Implement and comply with the Governance, Risk, and Compliance framework.


CONTROL ID
00818
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Governance, Risk, and Compliance framework., CC ID: 01406

This Control has the following implementation support Control(s):
  • Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach., CC ID: 12821
  • Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach., CC ID: 12819
  • Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach., CC ID: 12818
  • Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach., CC ID: 12817
  • Analyze the Governance, Risk, and Compliance approach., CC ID: 12816
  • Analyze the organizational culture., CC ID: 12899
  • Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework., CC ID: 11747
  • Comply with all implemented policies in the organization's compliance framework., CC ID: 06384
  • Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive., CC ID: 12788
  • Review systems for compliance with organizational information security policies., CC ID: 12004
  • Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties., CC ID: 00815


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The hardware and software systems and procedures of an Authentication Service provider shall adhere to the generally accepted security procedures. (§ 30(3)(d), The Electronic Communications and Transactions Act, 2002)
  • If the online financial services offered by an AI involve activities regulated by the Securities and Futures Commission (SFC) (such as allowing AIs' customers to make use of their online platforms for investment in money market funds), AIs should have regard to the relevant regulatory requirements (… (§ 6.4.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • Achieving a consistent standard of sound practices for IT controls across an AI requires clear direction and commitment from the Board and senior management. In this connection, senior management, who may be assisted by a delegated sub-committee, is responsible for developing a set of IT control pol… (2.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • These guidelines provide help for organizations to protect the personal data they handle. When organizations operate in more than one sector, they should consult all relevant industry guidelines and develop a compliance program that takes into account all of the applicable guidelines. Organizations … (Art 1, Japan Handbook Concerning Protection Of Personal Data, February 1998)
  • Company-level internal control design should be understood, recorded, and maintained and be based on the existing internal control rules and practices and complying with these rules and practices. A record must be made for any implicit, unwritten rules that are in force. (Practice Standard § I.5(2)[2], On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder. (§ 8.(4), Digital Personal Data Protection Act, 2023, August 11, 2023)
  • Compliance processes should be implemented to verify that IT security standards and procedures are enforced. Follow-up processes should be implemented so that compliance deviations are addressed and remedied on a timely basis. (§ 3.2.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Compliance processes should be implemented to verify that policies, standards and procedures are adhered to. These include follow-up processes for non-compliance. (§ 3.2.3, Technology Risk Management Guidelines, January 2021)
  • When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with. (Security Control: 0627; Revision: 5, Australian Government Information Security Manual, March 2021)
  • The organization must comply with the additional controls or alternative controls that are stated in device-specific and scenario-specific guidance. (Control: 0008, Australian Government Information Security Manual: Controls)
  • The organization must comply with the additional requirements in Australian Communications - Electronic Security Instruction 129 and Australian Communications - Electronic Security Instruction 131, if it intends to use the fax machines and Multi-Function Devices to send classified information. (Control: 0242, Australian Government Information Security Manual: Controls)
  • The organization must comply with any additional product specific directions that the manufacturer and the Certification Authority provides for the degausser. (Control: 0362, Australian Government Information Security Manual: Controls)
  • The organization must comply with the current standard from the Australian Government Information Management Office for applying protective markings to e-mails. (Control: 0270, Australian Government Information Security Manual: Controls)
  • The organization that connects a typical gateway and a Cross Domain Solution to a common network must consult with the Defence Signals Directorate on the security impact and comply with all directions. (Control: 0627, Australian Government Information Security Manual: Controls)
  • The organization should have a control environment that enforces compliance instead of assuming that the staff knows the Information Technology policies and procedures. (¶ 26(g), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should require all users to comply with the information technology security policies. (¶ 36, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • An APRA-regulated entity could consider implementing processes that ensure compliance with its information security policy framework and regulatory requirements. This could include an exemption policy defining registration, authorisation and duration requirements. Exemptions are typically administer… (23., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • A regulated institution would normally have clear accountability and communication strategies to limit the impact of IT security incidents. This would typically include defined mechanisms for escalation and reporting to the Board and senior management and customer communication where appropriate (re… (¶ 72, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • If the Product Disclosure Statement states that people have a right to obtain a copy of the document, the organization must provide the copy to whomever asks, free of charge. (Sched 7 ¶ 8, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004)
