Systems Continuity | Preventive | |
| Define and prioritize critical business functions. CC ID 00736 | Operational and Systems Continuity | Detective | |
| Review and prioritize the importance of each business process. CC ID 11689 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 | Operational and Systems Continuity | Preventive | |
| Define and prioritize critical business records. CC ID 11687 | Operational and Systems Continuity | Preventive | |
| Include the protection of personnel in the continuity plan. CC ID 06378 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a critical personnel list. CC ID 00739 | Operational and Systems Continuity | Detective | |
| Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a critical third party list. CC ID 06815 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a critical resource list. CC ID 00740 | Operational and Systems Continuity | Detective | |
| Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 | Operational and Systems Continuity | Preventive | |
| Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 | Operational and Systems Continuity | Preventive | |
| Include workstation continuity procedures in the continuity plan. CC ID 01378 | Operational and Systems Continuity | Preventive | |
| Include server continuity procedures in the continuity plan. CC ID 01379 | Operational and Systems Continuity | Preventive | |
| Include website continuity procedures in the continuity plan. CC ID 01380 | Operational and Systems Continuity | Preventive | |
| Include near-line capabilities in the continuity plan. CC ID 01383 | Operational and Systems Continuity | Preventive | |
| Include online capabilities in the continuity plan. CC ID 11690 | Operational and Systems Continuity | Preventive | |
| Include mainframe continuity procedures in the continuity plan. CC ID 01382 | Operational and Systems Continuity | Preventive | |
| Include telecommunications continuity procedures in the continuity plan. CC ID 11691 | Operational and Systems Continuity | Preventive | |
| Include system continuity procedures in the continuity plan. CC ID 01268 | Operational and Systems Continuity | Preventive | |
| Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743 | Operational and Systems Continuity | Detective | |
| Include Local Area Network continuity procedures in the continuity plan. CC ID 01381 | Operational and Systems Continuity | Preventive | |
| Include Wide Area Network continuity procedures in the continuity plan. CC ID 01294 | Operational and Systems Continuity | Preventive | |
| Include priority-of-service provisions in the telecommunications Service Level Agreements. CC ID 01396 | Operational and Systems Continuity | Preventive | |
| Include emergency power continuity procedures in the continuity plan. CC ID 01254 | Operational and Systems Continuity | Preventive | |
| Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain at-risk structure removal or relocation procedures. CC ID 01247 | Operational and Systems Continuity | Preventive | |
| Designate an alternate facility in the continuity plan. CC ID 00742 | Operational and Systems Continuity | Detective | |
| Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs. CC ID 01391 | Operational and Systems Continuity | Preventive | |
| Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Operational and Systems Continuity | Preventive | |
| Include a backup rotation scheme in the backup policy. CC ID 16219 | Operational and Systems Continuity | Preventive | |
| Include naming conventions in the backup policy. CC ID 16218 | Operational and Systems Continuity | Preventive | |
| Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 | Operational and Systems Continuity | Preventive | |
| Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259 | Operational and Systems Continuity | Preventive | |
| Log the execution of each backup. CC ID 00956 | Operational and Systems Continuity | Preventive | |
| Digitally sign disk images, as necessary. CC ID 06814 | Operational and Systems Continuity | Preventive | |
| Include emergency communications procedures in the continuity plan. CC ID 00750 | Operational and Systems Continuity | Preventive | |
| Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 | Operational and Systems Continuity | Preventive | |
| Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 | Operational and Systems Continuity | Preventive | |
| Minimize system continuity requirements. CC ID 00753 | Operational and Systems Continuity | Preventive | |
| Include purchasing insurance in the continuity plan. CC ID 00762 | Operational and Systems Continuity | Preventive | |
| Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 | Operational and Systems Continuity | Detective | |
| Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 | Operational and Systems Continuity | Detective | |
| Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 | Operational and Systems Continuity | Detective | |
| Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 | Operational and Systems Continuity | Preventive | |
| Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 | Operational and Systems Continuity | Preventive | |
| Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 | Operational and Systems Continuity | Preventive | |
| Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 | Operational and Systems Continuity | Preventive | |
| Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 | Operational and Systems Continuity | Detective | |
| Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Preventive | |
| Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Preventive | |
| Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Preventive | |
| Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Preventive | |
| Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Preventive | |
| Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Preventive | |
| Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Human Resources management | Preventive | |
| Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Preventive | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Preventive | |
| Document security awareness requirements. CC ID 12146 | Human Resources management | Preventive | |
| Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 [Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function. § 6.3 Control] | Human Resources management | Preventive | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 [Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization. § 5.4 Control Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. § 5.1 Control] | Human Resources management | Preventive | |
| Establish, implement, and maintain a Code of Conduct. CC ID 04897 | Human Resources management | Preventive | |
| Establish, implement, and maintain a capacity management plan. CC ID 11751 | Operational management | Preventive | |
| Establish, implement, and maintain a capacity planning baseline. CC ID 13492 [The use of resources should be monitored and adjusted in line with current and expected capacity requirements. § 8.6 Control] | Operational management | Preventive | |
| Establish, implement, and maintain cloud service agreements. CC ID 13157 | Operational management | Preventive | |
| Include the asset removal policy in the cloud service agreement. CC ID 13161 | Operational management | Preventive | |
| Include cloud security requirements in the cloud management procedures. CC ID 16366 | Operational management | Preventive | |
| Establish, implement, and maintain a cloud service usage standard. CC ID 13143 | Operational management | Preventive | |
| Include the roles and responsibilities of cloud service users in the cloud service usage standard. CC ID 13984 | Operational management | Preventive | |
| Include information security requirements in the cloud service usage standard. CC ID 13148 | Operational management | Preventive | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
| Establish, implement, and maintain an internal control framework. CC ID 00820 | Operational management | Preventive | |
| Include security information sharing procedures in the internal control framework. CC ID 06489 [The organization should establish and maintain contact with relevant authorities. § 5.5 Control] | Operational management | Preventive | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Preventive | |
| Include risk management in the information security program. CC ID 12378 | Operational management | Preventive | |
| Include mitigating supply chain risks in the information security program. CC ID 13352 [Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain. § 5.21 Control Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier's products or services. § 5.19 Control] | Operational management | Preventive | |
| Establish, implement, and maintain an information security policy. CC ID 11740 [Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. § 5.1 Control] | Operational management | Preventive | |
| Include business processes in the information security policy. CC ID 16326 | Operational management | Preventive | |
| Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Preventive | |
| Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Preventive | |
| Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Preventive | |
| Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Preventive | |
| Include information security objectives in the information security policy. CC ID 13493 | Operational management | Preventive | |
| Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Preventive | |
| Include notification procedures in the information security policy. CC ID 16842 | Operational management | Preventive | |
| Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Preventive | |
| Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Preventive | |
| Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 [Information security roles and responsibilities should be defined and allocated according to the organization needs. § 5.2 Control] | Operational management | Preventive | |
| Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Preventive | |
| Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 [Operating procedures for information processing facilities should be documented and made available to personnel who need them. § 5.37 Control] | Operational management | Preventive | |
| Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Preventive | |
| Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Preventive | |
| Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Preventive | |
| Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Preventive | |
| Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Preventive | |
| Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Preventive | |
| Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Preventive | |
| Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Preventive | |
| Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Preventive | |
| Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Preventive | |
| Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Preventive | |
| Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Preventive | |
| Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Corrective | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Preventive | |
| Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 [Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. § 5.10 Control] | Operational management | Preventive | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 [Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. § 5.10 Control] | Operational management | Preventive | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Preventive | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Preventive | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Preventive | |
| Include a software installation policy in the Acceptable Use Policy. CC ID 06749 [Procedures and measures should be implemented to securely manage software installation on operational systems. § 8.19 Control] | Operational management | Preventive | |
| Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Preventive | |
| Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 [The organization should implement appropriate procedures to protect intellectual property rights. § 5.32 Control] | Operational management | Preventive | |
| Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [{confidentiality agreement} Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties. § 6.6 Control] | Operational management | Preventive | |
| Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 [{confidentiality agreement} Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties. § 6.6 Control] | Operational management | Preventive | |
| Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Preventive | |
| Establish, implement, and maintain a use of information agreement. CC ID 06215 [Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. § 5.14 Control] | Operational management | Preventive | |
| Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Preventive | |
| Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Preventive | |
| Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Preventive | |
| Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Preventive | |
| Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Preventive | |
| Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Operational management | Preventive | |
| Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Preventive | |
| Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Preventive | |
| Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Preventive | |
| Establish, implement, and maintain a network management program. CC ID 13123 [Networks and network devices should be secured, managed and controlled to protect information in systems and applications. § 8.20 Control] | Operational management | Preventive | |
| Include quality of service requirements in the network management program. CC ID 16429 | Operational management | Preventive | |
| Document the network design in the network management program. CC ID 13135 | Operational management | Preventive | |
| Establish, implement, and maintain network documentation. CC ID 16497 | Operational management | Preventive | |
| Establish, implement, and maintain an asset management policy. CC ID 15219 | Operational management | Preventive | |
| Establish, implement, and maintain asset management procedures. CC ID 16748 | Operational management | Preventive | |
| Include life cycle requirements in the security management program. CC ID 16392 | Operational management | Preventive | |
| Include program objectives in the asset management program. CC ID 14413 | Operational management | Preventive | |
| Include a commitment to continual improvement in the asset management program. CC ID 14412 | Operational management | Preventive | |
| Include compliance with applicable requirements in the asset management program. CC ID 14411 | Operational management | Preventive | |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Preventive | |
| Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Operational management | Preventive | |
| Define confidentiality controls. CC ID 01908 | Operational management | Preventive | |
| Establish, implement, and maintain the systems' availability level. CC ID 01905 | Operational management | Preventive | |
| Define integrity controls. CC ID 01909 | Operational management | Preventive | |
| Establish, implement, and maintain the systems' integrity level. CC ID 01906 | Operational management | Preventive | |
| Define availability controls. CC ID 01911 | Operational management | Preventive | |
| Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 | Operational management | Preventive | |
| Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 | Operational management | Preventive | |
| Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 | Operational management | Preventive | |
| Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Operational management | Preventive | |
| Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Operational management | Preventive | |
| Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 | Operational management | Preventive | |
| Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Preventive | |
| Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Operational management | Preventive | |
| Categorize all major applications according to the business information they process. CC ID 07182 | Operational management | Preventive | |
| Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Operational management | Preventive | |
| Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Operational management | Preventive | |
| Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Operational management | Preventive | |
| Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Operational management | Preventive | |
| Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Operational management | Preventive | |
| Include network equipment in the Information Technology inventory. CC ID 00693 | Operational management | Preventive | |
| Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Operational management | Preventive | |
| Include software in the Information Technology inventory. CC ID 00692 | Operational management | Preventive | |
| Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Operational management | Preventive | |
| Establish, implement, and maintain a storage media inventory. CC ID 00694 | Operational management | Preventive | |
| Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Operational management | Detective | |
| Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 [An inventory of information and other associated assets, including owners, should be developed and maintained. § 5.9 Control] | Operational management | Preventive | |
| Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Operational management | Preventive | |
| Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Operational management | Preventive | |
| Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Preventive | |
| Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Preventive | |
| Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Preventive | |
| Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Preventive | |
| Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Preventive | |
| Record the software version in the asset inventory. CC ID 12196 | Operational management | Preventive | |
| Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Preventive | |
| Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Preventive | |
| Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Preventive | |
| Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Preventive | |
| Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 | Operational management | Preventive | |
| Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Operational management | Preventive | |
| Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Preventive | |
| Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Preventive | |
| Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Preventive | |
| Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Operational management | Preventive | |
| Record the department associated with the asset in the asset inventory. CC ID 12084 | Operational management | Preventive | |
| Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Operational management | Preventive | |
| Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Operational management | Preventive | |
| Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Preventive | |
| Record the related business function for applicable assets in the asset inventory. CC ID 06636 | Operational management | Preventive | |
| Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Operational management | Preventive | |
| Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Operational management | Preventive | |
| Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Operational management | Preventive | |
| Record the owner for applicable assets in the asset inventory. CC ID 06640 [An inventory of information and other associated assets, including owners, should be developed and maintained. § 5.9 Control] | Operational management | Preventive | |
| Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Preventive | |
| Record all changes to assets in the asset inventory. CC ID 12190 | Operational management | Preventive | |
| Record cloud service derived data in the asset inventory. CC ID 13007 | Operational management | Preventive | |
| Include cloud service customer data in the asset inventory. CC ID 13006 | Operational management | Preventive | |
| Establish, implement, and maintain a software accountability policy. CC ID 00868 | Operational management | Preventive | |
| Establish, implement, and maintain software asset management procedures. CC ID 00895 | Operational management | Preventive | |
| Establish, implement, and maintain software archives procedures. CC ID 00866 | Operational management | Preventive | |
| Establish, implement, and maintain software distribution procedures. CC ID 00894 | Operational management | Preventive | |
| Establish, implement, and maintain software documentation management procedures. CC ID 06395 | Operational management | Preventive | |
| Establish, implement, and maintain software license management procedures. CC ID 06639 | Operational management | Preventive | |
| Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Operational management | Preventive | |
| Establish, implement, and maintain a system redeployment program. CC ID 06276 | Operational management | Preventive | |
| Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 | Operational management | Preventive | |
| Redeploy systems to other organizational units, as necessary. CC ID 11452 | Operational management | Preventive | |
| Establish, implement, and maintain a system disposal program. CC ID 14431 | Operational management | Preventive | |
| Establish, implement, and maintain disposal procedures. CC ID 16513 | Operational management | Preventive | |
| Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Operational management | Preventive | |
| Establish, implement, and maintain system destruction procedures. CC ID 16474 | Operational management | Preventive | |
| Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Operational management | Preventive | |
| Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information. § 7.13 Control] | Operational management | Preventive | |
| Establish and maintain maintenance reports. CC ID 11749 | Operational management | Preventive | |
| Establish and maintain system inspection reports. CC ID 06346 | Operational management | Preventive | |
| Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Operational management | Preventive | |
| Include compliance requirements in the system maintenance policy. CC ID 14217 | Operational management | Preventive | |
| Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Preventive | |
| Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Preventive | |
| Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Preventive | |
| Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Preventive | |
| Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Preventive | |
| Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Operational management | Preventive | |
| Establish, implement, and maintain a technology refresh plan. CC ID 13061 | Operational management | Preventive | |
| Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Operational management | Preventive | |
| Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Operational management | Preventive | |
| Establish, implement, and maintain an end-of-life management process. CC ID 16540 | Operational management | Preventive | |
| Establish, implement, and maintain disposal contracts. CC ID 12199 | Operational management | Preventive | |
| Include disposal procedures in disposal contracts. CC ID 13905 | Operational management | Preventive | |
| Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 | Operational management | Preventive | |
| Establish, implement, and maintain a data stewardship policy. CC ID 06657 | Operational management | Preventive | |
| Establish and maintain an unauthorized software list. CC ID 10601 | Operational management | Preventive | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
| Establish, implement, and maintain an incident management policy. CC ID 16414 | Operational management | Preventive | |
| Define the uses and capabilities of the Incident Management program. CC ID 00854 | Operational management | Preventive | |
| Include incident escalation procedures in the Incident Management program. CC ID 00856 | Operational management | Preventive | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Preventive | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Operational management | Preventive | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 | Operational management | Preventive | |
| Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Operational management | Preventive | |
| Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Preventive | |
| Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 | Operational management | Preventive | |
| Document the incident and any relevant evidence in the incident report. CC ID 08659 | Operational management | Detective | |
| Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Preventive | |
| Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Detective | |
| Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Detective | |
| Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Corrective | |
| Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Preventive | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Preventive | |
| Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Operational management | Preventive | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Preventive | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Preventive | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Corrective | |
| Include information required by law in incident response notifications. CC ID 00802 | Operational management | Detective | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Preventive | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Preventive | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Preventive | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Preventive | |
| Use plain language to write incident response notifications. CC ID 12976 | Operational management | Preventive | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Preventive | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Preventive | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Preventive | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Preventive | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Preventive | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Preventive | |
| Include time information in incident response notifications. CC ID 04745 | Operational management | Preventive | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Preventive | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Preventive | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Preventive | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Preventive | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Preventive | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Preventive | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Preventive | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Preventive | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Preventive | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Preventive | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Preventive | |
| Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Preventive | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Preventive | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Preventive | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Detective | |
| Include contact information in incident response notifications. CC ID 04739 | Operational management | Preventive | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Preventive | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Preventive | |
| Establish, implement, and maintain a containment strategy. CC ID 13480 [{be appropriate} The organization should plan how to maintain information security at an appropriate level during disruption. § 5.29 Control] | Operational management | Preventive | |
| Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Preventive | |
| Include response times in the containment strategy. CC ID 13485 | Operational management | Preventive | |
| Include incident recovery procedures in the Incident Management program. CC ID 01758 | Operational management | Corrective | |
| Establish, implement, and maintain a restoration log. CC ID 12745 | Operational management | Preventive | |
| Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Operational management | Preventive | |
| Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Preventive | |
| Update the incident response procedures using the lessons learned. CC ID 01233 | Operational management | Preventive | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 | Operational management | Preventive | |
| Include incident response procedures in the Incident Management program. CC ID 01218 | Operational management | Preventive | |
| Include incident management procedures in the Incident Management program. CC ID 12689 | Operational management | Preventive | |
| Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Operational management | Corrective | |
| Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Preventive | |
| Include after-action analysis procedures in the Incident Management program. CC ID 01219 | Operational management | Preventive | |
| Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Operational management | Preventive | |
| Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Operational management | Preventive | |
| Log incidents in the Incident Management audit log. CC ID 00857 | Operational management | Preventive | |
| Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Preventive | |
| Include emergency processing priorities in the Incident Management program. CC ID 00859 | Operational management | Preventive | |
| Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Operational management | Preventive | |
| Include incident record closure procedures in the Incident Management program. CC ID 01620 | Operational management | Preventive | |
| Include incident reporting procedures in the Incident Management program. CC ID 11772 [The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner. § 6.8 Control] | Operational management | Preventive | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Preventive | |
| Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Preventive | |
| Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 | Operational management | Preventive | |
| Establish, implement, and maintain incident response procedures. CC ID 01206 [Information security incidents should be responded to in accordance with the documented procedures. § 5.26 Control] | Operational management | Detective | |
| Include references to industry best practices in the incident response procedures. CC ID 11956 | Operational management | Preventive | |
| Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Operational management | Preventive | |
| Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 | Operational management | Preventive | |
| Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 [The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. § 5.28 Control] | Operational management | Preventive | |
| Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Operational management | Preventive | |
| Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215 [The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. § 5.24 Control The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. § 5.24 Control] | Operational management | Preventive | |
| Establish, implement, and maintain a performance management standard. CC ID 01615 | Operational management | Preventive | |
| Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 [The use of resources should be monitored and adjusted in line with current and expected capacity requirements. § 8.6 Control] | Operational management | Preventive | |
| Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 | Operational management | Preventive | |
| Include the security mechanisms of network services in the Service Level Agreement. CC ID 12023 [Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored. § 8.21 Control] | Operational management | Preventive | |
| Include the management requirements for network services in the Service Level Agreement. CC ID 12025 [Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored. § 8.21 Control] | Operational management | Preventive | |
| Include the service levels for network services in the Service Level Agreement. CC ID 12024 [Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored. § 8.21 Control] | Operational management | Preventive | |
| Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Preventive | |
| Provide audit trails for all approved changes. CC ID 13120 | Operational management | Preventive | |
| Establish, implement, and maintain a Configuration Management program. CC ID 00867 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 [Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. § 8.9 Control] | System hardening through configuration management | Preventive | |
| Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | System hardening through configuration management | Preventive | |
| Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | System hardening through configuration management | Preventive | |
| Include the applied security patches in the baseline configuration. CC ID 13271 | System hardening through configuration management | Preventive | |
| Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | System hardening through configuration management | Preventive | |
| Include installed custom software in the baseline configuration. CC ID 13274 | System hardening through configuration management | Preventive | |
| Include network ports in the baseline configuration. CC ID 13273 | System hardening through configuration management | Preventive | |
| Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain an authenticator standard. CC ID 01702 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain an authenticator management system. CC ID 12031 [Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information. § 5.17 Control] | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain authenticator procedures. CC ID 12002 | System hardening through configuration management | Preventive | |
| Configure the "minimum number of digits required for new passwords" setting to organizational standards. CC ID 08717 | System hardening through configuration management | Preventive | |
| Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards. CC ID 08718 | System hardening through configuration management | Preventive | |
| Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards. CC ID 08719 | System hardening through configuration management | Preventive | |
| Configure the "minimum number of special characters required for new passwords" setting to organizational standards. CC ID 08720 | System hardening through configuration management | Preventive | |
| Configure the "require new passwords to differ from old ones by the appropriate minimum number of characters" setting to organizational standards. CC ID 08722 | System hardening through configuration management | Preventive | |
| Configure the "password reuse" setting to organizational standards. CC ID 08724 | System hardening through configuration management | Preventive | |
| Configure the "shadow password for all accounts in /etc/passwd" setting to organizational standards. CC ID 08721 | System hardening through configuration management | Preventive | |
| Configure the "password hashing algorithm" setting to organizational standards. CC ID 08723 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Preventive | |
| Establish, implement, and maintain a record classification scheme. CC ID 00914 | Records management | Preventive | |
| Establish, implement, and maintain a records authentication system. CC ID 11648 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. § 5.33 Control] | Records management | Preventive | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Detective | |
| Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 [Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements. § 7.10 Control] | Records management | Preventive | |
| Establish, implement, and maintain records disposition procedures. CC ID 00971 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. § 5.33 Control] | Records management | Preventive | |
| Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 | Records management | Preventive | |
| Maintain disposal records or redeployment records. CC ID 01644 | Records management | Preventive | |
| Include the name of the signing officer in the disposal record. CC ID 15710 | Records management | Preventive | |
| Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Preventive | |
| Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. § 5.33 Control] | Records management | Preventive | |
| Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 | Records management | Preventive | |
| Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 [Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements. § 7.10 Control] | Records management | Preventive | |
| Establish, implement, and maintain security label procedures. CC ID 06747 [An appropriate set of procedures for information labelling should be developed and implementedpan> in accordance with the information classification scheme nd-color:#CBD0E5;" class="term_secondary-verb">adopted by the organization. § 5.13 Control] | Records management | Preventive | |
| Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Records management | Preventive | |
| Conspicuously locate the restricted record's overall classification. CC ID 01890 | Records management | Preventive | |
| Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Records management | Preventive | |
| Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Records management | Preventive | |
| Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Records management | Preventive | |
| Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Records management | Preventive | |
| Establish the minimum originator requirements for security labels. CC ID 06579 | Records management | Preventive | |
| Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Records management | Preventive | |
| Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Records management | Preventive | |
| Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Records management | Preventive | |
| Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Records management | Preventive | |
| Establish, implement, and maintain an information preservation policy. CC ID 16483 | Records management | Preventive | |
| Establish, implement, and maintain information preservation procedures. CC ID 06277 | Records management | Preventive | |
| Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Records management | Preventive | |
| Provide audit trails for all pertinent records. CC ID 00372 | Records management | Detective | |
| Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Records management | Preventive | |
| Include the date and time in the removable storage media log. CC ID 12318 | Records management | Preventive | |
| Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Records management | Preventive | |
| Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Records management | Preventive | |
| Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Records management | Preventive | |
| Include the sender's name in the removable storage media log. CC ID 12752 | Records management | Preventive | |
| Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Records management | Preventive | |
| Include the reason for transfer in the removable storage media log. CC ID 12316 | Records management | Preventive | |
| Document all actions taken when downgrading electronic storage media. CC ID 10622 | Records management | Preventive | |
| Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057 | Systems design, build, and implementation | Preventive | |
| Include continuous protection of systems or system components in the security design principles. CC ID 14748 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain a system design project management framework. CC ID 00990 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain project management standards. CC ID 00992 [Information security should be integrated into project management. § 5.8 Control] | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain a project program documentation standard. CC ID 00995 | Systems design, build, and implementation | Preventive | |
| Include budgeting for projects in the project management standard. CC ID 13136 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain integrated project plans. CC ID 01056 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain a project control program. CC ID 01612 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain a project test plan. CC ID 01001 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain a project team plan. CC ID 06533 | Systems design, build, and implementation | Preventive | |
| Include the addition of new hires, part-time employees, or third party assistance in the project team plan. CC ID 11731 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain a project management training plan. CC ID 01002 | Systems design, build, and implementation | Preventive | |
| Specify appropriate tools for the system development project. CC ID 06830 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain outsourced development procedures. CC ID 01141 | Systems design, build, and implementation | Preventive | |
| Establish and maintain a coding manual for secure coding techniques. CC ID 11863 [Rules for the secure development of software and systems should be established and applied. § 8.25 Control] | Systems design, build, and implementation | Preventive | |
| Include all confidentiality, integrity, and availability functions in the system design specification. CC ID 04556 | Systems design, build, and implementation | Preventive | |
| Include the relationships and dependencies between modules in the system design specification. CC ID 04559 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain a security policy model document. CC ID 04560 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain a system testing policy. CC ID 01102 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain system testing procedures. CC ID 11744 [Security testing processes should be defined and implemented in the development life cycle. § 8.29 Control] | Systems design, build, and implementation | Preventive | |
| Evaluate and document all known code anomalies and code deficiencies. CC ID 06611 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain poor quality material removal procedures. CC ID 06214 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain system acquisition contracts. CC ID 14758 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include security requirements in system acquisition contracts. CC ID 01124 [Information security requirements should be identified, specified and approved when developing or acquiring applications. § 8.26 Control] | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include operational requirements in system acquisition contracts. CC ID 00825 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Provide suppliers with operational requirement information needed to define required service levels in system acquisition contracts. CC ID 06890 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include required service levels in system acquisition contracts. CC ID 11652 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include security controls in system acquisition contracts. CC ID 01125 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Obtain system documentation before acquiring products and services. CC ID 01445 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include a description of the use and maintenance of security functions in the administration documentation. CC ID 14309 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include a description of the known vulnerabilities for administrative functions in the administration documentation. CC ID 14302 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include instructions on how to use the security functions in the user documentation. CC ID 14314 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include security functions in the user documentation. CC ID 14313 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include user responsibilities for maintaining system security in the user documentation. CC ID 14312 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include a description of user interactions in the user documentation. CC ID 14311 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Require the information system developer to create a continuous monitoring plan. CC ID 14307 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [The organization should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements. § 5.34 Control] | Privacy protection for information and data | Preventive | |
| Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 | Privacy protection for information and data | Preventive | |
| Establish and maintain privacy notices, as necessary. CC ID 13443 | Privacy protection for information and data | Preventive | |
| Include the purpose of the privacy notice in the privacy notice. CC ID 13526 | Privacy protection for information and data | Preventive | |
| Include the processing purpose in the privacy notice. CC ID 16543 | Privacy protection for information and data | Preventive | |
| Include contact information in the privacy notice. CC ID 14432 | Privacy protection for information and data | Preventive | |
| Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 | Privacy protection for information and data | Preventive | |
| Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Privacy protection for information and data | Preventive | |
| Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 | Privacy protection for information and data | Preventive | |
| Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 | Privacy protection for information and data | Preventive | |
| Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 | Privacy protection for information and data | Preventive | |
| Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 | Privacy protection for information and data | Preventive | |
| Include the personal data collection categories in the privacy notice. CC ID 13457 | Privacy protection for information and data | Preventive | |
| Include disclosure exceptions in the privacy notice. CC ID 13447 | Privacy protection for information and data | Preventive | |
| Include the types of personal data disclosed in the privacy notice. CC ID 13446 | Privacy protection for information and data | Preventive | |
| Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Privacy protection for information and data | Preventive | |
| Specify the time frame that notice will be given. CC ID 00385 | Privacy protection for information and data | Preventive | |
| Include the information about the appeal process in the privacy notice. CC ID 15312 | Privacy protection for information and data | Preventive | |
| Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 | Privacy protection for information and data | Preventive | |
| Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Privacy protection for information and data | Preventive | |
| Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 | Privacy protection for information and data | Corrective | |
| Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 | Privacy protection for information and data | Preventive | |
| Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 | Privacy protection for information and data | Preventive | |
| Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 | Privacy protection for information and data | Preventive | |
| Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain opt-out notices. CC ID 13448 | Privacy protection for information and data | Preventive | |
| Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 | Privacy protection for information and data | Preventive | |
| Include the opt out method for data subjects in the opt-out notice. CC ID 13467 | Privacy protection for information and data | Preventive | |
| Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 | Privacy protection for information and data | Preventive | |
| Explain the right to opt out in the opt-out notice. CC ID 13462 | Privacy protection for information and data | Preventive | |
| Include the organization's right to share personal data in the opt-out notice. CC ID 13450 | Privacy protection for information and data | Preventive | |
| Provide the data subject with a notice of participation procedures. CC ID 06241 | Privacy protection for information and data | Preventive | |
| Publish a description of processing activities in an official register. CC ID 00379 | Privacy protection for information and data | Preventive | |
| Establish and maintain a records request manual. CC ID 00381 | Privacy protection for information and data | Preventive | |
| Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 | Privacy protection for information and data | Preventive | |
| Define what is included in registration notices. CC ID 00386 | Privacy protection for information and data | Preventive | |
| Include the verification method in the registration notice. CC ID 16798 | Privacy protection for information and data | Preventive | |
| Include the statutory authority in the registration notice. CC ID 16799 | Privacy protection for information and data | Preventive | |
| Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Privacy protection for information and data | Preventive | |
| Include a purpose specification description in the registration notice. CC ID 00388 | Privacy protection for information and data | Preventive | |
| Include information about the dispute resolution body in the registration notice. CC ID 16800 | Privacy protection for information and data | Preventive | |
| Include the data subject category being processed in the registration notice. CC ID 00389 | Privacy protection for information and data | Preventive | |
| Include the time period for data processing in the registration notice. CC ID 00390 | Privacy protection for information and data | Preventive | |
| Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 | Privacy protection for information and data | Preventive | |
| Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 | Privacy protection for information and data | Preventive | |
| Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 | Privacy protection for information and data | Preventive | |
| Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 | Privacy protection for information and data | Preventive | |
| Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 | Privacy protection for information and data | Preventive | |
| Specify the purpose of the disclosure in the written consent. CC ID 13001 | Privacy protection for information and data | Preventive | |
| Specify which education records may be disclosed in the written consent. CC ID 13000 | Privacy protection for information and data | Preventive | |
| Document the conditions when consent is not required to disclose educational data. CC ID 00225 | Privacy protection for information and data | Preventive | |
| Record the health and safety threats of students when disclosing personal data. CC ID 12997 | Privacy protection for information and data | Preventive | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Preventive | |
| Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 | Privacy protection for information and data | Preventive | |
| Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 | Privacy protection for information and data | Preventive | |
| Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Preventive | |
| Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 | Privacy protection for information and data | Preventive | |
| Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 | Privacy protection for information and data | Preventive | |
| Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 | Privacy protection for information and data | Preventive | |
| Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Privacy protection for information and data | Preventive | |
| Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Privacy protection for information and data | Preventive | |
| Include the disclosure date in the disclosure accounting record. CC ID 07133 | Privacy protection for information and data | Preventive | |
| Include the disclosure recipient in the disclosure accounting record. CC ID 07134 | Privacy protection for information and data | Preventive | |
| Include the disclosure purpose in the disclosure accounting record. CC ID 07135 | Privacy protection for information and data | Preventive | |
| Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Privacy protection for information and data | Preventive | |
| Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Privacy protection for information and data | Preventive | |
| Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Privacy protection for information and data | Preventive | |
| Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Privacy protection for information and data | Preventive | |
| Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Privacy protection for information and data | Preventive | |
| Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Privacy protection for information and data | Preventive | |
| Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 | Privacy protection for information and data | Preventive | |
| Make telephone directory information available to the public. CC ID 08698 | Privacy protection for information and data | Preventive | |
| Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy policy. CC ID 06281 | Privacy protection for information and data | Preventive | |
| Include the data subject's rights in the privacy policy. CC ID 16355 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy policy model document. CC ID 14720 | Privacy protection for information and data | Preventive | |
| Document privacy policies in clearly written and easily understood language. CC ID 00376 | Privacy protection for information and data | Detective | |
| Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 | Privacy protection for information and data | Preventive | |
| Write privacy notices in the official languages required by law. CC ID 16529 | Privacy protection for information and data | Preventive | |