  • an ICT security policy that takes into consideration and, where appropriate, adheres to internationally recognised ICT security standards and security principles (e.g. the 'principle of least privilege' i.e. limiting access to the minimal level that will allow normal functioning for access right man… (Title 3 3.3.4(b) 55.b, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • In accordance with Article 109 (2) of Directive 2013/36/EU, these guidelines should also apply on a sub-consolidated and consolidated basis, taking into account the prudential scope of consolidation. For this purpose, the EU parent undertakings or the parent undertaking in a Member State should ensur… (4.2 21, Final Report on EBA Guidelines on outsourcing arrangements)
  • compliance with international standards. (Art. 16.1(e), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • IT operations shall fulfil the requirements resulting from the implementation of the business strategy as well as from the IT-supported business processes (see AT 7.2 numbers 1 and 2 of MaRisk). (II.7.45, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Firms should avoid becoming 'empty shells' that are incapable of meeting the Threshold Conditions. The following Threshold Conditions are particularly relevant: (§ 4.6, SS2/21 Outsourcing and third party risk management, March 2021)
  • The organization must comply with HMG IA Standard No. 4, Communications Security and Cryptography (Parts 1-3), for protecting protectively marked material. (Mandatory Requirement 40, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must implement plans that foster a culture of proportionate protective security. (Mandatory Requirement 9.e, HMG Security Policy Framework, Version 6.0 May 2011)
  • If an agreement is not in place, the organization must protect foreign classified information to the same standard as equivalent United Kingdom information. (Security Policy No. 1 p15, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must follow procedures for managing risk from eavesdropping and electromagnetic emanations. (Mandatory Requirement 41, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must implement the requirements for the protective marking system and the controls and technical measures contained in this framework. (Mandatory Requirement 11, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must use HMG IA Standard No. 2 to accredit systems that process protectively marked data. The organization must review the accreditation status at least annually. (Mandatory Requirement 36, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must implement the minimum standards and procedures for handling and protecting personal data in accordance with HMG IA Standard No. 6. (Mandatory Requirement 14, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must comply with the data protection principles of the Data Protection Act. (Security Policy No. 4 ¶ 6, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization should implement a lockdown policy. This policy should restrict unnecessary services and ensure users do not have more privileges than are required. (Mandatory Requirement 39.e, HMG Security Policy Framework, Version 6.0 May 2011)
  • The counter-terrorist protective security policy must include controls and assurance from management that appropriate measures and plans have been implemented. (Mandatory Requirement 66.c, HMG Security Policy Framework, Version 6.0 May 2011)
  • (§ 4.3.1, § 4.3.2, OGC ITIL: Security Management)
  • Having an effective governance framework will ensure that procedure, personnel, physical and technical controls continue to work through the lifetime of a service. It should also respond to changes in the service, technological developments and the appearance of new threats. (4. ¶ 2, Cloud Security Guidance, 1.0)
  • An effective governance framework will ensure that procedural, personnel, physical and technical controls continue to work through the lifetime of a service. It should also respond to changes in the service, technological developments, and the appearance of new threats. (4. ¶ 2, Cloud Security Guidance, 2)
  • The organization should have implemented processes to ensure it complies with all internal policies, procedures, and controls. (¶ 163, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework)
  • The organization should implement the Risk Management plan. (Supplement on Tin, Tantalum, and Tungsten Step 3: C, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should implement the Risk Management plan. (Supplement on Gold Step 3: § I.D, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Downstream companies should implement the Risk Management plan. (Supplement on Gold Step 3: § II.D, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Does the organization use a digital forensic policy? (Table Row XII.24, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Is there an institution-wide wireless policy? (Table Row XIII.1, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The organization should ensure all client devices, including laptops, PCs, and PEDs, are in compliance with all security policies, configuration policies, and the operating system benchmark. (§ 2.2 (2.2.190), The Center for Internet Security Wireless Networking Benchmark, 1)
  • Define, establish and align the IT governance framework with the overall enterprise governance and control environment. Base the framework on a suitable IT process and control model and provide for unambiguous accountability and practices to avoid a breakdown in internal control and oversight. Confi… (ME4.1 Establishment of an IT Governance Framework, CobiT, Version 4.1)
  • Define an IT process framework to execute the IT strategic plan. This framework should include an IT process structure and relationships (e.g., to manage process gaps and overlaps), ownership, maturity, performance measurement, improvement, compliance, quality targets and plans to achieve them. It s… (PO4.1 IT Process Framework, CobiT, Version 4.1)
  • Establish an organizing structure for identifying, creating, approving, enforcing, and updating policies and related procedures (OCEG GRC Capability Model, v. 3.0, P2.2 Establish Policy Structure, OCEG GRC Capability Model, v 3.0)
  • Implement, communicate, manage, enforce, and audit policies, related procedures and standards to ensure that they operate as intended and continue to be relevant. (OCEG GRC Capability Model, v. 3.0, P2.4 Implement and Manage Policies, OCEG GRC Capability Model, v 3.0)
  • Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties. (10.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. (8.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. (6.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. (7.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. (5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. (3.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. (4.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. (9.10, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties. (10.9, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. (8.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. (9.10, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. (6.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. (7.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable. (6.4.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. (5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. (4.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. (3.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. (4.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. (5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. (6.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. (3.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. (7.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. (8.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. (9.10, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable. (6.4.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties. (10.9, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are security policies and operational procedures for encrypting transmissions of cardholder data: - Documented - In use - Known to all affected parties? (4.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are security policies and operational procedures for protecting systems against malware: - Documented - In use - Known to all affected parties? (5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Upon completion of a significant change, are all relevant PCI DSS requirements implemented on all new or changed systems and networks, and documentation updated as applicable? (6.4.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are security policies and operational procedures for developing and maintaining secure systems and applications: - Documented - In use - Known to all affected parties? (6.7, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are security policies and operational procedures for identification and authentication: - Documented - In use - Known to all affected parties? (8.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Upon completion of a significant change, are all relevant PCI DSS requirements implemented on all new or changed systems and networks, and documentation updated as applicable? (6.4.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are security policies and operational procedures for identification and authentication: - Documented - In use - Known to all affected parties? (8.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are security policies and operational procedures for managing firewalls: - Documented - In use - Known to all affected parties? (1.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are security policies and operational procedures for protecting stored cardholder data: - Documented - In use - Known to all affected parties? (3.7, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are security policies and operational procedures for encrypting transmissions of cardholder data: - Documented - In use - Known to all affected parties? (4.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are security policies and operational procedures for protecting systems against malware: - Documented - In use - Known to all affected parties? (5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are security policies and operational procedures for identification and authentication: - Documented - In use - Known to all affected parties? (8.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are security policies and operational procedures for restricting access to cardholder data: - Documented - In use - Known to all affected parties? (7.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are security policies and operational procedures for developing and maintaining secure systems and applications: - Documented - In use - Known to all affected parties? (6.7, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are security policies and operational procedures for restricting physical access to cardholder data: - Documented - In use - Known to all affected parties? (9.10, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are security policies and operational procedures for monitoring all access to network resources and cardholder data: - Documented - In use - Known to all affected parties? (10.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are security policies and operational procedures for protecting stored cardholder data: - Documented - In use - Known to all affected parties? (3.7, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are security policies and operational procedures for encrypting transmissions of cardholder data: - Documented - In use - Known to all affected parties? (4.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are security policies and operational procedures for protecting systems against malware: - Documented - In use - Known to all affected parties? (5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are security policies and operational procedures for developing and maintaining secure systems and applications: - Documented - In use - Known to all affected parties? (6.7, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are security policies and operational procedures for restricting access to cardholder data: - Documented - In use - Known to all affected parties? (7.