| Define what is included in the privacy policy. CC ID 00404 | Privacy protection for information and data | Preventive | |
| Define the information being collected in the privacy policy. CC ID 13115 | Privacy protection for information and data | Preventive | |
| Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 | Privacy protection for information and data | Preventive | |
| Include the means by which information is collected in the privacy policy. CC ID 13114 | Privacy protection for information and data | Preventive | |
| Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 | Privacy protection for information and data | Corrective | |
| Include roles and responsibilities in the privacy policy. CC ID 14669 | Privacy protection for information and data | Preventive | |
| Include management commitment in the privacy policy. CC ID 14668 | Privacy protection for information and data | Preventive | |
| Include coordination amongst entities in the privacy policy. CC ID 14667 | Privacy protection for information and data | Preventive | |
| Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 | Privacy protection for information and data | Preventive | |
| Include compliance requirements in the privacy policy. CC ID 14666 | Privacy protection for information and data | Preventive | |
| Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 | Privacy protection for information and data | Preventive | |
| Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 | Privacy protection for information and data | Corrective | |
| Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 | Privacy protection for information and data | Preventive | |
| Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 | Privacy protection for information and data | Preventive | |
| Include a complaint form in the privacy policy. CC ID 12364 | Privacy protection for information and data | Preventive | |
| Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 | Privacy protection for information and data | Preventive | |
| Include the processing purpose in the privacy policy. CC ID 00406 | Privacy protection for information and data | Preventive | |
| Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 | Privacy protection for information and data | Preventive | |
| Include the data subject categories being processed in the privacy policy. CC ID 00407 | Privacy protection for information and data | Preventive | |
| Define the retention period for collected information in the privacy policy. CC ID 13116 | Privacy protection for information and data | Preventive | |
| Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 | Privacy protection for information and data | Preventive | |
| Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 | Privacy protection for information and data | Preventive | |
| Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 | Privacy protection for information and data | Preventive | |
| Include instructions on how to opt-out in the privacy policy. CC ID 00411 | Privacy protection for information and data | Preventive | |
| Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 | Privacy protection for information and data | Preventive | |
| Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 | Privacy protection for information and data | Preventive | |
| Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 | Privacy protection for information and data | Preventive | |
| Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 | Privacy protection for information and data | Preventive | |
| Post the privacy policy in an easily seen location. CC ID 00401 | Privacy protection for information and data | Preventive | |
| Define who will receive the privacy policy. CC ID 00402 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain privacy procedures. CC ID 14665 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy plan. CC ID 14672 | Privacy protection for information and data | Preventive | |
| Include privacy requirements in the privacy plan. CC ID 14699 | Privacy protection for information and data | Preventive | |
| Include the information types in the privacy plan. CC ID 14695 | Privacy protection for information and data | Preventive | |
| Include threats in the privacy plan. CC ID 14694 | Privacy protection for information and data | Preventive | |
| Include roles and responsibilities in the privacy plan. CC ID 14702 | Privacy protection for information and data | Preventive | |
| Include a description of the operational context in the privacy plan. CC ID 14692 | Privacy protection for information and data | Preventive | |
| Include risk assessment results in the privacy plan. CC ID 14701 | Privacy protection for information and data | Preventive | |
| Include the security categorizations and rationale in the privacy plan. CC ID 14690 | Privacy protection for information and data | Preventive | |
| Include security controls in the privacy plan. CC ID 14681 | Privacy protection for information and data | Preventive | |
| Include a description of the operational environment in the privacy plan. CC ID 14679 | Privacy protection for information and data | Preventive | |
| Include network diagrams in the privacy plan. CC ID 14678 | Privacy protection for information and data | Preventive | |
| Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy report. CC ID 14754 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data choice and consent program. CC ID 12569 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data request procedures. CC ID 16546 | Privacy protection for information and data | Preventive | |
| Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 | Privacy protection for information and data | Preventive | |
| Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 | Privacy protection for information and data | Preventive | |
| Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Privacy protection for information and data | Preventive | |
| Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 | Privacy protection for information and data | Preventive | |
| Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 | Privacy protection for information and data | Preventive | |
| Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Privacy protection for information and data | Preventive | |
| Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Privacy protection for information and data | Preventive | |
| Include how personal data will be used in the disclosure authorization form. CC ID 13441 | Privacy protection for information and data | Preventive | |
| Include agreement termination information in the disclosure authorization form. CC ID 13437 | Privacy protection for information and data | Preventive | |
| Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Preventive | |
| Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Preventive | |
| Submit a safe harbor self-certification letter. CC ID 06871 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 | Privacy protection for information and data | Preventive | |
| Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 | Privacy protection for information and data | Preventive | |
| Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 | Privacy protection for information and data | Preventive | |
| Include data subject's rights in the Binding Corporate Rules. CC ID 12596 | Privacy protection for information and data | Preventive | |
| Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 | Privacy protection for information and data | Preventive | |
| Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 | Privacy protection for information and data | Preventive | |
| Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 | Privacy protection for information and data | Preventive | |
| Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 | Privacy protection for information and data | Preventive | |
| Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 | Privacy protection for information and data | Preventive | |
| Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 | Privacy protection for information and data | Preventive | |
| Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 | Privacy protection for information and data | Preventive | |
| Include complaint procedures in the Binding Corporate Rules. CC ID 12613 | Privacy protection for information and data | Preventive | |
| Include the data transfers in the Binding Corporate Rules. CC ID 12590 | Privacy protection for information and data | Preventive | |
| Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 | Privacy protection for information and data | Preventive | |
| Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 | Privacy protection for information and data | Preventive | |
| Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 | Privacy protection for information and data | Preventive | |
| Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 | Privacy protection for information and data | Preventive | |
| Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 | Privacy protection for information and data | Preventive | |
| Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 | Privacy protection for information and data | Preventive | |
| Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 | Privacy protection for information and data | Preventive | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Preventive | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 | Privacy protection for information and data | Preventive | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Preventive | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Privacy protection for information and data | Preventive | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 | Privacy protection for information and data | Preventive | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Privacy protection for information and data | Preventive | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 | Privacy protection for information and data | Preventive | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Preventive | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Privacy protection for information and data | Preventive | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Privacy protection for information and data | Preventive | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Privacy protection for information and data | Preventive | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Privacy protection for information and data | Preventive | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Preventive | |
| Document the law that requires restricted data to be collected. CC ID 00103 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Privacy protection for information and data | Preventive | |
| Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Preventive | |
| Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Preventive | |
| Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Preventive | |
| Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data access procedures. CC ID 00414 | Privacy protection for information and data | Preventive | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Preventive | |
| Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Preventive | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Privacy protection for information and data | Preventive | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Preventive | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Preventive | |
| Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Privacy protection for information and data | Preventive | |
| Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Privacy protection for information and data | Preventive | |
| Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Privacy protection for information and data | Preventive | |
| Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Privacy protection for information and data | Preventive | |
| Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Privacy protection for information and data | Preventive | |
| Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Privacy protection for information and data | Preventive | |
| Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Privacy protection for information and data | Preventive | |
| Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Preventive | |
| Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Privacy protection for information and data | Preventive | |
| Define and implement valid authorization control requirements. CC ID 06258 | Privacy protection for information and data | Preventive | |
| Define security breach notification requirement exceptions. CC ID 04797 | Privacy protection for information and data | Preventive | |
| Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Privacy protection for information and data | Preventive | |
| Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Preventive | |
| Define opt-out exceptions for disclosing restricted data. CC ID 00159 | Privacy protection for information and data | Preventive | |
| Define how a data subject may give consent. CC ID 00160 | Privacy protection for information and data | Preventive | |
| Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Privacy protection for information and data | Detective | |
| Establish, implement, and maintain restricted data retention procedures. CC ID 00167 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Privacy protection for information and data | Preventive | |
| Document the redisclosing restricted data exceptions. CC ID 00170 | Privacy protection for information and data | Preventive | |
| Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 | Privacy protection for information and data | Preventive | |
| Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Preventive | |
| Include cookie management in the privacy framework. CC ID 13809 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain cookie management procedures. CC ID 13810 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Preventive | |
| Post the collection purpose. CC ID 00101 | Privacy protection for information and data | Preventive | |
| Document each individual's personal data collection consent preferences. CC ID 06945 | Privacy protection for information and data | Preventive | |
| Establish and maintain a personal data definition. CC ID 00028 | Privacy protection for information and data | Preventive | |
| Include the number of children in the personal data definition. CC ID 13759 | Privacy protection for information and data | Preventive | |
| Include the individual's religion in the personal data definition. CC ID 13765 | Privacy protection for information and data | Preventive | |
| Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Privacy protection for information and data | Preventive | |
| Include an individual's license plate number in the personal data definition. CC ID 13763 | Privacy protection for information and data | Preventive | |
| Include an individual's account balances in the personal data definition. CC ID 13770 | Privacy protection for information and data | Preventive | |
| Include an individual's logon credentials in the personal data definition. CC ID 13771 | Privacy protection for information and data | Preventive | |
| Include an individual's military identification number in the personal data definition. CC ID 13083 | Privacy protection for information and data | Preventive | |
| Refrain from including publicly available information in the personal data definition. CC ID 13084 | Privacy protection for information and data | Preventive | |
| Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the data collector's name and contact information. CC ID 00024 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Detective | |
| Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain call metadata controls. CC ID 04790 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data handling procedures. CC ID 11756 [Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. § 5.10 Control] | Privacy protection for information and data | Preventive | |
| Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Preventive | |
| Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data transfer program. CC ID 00307 | Privacy protection for information and data | Preventive | |
| Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 | Privacy protection for information and data | Preventive | |
| Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 | Privacy protection for information and data | Preventive | |
| Document transfer disagreements by the data subject in writing. CC ID 00348 | Privacy protection for information and data | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 | Privacy protection for information and data | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy impact assessment. CC ID 13712 | Privacy protection for information and data | Preventive | |
| Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 | Privacy protection for information and data | Preventive | |
| Include how to grant consent in the privacy impact assessment. CC ID 15519 | Privacy protection for information and data | Preventive | |
| Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 | Privacy protection for information and data | Preventive | |
| Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 | Privacy protection for information and data | Preventive | |
| Include data handling procedures in the privacy impact assessment. CC ID 15516 | Privacy protection for information and data | Preventive | |
| Include the intended use of information in the privacy impact assessment. CC ID 15515 | Privacy protection for information and data | Preventive | |
| Include the reason information is being collected in the privacy impact assessment. CC ID 15514 | Privacy protection for information and data | Preventive | |
| File privacy rights violation complaints in writing. CC ID 00477 | Privacy protection for information and data | Corrective | |
| Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Privacy protection for information and data | Corrective | |
| Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 | Privacy protection for information and data | Preventive | |
| Include potential remedies in the privacy dispute resolution program. CC ID 12531 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 | Privacy protection for information and data | Preventive | |
| Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 | Privacy protection for information and data | Preventive | |
| Document unresolved challenges. CC ID 13568 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 | Privacy protection for information and data | Preventive | |
| Document disagreements as to whether personal data is complete and accurate. CC ID 06952 | Privacy protection for information and data | Preventive | |
| Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 | Privacy protection for information and data | Preventive | |
| Include the allegations against the organization in the notice of investigation. CC ID 13031 | Privacy protection for information and data | Preventive | |
| Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 | Privacy protection for information and data | Corrective | |
| Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 | Privacy protection for information and data | Detective | |
| Define the organization's liability based on the applicable law. CC ID 00504 | Privacy protection for information and data | Preventive | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Preventive | |
| Define the appeal process based on the applicable law. CC ID 00506 | Privacy protection for information and data | Preventive | |
| Provide notice of proposed penalties. CC ID 06216 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 [Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. § 5.14 Control] | Third Party and supply chain oversight | Preventive | |
| Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Preventive | |
| Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Preventive | |
| Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Preventive | |
| Include change control clauses in third party contracts, as necessary. CC ID 06523 [The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. § 5.22 Control] | Third Party and supply chain oversight | Preventive | |
| Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Preventive | |
| Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Preventive | |
| Include change control notification processes in third party contracts. CC ID 06524 | Third Party and supply chain oversight | Preventive | |
| Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Preventive | |
| Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 [The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. § 5.22 Control Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored. § 8.21 Control] | Third Party and supply chain oversight | Detective | |
| Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 [Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship. § 5.20 Control] | Third Party and supply chain oversight | Preventive | |
Human Resources Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 | Monitoring and measurement | Detective | |
| Define roles for information systems. CC ID 12454 | Technical security | Preventive | |
| Define access needs for each role assigned to an information system. CC ID 12455 | Technical security | Preventive | |
| Change authenticators after personnel status changes. CC ID 12284 | Technical security | Preventive | |
| Assign roles and responsibilities for administering user account management. CC ID 11900 | Technical security | Preventive | |
| Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 | Technical security | Preventive | |
| Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Preventive | |
| Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Preventive | |
| Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Preventive | |
| Identify alternate personnel for each person on the critical personnel list. CC ID 12771 | Operational and Systems Continuity | Preventive | |
| Perform a background check during personnel screening. CC ID 11758 [Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. § 6.1 Control] | Human Resources management | Detective | |
| Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Preventive | |
| Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Preventive | |
| Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Preventive | |
| Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Preventive | |
| Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Preventive | |
| Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties. § 6.5 Control] | Human Resources management | Preventive | |
| Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties. § 6.5 Control The employment contractual agreements should state the personnel's and the organization's responsibilities for information security. § 6.2 Control] | Human Resources management | Preventive | |
| Assign an information owner to organizational assets, as necessary. CC ID 12729 | Operational management | Preventive | |
| Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Operational management | Preventive | |
| Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Preventive | |
| Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 | Operational management | Preventive | |
| Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Operational management | Corrective | |
| Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 | Operational management | Preventive | |
| Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 | Privacy protection for information and data | Preventive | |
| Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 | Privacy protection for information and data | Preventive | |
| Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 | Privacy protection for information and data | Preventive | |
| Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 | Privacy protection for information and data | Preventive | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Privacy protection for information and data | Preventive | |
| Review compliance with the organization's privacy objectives. CC ID 13490 | Privacy protection for information and data | Detective | |
| Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Privacy protection for information and data | Preventive | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
| Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
| Records management CC ID 00902 | Records management | IT Impact Zone | |
| Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
| Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Investigate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Monitoring and measurement | Corrective | |
| Rank discovered vulnerabilities. CC ID 11940 | Monitoring and measurement | Detective | |
| Identify and document intelligence collection shortfalls. CC ID 14078 | Monitoring and measurement | Detective | |
| Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Preventive | |
| Verify proof of identity records. CC ID 13761 | Technical security | Detective | |
| Scan for malicious code, as necessary. CC ID 11941 | Technical security | Detective | |
| Detect anomalies in physical barriers. CC ID 13533 | Physical and environmental protection | Detective | |
| Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Physical and environmental protection | Detective | |
| Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 | Physical and environmental protection | Detective | |
| Identify root causes of incidents that force system changes. CC ID 13482 | Operational management | Detective | |
| Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Detective | |
| Analyze the incident response process following an incident response. CC ID 13179 | Operational management | Detective | |
| Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Operational management | Preventive | |
| Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Operational management | Detective | |
| Identify the affected parties during incident investigations. CC ID 16781 | Operational management | Detective | |
| Interview suspects during incident investigations, as necessary. CC ID 14041 | Operational management | Detective | |
| Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Operational management | Detective | |
| Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 | Operational management | Detective | |
| Identify potential sources of digital forensic evidence. CC ID 08651 [The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. § 5.28 Control] | Operational management | Preventive | |
| Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Detective | |
| Confirm the data quality of personal data collected from third parties. CC ID 13510 | Privacy protection for information and data | Detective | |
| Review the methods for collecting personal data, as necessary. CC ID 13511 | Privacy protection for information and data | Detective | |
| Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Detective | |
Log Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Detective | |
| Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain event logging procedures. CC ID 01335 [Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. § 8.15 Control] | Monitoring and measurement | Detective | |
| Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. § 8.15 Control] | Monitoring and measurement | Preventive | |
| Protect the event logs from failure. CC ID 06290 | Monitoring and measurement | Preventive | |
| Review and update event logs and audit logs, as necessary. CC ID 00596 | Monitoring and measurement | Detective | |
| Eliminate false positives in event logs and audit logs. CC ID 07047 | Monitoring and measurement | Corrective | |
| Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Detective | |
| Reproduce the event log if a log failure is captured. CC ID 01426 | Monitoring and measurement | Preventive | |
| Enable logging for all systems that meet a traceability criteria. CC ID 00640 | Monitoring and measurement | Detective | |
| Log account usage to determine dormant accounts. CC ID 12118 | Monitoring and measurement | Detective | |
| Log account usage times. CC ID 07099 | Monitoring and measurement | Detective | |
| Log Internet Protocol addresses used during logon. CC ID 07100 | Monitoring and measurement | Detective | |
| Protect logs from unauthorized activity. CC ID 01345 [Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. § 8.15 Control] | Monitoring and measurement | Preventive | |
| Archive the audit trail in accordance with compliance requirements. CC ID 00674 [Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. § 8.15 Control] | Monitoring and measurement | Preventive | |
| Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 | Technical security | Preventive | |
| Establish and maintain a visitor log. CC ID 00715 | Physical and environmental protection | Preventive | |
| Record the visitor's name in the visitor log. CC ID 00557 | Physical and environmental protection | Preventive | |
| Record the visitor's organization in the visitor log. CC ID 12121 | Physical and environmental protection | Preventive | |
| Record the visitor's acceptable access areas in the visitor log. CC ID 12237 | Physical and environmental protection | Preventive | |
| Retain all records in the visitor log as prescribed by law. CC ID 00572 | Physical and environmental protection | Preventive | |
| Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 | Physical and environmental protection | Preventive | |
| Log when the vault is accessed. CC ID 06725 | Physical and environmental protection | Detective | |
| Log when the cabinet is accessed. CC ID 11674 | Physical and environmental protection | Detective | |
| Store facility access logs in off-site storage. CC ID 06958 | Physical and environmental protection | Preventive | |
| Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Physical and environmental protection | Preventive | |
| Log the transfer of removable storage media. CC ID 12322 | Physical and environmental protection | Preventive | |
| Maintain records of all system components entering and exiting the facility. CC ID 14304 | Physical and environmental protection | Preventive | |
| Log important conversations conducted during emergencies with third parties. CC ID 12763 | Operational and Systems Continuity | Preventive | |
| Log the performance of all remote maintenance. CC ID 13202 | Operational management | Preventive | |
| Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Corrective | |
| Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Detective | |
| Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Preventive | |
| Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Operational management | Corrective | |
| Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Operational management | Preventive | |
| Establish, implement, and maintain a removable storage media log. CC ID 12317 | Records management | Preventive | |
| Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Preventive | |
| Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Preventive | |
| Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Detective | |
| Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Detective | |
Maintenance | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Use system components only when third party support is available. CC ID 10644 | Operational management | Preventive | |
| Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 | Operational management | Preventive | |
| Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Preventive | |
| Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Preventive | |
| Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Preventive | |
| Restart systems on a periodic basis. CC ID 16498 | Operational management | Preventive | |
| Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Preventive | |
Monitor and Evaluate Occurrences | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Preventive | |
| Monitor systems for inappropriate usage and other security violations. CC ID 00585 [Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. § 8.16 Control] | Monitoring and measurement | Detective | |
| Monitor systems for blended attacks and multiple component incidents. CC ID 01225 | Monitoring and measurement | Detective | |
| Monitor systems for Denial of Service attacks. CC ID 01222 | Monitoring and measurement | Detective | |
| Monitor systems for unauthorized data transfers. CC ID 12971 | Monitoring and measurement | Preventive | |
| Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitoring and measurement | Detective | |
| Detect unauthorized access to systems. CC ID 06798 | Monitoring and measurement | Detective | |
| Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitoring and measurement | Detective | |
| Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 | Monitoring and measurement | Detective | |
| Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitoring and measurement | Detective | |
| Monitor systems for unauthorized mobile code. CC ID 10034 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 | Monitoring and measurement | Detective | |
| Monitor for and report when a software configuration is updated. CC ID 06746 | Monitoring and measurement | Detective | |
| Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 | Monitoring and measurement | Detective | |
| Monitor for firmware updates absent authorization. CC ID 10675 | Monitoring and measurement | Detective | |
| Implement file integrity monitoring. CC ID 01205 | Monitoring and measurement | Detective | |
| Monitor for software configurations updates absent authorization. CC ID 10676 | Monitoring and measurement | Preventive | |
| Monitor for when documents are being updated absent authorization. CC ID 10677 | Monitoring and measurement | Preventive | |
| Monitor and evaluate user account activity. CC ID 07066 | Monitoring and measurement | Detective | |
| Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 | Monitoring and measurement | Detective | |
| Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 | Monitoring and measurement | Detective | |
| Log account usage durations. CC ID 12117 | Monitoring and measurement | Detective | |
| Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 | Monitoring and measurement | Detective | |
| Enforce information flow control. CC ID 11781 | Technical security | Preventive | |
| Monitor and evaluate all remote access usage. CC ID 00563 | Technical security | Detective | |
| Log and react to all malicious code activity. CC ID 07072 | Technical security | Detective | |
| Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Physical and environmental protection | Preventive | |
| Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 [Premises should be continuously monitored for unauthorized physical access. § 7.4 Control] | Physical and environmental protection | Detective | |
| Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Physical and environmental protection | Preventive | |
| Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 | Physical and environmental protection | Detective | |
| Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 | Physical and environmental protection | Detective | |
| Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 | Physical and environmental protection | Detective | |
| Monitor for alarmed security doors being propped open. CC ID 06684 | Physical and environmental protection | Detective | |
| Monitor the location of distributed assets. CC ID 11684 | Physical and environmental protection | Detective | |
| Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 | Physical and environmental protection | Corrective | |
| Monitor and review environmental protections. CC ID 12571 | Physical and environmental protection | Detective | |
| Install and maintain an environment control monitoring system. CC ID 06370 | Physical and environmental protection | Detective | |
| Monitor managing cloud services. CC ID 13150 | Operational management | Detective | |
| Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Operational management | Corrective | |
| Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Operational management | Corrective | |
| Automate software license monitoring, as necessary. CC ID 07057 | Operational management | Preventive | |
| Determine the incident severity level when assessing the security incidents. CC ID 01650 | Operational management | Corrective | |
| Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Detective | |
| Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Detective | |
| Respond to and triage when an incident is detected. CC ID 06942 | Operational management | Detective | |
| Escalate incidents, as necessary. CC ID 14861 | Operational management | Corrective | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Corrective | |
| Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Operational management | Detective | |
| Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 [Knowledge gained from information security incidents should be used to strengthen and improve the information security controls. § 5.27 Control] | Operational management | Preventive | |
| Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Records management | Detective | |
| Supervise and monitor outsourced development projects. CC ID 01096 [The organization should direct, monitor and review the activities related to outsourced system development. § 8.30 Control] | Systems design, build, and implementation | Detective | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Detective | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Corrective | |
| Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Detective | |
| Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Detective | |
| Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Preventive | |
| Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Preventive | |
| Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Preventive | |
| Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 | Third Party and supply chain oversight | Detective | |
Physical and Environmental Protection | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Protect the facility from crime. CC ID 06347 | Physical and environmental protection | Preventive | |
| Protect facilities from eavesdropping. CC ID 02222 | Physical and environmental protection | Preventive | |
| Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and environmental protection | Detective | |
| Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and environmental protection | Preventive | |
| Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and environmental protection | Preventive | |
| Create security zones in facilities, as necessary. CC ID 16295 | Physical and environmental protection | Preventive | |
| Establish clear zones around any sensitive facilities. CC ID 02214 | Physical and environmental protection | Preventive | |
| Inspect items brought into the facility. CC ID 06341 | Physical and environmental protection | Preventive | |
| Maintain all physical security systems. CC ID 02206 | Physical and environmental protection | Preventive | |
| Maintain all security alarm systems. CC ID 11669 | Physical and environmental protection | Preventive | |
| Control physical access to (and within) the facility. CC ID 01329 | Physical and environmental protection | Preventive | |
| Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and environmental protection | Preventive | |
| Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and environmental protection | Detective | |
| Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Preventive | |
| Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and environmental protection | Preventive | |
| Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 | Physical and environmental protection | Corrective | |
| Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Preventive | |
| Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Preventive | |
| Manage visitor identification inside the facility. CC ID 11670 | Physical and environmental protection | Preventive | |
| Secure unissued visitor identification badges. CC ID 06712 | Physical and environmental protection | Preventive | |
| Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Preventive | |
| Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and environmental protection | Preventive | |
| Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Preventive | |
| Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Preventive | |
| Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Preventive | |
| Prevent tailgating through physical entry points. CC ID 06685 | Physical and environmental protection | Preventive | |
| Use locks to protect against unauthorized physical access. CC ID 06342 | Physical and environmental protection | Preventive | |
| Install and maintain security lighting at all physical entry points. CC ID 02205 | Physical and environmental protection | Preventive | |
| Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and environmental protection | Preventive | |
| Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 | Physical and environmental protection | Preventive | |
| Secure the loading dock with physical access controls or security guards. CC ID 06703 | Physical and environmental protection | Preventive | |
| Isolate loading areas from information processing facilities, if possible. CC ID 12028 | Physical and environmental protection | Preventive | |
| Screen incoming mail and deliveries. CC ID 06719 | Physical and environmental protection | Preventive | |
| Protect access to the facility's mechanical systems area. CC ID 02212 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain elevator security guidelines. CC ID 02232 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain stairwell security guidelines. CC ID 02233 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain glass opening security guidelines. CC ID 02234 | Physical and environmental protection | Preventive | |
| Establish a security room, if necessary. CC ID 00738 | Physical and environmental protection | Preventive | |
| Implement physical security standards for mainframe rooms or data centers. CC ID 00749 | Physical and environmental protection | Preventive | |
| Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and environmental protection | Preventive | |
| Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and environmental protection | Preventive | |
| Lock all lockable equipment cabinets. CC ID 11673 | Physical and environmental protection | Detective | |
| Establish, implement, and maintain vault physical security standards. CC ID 02203 | Physical and environmental protection | Preventive | |
| Monitor physical entry point alarms. CC ID 01639 | Physical and environmental protection | Detective | |
| Build and maintain fencing, as necessary. CC ID 02235 | Physical and environmental protection | Preventive | |
| Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 | Physical and environmental protection | Preventive | |
| Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and environmental protection | Preventive | |
| Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 [{be secure} Equipment should be sited securely and protected. § 7.8 Control] | Physical and environmental protection | Preventive | |
| Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and environmental protection | Preventive | |
| Restrict physical access to distributed assets. CC ID 11865 [{physical access} Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. § 5.15 Control] | Physical and environmental protection | Preventive | |
| House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 | Physical and environmental protection | Preventive | |
| Protect electronic storage media with physical access controls. CC ID 00720 [{physical access} Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. § 5.15 Control] | Physical and environmental protection | Preventive | |
| Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 | Physical and environmental protection | Preventive | |
| Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 | Physical and environmental protection | Preventive | |
| Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 | Physical and environmental protection | Preventive | |
| Protect the combinations for all combination locks. CC ID 02199 | Physical and environmental protection | Preventive | |
| Establish and maintain eavesdropping protection for vaults. CC ID 02231 | Physical and environmental protection | Preventive | |
| Protect distributed assets against theft. CC ID 06799 | Physical and environmental protection | Preventive | |
| Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 | Physical and environmental protection | Preventive | |
| Control the removal of assets through physical entry points and physical exit points. CC ID 11681 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 [Off-site assets should be protected. § 7.9 Control] | Physical and environmental protection | Preventive | |
| Attach asset location technologies to distributed assets. CC ID 10626 | Physical and environmental protection | Detective | |
| Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 | Physical and environmental protection | Preventive | |
| Unpair missing Bluetooth devices. CC ID 12428 | Physical and environmental protection | Corrective | |
| Secure workstations to desks with security cables. CC ID 04724 | Physical and environmental protection | Preventive | |
| Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and environmental protection | Preventive | |
| Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 | Physical and environmental protection | Preventive | |
| Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 | Physical and environmental protection | Preventive | |
| Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 | Physical and environmental protection | Preventive | |
| Secure system components from unauthorized viewing. CC ID 01437 | Physical and environmental protection | Preventive | |
| Identify customer property within the organizational facility. CC ID 06612 | Physical and environmental protection | Preventive | |
| Protect customer property under the care of the organization. CC ID 11685 | Physical and environmental protection | Preventive | |
| Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain an environmental control program. CC ID 00724 [Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure should be designed and implemented. § 7.5 Control] | Physical and environmental protection | Preventive | |
| Protect power equipment and power cabling from damage or destruction. CC ID 01438 [{power cabling} Cables carrying power, data or supporting information services should be protected from interception, interference or damage. § 7.12 Control] | Physical and environmental protection | Preventive | |
| Place the Uninterruptible Power Supply in the generator room, as necessary. CC ID 11676 | Physical and environmental protection | Preventive | |
| Design the Information Technology facility with consideration given to natural disasters and man-made disasters. CC ID 00712 | Physical and environmental protection | Preventive | |
| Design the Information Technology facility with a low profile. CC ID 16140 | Physical and environmental protection | Preventive | |
| Prohibit signage indicating computer room location and uses. CC ID 06343 | Physical and environmental protection | Preventive | |
| Require critical facilities to have adequate room for facility maintenance. CC ID 06361 | Physical and environmental protection | Preventive | |
| Require critical facilities to have adequate room for evacuation. CC ID 11686 | Physical and environmental protection | Preventive | |
| Build critical facilities according to applicable building codes. CC ID 06366 | Physical and environmental protection | Preventive | |
| Build critical facilities with fire resistant materials. CC ID 06365 | Physical and environmental protection | Preventive | |
| Build critical facilities with materials that limit electromagnetic interference. CC ID 16131 | Physical and environmental protection | Preventive | |
| Build critical facilities with water-resistant materials. CC ID 11679 | Physical and environmental protection | Preventive | |
| Monitor operational conditions at unmanned facilities. CC ID 06327 | Physical and environmental protection | Preventive | |
| Inspect and maintain the facility and supporting assets. CC ID 06345 | Physical and environmental protection | Preventive | |
| Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141 | Physical and environmental protection | Preventive | |
| House system components in areas where the physical damage potential is minimized. CC ID 01623 [{be secure} Equipment should be sited securely and protected. § 7.8 Control] | Physical and environmental protection | Preventive | |
| Install and maintain smoke detectors. CC ID 15264 | Physical and environmental protection | Preventive | |
| Conduct periodic fire marshal inspections for all organizational facilities. CC ID 04888 | Physical and environmental protection | Preventive | |
| Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes. CC ID 06362 | Physical and environmental protection | Preventive | |
| Install and maintain seismic detectors in critical facilities. CC ID 06364 | Physical and environmental protection | Detective | |
| Protect physical assets against static electricity, as necessary. CC ID 06363 | Physical and environmental protection | Preventive | |
| Install and maintain emergency lighting for use in a power failure. CC ID 01440 | Physical and environmental protection | Preventive | |
| Install and maintain lightning protection mechanisms in critical facilities. CC ID 06367 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain pest control systems in organizational facilities. CC ID 16139 | Physical and environmental protection | Preventive | |
| Protect air intakes into the organizational facility. CC ID 02211 | Physical and environmental protection | Preventive | |
| Install and maintain water detection devices. CC ID 11678 | Physical and environmental protection | Preventive | |
| Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439 | Operational and Systems Continuity | Preventive | |
| Install and maintain dedicated power lines to critical facilities. CC ID 06357 | Operational and Systems Continuity | Preventive | |
| Install electro-magnetic shielding around all electrical cabling. CC ID 06358 [{power cabling} Cables carrying power, data or supporting information services should be protected from interception, interference or damage. § 7.12 Control] | Operational and Systems Continuity | Preventive | |
| Install electrical grounding equipment. CC ID 06359 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 | Operational and Systems Continuity | Corrective | |
| Separate the alternate facility from the primary facility through geographic separation. CC ID 01394 | Operational and Systems Continuity | Preventive | |
| Establish and maintain off-site electronic media storage facilities. CC ID 00957 | Operational and Systems Continuity | Preventive | |
| Protect clients' hosted environments. CC ID 11862 | Operational management | Preventive | |
| Conduct environmental surveys. CC ID 00690 | Operational management | Preventive | |
| Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Operational management | Preventive | |
| Control and monitor all maintenance tools. CC ID 01432 | Operational management | Detective | |
| Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Operational management | Preventive | |
| Refrain from protecting physical assets when no longer required. CC ID 13484 | Operational management | Corrective | |
| Place printed records awaiting destruction into secure containers. CC ID 12464 | Records management | Preventive | |
| Destroy printed records so they cannot be reconstructed. CC ID 11779 | Records management | Preventive | |
Process or Activity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Monitoring and measurement | Detective | |
| Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 | Monitoring and measurement | Preventive | |
| Collect threat intelligence, as necessary. CC ID 14064 [Information relating to information security threats should be collected and analysed to produce threat intelligence. § 5.7 Control] | Monitoring and measurement | Detective | |
| Evaluate cyber threat intelligence. CC ID 12747 [Information relating to information security threats should be collected and analysed to produce threat intelligence. § 5.7 Control] | Monitoring and measurement | Detective | |
| Implement digital identification processes. CC ID 13731 | Technical security | Preventive | |
| Implement identity proofing processes. CC ID 13719 | Technical security | Preventive | |
| Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 | Technical security | Preventive | |
| Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 | Technical security | Preventive | |
| Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 | Technical security | Detective | |
| Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 | Technical security | Preventive | |
| Interact with the data subject when performing remote proofing. CC ID 13777 | Technical security | Detective | |
| Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 | Technical security | Preventive | |
| View all applicant actions when performing remote proofing. CC ID 13804 | Technical security | Detective | |
| Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 | Technical security | Preventive | |
| Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 | Technical security | Detective | |
| Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 | Technical security | Detective | |
| Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 | Technical security | Preventive | |
| Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 | Technical security | Preventive | |
| Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 | Technical security | Detective | |
| Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 | Technical security | Preventive | |
| Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 | Technical security | Preventive | |
| Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 | Technical security | Detective | |
| Validate proof of identity during the identity proofing process. CC ID 13756 | Technical security | Detective | |
| Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 | Technical security | Detective | |
| Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Technical security | Detective | |
| Allow records that relate to the data subject as proof of identity. CC ID 13772 | Technical security | Preventive | |
| Conduct in-person proofing with physical interactions. CC ID 13775 | Technical security | Detective | |
| Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 | Technical security | Preventive | |
| Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 | Technical security | Preventive | |
| Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 | Technical security | Preventive | |