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are security policies and operational procedures for identification and authentication: - Documented - In use - Known to all affected parties? (8.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are security policies and operational procedures for restricting physical access to cardholder data: - Documented - In use - Known to all affected parties? (9.10, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are security policies and operational procedures for monitoring all access to network resources and cardholder data: - Documented - In use - Known to all affected parties? (10.9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Upon completion of a significant change, are all relevant PCI DSS requirements implemented on all new or changed systems and networks, and documentation updated as applicable? (6.4.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are security policies and operational procedures for managing firewalls: - Documented - In use - Known to all affected parties? (1.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are security policies and operational procedures for protecting stored cardholder data: - Documented - In use - Known to all affected parties? (3.7, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are security policies and operational procedures for encrypting transmissions of cardholder data: - Documented - In use - Known to all affected parties? (4.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are security policies and operational procedures for protecting systems against malware: - Documented - In use - Known to all affected parties? (5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are security policies and operational procedures for restricting access to cardholder data: - Documented - In use - Known to all affected parties? (7.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are security policies and operational procedures for developing and maintaining secure systems and applications: - Documented - In use - Known to all affected parties? (6.7, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are security policies and operational procedures for identification and authentication: - Documented - In use - Known to all affected parties? (8.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are security policies and operational procedures for restricting physical access to cardholder data: - Documented - In use - Known to all affected parties? (9.10, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are security policies and operational procedures for monitoring all access to network resources and cardholder data: - Documented - In use - Known to all affected parties? (10.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are security policies and operational procedures for protecting stored cardholder data: - Documented - In use - Known to all affected parties? (3.7, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are security policies and operational procedures for encrypting transmissions of cardholder data: - Documented - In use - Known to all affected parties? (4.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are security policies and operational procedures for protecting systems against malware: - Documented - In use - Known to all affected parties? (5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are security policies and operational procedures for developing and maintaining secure systems and applications: - Documented - In use - Known to all affected parties? (6.7, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are security policies and operational procedures for restricting access to cardholder data: - Documented - In use - Known to all affected parties? (7.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are security policies and operational procedures for identification and authentication: - Documented - In use - Known to all affected parties? (8.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are security policies and operational procedures for restricting physical access to cardholder data: - Documented - In use - Known to all affected parties? (9.10, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are security policies and operational procedures for monitoring all access to network resources and cardholder data: - Documented - In use - Known to all affected parties? (10.9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Upon completion of a significant change, are all relevant PCI DSS requirements implemented on all new or changed systems and networks, and documentation updated as applicable? (6.4.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are security policies and operational procedures for protecting stored cardholder data: - Documented - In use - Known to all affected parties? (3.7, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Are security policies and operational procedures for restricting physical access to cardholder data: - Documented - In use - Known to all affected parties? (9.10, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Are security policies and operational procedures for protecting stored cardholder data: - Documented - In use - Known to all affected parties? (3.7, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.2)
  • Are security policies and operational procedures for restricting physical access to cardholder data: - Documented - In use - Known to all affected parties? (9.10, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.2)