| Refrain from approving attributes in the identity proofing process. CC ID 13716 | Technical security | Preventive | |
| Reperform the identity proofing process for each individual, as necessary. CC ID 13762 | Technical security | Detective | |
| Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Technical security | Preventive | |
| Enforce the network segmentation requirements. CC ID 16381 | Technical security | Preventive | |
| Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 | Technical security | Detective | |
| Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 | Technical security | Detective | |
| Assign virtual escorting to authorized personnel. CC ID 16440 | Technical security | Preventive | |
| Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Technical security | Preventive | |
| Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Technical security | Preventive | |
| Define the format of the biometric data on identification cards or badges. CC ID 06586 | Technical security | Preventive | |
| Remove malware when malicious code is discovered. CC ID 13691 | Technical security | Corrective | |
| Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Preventive | |
| Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Preventive | |
| Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Physical and environmental protection | Preventive | |
| Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Physical and environmental protection | Preventive | |
| Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 | Physical and environmental protection | Preventive | |
| Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Physical and environmental protection | Corrective | |
| Remove dormant systems from the network, as necessary. CC ID 13727 | Physical and environmental protection | Corrective | |
| Conduct fire drills, as necessary. CC ID 13985 | Physical and environmental protection | Preventive | |
| Employ environmental protections. CC ID 12570 | Physical and environmental protection | Preventive | |
| Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693 | Operational and Systems Continuity | Corrective | |
| Perform backup procedures for in scope systems. CC ID 11692 | Operational and Systems Continuity | Preventive | |
| Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Preventive | |
| Establish, implement, and maintain a migration process and/or strategy to transfer systems from one asset to another. CC ID 16384 | Operational management | Preventive | |
| Define and enforce the deployment requirements for applications and virtual network devices in a public cloud. CC ID 16383 | Operational management | Preventive | |
| Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Preventive | |
| Approve the information security policy at the organization's management level or higher. CC ID 11737 [Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. § 5.1 Control] | Operational management | Preventive | |
| Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Preventive | |
| Provide support for information sharing activities. CC ID 15644 | Operational management | Preventive | |
| Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Operational management | Preventive | |
| Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Operational management | Preventive | |
| Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Preventive | |
| Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Corrective | |
| Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Corrective | |
| Contain the incident to prevent further loss. CC ID 01751 | Operational management | Corrective | |
| Revoke the written request to delay the notification. CC ID 16843 | Operational management | Preventive | |
| Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Preventive | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Preventive | |
| Conduct incident investigations, as necessary. CC ID 13826 | Operational management | Detective | |
| Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 | Records management | Preventive | |
| Define each system's disposition requirements for records and logs. CC ID 11651 | Records management | Preventive | |
| Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Records management | Preventive | |
| Identify electronic storage media that require downgrading. CC ID 10620 | Records management | Detective | |
| Downgrade electronic storage media, as necessary. CC ID 10621 | Records management | Corrective | |
| Protect applications from cross-site scripting through secure coding techniques in source code. CC ID 11899 | Systems design, build, and implementation | Preventive | |
| Protect against coding vulnerabilities through secure coding techniques in source code. CC ID 11897 | Systems design, build, and implementation | Preventive | |
| Protect applications from broken authentication and session management through secure coding techniques in source code. CC ID 11896 | Systems design, build, and implementation | Preventive | |
| Protect applications from cross-site request forgery through secure coding techniques in source code. CC ID 11895 | Systems design, build, and implementation | Preventive | |
| Include system performance in the scope of system testing. CC ID 12624 | Systems design, build, and implementation | Preventive | |
| Include security controls in the scope of system testing. CC ID 12623 | Systems design, build, and implementation | Preventive | |
| Include business logic in the scope of system testing. CC ID 12622 | Systems design, build, and implementation | Preventive | |
| Document attempts to obtain system documentation. CC ID 14284 | Acquisition or sale of facilities, technology, and services | Corrective | |
| Require a data protection impact assessment when profiling the data subject. CC ID 12680 | Privacy protection for information and data | Detective | |
| Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 | Privacy protection for information and data | Preventive | |
| Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the data retention period for personal data. CC ID 12587 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the adequacy decision. CC ID 12586 | Privacy protection for information and data | Preventive | |
| Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 | Privacy protection for information and data | Preventive | |
| Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Preventive | |
| Provide shareholders access to electronic messages via electronic means. CC ID 11855 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 | Privacy protection for information and data | Preventive | |
| Align the enterprise architecture with the privacy plan. CC ID 14705 | Privacy protection for information and data | Preventive | |
| Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Privacy protection for information and data | Preventive | |
| Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Preventive | |
| Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Privacy protection for information and data | Preventive | |
| Allow data subjects to submit data requests. CC ID 16545 | Privacy protection for information and data | Preventive | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Preventive | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Preventive | |
| Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Privacy protection for information and data | Detective | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Preventive | |
| Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Preventive | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Preventive | |
| Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Detective | |
| Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Preventive | |
| Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Corrective | |
| Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 | Privacy protection for information and data | Preventive | |
| Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 | Privacy protection for information and data | Preventive | |
| Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 | Privacy protection for information and data | Preventive | |
| Define the fee structure for the appeal process. CC ID 16532 | Privacy protection for information and data | Preventive | |
| Define the time requirements for the appeal process. CC ID 16531 | Privacy protection for information and data | Preventive | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Detective | |
| Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 | Third Party and supply chain oversight | Preventive | |
Records Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Technical security | Preventive | |
| Retain video events according to Records Management procedures. CC ID 06304 | Physical and environmental protection | Preventive | |
| Control the transiting and internal distribution or external distribution of assets. CC ID 00963 [Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements. § 7.10 Control] | Physical and environmental protection | Preventive | |
| Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 | Physical and environmental protection | Preventive | |
| Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 | Physical and environmental protection | Preventive | |
| Treat archive media as evidence. CC ID 00960 | Physical and environmental protection | Preventive | |
| Control the storage of restricted storage media. CC ID 00965 | Physical and environmental protection | Preventive | |
| Identify all critical business records. CC ID 00737 | Operational and Systems Continuity | Detective | |
| Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Preventive | |
| Include source code in the asset inventory. CC ID 14858 | Operational management | Preventive | |
| Establish, implement, and maintain incident management audit logs. CC ID 13514 | Operational management | Preventive | |
| Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 [The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. § 5.28 Control] | Operational management | Preventive | |
| Degauss as a method of sanitizing electronic storage media. CC ID 00973 | Records management | Preventive | |
| Manage the disposition status for all records. CC ID 00972 | Records management | Preventive | |
| Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 [Information stored in information systems, devices or in any other storage media should be deleted when no longer required. § 8.10 Control] | Records management | Preventive | |
| Protect records from loss in accordance with applicable requirements. CC ID 12007 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. § 5.33 Control] | Records management | Preventive | |
| Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records management | Detective | |
| Establish and maintain access controls for all records. CC ID 00371 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. § 5.33 Control] | Records management | Preventive | |
| Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 | Records management | Preventive | |
| Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records management | Preventive | |
| Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records management | Preventive | |
| Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records management | Preventive | |
| Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 | Privacy protection for information and data | Preventive | |
| Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 | Privacy protection for information and data | Preventive | |
| Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 | Privacy protection for information and data | Corrective | |
| Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 | Privacy protection for information and data | Corrective | |
| Grant access to education records in support of educational program audits. CC ID 13032 | Privacy protection for information and data | Preventive | |
| Grant access to education records in support of external requirements. CC ID 13033 | Privacy protection for information and data | Preventive | |
| Collect and retain disclosure authorizations for each data subject. CC ID 13434 | Privacy protection for information and data | Preventive | |
| Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Preventive | |
| Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Preventive | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Corrective | |
| Refrain from processing restricted data, as necessary. CC ID 12551 | Privacy protection for information and data | Preventive | |
| Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Privacy protection for information and data | Preventive | |
| Include the data processor's contact information in the record of processing activities. CC ID 12657 | Privacy protection for information and data | Preventive | |
| Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Privacy protection for information and data | Preventive | |
| Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Privacy protection for information and data | Preventive | |
| Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Privacy protection for information and data | Preventive | |
| Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 | Privacy protection for information and data | Preventive | |
| Include the personal data processing categories in the record of processing activities. CC ID 12661 | Privacy protection for information and data | Preventive | |
| Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Privacy protection for information and data | Preventive | |
| Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Privacy protection for information and data | Preventive | |
| Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Privacy protection for information and data | Preventive | |
| Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Privacy protection for information and data | Preventive | |
| Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Privacy protection for information and data | Preventive | |
| Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Privacy protection for information and data | Preventive | |
| Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Privacy protection for information and data | Preventive | |
| Include the data controller's contact information in the record of processing activities. CC ID 12637 | Privacy protection for information and data | Preventive | |
| Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Preventive | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Privacy protection for information and data | Preventive | |
| Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 | Privacy protection for information and data | Preventive | |
| Remove personal data from records after receiving a personal data removal request. CC ID 11972 | Privacy protection for information and data | Preventive | |
| Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 | Privacy protection for information and data | Preventive | |
Systems Continuity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Review and prioritize the importance of each business unit. CC ID 01165 | Operational and Systems Continuity | Preventive | |
| Document the mean time to failure for system components. CC ID 10684 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 | Operational and Systems Continuity | Preventive | |
| Include evacuation procedures in the continuity plan. CC ID 12773 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. § 8.13 Control] | Operational and Systems Continuity | Preventive | |
| Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 | Operational and Systems Continuity | Preventive | |
| Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 | Operational and Systems Continuity | Detective | |
| Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Operational and Systems Continuity | Preventive | |
| Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 | Operational and Systems Continuity | Preventive | |
| Back up all records. CC ID 11974 | Operational and Systems Continuity | Preventive | |
| Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 | Operational and Systems Continuity | Preventive | |
| Validate information security continuity controls regularly. CC ID 12008 | Operational and Systems Continuity | Preventive | |
| Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Preventive | |
Systems Design, Build, and Implementation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Install and maintain power distribution boards. CC ID 16486 | Physical and environmental protection | Preventive | |
| Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Preventive | |
| Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Operational management | Preventive | |
| Review each system's operational readiness. CC ID 06275 | Operational management | Preventive | |
| Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 | Systems design, build, and implementation | Preventive | |
| Include information security throughout the system development life cycle. CC ID 12042 [Information security requirements should be identified, specified and approved when developing or acquiring applications. § 8.26 Control] | Systems design, build, and implementation | Preventive | |
| Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain security design principles. CC ID 14718 [Principles for engineering secure systems should be established, documented, maintained and applied to any information system development activities. § 8.27 Control Rules for the secure development of software and systems should be established and applied. § 8.25 Control] | Systems design, build, and implementation | Preventive | |
| Include reduced complexity of systems or system components in the security design principles. CC ID 14753 | Systems design, build, and implementation | Preventive | |
| Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752 | Systems design, build, and implementation | Preventive | |
| Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751 | Systems design, build, and implementation | Preventive | |
| Include modularity and layering of systems or system components in the security design principles. CC ID 14750 | Systems design, build, and implementation | Preventive | |
| Include secure evolvability of systems or system components in the security design principles. CC ID 14749 | Systems design, build, and implementation | Preventive | |
| Include least common mechanisms between systems or system components in the security design principles. CC ID 14747 | Systems design, build, and implementation | Preventive | |
| Include secure system modification of systems or system components in the security design principles. CC ID 14746 | Systems design, build, and implementation | Preventive | |
| Include clear abstractions of systems or system components in the security design principles. CC ID 14745 | Systems design, build, and implementation | Preventive | |
| Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744 | Systems design, build, and implementation | Preventive | |
| Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743 | Systems design, build, and implementation | Preventive | |
| Include least privilege of systems or system components in the security design principles. CC ID 14742 | Systems design, build, and implementation | Preventive | |
| Include minimized sharing of systems or system components in the security design principles. CC ID 14741 | Systems design, build, and implementation | Preventive | |
| Include acceptable security of systems or system components in the security design principles. CC ID 14740 | Systems design, build, and implementation | Preventive | |
| Include minimized security elements in systems or system components in the security design principles. CC ID 14739 | Systems design, build, and implementation | Preventive | |
| Include hierarchical protection in systems or system components in the security design principles. CC ID 14738 | Systems design, build, and implementation | Preventive | |
| Include self-analysis of systems or system components in the security design principles. CC ID 14737 | Systems design, build, and implementation | Preventive | |
| Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736 | Systems design, build, and implementation | Preventive | |
| Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735 | Systems design, build, and implementation | Preventive | |
| Include secure distributed composition of systems or system components in the security design principles. CC ID 14734 | Systems design, build, and implementation | Preventive | |
| Include minimization of systems or system components in the security design principles. CC ID 14733 | Systems design, build, and implementation | Preventive | |
| Include secure defaults in systems or system components in the security design principles. CC ID 14732 | Systems design, build, and implementation | Preventive | |
| Include trusted communications channels for systems or system components in the security design principles. CC ID 14731 | Systems design, build, and implementation | Preventive | |
| Include economic security in systems or system components in the security design principles. CC ID 14730 | Systems design, build, and implementation | Preventive | |
| Include trusted components of systems or system components in the security design principles. CC ID 14729 | Systems design, build, and implementation | Preventive | |
| Include procedural rigor in systems or system components in the security design principles. CC ID 14728 | Systems design, build, and implementation | Preventive | |
| Include accountability and traceability of systems or system components in the security design principles. CC ID 14727 | Systems design, build, and implementation | Preventive | |
| Include hierarchical trust in systems or system components in the security design principles. CC ID 14726 | Systems design, build, and implementation | Preventive | |
| Include sufficient documentation for systems or system components in the security design principles. CC ID 14725 | Systems design, build, and implementation | Preventive | |
| Include performance security of systems or system components in the security design principles. CC ID 14724 | Systems design, build, and implementation | Preventive | |
| Include human factored security in systems or system components in the security design principles. CC ID 14723 | Systems design, build, and implementation | Preventive | |
| Include secure metadata management of systems or system components in the security design principles. CC ID 14722 | Systems design, build, and implementation | Preventive | |
| Include predicate permission of systems or system components in the security design principles. CC ID 14721 | Systems design, build, and implementation | Preventive | |
| Include participation by each affected user department in the implementation phase of the project plan. CC ID 00993 | Systems design, build, and implementation | Preventive | |
| Formally approve the initiation of each project phase. CC ID 00997 | Systems design, build, and implementation | Detective | |
| Identify accreditation tasks. CC ID 00999 | Systems design, build, and implementation | Detective | |
| Separate the design and development environment from the production environment. CC ID 06088 [{development environment}{test environment} Development, testing and production environments should be separated and secured. § 8.31 Control] | Systems design, build, and implementation | Preventive | |
| Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Preventive | |
| Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems design, build, and implementation | Preventive | |
| Develop new products based on best practices. CC ID 01095 | Systems design, build, and implementation | Preventive | |
| Develop new products based on secure coding techniques. CC ID 11733 [Secure coding principles should be applied to software development. § 8.28 Control] | Systems design, build, and implementation | Preventive | |
| Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems design, build, and implementation | Preventive | |
| Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems design, build, and implementation | Preventive | |
| Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems design, build, and implementation | Preventive | |
| Refrain from displaying error messages to end users through secure coding techniques in source code. CC ID 12166 | Systems design, build, and implementation | Preventive | |
| Address known coding vulnerabilities as a part of secure coding techniques. CC ID 12493 | Systems design, build, and implementation | Corrective | |
| Control the test data used in the development environment. CC ID 12013 [Test information should be appropriately selected, protected and managed. § 8.33 Control] | Systems design, build, and implementation | Preventive | |
| Select the test data carefully. CC ID 12011 [Test information should be appropriately selected, protected and managed. § 8.33 Control] | Systems design, build, and implementation | Preventive | |
Technical Security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Monitoring and measurement | Detective | |
| Identify unauthorized modifications during file integrity monitoring. CC ID 12096 | Monitoring and measurement | Detective | |
| Allow expected changes during file integrity monitoring. CC ID 12090 | Monitoring and measurement | Preventive | |
| Develop and maintain a usage profile for each user account. CC ID 07067 | Monitoring and measurement | Preventive | |
| Perform vulnerability scans, as necessary. CC ID 11637 | Monitoring and measurement | Detective | |
| Identify and document security vulnerabilities. CC ID 11857 [Information about technical vulnerabilities of information systems in use should be obtained, the organization's exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. § 8.8 Control] | Monitoring and measurement | Detective | |
| Perform vulnerability assessments, as necessary. CC ID 11828 [Information about technical vulnerabilities of information systems in use should be obtained, the organization's exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. § 8.8 Control] | Monitoring and measurement | Corrective | |
| Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Monitoring and measurement | Detective | |
| Correct or mitigate vulnerabilities. CC ID 12497 [Information about technical vulnerabilities of information systems in use should be obtained, the organization's exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. § 8.8 Control] | Monitoring and measurement | Corrective | |
| Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Monitoring and measurement | Corrective | |
| Establish, implement, and maintain a Technical Surveillance Countermeasures program. CC ID 11401 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain cyber threat intelligence tools. CC ID 12696 | Monitoring and measurement | Preventive | |
| Establish the requirements for Identity Assurance Levels. CC ID 13857 | Technical security | Preventive | |
| Establish, implement, and maintain federated identity systems. CC ID 13837 | Technical security | Preventive | |
| Authenticate all systems in a federated identity system. CC ID 13835 | Technical security | Preventive | |
| Send and receive authentication assertions, as necessary. CC ID 13839 | Technical security | Preventive | |
| Make the assertion reference for authentication assertions single-use. CC ID 13843 | Technical security | Preventive | |
| Validate the issuer in the authentication assertion. CC ID 13878 | Technical security | Detective | |
| Limit the lifetime of the assertion reference. CC ID 13874 | Technical security | Preventive | |
| Refrain from using authentication assertions that have expired. CC ID 13872 | Technical security | Preventive | |
| Protect the authentication assertion from unauthorized access or unauthorized disclosure. CC ID 16836 | Technical security | Preventive | |
| Include the issuer identifier in the authentication assertion. CC ID 13865 | Technical security | Preventive | |
| Include attribute metadata in the authentication assertion. CC ID 13856 | Technical security | Preventive | |
| Include the authentication time in the authentication assertion. CC ID 13855 | Technical security | Preventive | |
| Validate each element within the authentication assertion. CC ID 13853 | Technical security | Preventive | |
| Validate the timestamp in the authentication assertion. CC ID 13875 | Technical security | Detective | |
| Validate the digital signature in the authentication assertion. CC ID 13869 | Technical security | Detective | |
| Validate the signature validation element in the authentication assertion. CC ID 13867 | Technical security | Detective | |
| Validate the audience restriction element in the authentication assertion. CC ID 13866 | Technical security | Detective | |
| Include the subject in the authentication assertion. CC ID 13852 | Technical security | Preventive | |
| Include the target audience in the authentication assertion. CC ID 13851 | Technical security | Preventive | |
| Include audience restrictions in the authentication assertion. CC ID 13870 | Technical security | Preventive | |
| Include the issue date in the authentication assertion. CC ID 13850 | Technical security | Preventive | |
| Revoke authentication assertions, as necessary. CC ID 16534 | Technical security | Preventive | |
| Include the expiration date in the authentication assertion. CC ID 13849 | Technical security | Preventive | |
| Include identifiers in the authentication assertion. CC ID 13848 | Technical security | Preventive | |
| Include digital signatures in the authentication assertion. CC ID 13847 | Technical security | Preventive | |
| Include key binding in the authentication assertion. CC ID 13846 | Technical security | Preventive | |
| Include attribute references in the authentication assertion. CC ID 13845 | Technical security | Preventive | |
| Include attribute values in the authentication assertion. CC ID 13844 | Technical security | Preventive | |
| Limit the use of the assertion reference to a single organization. CC ID 13841 | Technical security | Preventive | |
| Request attribute references instead of attribute values during the presentation of an authentication assertion. CC ID 13840 | Technical security | Preventive | |
| Define the assertion level for authentication assertions. CC ID 13873 | Technical security | Preventive | |
| Refrain from assigning assertion levels for authentication assertions when not defined. CC ID 13879 | Technical security | Preventive | |
| Authenticate systems referenced in the whitelist. CC ID 13838 | Technical security | Preventive | |
| Place nonmembers of whitelists and blacklists into a gray area until a runtime decision is made during the authentication assertion. CC ID 13854 | Technical security | Preventive | |
| Require runtime decisions regarding authentication for organizations that are excluded from the whitelist. CC ID 13842 | Technical security | Preventive | |
| Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical security | Preventive | |
| Identify information system users. CC ID 12081 | Technical security | Detective | |
| Review user accounts. CC ID 00525 | Technical security | Detective | |
| Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082 | Technical security | Detective | |
| Review shared accounts. CC ID 11840 | Technical security | Detective | |
| Control access rights to organizational assets. CC ID 00004 [{physical access} Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. § 5.15 Control Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control. § 5.18 Control The allocation and use of privileged access rights should be restricted and managed. § 8.2 Control Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. § 8.3 Control] | Technical security | Preventive | |
| Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical security | Preventive | |
| Define access needs for each system component of an information system. CC ID 12456 | Technical security | Preventive | |
| Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical security | Preventive | |
| Establish access rights based on least privilege. CC ID 01411 [The allocation and use of privileged access rights should be restricted and managed. § 8.2 Control] | Technical security | Preventive | |
| Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Preventive | |
| Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Preventive | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical security | Preventive | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Preventive | |
| Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical security | Preventive | |
| Include all system components in the access control system. CC ID 11939 | Technical security | Preventive | |
| Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical security | Preventive | |
| Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Preventive | |
| Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical security | Preventive | |
| Enforce access restrictions for change control. CC ID 01428 | Technical security | Preventive | |
| Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical security | Preventive | |
| Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical security | Preventive | |
| Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical security | Preventive | |
| Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical security | Preventive | |
| Control user privileges. CC ID 11665 [Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control. § 5.18 Control] | Technical security | Preventive | |
| Review all user privileges, as necessary. CC ID 06784 [Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control. § 5.18 Control] | Technical security | Preventive | |
| Review each user's access capabilities when their role changes. CC ID 00524 | Technical security | Preventive | |
| Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 | Technical security | Preventive | |
| Establish, implement, and maintain User Access Management procedures. CC ID 00514 | Technical security | Preventive | |
| Review and approve logical access to all assets based upon organizational policies. CC ID 06641 | Technical security | Preventive | |
| Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 | Technical security | Preventive | |
| Automate access control methods, as necessary. CC ID 11838 | Technical security | Preventive | |
| Automate Access Control Systems, as necessary. CC ID 06854 | Technical security | Preventive | |
| Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical security | Preventive | |
| Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 | Technical security | Preventive | |
| Remove inactive user accounts, as necessary. CC ID 00517 | Technical security | Corrective | |
| Remove temporary user accounts, as necessary. CC ID 11839 | Technical security | Corrective | |
| Enforce the password policy. CC ID 16347 | Technical security | Preventive | |
| Enforce usage restrictions for superuser accounts. CC ID 07064 | Technical security | Preventive | |
| Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 | Technical security | Preventive | |
| Protect and manage biometric systems and biometric data. CC ID 01261 | Technical security | Preventive | |
| Include digital identification procedures in the access control program. CC ID 11841 | Technical security | Preventive | |
| Require proper authentication for user identifiers. CC ID 11785 | Technical security | Preventive | |
| Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 | Technical security | Preventive | |
| Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical security | Preventive | |
| Identify and control all network access controls. CC ID 00529 | Technical security | Preventive | |
| Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 | Technical security | Preventive | |
| Review and approve information exchange system connections. CC ID 07143 | Technical security | Preventive | |
| Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 | Technical security | Preventive | |
| Refrain from storing restricted data at unsafe Internet services or virtual servers. CC ID 13107 | Technical security | Preventive | |
| Block uncategorized sites using URL filtering. CC ID 12140 | Technical security | Preventive | |
| Subscribe to a URL categorization service to maintain website category definitions in the URL filter list. CC ID 12139 | Technical security | Detective | |
| Control all methods of remote access and teleworking. CC ID 00559 [{remote working arrangement} Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization's premises. § 6.7 Control] | Technical security | Preventive | |
| Refrain from allowing remote users to copy files to remote devices. CC ID 06792 | Technical security | Preventive | |
| Control remote access through a network access control. CC ID 01421 | Technical security | Preventive | |
| Prohibit remote access to systems processing cleartext restricted data or restricted information. CC ID 12324 | Technical security | Preventive | |
| Employ multifactor authentication for remote access to the organization's network. CC ID 12505 | Technical security | Preventive | |
| Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical security | Preventive | |
| Limit the source addresses from which remote administration is performed. CC ID 16393 | Technical security | Preventive | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical security | Preventive | |
| Make key usage for data fields unique for each device. CC ID 04828 | Technical security | Preventive | |
| Accept only trusted keys and/or certificates. CC ID 11988 | Technical security | Preventive | |
| Bind keys to each identity. CC ID 12337 | Technical security | Preventive | |
| Generate unique cryptographic keys for each user. CC ID 12169 | Technical security | Preventive | |
| Implement decryption keys so that they are not linked to user accounts. CC ID 06851 | Technical security | Preventive | |
| Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical security | Preventive | |
| Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical security | Preventive | |
| Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical security | Preventive | |
| Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical security | Preventive | |
| Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical security | Preventive | |
| Install and maintain container security solutions. CC ID 16178 | Technical security | Preventive | |
| Protect the system against replay attacks. CC ID 04552 | Technical security | Preventive | |
| Analyze the behavior and characteristics of the malicious code. CC ID 10672 | Technical security | Detective | |
| Incorporate the malicious code analysis into the patch management program. CC ID 10673 | Technical security | Corrective | |
| Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Preventive | |
| Secure unissued access mechanisms. CC ID 06713 | Physical and environmental protection | Preventive | |
| Change cipher lock codes, as necessary. CC ID 06651 | Physical and environmental protection | Preventive | |
| Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 | Physical and environmental protection | Preventive | |
| Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Physical and environmental protection | Corrective | |
| Establish, implement, and maintain a clear screen policy. CC ID 12436 [Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced. § 7.7 Control] | Physical and environmental protection | Preventive | |
| Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768 | Physical and environmental protection | Preventive | |
| Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647 | Physical and environmental protection | Preventive | |
| Remotely control operational conditions at unmanned facilities. CC ID 11680 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 | Human Resources management | Preventive | |
| Refrain from implementing network elements in a public cloud. CC ID 16382 | Operational management | Preventive | |
| Establish, implement, and maintain cloud management procedures. CC ID 13149 | Operational management | Preventive | |
| Use strong data encryption when storing information within a cloud service. CC ID 16411 | Operational management | Preventive | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Preventive | |
| Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Operational management | Preventive | |
| Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Preventive | |
| Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Operational management | Detective | |
| Prevent users from disabling required software. CC ID 16417 | Operational management | Preventive | |
| Control remote maintenance according to the system's asset classification. CC ID 01433 | Operational management | Preventive | |
| Approve all remote maintenance sessions. CC ID 10615 | Operational management | Preventive | |
| Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Operational management | Preventive | |
| Employ dedicated systems during system maintenance. CC ID 12108 | Operational management | Preventive | |
| Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Operational management | Preventive | |
| Categorize the incident following an incident response. CC ID 13208 | Operational management | Preventive | |
| Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Corrective | |
| Refrain from accessing compromised systems. CC ID 01752 | Operational management | Corrective | |
| Isolate compromised systems from the network. CC ID 01753 | Operational management | Corrective | |
| Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Corrective | |
| Change wireless access variables after a data loss event has been detected. CC ID 01756 | Operational management | Corrective | |
| Re-image compromised systems with secure builds. CC ID 12086 | Operational management | Corrective | |
| Integrate configuration management procedures into the incident management program. CC ID 13647 | Operational management | Preventive | |
| Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Corrective | |
| Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Corrective | |
| Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Corrective | |
| Restrict and control the use of privileged utility programs. CC ID 12030 [The use of utility programs that can be capable of overriding system and application controls should be restricted and tightly controlled. § 8.18 Control] | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain authenticators. CC ID 15305 | System hardening through configuration management | Preventive | |
| Restrict access to authentication files to authorized personnel, as necessary. CC ID 12127 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Records management | Preventive | |
| Implement and maintain high availability storage, as necessary. CC ID 00952 | Records management | Preventive | |
| Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Preventive | |
| Provide encryption for different types of electronic storage media. CC ID 00945 | Records management | Preventive | |
| Protect application program libraries. CC ID 11762 [{read access}{software development tool} Read and write access to source code, development tools and software libraries should be appropriately managed. § 8.4 Control] | Systems design, build, and implementation | Preventive | |
| Establish and maintain access rights to source code based upon least privilege. CC ID 06962 [{read access}{software development tool} Read and write access to source code, development tools and software libraries should be appropriately managed. § 8.4 Control] | Systems design, build, and implementation | Preventive | |
| Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Systems design, build, and implementation | Preventive | |
| Protect applications from improper access control through secure coding techniques in source code. CC ID 11959 | Systems design, build, and implementation | Preventive | |
| Protect applications from improper error handling through secure coding techniques in source code. CC ID 11937 | Systems design, build, and implementation | Preventive | |
| Protect applications from insecure communications through secure coding techniques in source code. CC ID 11936 | Systems design, build, and implementation | Preventive | |
| Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Systems design, build, and implementation | Preventive | |
| Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Systems design, build, and implementation | Preventive | |
| Refrain from hard-coding usernames in source code. CC ID 06561 | Systems design, build, and implementation | Preventive | |
| Refrain from hard-coding authenticators in source code. CC ID 11829 | Systems design, build, and implementation | Preventive | |
| Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Systems design, build, and implementation | Preventive | |
| Protect applications from injection flaws through secure coding techniques in source code. CC ID 11944 | Systems design, build, and implementation | Preventive | |
| Control user account management through secure coding techniques in source code. CC ID 11909 | Systems design, build, and implementation | Preventive | |
| Restrict direct access of databases to the database administrator through secure coding techniques in source code. CC ID 11933 | Systems design, build, and implementation | Preventive | |
| Protect applications from buffer overflows through secure coding techniques in source code. CC ID 11943 | Systems design, build, and implementation | Preventive | |
| Protect applications from insecure cryptographic storage through secure coding techniques in source code. CC ID 11935 | Systems design, build, and implementation | Preventive | |
| Protect databases from unauthorized database management actions through secure coding techniques in source code. CC ID 12049 | Systems design, build, and implementation | Preventive | |
| Standardize Application Programming Interfaces. CC ID 12167 | Systems design, build, and implementation | Preventive | |
| Protect test data in the development environment. CC ID 12014 [Test information should be appropriately selected, protected and managed. § 8.33 Control] | Systems design, build, and implementation | Preventive | |
| Include the cost effectiveness of security controls in system acquisition contracts. CC ID 11653 | Acquisition or sale of facilities, technology, and services | Detective | |
| Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 | Privacy protection for information and data | Preventive | |
| Display warning screens and confirmation screens for all payment transactions. CC ID 06409 | Privacy protection for information and data | Preventive | |
| Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Preventive | |
| Employ a random number generator to create authenticators. CC ID 13782 | Privacy protection for information and data | Preventive | |
| Provide unobservability of users and resources. CC ID 04551 | Privacy protection for information and data | Preventive | |
| Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Preventive | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Preventive | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Preventive | |
| Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Preventive | |
Testing | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain the audit plan. CC ID 01156 [Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management. § 8.34 Control] | Audits and risk management | Detective | |
| Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Technical security | Detective | |
| Scan the system to verify modems are disabled or removed, except the modems that are explicitly approved. CC ID 00560 | Technical security | Detective | |
| Test cryptographic key management applications, as necessary. CC ID 04829 | Technical security | Detective | |
| Test all removable storage media for viruses and malicious code. CC ID 11861 | Technical security | Detective | |
| Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 | Technical security | Detective | |
| Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 | Physical and environmental protection | Preventive | |
| Implement operational requirements for card readers. CC ID 02225 | Physical and environmental protection | Preventive | |
| Test locks for physical security vulnerabilities. CC ID 04880 | Physical and environmental protection | Detective | |
| Test and inspect assets under full load working conditions. CC ID 06356 | Physical and environmental protection | Detective | |
| Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers. CC ID 01397 | Operational and Systems Continuity | Detective | |
| Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards. CC ID 01399 | Operational and Systems Continuity | Detective | |
| Require telecommunications service providers to have adequate continuity plans. CC ID 01400 | Operational and Systems Continuity | Detective | |
| Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 | Operational and Systems Continuity | Detective | |
| Test backup media for media integrity and information integrity, as necessary. CC ID 01401 [Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. § 8.13 Control] | Operational and Systems Continuity | Detective | |
| Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 | Operational and Systems Continuity | Detective | |
| Test each restored system for media integrity and information integrity. CC ID 01920 | Operational and Systems Continuity | Detective | |
| Include stakeholders when testing restored systems, as necessary. CC ID 13066 | Operational and Systems Continuity | Corrective | |
| Use available financial resources for the efficaciousness of the service continuity strategy. CC ID 01370 | Operational and Systems Continuity | Detective | |
| Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Preventive | |
| Test the continuity plan, as necessary. CC ID 00755 [ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. § 5.30 Control] | Operational and Systems Continuity | Detective | |
| Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 | Operational and Systems Continuity | Preventive | |
| Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Operational and Systems Continuity | Preventive | |
| Validate the emergency communications procedures during continuity plan tests. CC ID 12777 | Operational and Systems Continuity | Preventive | |
| Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 | Operational and Systems Continuity | Preventive | |
| Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Operational and Systems Continuity | Detective | |
| Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 | Operational and Systems Continuity | Detective | |
| Analyze system interdependence during continuity plan tests. CC ID 13082 | Operational and Systems Continuity | Detective | |
| Validate the evacuation plans during continuity plan tests. CC ID 12760 | Operational and Systems Continuity | Preventive | |
| Test the continuity plan at the alternate facility. CC ID 01174 | Operational and Systems Continuity | Detective | |
| Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 | Operational and Systems Continuity | Preventive | |
| Review all third party's continuity plan test results. CC ID 01365 | Operational and Systems Continuity | Detective | |
| Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Operational and Systems Continuity | Detective | |
| Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 | Operational and Systems Continuity | Detective | |
| Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 | Operational and Systems Continuity | Detective | |
| Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 | Human Resources management | Detective | |
| Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Preventive | |
| Implement segregation of duties in roles and responsibilities. CC ID 00774 [Conflicting duties and conflicting areas of responsibility should be segregated. § 5.3 Control] | Human Resources management | Detective | |
| Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 | Operational management | Detective | |
| Conduct maintenance with authorized personnel. CC ID 01434 | Operational management | Detective | |
| Calibrate assets according to the calibration procedures for the asset. CC ID 06203 | Operational management | Detective | |
| Test for detrimental environmental factors after a system is disposed. CC ID 06938 | Operational management | Detective | |
| Assess all incidents to determine what information was accessed. CC ID 01226 [The organization should assess information security events and decide if they are to be categorized as information security incidents. § 5.25 Control Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. § 8.16 Control] | Operational management | Corrective | |
| Test incident monitoring procedures. CC ID 13194 | Operational management | Detective | |
| Open a priority incident request after a security breach is detected. CC ID 04838 | Operational management | Corrective | |
| Activate the incident response notification procedures after a security breach is detected. CC ID 04839 | Operational management | Corrective | |
| Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 | Records management | Detective | |
| Maintain media sanitization equipment in operational condition. CC ID 00721 | Records management | Detective | |
| Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Records management | Detective | |
| Test the storage media downgrade for correct performance. CC ID 10623 | Records management | Detective | |
| Perform a risk assessment for each system development project. CC ID 01000 | Systems design, build, and implementation | Detective | |
| Conduct a post implementation review when the system design project ends. CC ID 01003 | Systems design, build, and implementation | Detective | |
| Implement security controls in development endpoints. CC ID 16389 | Systems design, build, and implementation | Preventive | |
| Perform Quality Management on all newly developed or modified systems. CC ID 01100 | Systems design, build, and implementation | Detective | |
| Restrict production data from being used in the test environment. CC ID 01103 | Systems design, build, and implementation | Detective | |
| Test all software changes before promoting the system to a production environment. CC ID 01106 | Systems design, build, and implementation | Detective | |
| Test security functionality during the development process. CC ID 12015 | Systems design, build, and implementation | Preventive | |
| Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 | Systems design, build, and implementation | Detective | |
| Review and test source code. CC ID 01086 | Systems design, build, and implementation | Detective | |
| Correct code anomalies and code deficiencies in custom code and retest before release. CC ID 06292 | Systems design, build, and implementation | Corrective | |
| Approve all custom code test results before code is released. CC ID 06293 | Systems design, build, and implementation | Detective | |
| Provide a Configuration Management plan by the Information System developer for all newly acquired assets. CC ID 01446 | Acquisition or sale of facilities, technology, and services | Detective | |
| Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired assets. CC ID 01447 | Acquisition or sale of facilities, technology, and services | Detective | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Detective | |
| Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Preventive | |
| Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Detective | |
| Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Detective | |
| Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 | Privacy protection for information and data | Detective | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Detective | |
| Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 [The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. § 5.22 Control] | Third Party and supply chain oversight | Detective | |
| Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 | Third Party and supply chain oversight | Detective | |
Training | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include updates on emerging issues in the security awareness program. CC ID 13184 [Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function. § 6.3 Control] | Human Resources management | Preventive | |
| Include cybersecurity in the security awareness program. CC ID 13183 [Protection against malware should be implemented and supported by appropriate user awareness. § 8.7 Control] | Human Resources management | Preventive | |
Common Controls andThere are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Corrective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Monitoring and measurement | Establish/Maintain Documentation | |
| Eliminate false positives in event logs and audit logs. CC ID 07047 | Monitoring and measurement | Log Management | |
| Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Monitoring and measurement | Investigate | |
| Perform vulnerability assessments, as necessary. CC ID 11828 [Information about technical vulnerabilities of information systems in use should be obtained, the organization's exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. § 8.8 Control] | Monitoring and measurement | Technical Security | |
| Correct or mitigate vulnerabilities. CC ID 12497 [Information about technical vulnerabilities of information systems in use should be obtained, the organization's exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. § 8.8 Control] | Monitoring and measurement | Technical Security | |
| Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Monitoring and measurement | Technical Security | |
| Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Establish/Maintain Documentation | |
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Communicate | |
| Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 | Technical security | Behavior | |
| Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 | Technical security | Behavior | |
| Remove inactive user accounts, as necessary. CC ID 00517 | Technical security | Technical Security | |
| Remove temporary user accounts, as necessary. CC ID 11839 | Technical security | Technical Security | |
| Revoke membership in the whitelist, as necessary. CC ID 13827 | Technical security | Establish/Maintain Documentation | |
| Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 | Technical security | Data and Information Management | |
| Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 | Technical security | Data and Information Management | |
| Remove malware when malicious code is discovered. CC ID 13691 | Technical security | Process or Activity | |
| Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Technical security | Communicate | |
| Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 | Technical security | Establish/Maintain Documentation | |
| Incorporate the malicious code analysis into the patch management program. CC ID 10673 | Technical security | Technical Security | |
| Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 | Physical and environmental protection | Physical and Environmental Protection | |
| Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Establish/Maintain Documentation | |
| Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Physical and environmental protection | Technical Security | |
| Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Physical and environmental protection | Process or Activity | |
| Unpair missing Bluetooth devices. CC ID 12428 | Physical and environmental protection | Physical and Environmental Protection | |
| Remove dormant systems from the network, as necessary. CC ID 13727 | Physical and environmental protection | Process or Activity | |
| Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 | Operational and Systems Continuity | Configuration | |
| Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693 | Operational and Systems Continuity | Process or Activity | |
| Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 | Operational and Systems Continuity | Physical and Environmental Protection | |
| Include stakeholders when testing restored systems, as necessary. CC ID 13066 | Operational and Systems Continuity | Testing | |
| Identify who can speak to the media in the emergency communications procedures. CC ID 12761 | Operational and Systems Continuity | Communicate | |
| Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation. § 6.4 Control] | Human Resources management | Behavior | |
| Measure policy compliance when reviewing the internal control framework. CC ID 06442 [Compliance with the organization's information security policy, topic-specific policies, rules and standards should be regularly reviewed. § 5.36 Control] | Operational management | Actionable Reports or Measurements | |
| Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Establish/Maintain Documentation | |
| Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 | Operational management | Monitor and Evaluate Occurrences | |
| Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 | Operational management | Monitor and Evaluate Occurrences | |
| Refrain from protecting physical assets when no longer required. CC ID 13484 | Operational management | Physical and Environmental Protection | |
| Determine the incident severity level when assessing the security incidents. CC ID 01650 | Operational management | Monitor and Evaluate Occurrences | |
| Escalate incidents, as necessary. CC ID 14861 | Operational management | Monitor and Evaluate Occurrences | |
| Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Process or Activity | |
| Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Behavior | |
| Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Process or Activity | |
| Contain the incident to prevent further loss. CC ID 01751 | Operational management | Process or Activity | |
| Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Technical Security | |
| Refrain from accessing compromised systems. CC ID 01752 | Operational management | Technical Security | |
| Isolate compromised systems from the network. CC ID 01753 | Operational management | Technical Security | |
| Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 | Operational management | Log Management | |
| Change authenticators after a security incident has been detected. CC ID 06789 | Operational management | Technical Security | |
| Assess all incidents to determine what information was accessed. CC ID 01226 [The organization should assess information security events and decide if they are to be categorized as information security incidents. § 5.25 Control Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. § 8.16 Control] | Operational management | Testing | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Monitor and Evaluate Occurrences | |
| Share incident information with interested personnel and affected parties. CC ID 01212 | Operational management | Data and Information Management | |
| Share data loss event information with the media. CC ID 01759 | Operational management | Behavior | |
| Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Establish/Maintain Documentation | |
| Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Data and Information Management | |
| Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Behavior | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Behavior | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Behavior | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Establish/Maintain Documentation | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Communicate | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Business Processes | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Behavior | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Behavior | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Behavior | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Behavior | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Behavior | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Behavior | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Communicate | |
| Include incident recovery procedures in the Incident Management program. CC ID 01758 | Operational management | Establish/Maintain Documentation | |
| Change wireless access variables after a data loss event has been detected. CC ID 01756 | Operational management | Technical Security | |
| Eradicate the cause of the incident after the incident has been contained. CC ID 01757 | Operational management | Business Processes | |
| Implement security controls for personnel that have accessed information absent authorization. CC ID 10611 | Operational management | Human Resources Management | |
| Re-image compromised systems with secure builds. CC ID 12086 | Operational management | Technical Security | |
| Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858 | Operational management | Establish/Maintain Documentation | |
| Include the organizational functions affected by disruption in the Incident Management audit log. CC ID 12238 | Operational management | Log Management | |
| Open a priority incident request after a security breach is detected. CC ID 04838 | Operational management | Testing | |
| Activate the incident response notification procedures after a security breach is detected. CC ID 04839 | Operational management | Testing | |
| Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 | Operational management | Communicate | |
| Respond when an integrity violation is detected, as necessary. CC ID 10678 | Operational management | Technical Security | |
| Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 | Operational management | Technical Security | |
| Restart systems when an integrity violation is detected, as necessary. CC ID 10680 | Operational management | Technical Security | |
| Change the authenticator for shared accounts when the group membership changes. CC ID 14249 | System hardening through configuration management | Business Processes | |
| Configure the look-up secret authenticator to dispose of memorized secrets after their use. CC ID 13817 | System hardening through configuration management | Configuration | |
| Downgrade electronic storage media, as necessary. CC ID 10621 | Records management | Process or Activity | |
| Address known coding vulnerabilities as a part of secure coding techniques. CC ID 12493 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Correct code anomalies and code deficiencies in custom code and retest before release. CC ID 06292 | Systems design, build, and implementation | Testing | |
| Document attempts to obtain system documentation. CC ID 14284 | Acquisition or sale of facilities, technology, and services | Process or Activity | |
| Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 | Privacy protection for information and data | Records Management | |
| Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 | Privacy protection for information and data | Records Management | |
| Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate private communications when required by law. CC ID 14335 | Privacy protection for information and data | Communicate | |
| Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Communicate | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Records Management | |
| Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Communicate | |
| Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Privacy protection for information and data | Communicate | |
| Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 | Privacy protection for information and data | Communicate | |
| Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 | Privacy protection for information and data | Communicate | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Process or Activity | |
| Implement procedures to file privacy rights violation complaints. CC ID 00476 | Privacy protection for information and data | Data and Information Management | |
| File privacy rights violation complaints in writing. CC ID 00477 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 | Privacy protection for information and data | Behavior | |
| File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 | Privacy protection for information and data | Behavior | |
| Change or destroy any personal data that is incorrect. CC ID 00462 | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Privacy protection for information and data | Behavior | |
| Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 | Privacy protection for information and data | Behavior | |
| Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 | Privacy protection for information and data | Behavior | |
| Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 | Privacy protection for information and data | Data and Information Management | |
| Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 | Privacy protection for information and data | Business Processes | |
| Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 | Privacy protection for information and data | Communicate | |
| Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 | Privacy protection for information and data | Behavior | |
| Order the organization to change to be in compliance with applicable law. CC ID 00499 | Privacy protection for information and data | Behavior | |
| Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 | Privacy protection for information and data | Behavior | |
| Award damages based on applicable law. CC ID 00501 | Privacy protection for information and data | Behavior | |
| Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 | Privacy protection for information and data | Data and Information Management | |
Detective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Map in scope assets and in scope records to external requirements. CC ID 12189 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Log Management | |
| Monitor systems for inappropriate usage and other security violations. CC ID 00585 [Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. § 8.16 Control] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Monitor systems for blended attacks and multiple component incidents. CC ID 01225 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Monitor systems for Denial of Service attacks. CC ID 01222 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 | Monitoring and measurement | Human Resources Management | |
| Detect unauthorized access to systems. CC ID 06798 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Monitoring and measurement | Log Management | |
| Establish, implement, and maintain event logging procedures. CC ID 01335 [Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. § 8.15 Control] | Monitoring and measurement | Log Management | |
| Review and update event logs and audit logs, as necessary. CC ID 00596 | Monitoring and measurement | Log Management | |
| Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Log Management | |
| Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Monitoring and measurement | Technical Security | |
| Enable logging for all systems that meet a traceability criteria. CC ID 00640 | Monitoring and measurement | Log Management | |
| Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 [Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. § 8.9 Control] | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 | Monitoring and measurement | Process or Activity | |
| Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Monitor for and report when a software configuration is updated. CC ID 06746 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Monitor for firmware updates absent authorization. CC ID 10675 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Implement file integrity monitoring. CC ID 01205 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Identify unauthorized modifications during file integrity monitoring. CC ID 12096 | Monitoring and measurement | Technical Security | |
| Monitor and evaluate user account activity. CC ID 07066 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Log account usage to determine dormant accounts. CC ID 12118 | Monitoring and measurement | Log Management | |
| Log account usage times. CC ID 07099 | Monitoring and measurement | Log Management | |
| Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Log account usage durations. CC ID 12117 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 | Monitoring and measurement | Communicate | |
| Log Internet Protocol addresses used during logon. CC ID 07100 | Monitoring and measurement | Log Management | |
| Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 | Monitoring and measurement | Communicate | |
| Perform vulnerability scans, as necessary. CC ID 11637 | Monitoring and measurement | Technical Security | |
| Identify and document security vulnerabilities. CC ID 11857 [Information about technical vulnerabilities of information systems in use should be obtained, the organization's exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. § 8.8 Control] | Monitoring and measurement | Technical Security | |
| Rank discovered vulnerabilities. CC ID 11940 | Monitoring and measurement | Investigate | |
| Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Monitoring and measurement | Technical Security | |
| Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Monitoring and measurement | Actionable Reports or Measurements | |
| Collect threat intelligence, as necessary. CC ID 14064 [Information relating to information security threats should be collected and analysed to produce threat intelligence. § 5.7 Control] | Monitoring and measurement | Process or Activity | |
| Identify and document intelligence collection shortfalls. CC ID 14078 | Monitoring and measurement | Investigate | |
| Evaluate cyber threat intelligence. CC ID 12747 [Information relating to information security threats should be collected and analysed to produce threat intelligence. § 5.7 Control] | Monitoring and measurement | Process or Activity | |
| Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the audit plan. CC ID 01156 [Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management. § 8.34 Control] | Audits and risk management | Testing | |
| Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 | Technical security | Process or Activity | |
| Interact with the data subject when performing remote proofing. CC ID 13777 | Technical security | Process or Activity | |
| View all applicant actions when performing remote proofing. CC ID 13804 | Technical security | Process or Activity | |
| Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 | Technical security | Process or Activity | |
| Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 | Technical security | Process or Activity | |
| Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 | Technical security | Process or Activity | |
| Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 | Technical security | Process or Activity | |
| Validate proof of identity during the identity proofing process. CC ID 13756 | Technical security | Process or Activity | |
| Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 | Technical security | Business Processes | |
| Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 | Technical security | Process or Activity | |
| Verify proof of identity records. CC ID 13761 | Technical security | Investigate | |
| Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Technical security | Process or Activity | |
| Conduct in-person proofing with physical interactions. CC ID 13775 | Technical security | Process or Activity | |
| Reperform the identity proofing process for each individual, as necessary. CC ID 13762 | Technical security | Process or Activity | |
| Validate the issuer in the authentication assertion. CC ID 13878 | Technical security | Technical Security | |
| Validate the timestamp in the authentication assertion. CC ID 13875 | Technical security | Technical Security | |
| Validate the digital signature in the authentication assertion. CC ID 13869 | Technical security | Technical Security | |
| Validate the signature validation element in the authentication assertion. CC ID 13867 | Technical security | Technical Security | |
| Validate the audience restriction element in the authentication assertion. CC ID 13866 | Technical security | Technical Security | |
| Identify information system users. CC ID 12081 | Technical security | Technical Security | |
| Review user accounts. CC ID 00525 | Technical security | Technical Security | |
| Match user accounts to authorized parties. CC ID 12126 | Technical security | Configuration | |
| Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082 | Technical security | Technical Security | |
| Review shared accounts. CC ID 11840 | Technical security | Technical Security | |
| Disallow application IDs from running as privileged users. CC ID 10050 | Technical security | Configuration | |
| Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Technical security | Testing | |
| Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Technical security | Communicate | |
| Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 | Technical security | Process or Activity | |
| Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 | Technical security | Process or Activity | |
| Establish, implement, and maintain a sensitive information inventory. CC ID 13736 | Technical security | Establish/Maintain Documentation | |
| Subscribe to a URL categorization service to maintain website category definitions in the URL filter list. CC ID 12139 | Technical security | Technical Security | |
| Scan the system to verify modems are disabled or removed, except the modems that are explicitly approved. CC ID 00560 | Technical security | Testing | |
| Monitor and evaluate all remote access usage. CC ID 00563 | Technical security | Monitor and Evaluate Occurrences | |
| Test cryptographic key management applications, as necessary. CC ID 04829 | Technical security | Testing | |
| Scan for malicious code, as necessary. CC ID 11941 | Technical security | Investigate | |
| Test all removable storage media for viruses and malicious code. CC ID 11861 | Technical security | Testing | |
| Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 | Technical security | Testing | |
| Log and react to all malicious code activity. CC ID 07072 | Technical security | Monitor and Evaluate Occurrences | |
| Analyze the behavior and characteristics of the malicious code. CC ID 10672 | Technical security | Technical Security | |
| Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and environmental protection | Physical and Environmental Protection | |
| Detect anomalies in physical barriers. CC ID 13533 | Physical and environmental protection | Investigate | |
| Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and environmental protection | Physical and Environmental Protection | |
| Test locks for physical security vulnerabilities. CC ID 04880 | Physical and environmental protection | Testing | |
| Lock all lockable equipment cabinets. CC ID 11673 | Physical and environmental protection | Physical and Environmental Protection | |
| Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 [Premises should be continuously monitored for unauthorized physical access. § 7.4 Control] | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Physical and environmental protection | Investigate | |
| Log when the vault is accessed. CC ID 06725 | Physical and environmental protection | Log Management | |
| Log when the cabinet is accessed. CC ID 11674 | Physical and environmental protection | Log Management | |
| Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Monitor physical entry point alarms. CC ID 01639 | Physical and environmental protection | Physical and Environmental Protection | |
| Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Monitor for alarmed security doors being propped open. CC ID 06684 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Track restricted storage media while it is in transit. CC ID 00967 | Physical and environmental protection | Data and Information Management | |
| Attach asset location technologies to distributed assets. CC ID 10626 | Physical and environmental protection | Physical and Environmental Protection | |
| Monitor the location of distributed assets. CC ID 11684 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 | Physical and environmental protection | Investigate | |
| Test and inspect assets under full load working conditions. CC ID 06356 | Physical and environmental protection | Testing | |
| Monitor and review environmental protections. CC ID 12571 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Install and maintain seismic detectors in critical facilities. CC ID 06364 | Physical and environmental protection | Physical and Environmental Protection | |
| Install and maintain an environment control monitoring system. CC ID 06370 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Define and prioritize critical business functions. CC ID 00736 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Identify all critical business records. CC ID 00737 | Operational and Systems Continuity | Records Management | |
| Establish, implement, and maintain a critical personnel list. CC ID 00739 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a critical resource list. CC ID 00740 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers. CC ID 01397 | Operational and Systems Continuity | Testing | |
| Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards. CC ID 01399 | Operational and Systems Continuity | Testing | |
| Require telecommunications service providers to have adequate continuity plans. CC ID 01400 | Operational and Systems Continuity | Testing | |
| Designate an alternate facility in the continuity plan. CC ID 00742 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Determine which data elements to back up. CC ID 13483 | Operational and Systems Continuity | Data and Information Management | |
| Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 | Operational and Systems Continuity | Testing | |
| Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 | Operational and Systems Continuity | Systems Continuity | |
| Test backup media for media integrity and information integrity, as necessary. CC ID 01401 [Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. § 8.13 Control] | Operational and Systems Continuity | Testing | |
| Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 | Operational and Systems Continuity | Testing | |
| Test each restored system for media integrity and information integrity. CC ID 01920 | Operational and Systems Continuity | Testing | |
| Use available financial resources for the efficaciousness of the service continuity strategy. CC ID 01370 | Operational and Systems Continuity | Testing | |
| Review the insurance coverage of the insurance policy, as necessary. CC ID 12688 | Operational and Systems Continuity | Business Processes | |
| Review the beneficiaries of the insurance policy. CC ID 16563 | Operational and Systems Continuity | Business Processes | |
| Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Test the continuity plan, as necessary. CC ID 00755 [ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. § 5.30 Control] | Operational and Systems Continuity | Testing | |
| Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Operational and Systems Continuity | Testing | |
| Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 | Operational and Systems Continuity | Testing | |
| Analyze system interdependence during continuity plan tests. CC ID 13082 | Operational and Systems Continuity | Testing | |
| Test the continuity plan at the alternate facility. CC ID 01174 | Operational and Systems Continuity | Testing | |
| Review all third party's continuity plan test results. CC ID 01365 | Operational and Systems Continuity | Testing | |
| Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Operational and Systems Continuity | Testing | |
| Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 | Operational and Systems Continuity | Testing | |
| Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 | Operational and Systems Continuity | Testing | |
| Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 | Human Resources management | Testing | |
| Perform a background check during personnel screening. CC ID 11758 [Background verification checks on all candidates to become personnel should be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. § 6.1 Control] | Human Resources management | Human Resources Management | |
| Implement segregation of duties in roles and responsibilities. CC ID 00774 [Conflicting duties and conflicting areas of responsibility should be segregated. § 5.3 Control] | Human Resources management | Testing | |
| Monitor managing cloud services. CC ID 13150 | Operational management | Monitor and Evaluate Occurrences | |
| Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 | Operational management | Establish/Maintain Documentation | |
| Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 | Operational management | Technical Security | |
| Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 | Operational management | Testing | |
| Control and monitor all maintenance tools. CC ID 01432 | Operational management | Physical and Environmental Protection | |
| Conduct maintenance with authorized personnel. CC ID 01434 | Operational management | Testing | |
| Calibrate assets according to the calibration procedures for the asset. CC ID 06203 | Operational management | Testing | |
| Test for detrimental environmental factors after a system is disposed. CC ID 06938 | Operational management | Testing | |
| Establish, implement, and maintain an anti-money laundering program. CC ID 13675 | Operational management | Business Processes | |
| Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Monitor and Evaluate Occurrences | |
| Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Monitor and Evaluate Occurrences | |
| Identify root causes of incidents that force system changes. CC ID 13482 | Operational management | Investigate | |
| Respond to and triage when an incident is detected. CC ID 06942 | Operational management | Monitor and Evaluate Occurrences | |
| Document the incident and any relevant evidence in the incident report. CC ID 08659 | Operational management | Establish/Maintain Documentation | |
| Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 | Operational management | Investigate | |
| Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 | Operational management | Establish/Maintain Documentation | |
| Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 | Operational management | Establish/Maintain Documentation | |
| Analyze the incident response process following an incident response. CC ID 13179 | Operational management | Investigate | |
| Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Log Management | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Behavior | |
| Avoid false positive incident response notifications. CC ID 04732 | Operational management | Behavior | |
| Include information required by law in incident response notifications. CC ID 00802 | Operational management | Establish/Maintain Documentation | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Establish/Maintain Documentation | |
| Detect any potentially undiscovered security vulnerabilities on previously compromised systems. CC ID 06265 | Operational management | Monitor and Evaluate Occurrences | |
| Test incident monitoring procedures. CC ID 13194 | Operational management | Testing | |
| Conduct incident investigations, as necessary. CC ID 13826 | Operational management | Process or Activity | |
| Analyze the behaviors of individuals involved in the incident during incident investigations. CC ID 14042 | Operational management | Investigate | |
| Identify the affected parties during incident investigations. CC ID 16781 | Operational management | Investigate | |
| Interview suspects during incident investigations, as necessary. CC ID 14041 | Operational management | Investigate | |
| Interview victims and witnesses during incident investigations, as necessary. CC ID 14038 | Operational management | Investigate | |
| Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 | Operational management | Investigate | |
| Establish, implement, and maintain incident response procedures. CC ID 01206 [Information security incidents should be responded to in accordance with the documented procedures. § 5.26 Control] | Operational management | Establish/Maintain Documentation | |
| Ensure the root account is the first entry in password files. CC ID 16323 | System hardening through configuration management | Data and Information Management | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Establish/Maintain Documentation | |
| Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 | Records management | Testing | |
| Maintain media sanitization equipment in operational condition. CC ID 00721 | Records management | Testing | |
| Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records management | Records Management | |
| Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Records management | Monitor and Evaluate Occurrences | |
| Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Records management | Testing | |
| Provide audit trails for all pertinent records. CC ID 00372 | Records management | Establish/Maintain Documentation | |
| Identify electronic storage media that require downgrading. CC ID 10620 | Records management | Process or Activity | |
| Test the storage media downgrade for correct performance. CC ID 10623 | Records management | Testing | |
| Formally approve the initiation of each project phase. CC ID 00997 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Perform a risk assessment for each system development project. CC ID 01000 | Systems design, build, and implementation | Testing | |
| Identify accreditation tasks. CC ID 00999 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Conduct a post implementation review when the system design project ends. CC ID 01003 | Systems design, build, and implementation | Testing | |
| Supervise and monitor outsourced development projects. CC ID 01096 [The organization should direct, monitor and review the activities related to outsourced system development. § 8.30 Control] | Systems design, build, and implementation | Monitor and Evaluate Occurrences | |
| Perform Quality Management on all newly developed or modified systems. CC ID 01100 | Systems design, build, and implementation | Testing | |
| Restrict production data from being used in the test environment. CC ID 01103 | Systems design, build, and implementation | Testing | |
| Test all software changes before promoting the system to a production environment. CC ID 01106 | Systems design, build, and implementation | Testing | |
| Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 | Systems design, build, and implementation | Testing | |
| Review and test source code. CC ID 01086 | Systems design, build, and implementation | Testing | |
| Approve all custom code test results before code is released. CC ID 06293 | Systems design, build, and implementation | Testing | |
| Include the cost effectiveness of security controls in system acquisition contracts. CC ID 11653 | Acquisition or sale of facilities, technology, and services | Technical Security | |
| Provide a Configuration Management plan by the Information System developer for all newly acquired assets. CC ID 01446 | Acquisition or sale of facilities, technology, and services | Testing | |
| Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired assets. CC ID 01447 | Acquisition or sale of facilities, technology, and services | Testing | |
| Require a data protection impact assessment when profiling the data subject. CC ID 12680 | Privacy protection for information and data | Process or Activity | |
| Document privacy policies in clearly written and easily understood language. CC ID 00376 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Privacy protection for information and data | Behavior | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Behavior | |
| Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Privacy protection for information and data | Process or Activity | |
| Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Investigate | |
| Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Data and Information Management | |
| Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 | Privacy protection for information and data | Business Processes | |
| Confirm the data quality of personal data collected from third parties. CC ID 13510 | Privacy protection for information and data | Investigate | |
| Review the methods for collecting personal data, as necessary. CC ID 13511 | Privacy protection for information and data | Investigate | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Testing | |
| Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Testing | |
| Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Data and Information Management | |
| Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Investigate | |
| Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Behavior | |
| Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Data and Information Management | |
| Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Log Management | |
| Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Log Management | |
| Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Data and Information Management | |
| Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Process or Activity | |
| Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Testing | |
| Review compliance with the organization's privacy objectives. CC ID 13490 | Privacy protection for information and data | Human Resources Management | |
| Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Behavior | |
| Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 | Privacy protection for information and data | Behavior | |
| Investigate privacy rights violation complaints in private. CC ID 00492 | Privacy protection for information and data | Behavior | |
| Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 | Privacy protection for information and data | Behavior | |
| Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 | Privacy protection for information and data | Behavior | |
| Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 | Privacy protection for information and data | Testing | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Process or Activity | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Testing | |
| Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 [The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. § 5.22 Control] | Third Party and supply chain oversight | Testing | |
| Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 [The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. § 5.22 Control Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored. § 8.21 Control] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 | Third Party and supply chain oversight | Testing | |
| Assess the effectiveness of third party services provided to the organization. CC ID 13142 | Third Party and supply chain oversight | Business Processes | |
| Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 | Third Party and supply chain oversight | Monitor and Evaluate Occurrences | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
| Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
| Records management CC ID 00902 | Records management | IT Impact Zone | |
| Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
| Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Preventive | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain organizational objectives. CC ID 09959 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Review the organization's approach to managing information security, as necessary. CC ID 12005 [The organization's approach to managing information security and its implementation including people, processes and technologies should be reviewed independently at planned intervals, or when significant changes occur. § 5.35 Control] | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain an information classification standard. CC ID 00601 [Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements. § 5.12 Control] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Leadership and high level objectives | Data and Information Management | |
| Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Leadership and high level objectives | Data and Information Management | |
| Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Leadership and high level objectives | Data and Information Management | |
| Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Leadership and high level objectives | Data and Information Management | |
| Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Leadership and high level objectives | Data and Information Management | |
| Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Leadership and high level objectives | Data and Information Management | |
| Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Leadership and high level objectives | Data and Information Management | |
| Classify the value of information in the information classification standard. CC ID 11995 | Leadership and high level objectives | Data and Information Management | |
| Classify the legal requirements of information in the information classification standard. CC ID 11994 | Leadership and high level objectives | Data and Information Management | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 [{legal requirement}{statutory requirement}{regulatory requirement} Legal, statutory, regulatory and contractual requirements relevant to information security and the organization's approach to meet these requirements should be identified, documented and kept up to date. § 5.31 Control] | Leadership and high level objectives | Business Processes | |
| Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish and maintain an Authority Document list. CC ID 07113 [{legal requirement}{statutory requirement}{regulatory requirement} Legal, statutory, regulatory and contractual requirements relevant to information security and the organization's approach to meet these requirements should be identified, documented and kept up to date. § 5.31 Control] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Leadership and high level objectives | Communicate | |
| Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Leadership and high level objectives | Establish Roles | |
| Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Monitor systems for unauthorized data transfers. CC ID 12971 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Address operational anomalies within the incident management system. CC ID 11633 | Monitoring and measurement | Audits and Risk Management | |
| Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 | Monitoring and measurement | Audits and Risk Management | |
| Monitor systems for unauthorized mobile code. CC ID 10034 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Include the system components that generate audit records in the event logging procedures. CC ID 16426 | Monitoring and measurement | Data and Information Management | |
| Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. § 8.15 Control] | Monitoring and measurement | Log Management | |
| Protect the event logs from failure. CC ID 06290 | Monitoring and measurement | Log Management | |
| Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Data and Information Management | |
| Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Monitoring and measurement | Testing | |
| Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Establish/Maintain Documentation | |
| Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Monitoring and measurement | Audits and Risk Management | |
| Reproduce the event log if a log failure is captured. CC ID 01426 | Monitoring and measurement | Log Management | |
| Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [The clocks of information processing systems used by the organization should be synchronized to approved time sources. § 8.17 Control] | Monitoring and measurement | Configuration | |
| Centralize network time servers to as few as practical. CC ID 06308 | Monitoring and measurement | Configuration | |
| Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 | Monitoring and measurement | Communicate | |
| Monitor for software configurations updates absent authorization. CC ID 10676 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Allow expected changes during file integrity monitoring. CC ID 12090 | Monitoring and measurement | Technical Security | |
| Monitor for when documents are being updated absent authorization. CC ID 10677 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 | Monitoring and measurement | Establish/Maintain Documentation | |
| Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 | Monitoring and measurement | Process or Activity | |
| Develop and maintain a usage profile for each user account. CC ID 07067 | Monitoring and measurement | Technical Security | |
| Establish, implement, and maintain a testing program. CC ID 00654 | Monitoring and measurement | Behavior | |
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
| Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 [The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. § 5.22 Control] | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Establish/Maintain Documentation | |
| Protect logs from unauthorized activity. CC ID 01345 [Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. § 8.15 Control] | Monitoring and measurement | Log Management | |
| Archive the audit trail in accordance with compliance requirements. CC ID 00674 [Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. § 8.15 Control] | Monitoring and measurement | Log Management | |
| Provide intelligence support to the organization, as necessary. CC ID 14020 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain a Technical Surveillance Countermeasures program. CC ID 11401 | Monitoring and measurement | Technical Security | |
| Establish, implement, and maintain cyber threat intelligence tools. CC ID 12696 | Monitoring and measurement | Technical Security | |
| Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Establish/Maintain Documentation | |
| Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 [Audit tests and other assurance activities involving assessment of operational systems should be planned and agreed between the tester and appropriate management. § 8.34 Control] | Audits and risk management | Establish/Maintain Documentation | |
| Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 | Audits and risk management | Establish/Maintain Documentation | |
| Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Audits and Risk Management | |
| Include audit subject matter in the audit program. CC ID 07103 | Audits and risk management | Establish/Maintain Documentation | |
| Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Investigate | |
| Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Audits and risk management | Establish/Maintain Documentation | |
| Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Audits and risk management | Establish/Maintain Documentation | |
| Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Audits and risk management | Establish/Maintain Documentation | |
| Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Establish/Maintain Documentation | |
| Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Audits and Risk Management | |
| Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and risk management | Audits and Risk Management | |
| Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Establish/Maintain Documentation | |
| Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Audits and risk management | Establish/Maintain Documentation | |
| Provide a representation letter in support of the audit assertion. CC ID 07158 | Audits and risk management | Establish/Maintain Documentation | |
| Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Audits and Risk Management | |
| Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Audits and risk management | Establish/Maintain Documentation | |
| Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Audits and risk management | Establish/Maintain Documentation | |
| Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Establish/Maintain Documentation | |
| Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Establish/Maintain Documentation | |
| Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Establish/Maintain Documentation | |
| Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Establish/Maintain Documentation | |
| Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Establish/Maintain Documentation | |
| Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Establish/Maintain Documentation | |
| Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Establish/Maintain Documentation | |
| Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Establish/Maintain Documentation | |
| Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope records produced in the audit assertion. CC ID 06968 | Audits and risk management | Establish/Maintain Documentation | |
| Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Establish/Maintain Documentation | |
| Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Audits and risk management | Establish/Maintain Documentation | |
| Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Establish/Maintain Documentation | |
| Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Audits and risk management | Communicate | |
| Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Audits and risk management | Establish/Maintain Documentation | |
| Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 | Audits and risk management | Establish/Maintain Documentation | |
| Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 | Audits and risk management | Audits and Risk Management | |
| Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 | Audits and risk management | Establish/Maintain Documentation | |
| Include the expectations for the audit report in the audit terms. CC ID 07148 | Audits and risk management | Establish/Maintain Documentation | |
| Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Audits and risk management | Establish/Maintain Documentation | |
| Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and risk management | Audits and Risk Management | |
| Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Establish/Maintain Documentation | |
| Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Establish/Maintain Documentation | |
| Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Establish/Maintain Documentation | |
| Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Establish/Maintain Documentation | |
| Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Establish/Maintain Documentation | |
| Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Establish/Maintain Documentation | |
| Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Establish/Maintain Documentation | |
| Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Establish/Maintain Documentation | |
| Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Establish/Maintain Documentation | |
| Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Establish/Maintain Documentation | |
| Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Establish/Maintain Documentation | |
| Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Establish/Maintain Documentation | |
| Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Communicate | |
| Establish, implement, and maintain a digital identity management program. CC ID 13713 [The full life cycle of identities should be managed. § 5.16 Control] | Technical security | Establish/Maintain Documentation | |
| Establish the requirements for Identity Assurance Levels. CC ID 13857 | Technical security | Technical Security | |
| Establish, implement, and maintain an authorized representatives policy. CC ID 13798 | Technical security | Establish/Maintain Documentation | |
| Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Technical security | Establish/Maintain Documentation | |
| Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Technical security | Establish/Maintain Documentation | |
| Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Technical security | Establish/Maintain Documentation | |
| Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain digital identification procedures. CC ID 13714 | Technical security | Establish/Maintain Documentation | |
| Implement digital identification processes. CC ID 13731 | Technical security | Process or Activity | |
| Implement identity proofing processes. CC ID 13719 | Technical security | Process or Activity | |
| Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 | Technical security | Process or Activity | |
| Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 | Technical security | Process or Activity | |
| Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 | Technical security | Process or Activity | |
| Establish, implement, and maintain remote proofing procedures. CC ID 13796 | Technical security | Establish/Maintain Documentation | |
| Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 | Technical security | Configuration | |
| Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 | Technical security | Process or Activity | |
| Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 | Technical security | Process or Activity | |
| Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 | Technical security | Process or Activity | |
| Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 | Technical security | Process or Activity | |
| Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 | Technical security | Process or Activity | |
| Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 | Technical security | Configuration | |
| Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 | Technical security | Configuration | |
| Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 | Technical security | Configuration | |
| Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 | Technical security | Process or Activity | |
| Allow records that relate to the data subject as proof of identity. CC ID 13772 | Technical security | Process or Activity | |
| Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 | Technical security | Process or Activity | |
| Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 | Technical security | Process or Activity | |
| Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 | Technical security | Process or Activity | |
| Refrain from approving attributes in the identity proofing process. CC ID 13716 | Technical security | Process or Activity | |
| Establish, implement, and maintain federated identity systems. CC ID 13837 | Technical security | Technical Security | |
| Authenticate all systems in a federated identity system. CC ID 13835 | Technical security | Technical Security | |
| Send and receive authentication assertions, as necessary. CC ID 13839 | Technical security | Technical Security | |
| Make the assertion reference for authentication assertions single-use. CC ID 13843 | Technical security | Technical Security | |
| Limit the lifetime of the assertion reference. CC ID 13874 | Technical security | Technical Security | |
| Refrain from using authentication assertions that have expired. CC ID 13872 | Technical security | Technical Security | |
| Protect the authentication assertion from unauthorized access or unauthorized disclosure. CC ID 16836 | Technical security | Technical Security | |
| Include the issuer identifier in the authentication assertion. CC ID 13865 | Technical security | Technical Security | |
| Include attribute metadata in the authentication assertion. CC ID 13856 | Technical security | Technical Security | |
| Include the authentication time in the authentication assertion. CC ID 13855 | Technical security | Technical Security | |
| Validate each element within the authentication assertion. CC ID 13853 | Technical security | Technical Security | |
| Include the subject in the authentication assertion. CC ID 13852 | Technical security | Technical Security | |
| Include the target audience in the authentication assertion. CC ID 13851 | Technical security | Technical Security | |
| Include audience restrictions in the authentication assertion. CC ID 13870 | Technical security | Technical Security | |
| Include the issue date in the authentication assertion. CC ID 13850 | Technical security | Technical Security | |
| Revoke authentication assertions, as necessary. CC ID 16534 | Technical security | Technical Security | |
| Include the expiration date in the authentication assertion. CC ID 13849 | Technical security | Technical Security | |
| Include identifiers in the authentication assertion. CC ID 13848 | Technical security | Technical Security | |
| Include digital signatures in the authentication assertion. CC ID 13847 | Technical security | Technical Security | |
| Include key binding in the authentication assertion. CC ID 13846 | Technical security | Technical Security | |
| Include attribute references in the authentication assertion. CC ID 13845 | Technical security | Technical Security | |
| Include attribute values in the authentication assertion. CC ID 13844 | Technical security | Technical Security | |
| Limit the use of the assertion reference to a single organization. CC ID 13841 | Technical security | Technical Security | |
| Request attribute references instead of attribute values during the presentation of an authentication assertion. CC ID 13840 | Technical security | Technical Security | |
| Define the assertion level for authentication assertions. CC ID 13873 | Technical security | Technical Security | |
| Refrain from assigning assertion levels for authentication assertions when not defined. CC ID 13879 | Technical security | Technical Security | |
| Authenticate systems referenced in the whitelist. CC ID 13838 | Technical security | Technical Security | |
| Place nonmembers of whitelists and blacklists into a gray area until a runtime decision is made during the authentication assertion. CC ID 13854 | Technical security | Technical Security | |
| Require runtime decisions regarding authentication for organizations that are excluded from the whitelist. CC ID 13842 | Technical security | Technical Security | |
| Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Establish/Maintain Documentation | |
| Include guidance for how users should protect their authentication credentials in the access control program. CC ID 11929 [Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information. § 5.17 Control] | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 [Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control. § 5.18 Control] | Technical security | Establish/Maintain Documentation | |
| Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical security | Technical Security | |
| Inventory all user accounts. CC ID 13732 | Technical security | Establish/Maintain Documentation | |
| Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Technical security | Data and Information Management | |
| Control access rights to organizational assets. CC ID 00004 [{physical access} Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. § 5.15 Control Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control. § 5.18 Control The allocation and use of privileged access rights should be restricted and managed. § 8.2 Control Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. § 8.3 Control] | Technical security | Technical Security | |
| Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Configuration | |
| Add all devices requiring access control to the Access Control List. CC ID 06264 | Technical security | Establish/Maintain Documentation | |
| Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical security | Technical Security | |
| Define roles for information systems. CC ID 12454 | Technical security | Human Resources Management | |
| Define access needs for each role assigned to an information system. CC ID 12455 | Technical security | Human Resources Management | |
| Define access needs for each system component of an information system. CC ID 12456 | Technical security | Technical Security | |
| Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical security | Technical Security | |
| Establish access rights based on least privilege. CC ID 01411 [The allocation and use of privileged access rights should be restricted and managed. § 8.2 Control] | Technical security | Technical Security | |
| Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Technical Security | |
| Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Technical Security | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 [Groups of information services, users and information systems should be segregated in the organization's networks. § 8.22 Control] | Technical security | Configuration | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical security | Technical Security | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Configuration | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Technical Security | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 | Technical security | Configuration | |
| Limit concurrent sessions according to account type. CC ID 01416 | Technical security | Configuration | |
| Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical security | Technical Security | |
| Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Configuration | |
| Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Configuration | |
| Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Configuration | |
| Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Configuration | |
| Enable access control for objects and users on each system. CC ID 04553 | Technical security | Configuration | |
| Include all system components in the access control system. CC ID 11939 | Technical security | Technical Security | |
| Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Technical security | Process or Activity | |
| Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical security | Technical Security | |
| Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Technical Security | |
| Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical security | Technical Security | |
| Include the objects and users subject to access control in the security policy. CC ID 11836 | Technical security | Establish/Maintain Documentation | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Establish Roles | |
| Enforce access restrictions for change control. CC ID 01428 | Technical security | Technical Security | |
| Enforce access restrictions for restricted data. CC ID 01921 [{physical access} Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. § 5.15 Control Access to information and other associated assets should be restricted in accordance with the established topic-specific policy on access control. § 8.3 Control] | Technical security | Data and Information Management | |
| Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical security | Technical Security | |
| Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical security | Technical Security | |
| Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Technical security | Establish/Maintain Documentation | |
| Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Technical security | Establish/Maintain Documentation | |
| Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical security | Technical Security | |
| Display previous logon information in the logon banner. CC ID 01415 | Technical security | Configuration | |
| Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Technical security | Establish/Maintain Documentation | |
| Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical security | Technical Security | |
| Control user privileges. CC ID 11665 [Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control. § 5.18 Control] | Technical security | Technical Security | |
| Review all user privileges, as necessary. CC ID 06784 [Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control. § 5.18 Control] | Technical security | Technical Security | |
| Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 | Technical security | Configuration | |
| Review each user's access capabilities when their role changes. CC ID 00524 | Technical security | Technical Security | |
| Change authenticators after personnel status changes. CC ID 12284 | Technical security | Human Resources Management | |
| Establish and maintain a Digital Rights Management program. CC ID 07093 | Technical security | Establish/Maintain Documentation | |
| Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 | Technical security | Technical Security | |
| Establish, implement, and maintain User Access Management procedures. CC ID 00514 | Technical security | Technical Security | |
| Establish, implement, and maintain an authority for access authorization list. CC ID 06782 | Technical security | Establish/Maintain Documentation | |
| Review and approve logical access to all assets based upon organizational policies. CC ID 06641 | Technical security | Technical Security | |
| Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 | Technical security | Technical Security | |
| Assign roles and responsibilities for administering user account management. CC ID 11900 | Technical security | Human Resources Management | |
| Automate access control methods, as necessary. CC ID 11838 | Technical security | Technical Security | |
| Automate Access Control Systems, as necessary. CC ID 06854 | Technical security | Technical Security | |
| Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical security | Technical Security | |
| Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 | Technical security | Technical Security | |
| Establish, implement, and maintain a password policy. CC ID 16346 | Technical security | Establish/Maintain Documentation | |
| Enforce the password policy. CC ID 16347 | Technical security | Technical Security | |
| Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Technical security | Establish/Maintain Documentation | |
| Limit superuser accounts to designated System Administrators. CC ID 06766 | Technical security | Configuration | |
| Enforce usage restrictions for superuser accounts. CC ID 07064 | Technical security | Technical Security | |
| Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 | Technical security | Technical Security | |
| Protect and manage biometric systems and biometric data. CC ID 01261 | Technical security | Technical Security | |
| Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Technical security | Establish/Maintain Documentation | |
| Document the business need justification for authentication data storage. CC ID 06325 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an identification and authentication policy. CC ID 14033 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain identification and authentication procedures. CC ID 14053 [Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. § 8.5 Control] | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Technical security | Communicate | |
| Include digital identification procedures in the access control program. CC ID 11841 | Technical security | Technical Security | |
| Require proper authentication for user identifiers. CC ID 11785 | Technical security | Technical Security | |
| Assign authentication mechanisms for user account authentication. CC ID 06856 [Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. § 8.5 Control] | Technical security | Configuration | |
| Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 | Technical security | Technical Security | |
| Establish and maintain a memorized secret list. CC ID 13791 | Technical security | Establish/Maintain Documentation | |
| Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Technical security | Configuration | |
| Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical security | Technical Security | |
| Identify and control all network access controls. CC ID 00529 | Technical security | Technical Security | |
| Establish, implement, and maintain a network configuration standard. CC ID 00530 [Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. § 8.9 Control] | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain network segmentation requirements. CC ID 16380 | Technical security | Establish/Maintain Documentation | |
| Enforce the network segmentation requirements. CC ID 16381 | Technical security | Process or Activity | |
| Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 | Technical security | Technical Security | |
| Establish, implement, and maintain a network security policy. CC ID 06440 [Networks and network devices should be secured, managed and controlled to protect information in systems and applications. § 8.20 Control] | Technical security | Establish/Maintain Documentation | |
| Include compliance requirements in the network security policy. CC ID 14205 | Technical security | Establish/Maintain Documentation | |
| Include coordination amongst entities in the network security policy. CC ID 14204 | Technical security | Establish/Maintain Documentation | |
| Include management commitment in the network security policy. CC ID 14203 | Technical security | Establish/Maintain Documentation | |
| Include roles and responsibilities in the network security policy. CC ID 14202 | Technical security | Establish/Maintain Documentation | |
| Include the scope in the network security policy. CC ID 14201 | Technical security | Establish/Maintain Documentation | |
| Include the purpose in the network security policy. CC ID 14200 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Technical security | Communicate | |
| Establish, implement, and maintain system and communications protection procedures. CC ID 14052 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 | Technical security | Communicate | |
| Establish, implement, and maintain a wireless networking policy. CC ID 06732 | Technical security | Establish/Maintain Documentation | |
| Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Technical security | Establish/Maintain Documentation | |
| Maintain up-to-date network diagrams. CC ID 00531 | Technical security | Establish/Maintain Documentation | |
| Include the date of the most recent update on the network diagram. CC ID 14319 | Technical security | Establish/Maintain Documentation | |
| Include virtual systems in the network diagram. CC ID 16324 | Technical security | Data and Information Management | |
| Include the organization's name in the network diagram. CC ID 14318 | Technical security | Establish/Maintain Documentation | |
| Include Internet Protocol addresses in the network diagram. CC ID 16244 | Technical security | Establish/Maintain Documentation | |
| Include Domain Name System names in the network diagram. CC ID 16240 | Technical security | Establish/Maintain Documentation | |
| Accept, by formal signature, the security implications of the network topology. CC ID 12323 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Technical security | Communicate | |
| Maintain up-to-date data flow diagrams. CC ID 10059 | Technical security | Establish/Maintain Documentation | |
| Include information flows to third parties in the data flow diagram. CC ID 13185 | Technical security | Establish/Maintain Documentation | |
| Document where data-at-rest and data in transit is encrypted on the data flow diagram. CC ID 16412 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 | Technical security | Communicate | |
| Enforce information flow control. CC ID 11781 | Technical security | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 [Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. § 5.14 Control] | Technical security | Establish/Maintain Documentation | |
| Define risk tolerance to illicit data flow for each type of information classification. CC ID 01923 | Technical security | Data and Information Management | |
| Establish, implement, and maintain a document printing policy. CC ID 14384 | Technical security | Establish/Maintain Documentation | |
| Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain information flow procedures. CC ID 04542 [Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. § 5.14 Control] | Technical security | Establish/Maintain Documentation | |
| Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 | Technical security | Data and Information Management | |
| Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 | Technical security | Data and Information Management | |
| Establish, implement, and maintain information exchange procedures. CC ID 11782 | Technical security | Establish/Maintain Documentation | |
| Perform content sanitization on data-in-transit. CC ID 16512 | Technical security | Data and Information Management | |
| Perform content conversion on data-in-transit. CC ID 16510 | Technical security | Data and Information Management | |
| Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 | Technical security | Data and Information Management | |
| Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 | Technical security | Data and Information Management | |
| Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 | Technical security | Data and Information Management | |
| Review and approve information exchange system connections. CC ID 07143 | Technical security | Technical Security | |
| Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 | Technical security | Log Management | |
| Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 | Technical security | Technical Security | |
| Refrain from storing restricted data at unsafe Internet services or virtual servers. CC ID 13107 | Technical security | Technical Security | |
| Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 [Access to external websites should be managed to reduce exposure to malicious content. § 8.23 Control] | Technical security | Establish/Maintain Documentation | |
| Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 | Technical security | Configuration | |
| Block uncategorized sites using URL filtering. CC ID 12140 | Technical security | Technical Security | |
| Establish, implement, and maintain whitelists and blacklists of web content. CC ID 15234 | Technical security | Data and Information Management | |
| Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780 | Technical security | Establish/Maintain Documentation | |
| Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094 | Technical security | Behavior | |
| Control all methods of remote access and teleworking. CC ID 00559 [{remote working arrangement} Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization's premises. § 6.7 Control] | Technical security | Technical Security | |
| Assign virtual escorting to authorized personnel. CC ID 16440 | Technical security | Process or Activity | |
| Establish, implement, and maintain a remote access and teleworking program. CC ID 04545 | Technical security | Establish/Maintain Documentation | |
| Include information security requirements in the remote access and teleworking program. CC ID 15704 | Technical security | Establish/Maintain Documentation | |
| Refrain from allowing remote users to copy files to remote devices. CC ID 06792 | Technical security | Technical Security | |
| Control remote administration in accordance with organizational standards. CC ID 04459 | Technical security | Configuration | |
| Control remote access through a network access control. CC ID 01421 | Technical security | Technical Security | |
| Install and maintain remote control software and other remote control mechanisms on critical systems. CC ID 06371 | Technical security | Configuration | |
| Prohibit remote access to systems processing cleartext restricted data or restricted information. CC ID 12324 | Technical security | Technical Security | |
| Employ multifactor authentication for remote access to the organization's network. CC ID 12505 | Technical security | Technical Security | |
| Implement multifactor authentication techniques. CC ID 00561 | Technical security | Configuration | |
| Implement phishing-resistant multifactor authentication techniques. CC ID 16541 | Technical security | Technical Security | |
| Document and approve requests to bypass multifactor authentication. CC ID 15464 | Technical security | Establish/Maintain Documentation | |
| Limit the source addresses from which remote administration is performed. CC ID 16393 | Technical security | Technical Security | |
| Protect remote access accounts with encryption. CC ID 00562 | Technical security | Configuration | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical security | Technical Security | |
| Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 [Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented. § 8.24 Control] | Technical security | Establish/Maintain Documentation | |
| Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Technical security | Configuration | |
| Encrypt in scope data or in scope information, as necessary. CC ID 04824 | Technical security | Data and Information Management | |
| Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Data and Information Management | |
| Make key usage for data fields unique for each device. CC ID 04828 | Technical security | Technical Security | |
| Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Data and Information Management | |
| Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Data and Information Management | |
| Accept only trusted keys and/or certificates. CC ID 11988 | Technical security | Technical Security | |
| Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Technical security | Data and Information Management | |
| Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Technical security | Process or Activity | |
| Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Technical security | Process or Activity | |
| Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Communicate | |
| Define the format of the biometric data on identification cards or badges. CC ID 06586 | Technical security | Process or Activity | |
| Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Data and Information Management | |
| Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 [Rules for the effective use of cryptography, including cryptographic key management, should be defined and implemented. § 8.24 Control] | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Technical security | Communicate | |
| Bind keys to each identity. CC ID 12337 | Technical security | Technical Security | |
| Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Technical security | Establish/Maintain Documentation | |
| Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Technical security | Establish/Maintain Documentation | |
| Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Technical security | Data and Information Management | |
| Generate strong cryptographic keys. CC ID 01299 | Technical security | Data and Information Management | |
| Generate unique cryptographic keys for each user. CC ID 12169 | Technical security | Technical Security | |
| Use approved random number generators for creating cryptographic keys. CC ID 06574 | Technical security | Data and Information Management | |
| Implement decryption keys so that they are not linked to user accounts. CC ID 06851 | Technical security | Technical Security | |
| Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate cryptographic keys securely. CC ID 01300 | Technical security | Data and Information Management | |
| Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Technical security | Data and Information Management | |
| Store cryptographic keys securely. CC ID 01298 | Technical security | Data and Information Management | |
| Restrict access to cryptographic keys. CC ID 01297 | Technical security | Data and Information Management | |
| Store cryptographic keys in encrypted format. CC ID 06084 | Technical security | Data and Information Management | |
| Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical security | Technical Security | |
| Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Technical security | Establish/Maintain Documentation | |
| Change cryptographic keys in accordance with organizational standards. CC ID 01302 | Technical security | Data and Information Management | |
| Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Technical security | Data and Information Management | |
| Control cryptographic keys with split knowledge and dual control. CC ID 01304 | Technical security | Data and Information Management | |
| Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 | Technical security | Data and Information Management | |
| Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical security | Technical Security | |
| Archive outdated cryptographic keys. CC ID 06884 | Technical security | Data and Information Management | |
| Archive revoked cryptographic keys. CC ID 11819 | Technical security | Data and Information Management | |
| Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Technical security | Establish/Maintain Documentation | |
| Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 | Technical security | Human Resources Management | |
| Manage the digital signature cryptographic key pair. CC ID 06576 | Technical security | Data and Information Management | |
| Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Technical security | Establish/Maintain Documentation | |
| Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Establish Roles | |
| Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Technical security | Establish/Maintain Documentation | |
| Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Technical security | Establish/Maintain Documentation | |
| Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Technical security | Establish/Maintain Documentation | |
| Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Technical security | Establish/Maintain Documentation | |
| Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Technical security | Establish/Maintain Documentation | |
| Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical security | Technical Security | |
| Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical security | Technical Security | |
| Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 | Technical security | Establish/Maintain Documentation | |
| Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 | Technical security | Establish/Maintain Documentation | |
| Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Technical security | Establish/Maintain Documentation | |
| Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Technical security | Establish/Maintain Documentation | |
| Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical security | Technical Security | |
| Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Technical security | Records Management | |
| Establish, implement, and maintain a malicious code protection program. CC ID 00574 [Protection against malware should be implemented and supported by appropriate user awareness. § 8.7 Control] | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 | Technical security | Communicate | |
| Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 | Technical security | Communicate | |
| Establish, implement, and maintain malicious code protection procedures. CC ID 15483 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain a malicious code protection policy. CC ID 15478 | Technical security | Establish/Maintain Documentation | |
| Restrict downloading to reduce malicious code attacks. CC ID 04576 | Technical security | Behavior | |
| Install security and protection software, as necessary. CC ID 00575 | Technical security | Configuration | |
| Install and maintain container security solutions. CC ID 16178 | Technical security | Technical Security | |
| Protect the system against replay attacks. CC ID 04552 | Technical security | Technical Security | |
| Define and assign roles and responsibilities for malicious code protection. CC ID 15474 | Technical security | Establish Roles | |
| Lock antivirus configurations. CC ID 10047 | Technical security | Configuration | |
| Establish, implement, and maintain a physical security program. CC ID 11757 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain a facility physical security program. CC ID 00711 [Security perimeters should be defined and used to protect areas that contain information and other associated assets. § 7.1 Control Physical security for offices, rooms and facilities should be designed and implemented. § 7.3 Control] | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Physical and environmental protection | Establish/Maintain Documentation | |
| Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Physical and environmental protection | Behavior | |
| Protect the facility from crime. CC ID 06347 | Physical and environmental protection | Physical and Environmental Protection | |
| Define communication methods for reporting crimes. CC ID 06349 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include identification cards or badges in the physical security program. CC ID 14818 | Physical and environmental protection | Establish/Maintain Documentation | |
| Protect facilities from eavesdropping. CC ID 02222 | Physical and environmental protection | Physical and Environmental Protection | |
| Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Technical Security | |
| Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Establish/Maintain Documentation | |
| Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and environmental protection | Physical and Environmental Protection | |
| Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and environmental protection | Physical and Environmental Protection | |
| Create security zones in facilities, as necessary. CC ID 16295 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish clear zones around any sensitive facilities. CC ID 02214 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain floor plans. CC ID 16419 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Physical and environmental protection | Establish/Maintain Documentation | |
| Post floor plans of critical facilities in secure locations. CC ID 16138 | Physical and environmental protection | Communicate | |
| Post and maintain security signage for all facilities. CC ID 02201 | Physical and environmental protection | Establish/Maintain Documentation | |
| Inspect items brought into the facility. CC ID 06341 | Physical and environmental protection | Physical and Environmental Protection | |
| Maintain all physical security systems. CC ID 02206 | Physical and environmental protection | Physical and Environmental Protection | |
| Maintain all security alarm systems. CC ID 11669 | Physical and environmental protection | Physical and Environmental Protection | |
| Identify and document physical access controls for all physical entry points. CC ID 01637 [Secure areas should be protected by appropriate entry controls and access points. § 7.2 Control] | Physical and environmental protection | Establish/Maintain Documentation | |
| Control physical access to (and within) the facility. CC ID 01329 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain physical access procedures. CC ID 13629 | Physical and environmental protection | Establish/Maintain Documentation | |
| Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and environmental protection | Physical and Environmental Protection | |
| Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a visitor access permission policy. CC ID 06699 | Physical and environmental protection | Establish/Maintain Documentation | |
| Escort visitors within the facility, as necessary. CC ID 06417 | Physical and environmental protection | Establish/Maintain Documentation | |
| Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and environmental protection | Physical and Environmental Protection | |
| Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 | Physical and environmental protection | Testing | |
| Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Physical and environmental protection | Behavior | |
| Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Physical and environmental protection | Establish/Maintain Documentation | |
| Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 | Physical and environmental protection | Establish/Maintain Documentation | |
| Authorize physical access to sensitive areas based on job functions. CC ID 12462 | Physical and environmental protection | Establish/Maintain Documentation | |
| Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain physical identification procedures. CC ID 00713 | Physical and environmental protection | Establish/Maintain Documentation | |
| Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Human Resources Management | |
| Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Process or Activity | |
| Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Process or Activity | |
| Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Physical and Environmental Protection | |
| Implement operational requirements for card readers. CC ID 02225 | Physical and environmental protection | Testing | |
| Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Establish/Maintain Documentation | |
| Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Physical and Environmental Protection | |
| Manage constituent identification inside the facility. CC ID 02215 | Physical and environmental protection | Behavior | |
| Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Human Resources Management | |
| Manage visitor identification inside the facility. CC ID 11670 | Physical and environmental protection | Physical and Environmental Protection | |
| Issue visitor identification badges to all non-employees. CC ID 00543 | Physical and environmental protection | Behavior | |
| Secure unissued visitor identification badges. CC ID 06712 | Physical and environmental protection | Physical and Environmental Protection | |
| Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Physical and environmental protection | Behavior | |
| Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 | Physical and environmental protection | Establish/Maintain Documentation | |
| Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Physical and environmental protection | Process or Activity | |
| Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Business Processes | |
| Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Physical and environmental protection | Process or Activity | |
| Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include an identity registration process in the identification issuance procedures. CC ID 11671 | Physical and environmental protection | Establish/Maintain Documentation | |
| Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and environmental protection | Physical and Environmental Protection | |
| Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Physical and Environmental Protection | |
| Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Physical and Environmental Protection | |
| Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Physical and environmental protection | Establish/Maintain Documentation | |
| Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Human Resources Management | |
| Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 | Physical and environmental protection | Establish/Maintain Documentation | |
| Prevent tailgating through physical entry points. CC ID 06685 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a door security standard. CC ID 06686 | Physical and environmental protection | Establish/Maintain Documentation | |
| Install doors so that exposed hinges are on the secured side. CC ID 06687 | Physical and environmental protection | Configuration | |
| Install emergency doors to permit egress only. CC ID 06688 | Physical and environmental protection | Configuration | |
| Install contact alarms on doors, as necessary. CC ID 06710 | Physical and environmental protection | Configuration | |
| Use locks to protect against unauthorized physical access. CC ID 06342 | Physical and environmental protection | Physical and Environmental Protection | |
| Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 | Physical and environmental protection | Configuration | |
| Secure unissued access mechanisms. CC ID 06713 | Physical and environmental protection | Technical Security | |
| Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 | Physical and environmental protection | Establish/Maintain Documentation | |
| Change cipher lock codes, as necessary. CC ID 06651 | Physical and environmental protection | Technical Security | |
| Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain a window security standard. CC ID 06689 | Physical and environmental protection | Establish/Maintain Documentation | |
| Install contact alarms on openable windows, as necessary. CC ID 06690 | Physical and environmental protection | Configuration | |
| Install glass break alarms on windows, as necessary. CC ID 06691 | Physical and environmental protection | Configuration | |
| Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 | Physical and environmental protection | Establish/Maintain Documentation | |
| Install and maintain security lighting at all physical entry points. CC ID 02205 | Physical and environmental protection | Physical and Environmental Protection | |
| Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and environmental protection | Physical and Environmental Protection | |
| Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 | Physical and environmental protection | Physical and Environmental Protection | |
| Secure the loading dock with physical access controls or security guards. CC ID 06703 | Physical and environmental protection | Physical and Environmental Protection | |
| Isolate loading areas from information processing facilities, if possible. CC ID 12028 | Physical and environmental protection | Physical and Environmental Protection | |
| Screen incoming mail and deliveries. CC ID 06719 | Physical and environmental protection | Physical and Environmental Protection | |
| Protect access to the facility's mechanical systems area. CC ID 02212 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain elevator security guidelines. CC ID 02232 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain stairwell security guidelines. CC ID 02233 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain glass opening security guidelines. CC ID 02234 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain after hours facility access procedures. CC ID 06340 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish a security room, if necessary. CC ID 00738 | Physical and environmental protection | Physical and Environmental Protection | |
| Implement physical security standards for mainframe rooms or data centers. CC ID 00749 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and environmental protection | Physical and Environmental Protection | |
| Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain vault physical security standards. CC ID 02203 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 [Security measures for working in secure areas should be designed and implemented. § 7.6 Control] | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain emergency exit procedures. CC ID 01252 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, Implement, and maintain a camera operating policy. CC ID 15456 | Physical and environmental protection | Establish/Maintain Documentation | |
| Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Physical and environmental protection | Communicate | |
| Establish and maintain a visitor log. CC ID 00715 | Physical and environmental protection | Log Management | |
| Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 | Physical and environmental protection | Establish/Maintain Documentation | |
| Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Physical and environmental protection | Behavior | |
| Record the visitor's name in the visitor log. CC ID 00557 | Physical and environmental protection | Log Management | |
| Record the visitor's organization in the visitor log. CC ID 12121 | Physical and environmental protection | Log Management | |
| Record the visitor's acceptable access areas in the visitor log. CC ID 12237 | Physical and environmental protection | Log Management | |
| Record the date and time of entry in the visitor log. CC ID 13255 | Physical and environmental protection | Establish/Maintain Documentation | |
| Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 | Physical and environmental protection | Establish/Maintain Documentation | |
| Retain all records in the visitor log as prescribed by law. CC ID 00572 | Physical and environmental protection | Log Management | |
| Establish, implement, and maintain a physical access log. CC ID 12080 | Physical and environmental protection | Establish/Maintain Documentation | |
| Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 | Physical and environmental protection | Log Management | |
| Store facility access logs in off-site storage. CC ID 06958 | Physical and environmental protection | Log Management | |
| Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Configure video cameras to cover all physical entry points. CC ID 06302 | Physical and environmental protection | Configuration | |
| Configure video cameras to prevent physical tampering or disablement. CC ID 06303 | Physical and environmental protection | Configuration | |
| Retain video events according to Records Management procedures. CC ID 06304 | Physical and environmental protection | Records Management | |
| Establish, implement, and maintain physical security threat reports. CC ID 02207 | Physical and environmental protection | Establish/Maintain Documentation | |
| Build and maintain fencing, as necessary. CC ID 02235 | Physical and environmental protection | Physical and Environmental Protection | |
| Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 | Physical and environmental protection | Physical and Environmental Protection | |
| Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and environmental protection | Physical and Environmental Protection | |
| Employ security guards to provide physical security, as necessary. CC ID 06653 | Physical and environmental protection | Establish Roles | |
| Establish, implement, and maintain a facility wall standard. CC ID 06692 | Physical and environmental protection | Establish/Maintain Documentation | |
| Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 | Physical and environmental protection | Physical and Environmental Protection | |
| Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 | Physical and environmental protection | Configuration | |
| Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Physical and environmental protection | Behavior | |
| Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Physical and environmental protection | Behavior | |
| Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 | Physical and environmental protection | Business Processes | |
| Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Physical and environmental protection | Behavior | |
| Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Physical and environmental protection | Behavior | |
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 [{be secure} Equipment should be sited securely and protected. § 7.8 Control] | Physical and environmental protection | Physical and Environmental Protection | |
| Control the transiting and internal distribution or external distribution of assets. CC ID 00963 [Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements. § 7.10 Control] | Physical and environmental protection | Records Management | |
| Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Physical and environmental protection | Log Management | |
| Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Physical and environmental protection | Technical Security | |
| Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 | Physical and environmental protection | Records Management | |
| Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and environmental protection | Physical and Environmental Protection | |
| Transport restricted media using a delivery method that can be tracked. CC ID 11777 | Physical and environmental protection | Business Processes | |
| Restrict physical access to distributed assets. CC ID 11865 [{physical access} Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. § 5.15 Control] | Physical and environmental protection | Physical and Environmental Protection | |
| House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 | Physical and environmental protection | Physical and Environmental Protection | |
| Protect electronic storage media with physical access controls. CC ID 00720 [{physical access} Rules to control physical and logical access to information and other associated assets should be established and implemented based on business and information security requirements. § 5.15 Control] | Physical and environmental protection | Physical and Environmental Protection | |
| Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a media protection policy. CC ID 14029 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include compliance requirements in the media protection policy. CC ID 14185 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include coordination amongst entities in the media protection policy. CC ID 14184 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include management commitment in the media protection policy. CC ID 14182 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include roles and responsibilities in the media protection policy. CC ID 14180 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include the scope in the media protection policy. CC ID 14167 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include the purpose in the media protection policy. CC ID 14166 | Physical and environmental protection | Establish/Maintain Documentation | |
| Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Physical and environmental protection | Communicate | |
| Establish, implement, and maintain media protection procedures. CC ID 14062 | Physical and environmental protection | Establish/Maintain Documentation | |
| Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Physical and environmental protection | Communicate | |
| Establish, implement, and maintain removable storage media controls. CC ID 06680 | Physical and environmental protection | Data and Information Management | |
| Control access to restricted storage media. CC ID 04889 | Physical and environmental protection | Data and Information Management | |
| Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 | Physical and environmental protection | Physical and Environmental Protection | |
| Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 | Physical and environmental protection | Records Management | |
| Treat archive media as evidence. CC ID 00960 | Physical and environmental protection | Records Management | |
| Log the transfer of removable storage media. CC ID 12322 | Physical and environmental protection | Log Management | |
| Establish, implement, and maintain storage media access control procedures. CC ID 00959 | Physical and environmental protection | Establish/Maintain Documentation | |
| Require removable storage media be in the custody of an authorized individual. CC ID 12319 | Physical and environmental protection | Behavior | |
| Control the storage of restricted storage media. CC ID 00965 | Physical and environmental protection | Records Management | |
| Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 | Physical and environmental protection | Physical and Environmental Protection | |
| Protect the combinations for all combination locks. CC ID 02199 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish and maintain eavesdropping protection for vaults. CC ID 02231 | Physical and environmental protection | Physical and Environmental Protection | |
| Serialize all removable storage media. CC ID 00949 | Physical and environmental protection | Configuration | |
| Protect distributed assets against theft. CC ID 06799 | Physical and environmental protection | Physical and Environmental Protection | |
| Include Information Technology assets in the asset removal policy. CC ID 13162 | Physical and environmental protection | Establish/Maintain Documentation | |
| Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 | Physical and environmental protection | Establish/Maintain Documentation | |
| Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 | Physical and environmental protection | Communicate | |
| Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Physical and environmental protection | Establish/Maintain Documentation | |
| Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 | Physical and environmental protection | Process or Activity | |
| Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 | Physical and environmental protection | Physical and Environmental Protection | |
| Control the removal of assets through physical entry points and physical exit points. CC ID 11681 | Physical and environmental protection | Physical and Environmental Protection | |
| Maintain records of all system components entering and exiting the facility. CC ID 14304 | Physical and environmental protection | Log Management | |
| Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 | Physical and environmental protection | Technical Security | |
| Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 | Physical and environmental protection | Technical Security | |
| Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 [Off-site assets should be protected. § 7.9 Control] | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 | Physical and environmental protection | Establish/Maintain Documentation | |
| Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 [{be accessible} Information stored on, processed by or accessible via user endpoint devices should be protected. § 8.1 Control] | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain a locking screen saver policy. CC ID 06717 | Physical and environmental protection | Establish/Maintain Documentation | |
| Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Physical and environmental protection | Data and Information Management | |
| Secure workstations to desks with security cables. CC ID 04724 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a mobile device management program. CC ID 15212 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain mobile device security guidelines. CC ID 04723 | Physical and environmental protection | Establish/Maintain Documentation | |
| Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Physical and environmental protection | Business Processes | |
| Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Physical and environmental protection | Data and Information Management | |
| Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include legal requirements in the mobile device security guidelines. CC ID 12291 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and environmental protection | Physical and Environmental Protection | |
| Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 | Physical and environmental protection | Establish/Maintain Documentation | |
| Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 | Physical and environmental protection | Establish/Maintain Documentation | |
| Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 | Physical and environmental protection | Physical and Environmental Protection | |
| Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 | Physical and environmental protection | Physical and Environmental Protection | |
| Encrypt information stored on mobile devices. CC ID 01422 | Physical and environmental protection | Data and Information Management | |
| Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 | Physical and environmental protection | Physical and Environmental Protection | |
| Secure system components from unauthorized viewing. CC ID 01437 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain asset return procedures. CC ID 04537 [Personnel and other interested parties as appropriate should return all the organization's assets in their possession upon change or termination of their employment, contract or agreement. § 5.11 Control] | Physical and environmental protection | Establish/Maintain Documentation | |
| Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 | Physical and environmental protection | Behavior | |
| Require the return of all assets upon notification an individual is terminated. CC ID 06679 | Physical and environmental protection | Behavior | |
| Prohibit the use of recording devices near restricted data or restricted information, absent authorization. CC ID 04598 | Physical and environmental protection | Behavior | |
| Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 | Physical and environmental protection | Behavior | |
| Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 | Physical and environmental protection | Behavior | |
| Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 | Physical and environmental protection | Configuration | |
| Establish, implement, and maintain open storage container procedures. CC ID 02198 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain a clean desk policy. CC ID 06534 [Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced. § 7.7 Control] | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain a clear screen policy. CC ID 12436 [Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities should be defined and appropriately enforced. § 7.7 Control] | Physical and environmental protection | Technical Security | |
| Establish, implement, and maintain contact card reader security guidelines. CC ID 06588 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain contactless card reader security guidelines. CC ID 06589 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain Personal Identification Number input device security guidelines. CC ID 06590 | Physical and environmental protection | Establish/Maintain Documentation | |
| Identify customer property within the organizational facility. CC ID 06612 | Physical and environmental protection | Physical and Environmental Protection | |
| Protect customer property under the care of the organization. CC ID 11685 | Physical and environmental protection | Physical and Environmental Protection | |
| Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768 | Physical and environmental protection | Technical Security | |
| Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 | Physical and environmental protection | Configuration | |
| Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647 | Physical and environmental protection | Technical Security | |
| Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain an environmental control program. CC ID 00724 [Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure should be designed and implemented. § 7.5 Control] | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain clean energy standards. CC ID 16285 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain environmental control procedures. CC ID 12246 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish and maintain a telecommunications equipment room, as necessary. CC ID 06708 | Physical and environmental protection | Configuration | |
| Protect power equipment and power cabling from damage or destruction. CC ID 01438 [{power cabling} Cables carrying power, data or supporting information services should be protected from interception, interference or damage. § 7.12 Control] | Physical and environmental protection | Physical and Environmental Protection | |
| Install and maintain power distribution boards. CC ID 16486 | Physical and environmental protection | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain a battery room, as necessary. CC ID 06706 | Physical and environmental protection | Configuration | |
| Establish and maintain a generator room, as necessary. CC ID 06704 | Physical and environmental protection | Configuration | |
| Place the Uninterruptible Power Supply in the generator room, as necessary. CC ID 11676 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain facility maintenance procedures. CC ID 00710 | Physical and environmental protection | Establish/Maintain Documentation | |
| Design the Information Technology facility with consideration given to natural disasters and man-made disasters. CC ID 00712 | Physical and environmental protection | Physical and Environmental Protection | |
| Design the Information Technology facility with a low profile. CC ID 16140 | Physical and environmental protection | Physical and Environmental Protection | |
| Prohibit signage indicating computer room location and uses. CC ID 06343 | Physical and environmental protection | Physical and Environmental Protection | |
| Require critical facilities to have adequate room for facility maintenance. CC ID 06361 | Physical and environmental protection | Physical and Environmental Protection | |
| Require critical facilities to have adequate room for evacuation. CC ID 11686 | Physical and environmental protection | Physical and Environmental Protection | |
| Build critical facilities according to applicable building codes. CC ID 06366 | Physical and environmental protection | Physical and Environmental Protection | |
| Build critical facilities with fire resistant materials. CC ID 06365 | Physical and environmental protection | Physical and Environmental Protection | |
| Build critical facilities with materials that limit electromagnetic interference. CC ID 16131 | Physical and environmental protection | Physical and Environmental Protection | |
| Build critical facilities with water-resistant materials. CC ID 11679 | Physical and environmental protection | Physical and Environmental Protection | |
| Monitor operational conditions at unmanned facilities. CC ID 06327 | Physical and environmental protection | Physical and Environmental Protection | |
| Remotely control operational conditions at unmanned facilities. CC ID 11680 | Physical and environmental protection | Technical Security | |
| Inspect and maintain the facility and supporting assets. CC ID 06345 | Physical and environmental protection | Physical and Environmental Protection | |
| Define selection criteria for facility locations. CC ID 06351 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain facility demolition procedures. CC ID 16133 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain work environment requirements. CC ID 06613 | Physical and environmental protection | Establish/Maintain Documentation | |
| Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain system cleanliness requirements. CC ID 06614 | Physical and environmental protection | Establish/Maintain Documentation | |
| House system components in areas where the physical damage potential is minimized. CC ID 01623 [{be secure} Equipment should be sited securely and protected. § 7.8 Control] | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a fire prevention and fire suppression standard. CC ID 06695 | Physical and environmental protection | Establish/Maintain Documentation | |
| Install and maintain fire protection equipment. CC ID 00728 | Physical and environmental protection | Configuration | |
| Install and maintain fire suppression systems. CC ID 00729 | Physical and environmental protection | Configuration | |
| Install and maintain smoke detectors. CC ID 15264 | Physical and environmental protection | Physical and Environmental Protection | |
| Conduct periodic fire marshal inspections for all organizational facilities. CC ID 04888 | Physical and environmental protection | Physical and Environmental Protection | |
| Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes. CC ID 06362 | Physical and environmental protection | Physical and Environmental Protection | |
| Conduct fire drills, as necessary. CC ID 13985 | Physical and environmental protection | Process or Activity | |
| Employ environmental protections. CC ID 12570 | Physical and environmental protection | Process or Activity | |
| Establish, implement, and maintain electromagnetic compatibility requirements for in scope assets. CC ID 16472 | Physical and environmental protection | Establish/Maintain Documentation | |
| Protect physical assets against static electricity, as necessary. CC ID 06363 | Physical and environmental protection | Physical and Environmental Protection | |
| Install and maintain emergency lighting for use in a power failure. CC ID 01440 | Physical and environmental protection | Physical and Environmental Protection | |
| Install and maintain lightning protection mechanisms in critical facilities. CC ID 06367 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain pest control systems in organizational facilities. CC ID 16139 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a Heating Ventilation and Air Conditioning system. CC ID 00727 | Physical and environmental protection | Configuration | |
| Protect air intakes into the organizational facility. CC ID 02211 | Physical and environmental protection | Physical and Environmental Protection | |
| Install and maintain dust collection and filtering as a part of the Heating Ventilation and Air Conditioning system. CC ID 06368 | Physical and environmental protection | Configuration | |
| Install and maintain backup Heating Ventilation and Air Conditioning equipment. CC ID 06369 | Physical and environmental protection | Configuration | |
| Install and maintain a moisture control system as a part of the climate control system. CC ID 06694 | Physical and environmental protection | Configuration | |
| Install and maintain hydrogen sensors, as necessary. CC ID 06705 | Physical and environmental protection | Configuration | |
| Protect physical assets from water damage. CC ID 00730 | Physical and environmental protection | Configuration | |
| Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 | Physical and environmental protection | Communicate | |
| Install and maintain water detection devices. CC ID 11678 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a continuity plan. CC ID 00752 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain redundant systems. CC ID 16354 [Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. § 8.14 Control] | Operational and Systems Continuity | Configuration | |
| Establish, implement, and maintain organizational facility continuity plans. CC ID 02224 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Install and maintain redundant power supplies for critical facilities. CC ID 06355 [Information processing facilities should be protected from power failures and other disruptions caused by failures in supporting utilities. § 7.11 Control] | Operational and Systems Continuity | Configuration | |
| Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439 | Operational and Systems Continuity | Physical and Environmental Protection | |
| Install and maintain dedicated power lines to critical facilities. CC ID 06357 | Operational and Systems Continuity | Physical and Environmental Protection | |
| Run primary power lines and secondary power lines via diverse path feeds to organizational facilities, as necessary. CC ID 06696 | Operational and Systems Continuity | Configuration | |
| Install electro-magnetic shielding around all electrical cabling. CC ID 06358 [{power cabling} Cables carrying power, data or supporting information services should be protected from interception, interference or damage. § 7.12 Control] | Operational and Systems Continuity | Physical and Environmental Protection | |
| Install electrical grounding equipment. CC ID 06359 | Operational and Systems Continuity | Physical and Environmental Protection | |
| Establish, implement, and maintain system continuity plan strategies. CC ID 00735 [ICT readiness should be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. § 5.30 Control] | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include emergency operating procedures in the continuity plan. CC ID 11694 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include a system acquisition process for critical systems in the emergency mode operation plan. CC ID 01369 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Review and prioritize the importance of each business unit. CC ID 01165 | Operational and Systems Continuity | Systems Continuity | |
| Review and prioritize the importance of each business process. CC ID 11689 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Document the mean time to failure for system components. CC ID 10684 | Operational and Systems Continuity | Systems Continuity | |
| Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Operational and Systems Continuity | Audits and Risk Management | |
| Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241 | Operational and Systems Continuity | Systems Continuity | |
| Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 | Operational and Systems Continuity | Systems Continuity | |
| Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Define and prioritize critical business records. CC ID 11687 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the protection of personnel in the continuity plan. CC ID 06378 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Identify alternate personnel for each person on the critical personnel list. CC ID 12771 | Operational and Systems Continuity | Human Resources Management | |
| Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a critical third party list. CC ID 06815 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 | Operational and Systems Continuity | Behavior | |
| Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include workstation continuity procedures in the continuity plan. CC ID 01378 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include server continuity procedures in the continuity plan. CC ID 01379 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include website continuity procedures in the continuity plan. CC ID 01380 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579 | Operational and Systems Continuity | Data and Information Management | |
| Include near-line capabilities in the continuity plan. CC ID 01383 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include online capabilities in the continuity plan. CC ID 11690 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include mainframe continuity procedures in the continuity plan. CC ID 01382 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include telecommunications continuity procedures in the continuity plan. CC ID 11691 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include system continuity procedures in the continuity plan. CC ID 01268 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include Local Area Network continuity procedures in the continuity plan. CC ID 01381 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include Wide Area Network continuity procedures in the continuity plan. CC ID 01294 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include priority-of-service provisions in the telecommunications Service Level Agreements. CC ID 01396 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include emergency power continuity procedures in the continuity plan. CC ID 01254 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include evacuation procedures in the continuity plan. CC ID 12773 | Operational and Systems Continuity | Systems Continuity | |
| Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain at-risk structure removal or relocation procedures. CC ID 01247 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Separate the alternate facility from the primary facility through geographic separation. CC ID 01394 | Operational and Systems Continuity | Physical and Environmental Protection | |
| Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs. CC ID 01391 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include a backup rotation scheme in the backup policy. CC ID 16219 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include naming conventions in the backup policy. CC ID 16218 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. § 8.13 Control] | Operational and Systems Continuity | Systems Continuity | |
| Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 | Operational and Systems Continuity | Systems Continuity | |
| Establish and maintain off-site electronic media storage facilities. CC ID 00957 | Operational and Systems Continuity | Physical and Environmental Protection | |
| Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 | Operational and Systems Continuity | Configuration | |
| Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Store backup media at an off-site electronic media storage facility. CC ID 01332 | Operational and Systems Continuity | Data and Information Management | |
| Transport backup media in lockable electronic media storage containers. CC ID 01264 | Operational and Systems Continuity | Data and Information Management | |
| Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Operational and Systems Continuity | Systems Continuity | |
| Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 | Operational and Systems Continuity | Data and Information Management | |
| Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 | Operational and Systems Continuity | Systems Continuity | |
| Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Operational and Systems Continuity | Data and Information Management | |
| Perform backup procedures for in scope systems. CC ID 11692 | Operational and Systems Continuity | Process or Activity | |
| Perform full backups in accordance with organizational standards. CC ID 16376 | Operational and Systems Continuity | Data and Information Management | |
| Perform incremental backups in accordance with organizational standards. CC ID 16375 | Operational and Systems Continuity | Data and Information Management | |
| Back up all records. CC ID 11974 | Operational and Systems Continuity | Systems Continuity | |
| Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 | Operational and Systems Continuity | Data and Information Management | |
| Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Encrypt backup data. CC ID 00958 | Operational and Systems Continuity | Configuration | |
| Log the execution of each backup. CC ID 00956 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Digitally sign disk images, as necessary. CC ID 06814 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include emergency communications procedures in the continuity plan. CC ID 00750 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 | Operational and Systems Continuity | Systems Continuity | |
| Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Log important conversations conducted during emergencies with third parties. CC ID 12763 | Operational and Systems Continuity | Log Management | |
| Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 | Operational and Systems Continuity | Communicate | |
| Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770 | Operational and Systems Continuity | Acquisition/Sale of Assets or Services | |
| Minimize system continuity requirements. CC ID 00753 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include purchasing insurance in the continuity plan. CC ID 00762 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682 | Operational and Systems Continuity | Acquisition/Sale of Assets or Services | |
| Obtain an insurance policy to cover business products and services delivered to clients. CC ID 06683 | Operational and Systems Continuity | Acquisition/Sale of Assets or Services | |
| Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Validate information security continuity controls regularly. CC ID 12008 | Operational and Systems Continuity | Systems Continuity | |
| Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Testing | |
| Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 | Operational and Systems Continuity | Testing | |
| Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Operational and Systems Continuity | Testing | |
| Validate the emergency communications procedures during continuity plan tests. CC ID 12777 | Operational and Systems Continuity | Testing | |
| Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 | Operational and Systems Continuity | Testing | |
| Validate the evacuation plans during continuity plan tests. CC ID 12760 | Operational and Systems Continuity | Testing | |
| Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 | Operational and Systems Continuity | Testing | |
| Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 | Operational and Systems Continuity | Actionable Reports or Measurements | |
| Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Systems Continuity | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Establish/Maintain Documentation | |
| Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Human Resources Management | |
| Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Establish/Maintain Documentation | |
| Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Process or Activity | |
| Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Establish/Maintain Documentation | |
| Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Human Resources Management | |
| Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Human Resources Management | |
| Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Establish/Maintain Documentation | |
| Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Testing | |
| Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Human Resources Management | |
| Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Human Resources management | Establish/Maintain Documentation | |
| Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties. § 6.5 Control] | Human Resources management | Communicate | |
| Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties. § 6.5 Control] | Human Resources management | Human Resources Management | |
| Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Human Resources management | Establish Roles | |
| Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 | Human Resources management | Technical Security | |
| Train all personnel and third parties, as necessary. CC ID 00785 | Human Resources management | Behavior | |
| Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Establish/Maintain Documentation | |
| Document security awareness requirements. CC ID 12146 | Human Resources management | Establish/Maintain Documentation | |
| Include updates on emerging issues in the security awareness program. CC ID 13184 [Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function. § 6.3 Control] | Human Resources management | Training | |
| Include cybersecurity in the security awareness program. CC ID 13183 [Protection against malware should be implemented and supported by appropriate user awareness. § 8.7 Control] | Human Resources management | Training | |
| Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 [Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function. § 6.3 Control] | Human Resources management | Establish/Maintain Documentation | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Behavior | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 [Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization. § 5.4 Control Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. § 5.1 Control] | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Code of Conduct. CC ID 04897 | Human Resources management | Establish/Maintain Documentation | |
| Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties. § 6.5 Control The employment contractual agreements should state the personnel's and the organization's responsibilities for information security. § 6.2 Control] | Human Resources management | Human Resources Management | |
| Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 [A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation. § 6.4 Control] | Human Resources management | Communicate | |
| Establish, implement, and maintain a capacity management plan. CC ID 11751 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a capacity planning baseline. CC ID 13492 [The use of resources should be monitored and adjusted in line with current and expected capacity requirements. § 8.6 Control] | Operational management | Establish/Maintain Documentation | |
| Manage cloud services. CC ID 13144 [Processes for acquisition, use, management and exit from cloud services should be established in accordance with the organization's information security requirements. § 5.23 Control] | Operational management | Business Processes | |
| Refrain from implementing network elements in a public cloud. CC ID 16382 | Operational management | Technical Security | |
| Protect clients' hosted environments. CC ID 11862 | Operational management | Physical and Environmental Protection | |
| Notify cloud customers of the geographic locations of the cloud service organization and its assets. CC ID 13037 | Operational management | Communicate | |
| Establish, implement, and maintain cloud service agreements. CC ID 13157 | Operational management | Establish/Maintain Documentation | |
| Include the asset removal policy in the cloud service agreement. CC ID 13161 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain cloud management procedures. CC ID 13149 | Operational management | Technical Security | |
| Establish, implement, and maintain a migration process and/or strategy to transfer systems from one asset to another. CC ID 16384 | Operational management | Process or Activity | |
| Define and enforce the deployment requirements for applications and virtual network devices in a public cloud. CC ID 16383 | Operational management | Process or Activity | |
| Include cloud security requirements in the cloud management procedures. CC ID 16366 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a cloud service usage standard. CC ID 13143 | Operational management | Establish/Maintain Documentation | |
| Use strong data encryption when storing information within a cloud service. CC ID 16411 | Operational management | Technical Security | |
| Include the roles and responsibilities of cloud service users in the cloud service usage standard. CC ID 13984 | Operational management | Establish/Maintain Documentation | |
| Include information security requirements in the cloud service usage standard. CC ID 13148 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate documentation of pertinent monitoring capabilities to interested personnel and affected parties. CC ID 13159 | Operational management | Communicate | |
| Disseminate and communicate the legal jurisdiction of cloud services to interested personnel and affected parties. CC ID 13147 | Operational management | Communicate | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an internal control framework. CC ID 00820 | Operational management | Establish/Maintain Documentation | |
| Include security information sharing procedures in the internal control framework. CC ID 06489 [The organization should establish and maintain contact with relevant authorities. § 5.5 Control] | Operational management | Establish/Maintain Documentation | |
| Share security information with interested personnel and affected parties. CC ID 11732 [The organization should establish and maintain contact with special interest groups or other specialist security forums and professional associations. § 5.6 Control] | Operational management | Communicate | |
| Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Process or Activity | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Establish/Maintain Documentation | |
| Include risk management in the information security program. CC ID 12378 | Operational management | Establish/Maintain Documentation | |
| Include mitigating supply chain risks in the information security program. CC ID 13352 [Processes and procedures should be defined and implemented to manage the information security risks associated with the ICT products and services supply chain. § 5.21 Control Processes and procedures should be defined and implemented to manage the information security risks associated with the use of supplier's products or services. § 5.19 Control] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an information security policy. CC ID 11740 [Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. § 5.1 Control] | Operational management | Establish/Maintain Documentation | |
| Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Business Processes | |
| Include business processes in the information security policy. CC ID 16326 | Operational management | Establish/Maintain Documentation | |
| Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Establish/Maintain Documentation | |
| Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Establish/Maintain Documentation | |
| Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Establish/Maintain Documentation | |
| Include information security objectives in the information security policy. CC ID 13493 | Operational management | Establish/Maintain Documentation | |
| Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Establish/Maintain Documentation | |
| Include notification procedures in the information security policy. CC ID 16842 | Operational management | Establish/Maintain Documentation | |
| Approve the information security policy at the organization's management level or higher. CC ID 11737 [Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. § 5.1 Control] | Operational management | Process or Activity | |
| Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Business Processes | |
| Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Communicate | |
| Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Establish/Maintain Documentation | |
| Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Establish Roles | |
| Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 [Information security roles and responsibilities should be defined and allocated according to the organization needs. § 5.2 Control] | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. § 5.1 Control] | Operational management | Communicate | |
| Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 [Operating procedures for information processing facilities should be documented and made available to personnel who need them. § 5.37 Control] | Operational management | Establish/Maintain Documentation | |
| Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Process or Activity | |
| Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Establish/Maintain Documentation | |
| Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Establish/Maintain Documentation | |
| Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Establish/Maintain Documentation | |
| Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Establish/Maintain Documentation | |
| Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Establish/Maintain Documentation | |
| Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Establish/Maintain Documentation | |
| Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Establish/Maintain Documentation | |
| Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Establish/Maintain Documentation | |
| Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Establish/Maintain Documentation | |
| Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Establish/Maintain Documentation | |
| Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Establish/Maintain Documentation | |
| Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Establish/Maintain Documentation | |
| Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Records Management | |
| Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Business Processes | |
| Provide support for information sharing activities. CC ID 15644 | Operational management | Process or Activity | |
| Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Business Processes | |
| Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 [Operating procedures for information processing facilities should be documented and made available to personnel who need them. § 5.37 Control] | Operational management | Communicate | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Establish/Maintain Documentation | |
| Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 [Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. § 5.10 Control] | Operational management | Establish/Maintain Documentation | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 [Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. § 5.10 Control] | Operational management | Establish/Maintain Documentation | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Establish/Maintain Documentation | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Establish/Maintain Documentation | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Technical Security | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Establish/Maintain Documentation | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Data and Information Management | |
| Include a software installation policy in the Acceptable Use Policy. CC ID 06749 [Procedures and measures should be implemented to securely manage software installation on operational systems. § 8.19 Control] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 [The organization should implement appropriate procedures to protect intellectual property rights. § 5.32 Control] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [{confidentiality agreement} Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties. § 6.6 Control] | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Communicate | |
| Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 [{confidentiality agreement} Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information should be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties. § 6.6 Control] | Operational management | Establish/Maintain Documentation | |
| Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a use of information agreement. CC ID 06215 [Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. § 5.14 Control] | Operational management | Establish/Maintain Documentation | |
| Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Establish/Maintain Documentation | |
| Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Establish/Maintain Documentation | |
| Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Establish/Maintain Documentation | |
| Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Establish/Maintain Documentation | |
| Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Establish/Maintain Documentation | |
| Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Operational management | Establish/Maintain Documentation | |
| Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Establish/Maintain Documentation | |
| Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Establish/Maintain Documentation | |
| Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a network management program. CC ID 13123 [Networks and network devices should be secured, managed and controlled to protect information in systems and applications. § 8.20 Control] | Operational management | Establish/Maintain Documentation | |
| Include quality of service requirements in the network management program. CC ID 16429 | Operational management | Establish/Maintain Documentation | |
| Document the network design in the network management program. CC ID 13135 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain network documentation. CC ID 16497 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the network standard to all interested personnel and affected parties. CC ID 13129 | Operational management | Communicate | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 [Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. § 5.10 Control] | Operational management | Business Processes | |
| Establish, implement, and maintain an asset management policy. CC ID 15219 | Operational management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the asset management policy. CC ID 16424 | Operational management | Business Processes | |
| Establish, implement, and maintain asset management procedures. CC ID 16748 | Operational management | Establish/Maintain Documentation | |
| Assign an information owner to organizational assets, as necessary. CC ID 12729 | Operational management | Human Resources Management | |
| Define and prioritize the importance of each asset in the asset management program. CC ID 16837 | Operational management | Business Processes | |
| Include life cycle requirements in the security management program. CC ID 16392 | Operational management | Establish/Maintain Documentation | |
| Include program objectives in the asset management program. CC ID 14413 | Operational management | Establish/Maintain Documentation | |
| Include a commitment to continual improvement in the asset management program. CC ID 14412 | Operational management | Establish/Maintain Documentation | |
| Include compliance with applicable requirements in the asset management program. CC ID 14411 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain administrative controls over all assets. CC ID 16400 | Operational management | Business Processes | |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Establish/Maintain Documentation | |
| Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Operational management | Establish/Maintain Documentation | |
| Define confidentiality controls. CC ID 01908 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the systems' availability level. CC ID 01905 | Operational management | Establish/Maintain Documentation | |
| Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Operational management | Process or Activity | |
| Define integrity controls. CC ID 01909 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the systems' integrity level. CC ID 01906 | Operational management | Establish/Maintain Documentation | |
| Define availability controls. CC ID 01911 | Operational management | Establish/Maintain Documentation | |
| Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 | Operational management | Communicate | |
| Classify assets according to the Asset Classification Policy. CC ID 07186 | Operational management | Establish Roles | |
| Classify virtual systems by type and purpose. CC ID 16332 | Operational management | Business Processes | |
| Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 | Operational management | Establish/Maintain Documentation | |
| Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 | Operational management | Establish Roles | |
| Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 | Operational management | Configuration | |
| Assign decomposed system components the same asset classification as the originating system. CC ID 06605 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an asset inventory. CC ID 06631 [An inventory of information and other associated assets, including owners, should be developed and maintained. § 5.9 Control] | Operational management | Business Processes | |
| Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 | Operational management | Establish/Maintain Documentation | |
| Include all account types in the Information Technology inventory. CC ID 13311 | Operational management | Establish/Maintain Documentation | |
| Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 | Operational management | Systems Design, Build, and Implementation | |
| Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 | Operational management | Data and Information Management | |
| Include each Information System's major applications in the Information Technology inventory. CC ID 01407 | Operational management | Establish/Maintain Documentation | |
| Categorize all major applications according to the business information they process. CC ID 07182 | Operational management | Establish/Maintain Documentation | |
| Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 | Operational management | Establish/Maintain Documentation | |
| Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 | Operational management | Establish/Maintain Documentation | |
| Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 | Operational management | Establish/Maintain Documentation | |
| Conduct environmental surveys. CC ID 00690 | Operational management | Physical and Environmental Protection | |
| Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a hardware asset inventory. CC ID 00691 | Operational management | Establish/Maintain Documentation | |
| Include network equipment in the Information Technology inventory. CC ID 00693 | Operational management | Establish/Maintain Documentation | |
| Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 | Operational management | Establish/Maintain Documentation | |
| Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 | Operational management | Process or Activity | |
| Include software in the Information Technology inventory. CC ID 00692 | Operational management | Establish/Maintain Documentation | |
| Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a storage media inventory. CC ID 00694 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 [An inventory of information and other associated assets, including owners, should be developed and maintained. § 5.9 Control] | Operational management | Establish/Maintain Documentation | |
| Add inventoried assets to the asset register database, as necessary. CC ID 07051 | Operational management | Establish/Maintain Documentation | |
| Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 | Operational management | Establish/Maintain Documentation | |
| Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 | Operational management | Technical Security | |
| Link the authentication system to the asset inventory. CC ID 13718 | Operational management | Technical Security | |
| Record a unique name for each asset in the asset inventory. CC ID 16305 | Operational management | Data and Information Management | |
| Record the decommission date for applicable assets in the asset inventory. CC ID 14920 | Operational management | Establish/Maintain Documentation | |
| Record the status of information systems in the asset inventory. CC ID 16304 | Operational management | Data and Information Management | |
| Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 | Operational management | Data and Information Management | |
| Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 | Operational management | Establish/Maintain Documentation | |
| Include source code in the asset inventory. CC ID 14858 | Operational management | Records Management | |
| Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 | Operational management | Human Resources Management | |
| Record the review date for applicable assets in the asset inventory. CC ID 14919 | Operational management | Establish/Maintain Documentation | |
| Record software license information for each asset in the asset inventory. CC ID 11736 | Operational management | Data and Information Management | |
| Record services for applicable assets in the asset inventory. CC ID 13733 | Operational management | Establish/Maintain Documentation | |
| Record protocols for applicable assets in the asset inventory. CC ID 13734 | Operational management | Establish/Maintain Documentation | |
| Record the software version in the asset inventory. CC ID 12196 | Operational management | Establish/Maintain Documentation | |
| Record the publisher for applicable assets in the asset inventory. CC ID 13725 | Operational management | Establish/Maintain Documentation | |
| Record the authentication system in the asset inventory. CC ID 13724 | Operational management | Establish/Maintain Documentation | |
| Tag unsupported assets in the asset inventory. CC ID 13723 | Operational management | Establish/Maintain Documentation | |
| Record the install date for applicable assets in the asset inventory. CC ID 13720 | Operational management | Establish/Maintain Documentation | |
| Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 | Operational management | Establish/Maintain Documentation | |
| Record the asset tag for physical assets in the asset inventory. CC ID 06632 | Operational management | Establish/Maintain Documentation | |
| Record the host name of applicable assets in the asset inventory. CC ID 13722 | Operational management | Establish/Maintain Documentation | |
| Record network ports for applicable assets in the asset inventory. CC ID 13730 | Operational management | Establish/Maintain Documentation | |
| Record the MAC address for applicable assets in the asset inventory. CC ID 13721 | Operational management | Establish/Maintain Documentation | |
| Record the operating system version for applicable assets in the asset inventory. CC ID 11748 | Operational management | Data and Information Management | |
| Record the operating system type for applicable assets in the asset inventory. CC ID 06633 | Operational management | Establish/Maintain Documentation | |
| Record rooms at external locations in the asset inventory. CC ID 16302 | Operational management | Data and Information Management | |
| Record the department associated with the asset in the asset inventory. CC ID 12084 | Operational management | Establish/Maintain Documentation | |
| Record the physical location for applicable assets in the asset inventory. CC ID 06634 | Operational management | Establish/Maintain Documentation | |
| Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 | Operational management | Establish/Maintain Documentation | |
| Record the firmware version for applicable assets in the asset inventory. CC ID 12195 | Operational management | Establish/Maintain Documentation | |
| Record the related business function for applicable assets in the asset inventory. CC ID 06636 | Operational management | Establish/Maintain Documentation | |
| Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 | Operational management | Establish/Maintain Documentation | |
| Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 | Operational management | Establish/Maintain Documentation | |
| Record trusted keys and certificates in the asset inventory. CC ID 15486 | Operational management | Data and Information Management | |
| Record cipher suites and protocols in the asset inventory. CC ID 15489 | Operational management | Data and Information Management | |
| Link the software asset inventory to the hardware asset inventory. CC ID 12085 | Operational management | Establish/Maintain Documentation | |
| Record the owner for applicable assets in the asset inventory. CC ID 06640 [An inventory of information and other associated assets, including owners, should be developed and maintained. § 5.9 Control] | Operational management | Establish/Maintain Documentation | |
| Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 | Operational management | Establish/Maintain Documentation | |
| Record all changes to assets in the asset inventory. CC ID 12190 | Operational management | Establish/Maintain Documentation | |
| Record cloud service derived data in the asset inventory. CC ID 13007 | Operational management | Establish/Maintain Documentation | |
| Include cloud service customer data in the asset inventory. CC ID 13006 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a software accountability policy. CC ID 00868 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain software asset management procedures. CC ID 00895 | Operational management | Establish/Maintain Documentation | |
| Prevent users from disabling required software. CC ID 16417 | Operational management | Technical Security | |
| Establish, implement, and maintain software archives procedures. CC ID 00866 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain software distribution procedures. CC ID 00894 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain software documentation management procedures. CC ID 06395 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain software license management procedures. CC ID 06639 | Operational management | Establish/Maintain Documentation | |
| Automate software license monitoring, as necessary. CC ID 07057 | Operational management | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain digital legacy procedures. CC ID 16524 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a system redeployment program. CC ID 06276 | Operational management | Establish/Maintain Documentation | |
| Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 | Operational management | Behavior | |
| Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 | Operational management | Data and Information Management | |
| Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 | Operational management | Acquisition/Sale of Assets or Services | |
| Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 | Operational management | Establish/Maintain Documentation | |
| Redeploy systems to other organizational units, as necessary. CC ID 11452 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a system disposal program. CC ID 14431 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain disposal procedures. CC ID 16513 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain asset sanitization procedures. CC ID 16511 | Operational management | Establish/Maintain Documentation | |
| Destroy systems in accordance with the system disposal program. CC ID 16457 | Operational management | Business Processes | |
| Approve the release of systems and waste material into the public domain. CC ID 16461 | Operational management | Business Processes | |
| Establish, implement, and maintain system destruction procedures. CC ID 16474 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information. § 7.13 Control] | Operational management | Establish/Maintain Documentation | |
| Establish and maintain maintenance reports. CC ID 11749 | Operational management | Establish/Maintain Documentation | |
| Establish and maintain system inspection reports. CC ID 06346 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Operational management | Establish/Maintain Documentation | |
| Include compliance requirements in the system maintenance policy. CC ID 14217 | Operational management | Establish/Maintain Documentation | |
| Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Establish/Maintain Documentation | |
| Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Communicate | |
| Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Communicate | |
| Establish, implement, and maintain a technology refresh plan. CC ID 13061 | Operational management | Establish/Maintain Documentation | |
| Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Operational management | Physical and Environmental Protection | |
| Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 | Operational management | Behavior | |
| Use system components only when third party support is available. CC ID 10644 | Operational management | Maintenance | |
| Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 | Operational management | Maintenance | |
| Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Business Processes | |
| Control remote maintenance according to the system's asset classification. CC ID 01433 | Operational management | Technical Security | |
| Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Operational management | Configuration | |
| Approve all remote maintenance sessions. CC ID 10615 | Operational management | Technical Security | |
| Log the performance of all remote maintenance. CC ID 13202 | Operational management | Log Management | |
| Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Operational management | Technical Security | |
| Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Maintenance | |
| Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Maintenance | |
| Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Maintenance | |
| Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Operational management | Behavior | |
| Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Operational management | Establish/Maintain Documentation | |
| Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Operational management | Acquisition/Sale of Assets or Services | |
| Perform periodic maintenance according to organizational standards. CC ID 01435 | Operational management | Behavior | |
| Restart systems on a periodic basis. CC ID 16498 | Operational management | Maintenance | |
| Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Maintenance | |
| Employ dedicated systems during system maintenance. CC ID 12108 | Operational management | Technical Security | |
| Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Operational management | Technical Security | |
| Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Human Resources Management | |
| Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Operational management | Physical and Environmental Protection | |
| Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Operational management | Establish/Maintain Documentation | |
| Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Process or Activity | |
| Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 | Operational management | Business Processes | |
| Establish, implement, and maintain an end-of-life management process. CC ID 16540 | Operational management | Establish/Maintain Documentation | |
| Dispose of hardware and software at their life cycle end. CC ID 06278 | Operational management | Business Processes | |
| Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 | Operational management | Business Processes | |
| Establish, implement, and maintain disposal contracts. CC ID 12199 | Operational management | Establish/Maintain Documentation | |
| Include disposal procedures in disposal contracts. CC ID 13905 | Operational management | Establish/Maintain Documentation | |
| Remove asset tags prior to disposal of an asset. CC ID 12198 | Operational management | Business Processes | |
| Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 | Operational management | Establish/Maintain Documentation | |
| Review each system's operational readiness. CC ID 06275 | Operational management | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain a data stewardship policy. CC ID 06657 | Operational management | Establish/Maintain Documentation | |
| Establish and maintain an unauthorized software list. CC ID 10601 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 [The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. § 5.24 Control] | Operational management | Business Processes | |
| Establish, implement, and maintain an incident management policy. CC ID 16414 | Operational management | Establish/Maintain Documentation | |
| Define and assign the roles and responsibilities for Incident Management program. CC ID 13055 | Operational management | Human Resources Management | |
| Define the uses and capabilities of the Incident Management program. CC ID 00854 | Operational management | Establish/Maintain Documentation | |
| Include incident escalation procedures in the Incident Management program. CC ID 00856 | Operational management | Establish/Maintain Documentation | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Establish/Maintain Documentation | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 | Operational management | Establish/Maintain Documentation | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 | Operational management | Establish/Maintain Documentation | |
| Include references to, or portions of, the Governance, Risk, and Compliance framework in the incident management program, as necessary. CC ID 13504 | Operational management | Establish/Maintain Documentation | |
| Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Establish/Maintain Documentation | |
| Categorize the incident following an incident response. CC ID 13208 | Operational management | Technical Security | |
| Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 | Operational management | Establish/Maintain Documentation | |
| Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Establish/Maintain Documentation | |
| Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Data and Information Management | |
| Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Communicate | |
| Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Communicate | |
| Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Establish/Maintain Documentation | |
| Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
| Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
| Remediate security violations according to organizational standards. CC ID 12338 | Operational management | Business Processes | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Establish/Maintain Documentation | |
| Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 | Operational management | Establish/Maintain Documentation | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Establish/Maintain Documentation | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Communicate | |
| Revoke the written request to delay the notification. CC ID 16843 | Operational management | Process or Activity | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Establish/Maintain Documentation | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Business Processes | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Establish/Maintain Documentation | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Establish/Maintain Documentation | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Establish/Maintain Documentation | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Establish/Maintain Documentation | |
| Use plain language to write incident response notifications. CC ID 12976 | Operational management | Establish/Maintain Documentation | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Establish/Maintain Documentation | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Actionable Reports or Measurements | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Establish/Maintain Documentation | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Establish/Maintain Documentation | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Establish/Maintain Documentation | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Establish/Maintain Documentation | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Establish/Maintain Documentation | |
| Include time information in incident response notifications. CC ID 04745 | Operational management | Establish/Maintain Documentation | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Establish/Maintain Documentation | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Establish/Maintain Documentation | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Establish/Maintain Documentation | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Establish/Maintain Documentation | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Establish/Maintain Documentation | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Establish/Maintain Documentation | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Establish/Maintain Documentation | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Establish/Maintain Documentation | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Establish/Maintain Documentation | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Establish/Maintain Documentation | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Establish/Maintain Documentation | |
| Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Establish/Maintain Documentation | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Establish/Maintain Documentation | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Establish/Maintain Documentation | |
| Include contact information in incident response notifications. CC ID 04739 | Operational management | Establish/Maintain Documentation | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Communicate | |
| Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Process or Activity | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Process or Activity | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Behavior | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Establish/Maintain Documentation | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Establish/Maintain Documentation | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Behavior | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Behavior | |
| Establish, implement, and maintain a containment strategy. CC ID 13480 [{be appropriate} The organization should plan how to maintain information security at an appropriate level during disruption. § 5.29 Control] | Operational management | Establish/Maintain Documentation | |
| Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Establish/Maintain Documentation | |
| Include response times in the containment strategy. CC ID 13485 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a restoration log. CC ID 12745 | Operational management | Establish/Maintain Documentation | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Data and Information Management | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Data and Information Management | |
| Establish, implement, and maintain compromised system reaccreditation procedures. CC ID 00592 | Operational management | Establish/Maintain Documentation | |
| Analyze security violations in Suspicious Activity Reports. CC ID 00591 | Operational management | Establish/Maintain Documentation | |
| Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 [Knowledge gained from information security incidents should be used to strengthen and improve the information security controls. § 5.27 Control] | Operational management | Monitor and Evaluate Occurrences | |
| Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298 | Operational management | Investigate | |
| Update the incident response procedures using the lessons learned. CC ID 01233 | Operational management | Establish/Maintain Documentation | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 | Operational management | Establish/Maintain Documentation | |
| Include incident response procedures in the Incident Management program. CC ID 01218 | Operational management | Establish/Maintain Documentation | |
| Integrate configuration management procedures into the incident management program. CC ID 13647 | Operational management | Technical Security | |
| Include incident management procedures in the Incident Management program. CC ID 12689 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334 | Operational management | Establish/Maintain Documentation | |
| Include after-action analysis procedures in the Incident Management program. CC ID 01219 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain security and breach investigation procedures. CC ID 16844 | Operational management | Establish/Maintain Documentation | |
| Document any potential harm in the incident finding when concluding the incident investigation. CC ID 13830 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain incident management audit logs. CC ID 13514 | Operational management | Records Management | |
| Log incidents in the Incident Management audit log. CC ID 00857 | Operational management | Establish/Maintain Documentation | |
| Include who the incident was reported to in the incident management audit log. CC ID 16487 | Operational management | Log Management | |
| Include corrective actions in the incident management audit log. CC ID 16466 | Operational management | Establish/Maintain Documentation | |
| Include the organization's business products and services affected by disruptions in the Incident Management audit log. CC ID 12234 | Operational management | Log Management | |
| Include emergency processing priorities in the Incident Management program. CC ID 00859 | Operational management | Establish/Maintain Documentation | |
| Include user's responsibilities for when a theft has occurred in the Incident Management program. CC ID 06387 | Operational management | Establish/Maintain Documentation | |
| Include incident record closure procedures in the Incident Management program. CC ID 01620 | Operational management | Establish/Maintain Documentation | |
| Include incident reporting procedures in the Incident Management program. CC ID 11772 [The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner. § 6.8 Control] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 | Operational management | Communicate | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Establish/Maintain Documentation | |
| Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Establish/Maintain Documentation | |
| Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. § 5.24 Control] | Operational management | Establish Roles | |
| Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Establish Roles | |
| Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 | Operational management | Establish Roles | |
| Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 | Operational management | Establish Roles | |
| Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 | Operational management | Establish Roles | |
| Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 | Operational management | Establish Roles | |
| Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 | Operational management | Establish Roles | |
| Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 | Operational management | Establish Roles | |
| Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 | Operational management | Establish Roles | |
| Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 | Operational management | Establish Roles | |
| Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 | Operational management | Establish Roles | |
| Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 | Operational management | Human Resources Management | |
| Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 | Operational management | Establish/Maintain Documentation | |
| Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 | Operational management | Communicate | |
| Include references to industry best practices in the incident response procedures. CC ID 11956 | Operational management | Establish/Maintain Documentation | |
| Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 | Operational management | Establish/Maintain Documentation | |
| Identify potential sources of digital forensic evidence. CC ID 08651 [The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. § 5.28 Control] | Operational management | Investigate | |
| Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 [The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. § 5.28 Control] | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 [The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. § 5.28 Control] | Operational management | Records Management | |
| Disseminate and communicate the incident response procedures to all interested personnel and affected parties. CC ID 01215 [The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. § 5.24 Control The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. § 5.24 Control] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a performance management standard. CC ID 01615 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain rate limiting filters. CC ID 06883 | Operational management | Business Processes | |
| Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 [The use of resources should be monitored and adjusted in line with current and expected capacity requirements. § 8.6 Control] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 | Operational management | Establish/Maintain Documentation | |
| Include the security mechanisms of network services in the Service Level Agreement. CC ID 12023 [Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored. § 8.21 Control] | Operational management | Establish/Maintain Documentation | |
| Include the management requirements for network services in the Service Level Agreement. CC ID 12025 [Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored. § 8.21 Control] | Operational management | Establish/Maintain Documentation | |
| Include the service levels for network services in the Service Level Agreement. CC ID 12024 [Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored. § 8.21 Control] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Establish/Maintain Documentation | |
| Implement changes according to the change control program. CC ID 11776 [Changes to information processing facilities and information systems should be subject to change management procedures. § 8.32 Control] | Operational management | Business Processes | |
| Provide audit trails for all approved changes. CC ID 13120 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Configuration Management program. CC ID 00867 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 [Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. § 8.9 Control] | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the applied security patches in the baseline configuration. CC ID 13271 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include installed custom software in the baseline configuration. CC ID 13274 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include network ports in the baseline configuration. CC ID 13273 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Establish/Maintain Documentation | |
| Remove all unnecessary functionality. CC ID 00882 | System hardening through configuration management | Configuration | |
| Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827 | System hardening through configuration management | Configuration | |
| Restrict and control the use of privileged utility programs. CC ID 12030 [The use of utility programs that can be capable of overriding system and application controls should be restricted and tightly controlled. § 8.18 Control] | System hardening through configuration management | Technical Security | |
| Establish, implement, and maintain authenticators. CC ID 15305 | System hardening through configuration management | Technical Security | |
| Establish, implement, and maintain an authenticator standard. CC ID 01702 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an authenticator management system. CC ID 12031 [Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information. § 5.17 Control] | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a repository of authenticators. CC ID 16372 | System hardening through configuration management | Data and Information Management | |
| Establish, implement, and maintain authenticator procedures. CC ID 12002 | System hardening through configuration management | Establish/Maintain Documentation | |
| Restrict access to authentication files to authorized personnel, as necessary. CC ID 12127 | System hardening through configuration management | Technical Security | |
| Configure authenticators to comply with organizational standards. CC ID 06412 | System hardening through configuration management | Configuration | |
| Configure the system to require new users to change their authenticator on first use. CC ID 05268 | System hardening through configuration management | Configuration | |
| Configure authenticators so that group authenticators or shared authenticators are prohibited. CC ID 00519 | System hardening through configuration management | Configuration | |
| Configure the system to prevent unencrypted authenticator use. CC ID 04457 | System hardening through configuration management | Configuration | |
| Disable store passwords using reversible encryption. CC ID 01708 | System hardening through configuration management | Configuration | |
| Configure the system to encrypt authenticators. CC ID 06735 | System hardening through configuration management | Configuration | |
| Configure the system to mask authenticators. CC ID 02037 | System hardening through configuration management | Configuration | |
| Configure the authenticator policy to ban the use of usernames or user identifiers in authenticators. CC ID 05992 | System hardening through configuration management | Configuration | |
| Configure the "minimum number of digits required for new passwords" setting to organizational standards. CC ID 08717 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards. CC ID 08718 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 | System hardening through configuration management | Configuration | |
| Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards. CC ID 08719 | System hardening through configuration management | Establish/Maintain Documentation | |
| Disable machine account password changes. CC ID 01737 | System hardening through configuration management | Configuration | |
| Configure the "minimum number of special characters required for new passwords" setting to organizational standards. CC ID 08720 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "require new passwords to differ from old ones by the appropriate minimum number of characters" setting to organizational standards. CC ID 08722 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "password reuse" setting to organizational standards. CC ID 08724 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "Disable Remember Password" setting. CC ID 05270 | System hardening through configuration management | Configuration | |
| Configure the "Minimum password age" to organizational standards. CC ID 01703 | System hardening through configuration management | Configuration | |
| Configure the LILO/GRUB password. CC ID 01576 | System hardening through configuration management | Configuration | |
| Configure the system to use Apple's Keychain Access to store passwords and certificates. CC ID 04481 | System hardening through configuration management | Configuration | |
| Change the default password to Apple's Keychain. CC ID 04482 | System hardening through configuration management | Configuration | |
| Configure Apple's Keychain items to ask for the Keychain password. CC ID 04483 | System hardening through configuration management | Configuration | |
| Configure the Syskey Encryption Key and associated password. CC ID 05978 | System hardening through configuration management | Configuration | |
| Configure the "Accounts: Limit local account use of blank passwords to console logon only" setting. CC ID 04505 | System hardening through configuration management | Configuration | |
| Configure the "System cryptography: Force strong key protection for user keys stored in the computer" setting. CC ID 04534 | System hardening through configuration management | Configuration | |
| Configure interactive logon for accounts that do not have assigned authenticators in accordance with organizational standards. CC ID 05267 | System hardening through configuration management | Configuration | |
| Enable or disable remote connections from accounts with empty authenticators, as appropriate. CC ID 05269 | System hardening through configuration management | Configuration | |
| Configure the "Send LanMan compatible password" setting. CC ID 05271 | System hardening through configuration management | Configuration | |
| Configure the authenticator policy to ban or allow authenticators as words found in dictionaries, as appropriate. CC ID 05993 | System hardening through configuration management | Configuration | |
| Set the most number of characters required for the BitLocker Startup PIN correctly. CC ID 06054 | System hardening through configuration management | Configuration | |
| Set the default folder for BitLocker recovery passwords correctly. CC ID 06055 | System hardening through configuration management | Configuration | |
| Notify affected parties to keep authenticators confidential. CC ID 06787 | System hardening through configuration management | Behavior | |
| Discourage affected parties from recording authenticators. CC ID 06788 | System hardening through configuration management | Behavior | |
| Configure the "shadow password for all accounts in /etc/passwd" setting to organizational standards. CC ID 08721 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "password hashing algorithm" setting to organizational standards. CC ID 08723 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "Disable password strength validation for Peer Grouping" setting to organizational standards. CC ID 10866 | System hardening through configuration management | Configuration | |
| Configure the "Set the interval between synchronization retries for Password Synchronization" setting to organizational standards. CC ID 11185 | System hardening through configuration management | Configuration | |
| Configure the "Set the number of synchronization retries for servers running Password Synchronization" setting to organizational standards. CC ID 11187 | System hardening through configuration management | Configuration | |
| Configure the "Turn off password security in Input Panel" setting to organizational standards. CC ID 11296 | System hardening through configuration management | Configuration | |
| Configure the "Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory" setting to organizational standards. CC ID 11355 | System hardening through configuration management | Configuration | |
| Configure the authenticator display screen to organizational standards. CC ID 13794 | System hardening through configuration management | Configuration | |
| Configure the authenticator field to disallow memorized secrets found in the memorized secret list. CC ID 13808 | System hardening through configuration management | Configuration | |
| Configure the authenticator display screen to display the memorized secret as an option. CC ID 13806 | System hardening through configuration management | Configuration | |
| Disseminate and communicate with the end user when a memorized secret entered into an authenticator field matches one found in the memorized secret list. CC ID 13807 | System hardening through configuration management | Communicate | |
| Configure the memorized secret verifiers to refrain from allowing anonymous users to access memorized secret hints. CC ID 13823 | System hardening through configuration management | Configuration | |
| Configure the system to allow paste functionality for the authenticator field. CC ID 13819 | System hardening through configuration management | Configuration | |
| Configure the system to require successful authentication before an authenticator for a user account is changed. CC ID 13821 | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a record classification scheme. CC ID 00914 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a records authentication system. CC ID 11648 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. § 5.33 Control] | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 [Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements. § 7.10 Control] | Records management | Establish/Maintain Documentation | |
| Supervise media destruction in accordance with organizational standards. CC ID 16456 | Records management | Business Processes | |
| Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 | Records management | Data and Information Management | |
| Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643 [Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. § 7.14 Control] | Records management | Data and Information Management | |
| Degauss as a method of sanitizing electronic storage media. CC ID 00973 | Records management | Records Management | |
| Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 | Records management | Process or Activity | |
| Use approved media sanitization equipment for destruction. CC ID 16459 | Records management | Business Processes | |
| Define each system's disposition requirements for records and logs. CC ID 11651 | Records management | Process or Activity | |
| Establish, implement, and maintain records disposition procedures. CC ID 00971 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. § 5.33 Control] | Records management | Establish/Maintain Documentation | |
| Manage the disposition status for all records. CC ID 00972 | Records management | Records Management | |
| Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313 | Records management | Data and Information Management | |
| Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 [Information stored in information systems, devices or in any other storage media should be deleted when no longer required. § 8.10 Control] | Records management | Records Management | |
| Place printed records awaiting destruction into secure containers. CC ID 12464 | Records management | Physical and Environmental Protection | |
| Destroy printed records so they cannot be reconstructed. CC ID 11779 | Records management | Physical and Environmental Protection | |
| Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 | Records management | Data and Information Management | |
| Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures. CC ID 11962 | Records management | Establish/Maintain Documentation | |
| Maintain disposal records or redeployment records. CC ID 01644 | Records management | Establish/Maintain Documentation | |
| Include the name of the signing officer in the disposal record. CC ID 15710 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Establish/Maintain Documentation | |
| Protect records from loss in accordance with applicable requirements. CC ID 12007 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. § 5.33 Control] | Records management | Records Management | |
| Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. § 5.33 Control] | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 [Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements. § 7.10 Control] | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain security label procedures. CC ID 06747 [An appropriate set of procedures for information labelling should be developed and implementedpan> in accordance with the information classification scheme nd-color:#CBD0E5;" class="term_secondary-verb">adopted by the organization. § 5.13 Control] | Records management | Establish/Maintain Documentation | |
| Label restricted storage media appropriately. CC ID 00966 | Records management | Data and Information Management | |
| Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Records management | Establish/Maintain Documentation | |
| Conspicuously locate the restricted record's overall classification. CC ID 01890 | Records management | Establish/Maintain Documentation | |
| Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Records management | Establish/Maintain Documentation | |
| Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Records management | Establish/Maintain Documentation | |
| Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Records management | Establish/Maintain Documentation | |
| Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Records management | Establish/Maintain Documentation | |
| Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Records management | Data and Information Management | |
| Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Records management | Technical Security | |
| Establish the minimum originator requirements for security labels. CC ID 06579 | Records management | Establish/Maintain Documentation | |
| Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Records management | Establish/Maintain Documentation | |
| Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Records management | Establish/Maintain Documentation | |
| Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Records management | Establish/Maintain Documentation | |
| Establish and maintain access controls for all records. CC ID 00371 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release. § 5.33 Control] | Records management | Records Management | |
| Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Records management | Data and Information Management | |
| Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an information preservation policy. CC ID 16483 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain information preservation procedures. CC ID 06277 | Records management | Establish/Maintain Documentation | |
| Implement and maintain high availability storage, as necessary. CC ID 00952 | Records management | Technical Security | |
| Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 | Records management | Records Management | |
| Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records management | Records Management | |
| Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records management | Records Management | |
| Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Technical Security | |
| Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records management | Records Management | |
| Provide encryption for different types of electronic storage media. CC ID 00945 | Records management | Technical Security | |
| Implement electronic storage media integrity controls. CC ID 00946 | Records management | Configuration | |
| Automate electronic storage media integrity check controls. CC ID 00948 | Records management | Configuration | |
| Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Records management | Configuration | |
| Establish, implement, and maintain a removable storage media log. CC ID 12317 | Records management | Log Management | |
| Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Records management | Establish/Maintain Documentation | |
| Include the date and time in the removable storage media log. CC ID 12318 | Records management | Establish/Maintain Documentation | |
| Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Records management | Establish/Maintain Documentation | |
| Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Records management | Establish/Maintain Documentation | |
| Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Records management | Establish/Maintain Documentation | |
| Include the sender's name in the removable storage media log. CC ID 12752 | Records management | Establish/Maintain Documentation | |
| Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Records management | Establish/Maintain Documentation | |
| Include the reason for transfer in the removable storage media log. CC ID 12316 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Records management | Process or Activity | |
| Document all actions taken when downgrading electronic storage media. CC ID 10622 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include information security throughout the system development life cycle. CC ID 12042 [Information security requirements should be identified, specified and approved when developing or acquiring applications. § 8.26 Control] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Protect confidential information during the system development life cycle program. CC ID 13479 | Systems design, build, and implementation | Data and Information Management | |
| Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain security design principles. CC ID 14718 [Principles for engineering secure systems should be established, documented, maintained and applied to any information system development activities. § 8.27 Control Rules for the secure development of software and systems should be established and applied. § 8.25 Control] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include reduced complexity of systems or system components in the security design principles. CC ID 14753 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include modularity and layering of systems or system components in the security design principles. CC ID 14750 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include secure evolvability of systems or system components in the security design principles. CC ID 14749 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include continuous protection of systems or system components in the security design principles. CC ID 14748 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include least common mechanisms between systems or system components in the security design principles. CC ID 14747 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include secure system modification of systems or system components in the security design principles. CC ID 14746 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include clear abstractions of systems or system components in the security design principles. CC ID 14745 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include least privilege of systems or system components in the security design principles. CC ID 14742 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include minimized sharing of systems or system components in the security design principles. CC ID 14741 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include acceptable security of systems or system components in the security design principles. CC ID 14740 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include minimized security elements in systems or system components in the security design principles. CC ID 14739 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include hierarchical protection in systems or system components in the security design principles. CC ID 14738 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include self-analysis of systems or system components in the security design principles. CC ID 14737 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include secure distributed composition of systems or system components in the security design principles. CC ID 14734 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include minimization of systems or system components in the security design principles. CC ID 14733 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include secure defaults in systems or system components in the security design principles. CC ID 14732 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include trusted communications channels for systems or system components in the security design principles. CC ID 14731 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include economic security in systems or system components in the security design principles. CC ID 14730 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include trusted components of systems or system components in the security design principles. CC ID 14729 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include procedural rigor in systems or system components in the security design principles. CC ID 14728 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include accountability and traceability of systems or system components in the security design principles. CC ID 14727 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include hierarchical trust in systems or system components in the security design principles. CC ID 14726 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include sufficient documentation for systems or system components in the security design principles. CC ID 14725 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include performance security of systems or system components in the security design principles. CC ID 14724 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include human factored security in systems or system components in the security design principles. CC ID 14723 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include secure metadata management of systems or system components in the security design principles. CC ID 14722 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include predicate permission of systems or system components in the security design principles. CC ID 14721 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain a system design project management framework. CC ID 00990 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain project management standards. CC ID 00992 [Information security should be integrated into project management. § 5.8 Control] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include participation by each affected user department in the implementation phase of the project plan. CC ID 00993 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain a project program documentation standard. CC ID 00995 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include budgeting for projects in the project management standard. CC ID 13136 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain integrated project plans. CC ID 01056 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain a project control program. CC ID 01612 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain a project test plan. CC ID 01001 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain a project team plan. CC ID 06533 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the addition of new hires, part-time employees, or third party assistance in the project team plan. CC ID 11731 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain a project management training plan. CC ID 01002 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Separate the design and development environment from the production environment. CC ID 06088 [{development environment}{test environment} Development, testing and production environments should be separated and secured. § 8.31 Control] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Specify appropriate tools for the system development project. CC ID 06830 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Implement security controls in development endpoints. CC ID 16389 | Systems design, build, and implementation | Testing | |
| Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain outsourced development procedures. CC ID 01141 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Develop new products based on best practices. CC ID 01095 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Protect application program libraries. CC ID 11762 [{read access}{software development tool} Read and write access to source code, development tools and software libraries should be appropriately managed. § 8.4 Control] | Systems design, build, and implementation | Technical Security | |
| Establish and maintain access rights to source code based upon least privilege. CC ID 06962 [{read access}{software development tool} Read and write access to source code, development tools and software libraries should be appropriately managed. § 8.4 Control] | Systems design, build, and implementation | Technical Security | |
| Develop new products based on secure coding techniques. CC ID 11733 [Secure coding principles should be applied to software development. § 8.28 Control] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish and maintain a coding manual for secure coding techniques. CC ID 11863 [Rules for the secure development of software and systems should be established and applied. § 8.25 Control] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Systems design, build, and implementation | Technical Security | |
| Protect applications from improper access control through secure coding techniques in source code. CC ID 11959 | Systems design, build, and implementation | Technical Security | |
| Protect applications from improper error handling through secure coding techniques in source code. CC ID 11937 | Systems design, build, and implementation | Technical Security | |
| Protect applications from insecure communications through secure coding techniques in source code. CC ID 11936 | Systems design, build, and implementation | Technical Security | |
| Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Systems design, build, and implementation | Technical Security | |
| Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Systems design, build, and implementation | Technical Security | |
| Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Refrain from hard-coding usernames in source code. CC ID 06561 | Systems design, build, and implementation | Technical Security | |
| Refrain from hard-coding authenticators in source code. CC ID 11829 | Systems design, build, and implementation | Technical Security | |
| Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Systems design, build, and implementation | Technical Security | |
| Protect applications from injection flaws through secure coding techniques in source code. CC ID 11944 | Systems design, build, and implementation | Technical Security | |
| Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Control user account management through secure coding techniques in source code. CC ID 11909 | Systems design, build, and implementation | Technical Security | |
| Restrict direct access of databases to the database administrator through secure coding techniques in source code. CC ID 11933 | Systems design, build, and implementation | Technical Security | |
| Protect applications from buffer overflows through secure coding techniques in source code. CC ID 11943 | Systems design, build, and implementation | Technical Security | |
| Protect applications from cross-site scripting through secure coding techniques in source code. CC ID 11899 | Systems design, build, and implementation | Process or Activity | |
| Protect against coding vulnerabilities through secure coding techniques in source code. CC ID 11897 | Systems design, build, and implementation | Process or Activity | |
| Protect applications from broken authentication and session management through secure coding techniques in source code. CC ID 11896 | Systems design, build, and implementation | Process or Activity | |
| Protect applications from insecure cryptographic storage through secure coding techniques in source code. CC ID 11935 | Systems design, build, and implementation | Technical Security | |
| Protect applications from cross-site request forgery through secure coding techniques in source code. CC ID 11895 | Systems design, build, and implementation | Process or Activity | |
| Protect databases from unauthorized database management actions through secure coding techniques in source code. CC ID 12049 | Systems design, build, and implementation | Technical Security | |
| Refrain from displaying error messages to end users through secure coding techniques in source code. CC ID 12166 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Configure software development tools in accordance with organizational standards. CC ID 16387 | Systems design, build, and implementation | Configuration | |
| Standardize Application Programming Interfaces. CC ID 12167 | Systems design, build, and implementation | Technical Security | |
| Include all confidentiality, integrity, and availability functions in the system design specification. CC ID 04556 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the relationships and dependencies between modules in the system design specification. CC ID 04559 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain a security policy model document. CC ID 04560 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain a system testing policy. CC ID 01102 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Configure the test environment similar to the production environment. CC ID 06837 [{development environment}{test environment} Development, testing and production environments should be separated and secured. § 8.31 Control] | Systems design, build, and implementation | Configuration | |
| Establish, implement, and maintain system testing procedures. CC ID 11744 [Security testing processes should be defined and implemented in the development life cycle. § 8.29 Control] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Protect test data in the development environment. CC ID 12014 [Test information should be appropriately selected, protected and managed. § 8.33 Control] | Systems design, build, and implementation | Technical Security | |
| Control the test data used in the development environment. CC ID 12013 [Test information should be appropriately selected, protected and managed. § 8.33 Control] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Select the test data carefully. CC ID 12011 [Test information should be appropriately selected, protected and managed. § 8.33 Control] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Test security functionality during the development process. CC ID 12015 | Systems design, build, and implementation | Testing | |
| Include system performance in the scope of system testing. CC ID 12624 | Systems design, build, and implementation | Process or Activity | |
| Include security controls in the scope of system testing. CC ID 12623 | Systems design, build, and implementation | Process or Activity | |
| Include business logic in the scope of system testing. CC ID 12622 | Systems design, build, and implementation | Process or Activity | |
| Assign the review of custom code changes to individuals other than the code author. CC ID 06291 | Systems design, build, and implementation | Establish Roles | |
| Evaluate and document all known code anomalies and code deficiencies. CC ID 06611 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Disseminate and communicate the system testing procedures to interested personnel and affected parties. CC ID 15471 | Systems design, build, and implementation | Communicate | |
| Establish, implement, and maintain poor quality material removal procedures. CC ID 06214 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
| Establish, implement, and maintain system acquisition contracts. CC ID 14758 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Include security requirements in system acquisition contracts. CC ID 01124 [Information security requirements should be identified, specified and approved when developing or acquiring applications. § 8.26 Control] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Include operational requirements in system acquisition contracts. CC ID 00825 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Provide suppliers with operational requirement information needed to define required service levels in system acquisition contracts. CC ID 06890 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Include required service levels in system acquisition contracts. CC ID 11652 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Include security controls in system acquisition contracts. CC ID 01125 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Obtain system documentation before acquiring products and services. CC ID 01445 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Include a description of the use and maintenance of security functions in the administration documentation. CC ID 14309 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Include a description of the known vulnerabilities for administrative functions in the administration documentation. CC ID 14302 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Disseminate and communicate the system documentation to interested personnel and affected parties. CC ID 14285 | Acquisition or sale of facilities, technology, and services | Communicate | |
| Obtain user documentation before acquiring products and services. CC ID 14283 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
| Include instructions on how to use the security functions in the user documentation. CC ID 14314 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Include security functions in the user documentation. CC ID 14313 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Include user responsibilities for maintaining system security in the user documentation. CC ID 14312 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Include a description of user interactions in the user documentation. CC ID 14311 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Require the information system developer to create a continuous monitoring plan. CC ID 14307 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [The organization should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements. § 5.34 Control] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Data and Information Management | |
| Establish and maintain privacy notices, as necessary. CC ID 13443 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the purpose of the privacy notice in the privacy notice. CC ID 13526 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the processing purpose in the privacy notice. CC ID 16543 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include contact information in the privacy notice. CC ID 14432 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the personal data collection categories in the privacy notice. CC ID 13457 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include disclosure exceptions in the privacy notice. CC ID 13447 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of personal data disclosed in the privacy notice. CC ID 13446 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Specify the time frame that notice will be given. CC ID 00385 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the information about the appeal process in the privacy notice. CC ID 15312 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 | Privacy protection for information and data | Communicate | |
| Deliver privacy notices to data subjects, as necessary. CC ID 13444 | Privacy protection for information and data | Communicate | |
| Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Update privacy notices, as necessary. CC ID 13474 | Privacy protection for information and data | Communicate | |
| Redeliver privacy notices, as necessary. CC ID 14850 | Privacy protection for information and data | Communicate | |
| Deliver privacy notices to third parties, as necessary. CC ID 13473 | Privacy protection for information and data | Communicate | |
| Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 | Privacy protection for information and data | Communicate | |
| Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain opt-out notices. CC ID 13448 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the opt out method for data subjects in the opt-out notice. CC ID 13467 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Explain the right to opt out in the opt-out notice. CC ID 13462 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organization's right to share personal data in the opt-out notice. CC ID 13450 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Deliver opt-out notices, as necessary. CC ID 13449 | Privacy protection for information and data | Communicate | |
| Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 | Privacy protection for information and data | Communicate | |
| Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 | Privacy protection for information and data | Communicate | |
| Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 | Privacy protection for information and data | Communicate | |
| Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 | Privacy protection for information and data | Communicate | |
| Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 | Privacy protection for information and data | Data and Information Management | |
| Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 | Privacy protection for information and data | Communicate | |
| Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 | Privacy protection for information and data | Communicate | |
| Provide the data subject with a notice of participation procedures. CC ID 06241 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Deliver notices to the intended parties. CC ID 06240 | Privacy protection for information and data | Data and Information Management | |
| Notify data subjects about their privacy rights. CC ID 12989 | Privacy protection for information and data | Communicate | |
| Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Privacy protection for information and data | Data and Information Management | |
| Provide public proof the organization participates in a privacy program. CC ID 12349 | Privacy protection for information and data | Communicate | |
| Publish a description of processing activities in an official register. CC ID 00379 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish and maintain a records request manual. CC ID 00381 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 | Privacy protection for information and data | Behavior | |
| Define what is included in registration notices. CC ID 00386 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include roles and responsibilities in the registration notice. CC ID 16803 | Privacy protection for information and data | Establish Roles | |
| Include the verification method in the registration notice. CC ID 16798 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the statutory authority in the registration notice. CC ID 16799 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include a purpose specification description in the registration notice. CC ID 00388 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include information about the dispute resolution body in the registration notice. CC ID 16800 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject category being processed in the registration notice. CC ID 00389 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the time period for data processing in the registration notice. CC ID 00390 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide legal authorities access to personal data, upon request. CC ID 06818 | Privacy protection for information and data | Data and Information Management | |
| Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 | Privacy protection for information and data | Process or Activity | |
| Document the countries where restricted data may be stored. CC ID 12750 | Privacy protection for information and data | Data and Information Management | |
| Protect the rights of students and their parents or legal representatives. CC ID 00222 | Privacy protection for information and data | Data and Information Management | |
| Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 | Privacy protection for information and data | Technical Security | |
| Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 | Privacy protection for information and data | Records Management | |
| Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 | Privacy protection for information and data | Records Management | |
| Define the criteria for waivers of data subjects' rights. CC ID 16858 | Privacy protection for information and data | Behavior | |
| Revoke waivers of data subject's rights, as necessary. CC ID 16859 | Privacy protection for information and data | Behavior | |
| Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose educational data, as necessary. CC ID 00223 | Privacy protection for information and data | Data and Information Management | |
| Grant access to education records in support of educational program audits. CC ID 13032 | Privacy protection for information and data | Records Management | |
| Grant access to education records in support of external requirements. CC ID 13033 | Privacy protection for information and data | Records Management | |
| Disclose statements added to education records, as necessary. CC ID 12990 | Privacy protection for information and data | Communicate | |
| Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 | Privacy protection for information and data | Data and Information Management | |
| Disclose education records when written consent is received. CC ID 00224 | Privacy protection for information and data | Data and Information Management | |
| Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Specify the purpose of the disclosure in the written consent. CC ID 13001 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Specify which education records may be disclosed in the written consent. CC ID 13000 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the conditions when consent is not required to disclose educational data. CC ID 00225 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 | Privacy protection for information and data | Communicate | |
| Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 | Privacy protection for information and data | Communicate | |
| Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 | Privacy protection for information and data | Communicate | |
| Disclose educational data absent consent to other school officials. CC ID 00226 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to another institution's school officials. CC ID 00227 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent in connection with financial aid. CC ID 00229 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 | Privacy protection for information and data | Communicate | |
| Disclose educational data absent consent to accrediting organizations. CC ID 00231 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent for a health and safety emergency. CC ID 00234 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent when it is merely directory information. CC ID 00235 | Privacy protection for information and data | Data and Information Management | |
| Disclose educational data absent consent to a crime victim. CC ID 00236 | Privacy protection for information and data | Data and Information Management | |
| Record the health and safety threats of students when disclosing personal data. CC ID 12997 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from providing information to the data subject, as necessary. CC ID 12625 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Privacy protection for information and data | Communicate | |
| Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Privacy protection for information and data | Communicate | |
| Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Privacy protection for information and data | Communicate | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the data retention period for personal data. CC ID 12587 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with the adequacy decision. CC ID 12586 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Business Processes | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Business Processes | |
| Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Privacy protection for information and data | Data and Information Management | |
| Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the disclosure date in the disclosure accounting record. CC ID 07133 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the disclosure recipient in the disclosure accounting record. CC ID 07134 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the disclosure purpose in the disclosure accounting record. CC ID 07135 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 | Privacy protection for information and data | Data and Information Management | |
| Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 | Privacy protection for information and data | Communicate | |
| Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide shareholders access to electronic messages via electronic means. CC ID 11855 | Privacy protection for information and data | Process or Activity | |
| Make telephone directory information available to the public. CC ID 08698 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Display warning screens and confirmation screens for all payment transactions. CC ID 06409 | Privacy protection for information and data | Technical Security | |
| Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 | Privacy protection for information and data | Process or Activity | |
| Establish, implement, and maintain a privacy policy. CC ID 06281 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject's rights in the privacy policy. CC ID 16355 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a privacy policy model document. CC ID 14720 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 | Privacy protection for information and data | Behavior | |
| Write privacy notices in the official languages required by law. CC ID 16529 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define what is included in the privacy policy. CC ID 00404 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the information being collected in the privacy policy. CC ID 13115 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the means by which information is collected in the privacy policy. CC ID 13114 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include roles and responsibilities in the privacy policy. CC ID 14669 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include management commitment in the privacy policy. CC ID 14668 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include coordination amongst entities in the privacy policy. CC ID 14667 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include compliance requirements in the privacy policy. CC ID 14666 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include a complaint form in the privacy policy. CC ID 12364 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the processing purpose in the privacy policy. CC ID 00406 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data subject categories being processed in the privacy policy. CC ID 00407 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the retention period for collected information in the privacy policy. CC ID 13116 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include instructions on how to opt-out in the privacy policy. CC ID 00411 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Post the privacy policy in an easily seen location. CC ID 00401 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define who will receive the privacy policy. CC ID 00402 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain privacy procedures. CC ID 14665 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain a privacy plan. CC ID 14672 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Align the enterprise architecture with the privacy plan. CC ID 14705 | Privacy protection for information and data | Process or Activity | |
| Approve the privacy plan. CC ID 14700 | Privacy protection for information and data | Business Processes | |
| Include privacy requirements in the privacy plan. CC ID 14699 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the information types in the privacy plan. CC ID 14695 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include threats in the privacy plan. CC ID 14694 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include roles and responsibilities in the privacy plan. CC ID 14702 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include a description of the operational context in the privacy plan. CC ID 14692 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include risk assessment results in the privacy plan. CC ID 14701 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the security categorizations and rationale in the privacy plan. CC ID 14690 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include security controls in the privacy plan. CC ID 14681 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 | Privacy protection for information and data | Communicate | |
| Include a description of the operational environment in the privacy plan. CC ID 14679 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include network diagrams in the privacy plan. CC ID 14678 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a privacy report. CC ID 14754 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 | Privacy protection for information and data | Communicate | |
| Protect private communications in keeping with compliance requirements. CC ID 14334 | Privacy protection for information and data | Business Processes | |
| Establish, implement, and maintain personal data choice and consent program. CC ID 12569 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data request procedures. CC ID 16546 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 | Privacy protection for information and data | Human Resources Management | |
| Refrain from charging a fee to implement an opt-out request. CC ID 13877 | Privacy protection for information and data | Business Processes | |
| Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how personal data will be used in the disclosure authorization form. CC ID 13441 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include agreement termination information in the disclosure authorization form. CC ID 13437 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 | Privacy protection for information and data | Business Processes | |
| Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Privacy protection for information and data | Business Processes | |
| Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 | Privacy protection for information and data | Data and Information Management | |
| Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Privacy protection for information and data | Business Processes | |
| Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Privacy protection for information and data | Business Processes | |
| Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Privacy protection for information and data | Data and Information Management | |
| Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 | Privacy protection for information and data | Business Processes | |
| Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Privacy protection for information and data | Process or Activity | |
| Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow consent requests to be provided in any official languages. CC ID 16530 | Privacy protection for information and data | Business Processes | |
| Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Privacy protection for information and data | Communicate | |
| Collect and retain disclosure authorizations for each data subject. CC ID 13434 | Privacy protection for information and data | Records Management | |
| Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 | Privacy protection for information and data | Data and Information Management | |
| Refrain from obtaining consent through deception. CC ID 13556 | Privacy protection for information and data | Data and Information Management | |
| Give individuals the ability to change the uses of their personal data. CC ID 00469 | Privacy protection for information and data | Data and Information Management | |
| Notify data subjects of the implications of withdrawing consent. CC ID 13551 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 | Privacy protection for information and data | Human Resources Management | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Establish Roles | |
| Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 | Privacy protection for information and data | Human Resources Management | |
| Notify the supervisory authority. CC ID 00472 | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Business Processes | |
| Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Communicate | |
| Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Business Processes | |
| Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Process or Activity | |
| Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Privacy protection for information and data | Process or Activity | |
| Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Communicate | |
| Cooperate with Data Protection Authorities. CC ID 06870 | Privacy protection for information and data | Data and Information Management | |
| Submit a safe harbor self-certification letter. CC ID 06871 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 | Privacy protection for information and data | Human Resources Management | |
| Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data subject's rights in the Binding Corporate Rules. CC ID 12596 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include complaint procedures in the Binding Corporate Rules. CC ID 12613 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data transfers in the Binding Corporate Rules. CC ID 12590 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the data controller of any changes in data processors. CC ID 12648 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Privacy protection for information and data | Human Resources Management | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Display or print the least amount of personal data necessary. CC ID 04643 | Privacy protection for information and data | Data and Information Management | |
| Redact confidential information from public information, as necessary. CC ID 06872 | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of the collection purpose. CC ID 00095 | Privacy protection for information and data | Behavior | |
| Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Data and Information Management | |
| Document the law that requires restricted data to be collected. CC ID 00103 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the data subject of the consequences for not providing personal data. CC ID 00104 | Privacy protection for information and data | Behavior | |
| Notify the data subject of changes to personal data use. CC ID 00105 | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain the data subject's consent when the personal data use changes. CC ID 11832 | Privacy protection for information and data | Behavior | |
| Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Dispose of media and restricted data in a timely manner. CC ID 00125 | Privacy protection for information and data | Data and Information Management | |
| Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Records Management | |
| Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain data access procedures. CC ID 00414 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow data subjects to submit data requests. CC ID 16545 | Privacy protection for information and data | Process or Activity | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Data and Information Management | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Privacy protection for information and data | Data and Information Management | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 | Privacy protection for information and data | Data and Information Management | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Data and Information Management | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Data and Information Management | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Business Processes | |
| Respond to data access requests in a timely manner. CC ID 00421 | Privacy protection for information and data | Behavior | |
| Delay responding to data access requests, as necessary. CC ID 15504 | Privacy protection for information and data | Data and Information Management | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Data and Information Management | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Business Processes | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Process or Activity | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Data and Information Management | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Records Management | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Process or Activity | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 | Privacy protection for information and data | Data and Information Management | |
| Disclose de-identified data, as necessary. CC ID 13034 | Privacy protection for information and data | Communicate | |
| Notify the data subject after personal data is used or disclosed. CC ID 06247 | Privacy protection for information and data | Behavior | |
| Refrain from processing restricted data, as necessary. CC ID 12551 | Privacy protection for information and data | Records Management | |
| Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Privacy protection for information and data | Process or Activity | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Privacy protection for information and data | Business Processes | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Privacy protection for information and data | Process or Activity | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Process or Activity | |
| Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Privacy protection for information and data | Records Management | |
| Include the data processor's contact information in the record of processing activities. CC ID 12657 | Privacy protection for information and data | Records Management | |
| Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Privacy protection for information and data | Records Management | |
| Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Privacy protection for information and data | Records Management | |
| Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Privacy protection for information and data | Records Management | |
| Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 | Privacy protection for information and data | Records Management | |
| Include the personal data processing categories in the record of processing activities. CC ID 12661 | Privacy protection for information and data | Records Management | |
| Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Privacy protection for information and data | Records Management | |
| Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Privacy protection for information and data | Records Management | |
| Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Privacy protection for information and data | Records Management | |
| Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Privacy protection for information and data | Records Management | |
| Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Privacy protection for information and data | Records Management | |
| Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Privacy protection for information and data | Records Management | |
| Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Privacy protection for information and data | Records Management | |
| Include the data controller's contact information in the record of processing activities. CC ID 12637 | Privacy protection for information and data | Records Management | |
| Process restricted data lawfully and carefully. CC ID 00086 | Privacy protection for information and data | Establish Roles | |
| Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Technical Security | |
| Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Privacy protection for information and data | Data and Information Management | |
| Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Records Management | |
| Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Privacy protection for information and data | Data and Information Management | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Records Management | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Process or Activity | |
| Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Privacy protection for information and data | Records Management | |
| Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Data and Information Management | |
| Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Privacy protection for information and data | Data and Information Management | |
| Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Privacy protection for information and data | Data and Information Management | |
| Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define and implement valid authorization control requirements. CC ID 06258 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Privacy protection for information and data | Data and Information Management | |
| Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Privacy protection for information and data | Data and Information Management | |
| Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Data and Information Management | |
| Process personal data after the data subject has granted explicit consent. CC ID 00180 | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Privacy protection for information and data | Data and Information Management | |
| Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Data and Information Management | |
| Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 | Privacy protection for information and data | Data and Information Management | |
| Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Privacy protection for information and data | Data and Information Management | |
| Process personal data when it is publicly accessible. CC ID 00187 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Privacy protection for information and data | Business Processes | |
| Process personal data for the purposes of employment. CC ID 16527 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for debt collection or benefit payments. CC ID 00190 | Privacy protection for information and data | Data and Information Management | |
| Process personal data in order to advance the public interest. CC ID 00191 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for surveys, archives, or scientific research. CC ID 00192 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Data and Information Management | |
| Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Privacy protection for information and data | Data and Information Management | |
| Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Data and Information Management | |
| Follow legal obligations while processing personal data. CC ID 04794 | Privacy protection for information and data | Data and Information Management | |
| Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 | Privacy protection for information and data | Process or Activity | |
| Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent in order to perform a contract. CC ID 13586 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is needed by law. CC ID 13577 | Privacy protection for information and data | Data and Information Management | |
| Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is from publicly available information. CC ID 13576 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent to create a credit report. CC ID 15288 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when produced for business purposes. CC ID 13563 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for handling insurance claims. CC ID 13561 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for life-threatening emergencies. CC ID 13558 | Privacy protection for information and data | Data and Information Management | |
| Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Privacy protection for information and data | Data and Information Management | |
| Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 | Privacy protection for information and data | Behavior | |
| Define security breach notification requirement exceptions. CC ID 04797 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 | Privacy protection for information and data | Records Management | |
| Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 | Privacy protection for information and data | Data and Information Management | |
| Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define opt-out exceptions for disclosing restricted data. CC ID 00159 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define how a data subject may give consent. CC ID 00160 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 | Privacy protection for information and data | Communicate | |
| Disclose restricted data absent consent when the law does not require consent. CC ID 00136 | Privacy protection for information and data | Data and Information Management | |
| Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent to create a credit report. CC ID 15297 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for handling insurance claims. CC ID 13585 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to perform a contract. CC ID 00139 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent for public economic interests. CC ID 00148 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 | Privacy protection for information and data | Data and Information Management | |
| Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when it is needed by law. CC ID 00163 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 | Privacy protection for information and data | Data and Information Management | |
| Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain restricted data retention procedures. CC ID 00167 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Capture personal data removal requests. CC ID 13507 | Privacy protection for information and data | Communicate | |
| Remove personal data from records after receiving a personal data removal request. CC ID 11972 | Privacy protection for information and data | Records Management | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Process or Activity | |
| Dispose of personal data removal requests, as necessary. CC ID 13512 | Privacy protection for information and data | Business Processes | |
| Limit the redisclosure and reuse of restricted data. CC ID 00168 | Privacy protection for information and data | Data and Information Management | |
| Refrain from redisclosing or reusing restricted data. CC ID 00169 | Privacy protection for information and data | Data and Information Management | |
| Document the redisclosing restricted data exceptions. CC ID 00170 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Redisclose restricted data when the data subject consents. CC ID 00171 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data in order to protect public revenue. CC ID 00173 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Privacy protection for information and data | Data and Information Management | |
| Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Privacy protection for information and data | Data and Information Management | |
| Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 | Privacy protection for information and data | Data and Information Management | |
| Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Privacy protection for information and data | Data and Information Management | |
| Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Data and Information Management | |
| Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Privacy protection for information and data | Data and Information Management | |
| Process Personal Identification Numbers with consent. CC ID 00239 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Privacy protection for information and data | Behavior | |
| Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Privacy protection for information and data | Data and Information Management | |
| Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Privacy protection for information and data | Data and Information Management | |
| Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Privacy protection for information and data | Data and Information Management | |
| Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Privacy protection for information and data | Data and Information Management | |
| Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Privacy protection for information and data | Data and Information Management | |
| Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Privacy protection for information and data | Data and Information Management | |
| Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Privacy protection for information and data | Data and Information Management | |
| Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Privacy protection for information and data | Data and Information Management | |
| Review personal data disclosure requests. CC ID 07129 | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of the disclosure purpose. CC ID 15268 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Data and Information Management | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Data and Information Management | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Data and Information Management | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Process or Activity | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Data and Information Management | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Data and Information Management | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Data and Information Management | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Data and Information Management | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Privacy protection for information and data | Data and Information Management | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Communicate | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Data and Information Management | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Process or Activity | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Privacy protection for information and data | Data and Information Management | |
| Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Data and Information Management | |
| Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Communicate | |
| Provide data or records in a reasonable time frame. CC ID 00429 | Privacy protection for information and data | Data and Information Management | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Privacy protection for information and data | Communicate | |
| Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Data and Information Management | |
| Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Data and Information Management | |
| Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Data and Information Management | |
| Provide data at a cost that is not excessive. CC ID 00430 | Privacy protection for information and data | Data and Information Management | |
| Provide records or data in a reasonable manner. CC ID 00431 | Privacy protection for information and data | Data and Information Management | |
| Provide personal data in a form that is intelligible. CC ID 00432 | Privacy protection for information and data | Data and Information Management | |
| Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Data and Information Management | |
| Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Data and Information Management | |
| Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Data and Information Management | |
| Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include cookie management in the privacy framework. CC ID 13809 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain cookie management procedures. CC ID 13810 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 | Privacy protection for information and data | Data and Information Management | |
| Refrain from collecting personal data, as necessary. CC ID 15269 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Use personal data for specified purposes. CC ID 11831 | Privacy protection for information and data | Data and Information Management | |
| Post the collection purpose. CC ID 00101 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Privacy protection for information and data | Data and Information Management | |
| Document each individual's personal data collection consent preferences. CC ID 06945 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide explicit consent that is clear and unambiguous. CC ID 00181 | Privacy protection for information and data | Data and Information Management | |
| Allow individuals to change their personal data collection consent preferences. CC ID 06946 | Privacy protection for information and data | Data and Information Management | |
| Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of the source of collected personal data. CC ID 00083 | Privacy protection for information and data | Behavior | |
| Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Privacy protection for information and data | Data and Information Management | |
| Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Privacy protection for information and data | Data and Information Management | |
| Establish and maintain a personal data definition. CC ID 00028 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's name in the personal data definition. CC ID 04710 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Privacy protection for information and data | Data and Information Management | |
| Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's signature in the personal data definition. CC ID 04711 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's date of birth in the personal data definition. CC ID 04770 | Privacy protection for information and data | Data and Information Management | |
| Include the number of children in the personal data definition. CC ID 13759 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the individual's religion in the personal data definition. CC ID 13765 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's biometric data in the personal data definition. CC ID 04698 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's photographic image in the personal data definition. CC ID 04779 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's fingerprints in the personal data definition. CC ID 04689 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's address in the personal data definition. CC ID 04687 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's telephone number in the personal data definition. CC ID 04688 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's fax number in the personal data definition. CC ID 07120 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's license plate number in the personal data definition. CC ID 13763 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's financial account number in the personal data definition. CC ID 04692 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's account balances in the personal data definition. CC ID 13770 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's logon credentials in the personal data definition. CC ID 13771 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's passport number in the personal data definition. CC ID 04713 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's military identification number in the personal data definition. CC ID 13083 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include an individual's e-mail address in the personal data definition. CC ID 04696 | Privacy protection for information and data | Data and Information Management | |
| Include electronic signatures in the personal data definition. CC ID 04697 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's payment card information in the personal data definition. CC ID 04751 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's payment card service code in the personal data definition. CC ID 04753 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Privacy protection for information and data | Data and Information Management | |
| Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's medical history in the personal data definition. CC ID 04701 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's medical treatment in the personal data definition. CC ID 04702 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's health insurance information in the personal data definition. CC ID 04705 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's education information in the personal data definition. CC ID 04714 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's employment information in the personal data definition. CC ID 04715 | Privacy protection for information and data | Data and Information Management | |
| Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's employment history in the personal data definition. CC ID 04716 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's place of employment in the personal data definition. CC ID 04765 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's property information in the personal data definition. CC ID 04780 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's property title in the personal data definition. CC ID 04781 | Privacy protection for information and data | Data and Information Management | |
| Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Privacy protection for information and data | Data and Information Management | |
| Include hardware asset identification information in the personal data definition. CC ID 07123 | Privacy protection for information and data | Data and Information Management | |
| Include MAC addresses in the personal data definition. CC ID 04778 | Privacy protection for information and data | Data and Information Management | |
| Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Privacy protection for information and data | Data and Information Management | |
| Include asset serial numbers in the personal data definition. CC ID 07124 | Privacy protection for information and data | Data and Information Management | |
| Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Privacy protection for information and data | Data and Information Management | |
| Refrain from including publicly available information in the personal data definition. CC ID 13084 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define specially restricted data. CC ID 00037 | Privacy protection for information and data | Data and Information Management | |
| Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Privacy protection for information and data | Data and Information Management | |
| Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Privacy protection for information and data | Data and Information Management | |
| Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Privacy protection for information and data | Data and Information Management | |
| Implement a nondiscrimination principle. CC ID 00081 | Privacy protection for information and data | Data and Information Management | |
| Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Privacy protection for information and data | Data and Information Management | |
| Preserve each individual's right to human dignity. CC ID 00082 | Privacy protection for information and data | Data and Information Management | |
| Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Privacy protection for information and data | Data and Information Management | |
| Employ a random number generator to create authenticators. CC ID 13782 | Privacy protection for information and data | Technical Security | |
| Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Privacy protection for information and data | Data and Information Management | |
| Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Privacy protection for information and data | Data and Information Management | |
| Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Privacy protection for information and data | Data and Information Management | |
| Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Privacy protection for information and data | Behavior | |
| Manage health data collection. CC ID 00050 | Privacy protection for information and data | Data and Information Management | |
| Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Privacy protection for information and data | Data and Information Management | |
| Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Privacy protection for information and data | Data and Information Management | |
| Collect Individually Identifiable Health Information for research. CC ID 00054 | Privacy protection for information and data | Data and Information Management | |
| Remove personal data before disclosing health data. CC ID 00055 | Privacy protection for information and data | Data and Information Management | |
| Give special attention to collecting children's data. CC ID 00038 | Privacy protection for information and data | Data and Information Management | |
| Use simple understandable language to collect information from children. CC ID 00039 | Privacy protection for information and data | Behavior | |
| Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Privacy protection for information and data | Data and Information Management | |
| Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Collect personal data directly from the data subject. CC ID 00011 | Privacy protection for information and data | Data and Information Management | |
| Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Privacy protection for information and data | Data and Information Management | |
| Provide unlinkability for users and resources. CC ID 04550 | Privacy protection for information and data | Data and Information Management | |
| Provide unobservability of users and resources. CC ID 04551 | Privacy protection for information and data | Technical Security | |
| Collect restricted data in a fair and lawful manner. CC ID 00010 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent in order to make a disclosure. CC ID 13550 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent for handling insurance claims. CC ID 13543 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent from publicly available information. CC ID 00019 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent when needed by law. CC ID 00020 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent to create a credit report. CC ID 15287 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Privacy protection for information and data | Data and Information Management | |
| Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Privacy protection for information and data | Data and Information Management | |
| Collect the minimum amount of restricted data necessary. CC ID 00078 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data in a proper information framework. CC ID 00009 | Privacy protection for information and data | Data and Information Management | |
| Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data when required by law. CC ID 00031 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data to prevent life-threatening emergencies. CC ID 00032 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Privacy protection for information and data | Data and Information Management | |
| Collect restricted data for legal purposes. CC ID 00036 | Privacy protection for information and data | Data and Information Management | |
| Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Privacy protection for information and data | Communicate | |
| Provide the data subject with the data collector's name and contact information. CC ID 00024 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Data and Information Management | |
| Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Technical Security | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Data and Information Management | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Configuration | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Configuration | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Configuration | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Technical Security | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Data and Information Management | |
| Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Log Management | |
| Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Log Management | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Technical Security | |
| Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Technical Security | |
| Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Testing | |
| Limit data leakage. CC ID 00356 [Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information. § 8.12 Control] | Privacy protection for information and data | Data and Information Management | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Business Processes | |
| Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Acquisition/Sale of Assets or Services | |
| Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Process or Activity | |
| Include text about data ownership in the data handling policy. CC ID 15720 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain call metadata controls. CC ID 04790 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 [Data masking should be used in accordance with the organization's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration. § 8.11 Control] | Privacy protection for information and data | Data and Information Management | |
| Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Data and Information Management | |
| Store de-identifying code and re-identifying code separately. CC ID 16535 | Privacy protection for information and data | Data and Information Management | |
| Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Data and Information Management | |
| Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain data handling procedures. CC ID 11756 [Rules for the acceptable use and procedures for handling information and other associated assets should be identified, documented and implemented. § 5.10 Control] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Data and Information Management | |
| Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Data and Information Management | |
| Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Business Processes | |
| Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain a personal data transfer program. CC ID 00307 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain consent from an individual prior to transferring personal data. CC ID 06948 | Privacy protection for information and data | Data and Information Management | |
| Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 | Privacy protection for information and data | Business Processes | |
| Notify data subjects when their personal data is transferred. CC ID 00352 | Privacy protection for information and data | Behavior | |
| Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 | Privacy protection for information and data | Communicate | |
| Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 | Privacy protection for information and data | Data and Information Management | |
| Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 | Privacy protection for information and data | Data and Information Management | |
| Prohibit the transfer of personal data when security is inadequate. CC ID 00345 | Privacy protection for information and data | Data and Information Management | |
| Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 | Privacy protection for information and data | Data and Information Management | |
| Refrain from transferring past the first transfer. CC ID 00347 | Privacy protection for information and data | Data and Information Management | |
| Document transfer disagreements by the data subject in writing. CC ID 00348 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow the data subject the right to object to the personal data transfer. CC ID 00349 | Privacy protection for information and data | Data and Information Management | |
| Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 | Privacy protection for information and data | Records Management | |
| Follow the instructions of the data transferrer. CC ID 00334 | Privacy protection for information and data | Behavior | |
| Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 | Privacy protection for information and data | Data and Information Management | |
| Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Privacy protection for information and data | Data and Information Management | |
| Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 | Privacy protection for information and data | Data and Information Management | |
| Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Privacy protection for information and data | Data and Information Management | |
| Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Privacy protection for information and data | Data and Information Management | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Privacy protection for information and data | Data and Information Management | |
| Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 | Privacy protection for information and data | Data and Information Management | |
| Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Privacy protection for information and data | Data and Information Management | |
| Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Privacy protection for information and data | Data and Information Management | |
| Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 | Privacy protection for information and data | Business Processes | |
| Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 | Privacy protection for information and data | Data and Information Management | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 | Privacy protection for information and data | Data and Information Management | |
| Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 | Privacy protection for information and data | Communicate | |
| Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 | Privacy protection for information and data | Data and Information Management | |
| Obtain consent prior to downloading software to an individual's computer. CC ID 06951 | Privacy protection for information and data | Data and Information Management | |
| Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 | Privacy protection for information and data | Process or Activity | |
| Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 | Privacy protection for information and data | Process or Activity | |
| Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 | Privacy protection for information and data | Process or Activity | |
| Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a privacy impact assessment. CC ID 13712 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include how to grant consent in the privacy impact assessment. CC ID 15519 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data handling procedures in the privacy impact assessment. CC ID 15516 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the intended use of information in the privacy impact assessment. CC ID 15515 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the reason information is being collected in the privacy impact assessment. CC ID 15514 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the type of information to be collected in the privacy impact assessment. CC ID 15513 | Privacy protection for information and data | Business Processes | |
| Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Privacy protection for information and data | Communicate | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Data and Information Management | |
| Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 | Privacy protection for information and data | Behavior | |
| Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 | Privacy protection for information and data | Business Processes | |
| Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include potential remedies in the privacy dispute resolution program. CC ID 12531 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document unresolved challenges. CC ID 13568 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify individuals of their right to challenge personal data. CC ID 00457 | Privacy protection for information and data | Data and Information Management | |
| Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 | Privacy protection for information and data | Data and Information Management | |
| Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 | Privacy protection for information and data | Configuration | |
| Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Privacy protection for information and data | Human Resources Management | |
| Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Privacy protection for information and data | Data and Information Management | |
| Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 | Privacy protection for information and data | Communicate | |
| Investigate the disputed accuracy of personal data. CC ID 00461 | Privacy protection for information and data | Data and Information Management | |
| Notify third parties of unresolved challenges. CC ID 13559 | Privacy protection for information and data | Communicate | |
| Document disagreements as to whether personal data is complete and accurate. CC ID 06952 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the allegations against the organization in the notice of investigation. CC ID 13031 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 | Privacy protection for information and data | Behavior | |
| Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 | Privacy protection for information and data | Behavior | |
| Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 | Privacy protection for information and data | Behavior | |
| Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 | Privacy protection for information and data | Behavior | |
| Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 | Privacy protection for information and data | Behavior | |
| Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 | Privacy protection for information and data | Behavior | |
| Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Privacy protection for information and data | Behavior | |
| Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 | Privacy protection for information and data | Behavior | |
| Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 | Privacy protection for information and data | Behavior | |
| Define the organization's liability based on the applicable law. CC ID 00504 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the appeal process based on the applicable law. CC ID 00506 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the fee structure for the appeal process. CC ID 16532 | Privacy protection for information and data | Process or Activity | |
| Define the time requirements for the appeal process. CC ID 16531 | Privacy protection for information and data | Process or Activity | |
| Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Privacy protection for information and data | Communicate | |
| Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Privacy protection for information and data | Communicate | |
| Provide notice of proposed penalties. CC ID 06216 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify the public and other agencies after a penalty becomes final. CC ID 06217 | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 [Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. § 5.14 Control] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include change control clauses in third party contracts, as necessary. CC ID 06523 [The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. § 5.22 Control] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include change control notification processes in third party contracts. CC ID 06524 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 | Third Party and supply chain oversight | Process or Activity | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Business Processes | |
| Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 [Relevant information security requirements should be established and agreed with each supplier based on the type of supplier relationship. § 5.20 Control] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Review the supply chain's service delivery on a regular basis. CC ID 12010 [The organization should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. § 5.22 Control] | Third Party and supply chain oversight | Business Processes | |