  • For a sample of significant changes, examine change records, interview personnel, and observe the affected systems/networks to verify that applicable PCI DSS requirements were implemented and documentation updated as part of the change. (6.4.6, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine documentation and interview personnel to verify that security policies and operational procedures for protecting stored cardholder data are: - Documented, - In use, and - Known to all affected parties. (3.7, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine documentation and interview personnel to verify that security policies and operational procedures for encrypting transmissions of cardholder data are: - Documented, - In use, and - Known to all affected parties. (4.3, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine documentation and interview personnel to verify that security policies and operational procedures for protecting systems against malware are: - Documented, - In use, and - Known to all affected parties. (5.4, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine documentation and interview personnel to verify that security policies and operational procedures for developing and maintaining secure systems and applications are: - Documented, - In use, and - Known to all affected parties. (6.7, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine documentation and interview personnel to verify that security policies and operational procedures for restricting access to cardholder data are: - Documented, - In use, and - Known to all affected parties. (7.3, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine documentation and interview personnel to verify that security policies and operational procedures for identification and authentication are: - Documented, - In use, and - Known to all affected parties. (8.8, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine documentation and interview personnel to verify that security policies and operational procedures for restricting physical access to cardholder data are: - Documented, - In use, and - Known to all affected parties. (9.10, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine documentation and interview personnel to verify that security policies and operational procedures for monitoring all access to network resources and cardholder data are: - Documented, - In use, and - Known to all affected parties. (10.9, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • An implementation guide should be developed, maintained, and disseminated to resellers, customers, and integrators addressing all the requirements in this document. The guide should be reviewed annually and updated when changes are made to the software or the requirements. (§ 14.1.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Processes for the continuous validation of PCI DSS requirements (for example, daily, weekly, every three months, as applicable per the requirement). (A3.1.2 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • An information governance program shall be constructed to comply with applicable laws, other binding authorities, and the organization's policies. (Principle of Compliance:, Generally Accepted Recordkeeping Principles®, For the Web)
  • The organization should maintain operational efficiency and implement appropriate processes to ensure it is in compliance with different national and local laws, regulations, and mandates. (§ 4.1.3, IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • The organizational policy statement must, within the scope of the organizational resilience management system, ensure it includes a requirement to comply with legal requirements and other requirements applicable to the organization. (§ 4.2.1(f), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The organization should ensure that a compliance program is implemented and is effective and functioning correctly. The organization's policies and procedures should ensure that all movements and changes in asset controls are defined. The movement or control of assets should be authorized and record… (Pg 1-I-A2, Pg 11-III-3, Revised Volume 2 Pg 1-I-66, Revised Volume 1 Pg 8-III-5, Protection of Assets Manual, ASIS International)
  • The high-level working group, committee, or equivalent body should ensure the ongoing effectiveness of Information Security arrangements by approving new Information Security procedures. (SG.01.02.07c-3, The Standard of Good Practice for Information Security)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery and support of the organization's IT capabilities supporting business functions, workforce… (BCR-11, Cloud Controls Matrix, v3.0)
  • An organization should include ICT security as a component of all planning, implementation and operational activities. Protection should continue throughout the life cycle of information and ICT systems, from planning to acquisition, testing and operation. An organizational structure should support … (§ 5.2.2, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • Security Compliance Checking. Security compliance checking is the review and analysis of the implemented safeguards. It is used to check whether IT systems or services conform to the security requirements documented in the IT system security policy and IT system security plan. Security compliance ch… (¶ 11.2, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • Security Compliance Checking. An organization should implement safeguards which assure that compliance is maintained with all required safeguards, and relevant laws, regulations and policies, since any safeguard, regulation or policy can only be working as long as users comply, and systems conform, … (¶ 8.1.2(1), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • A security objective should exist and should demonstrate that the objectives eradicate the security problem. The security objective statement should define the product's security objectives, the identified threats that will be countered, and the security policies that will be met. (§ 9.4, § 10.4, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • The security objectives statement should be clearly identified and described; state whether it applies to the product, environment, or both; link to at least one identified threat and/or security policy; counter the linked threat by either eliminating it, reducing it to an acceptable level, or mitig… (§ 8.3.4, § 9.3.4, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • Controls should be put in place to manage the identified compliance obligations and associated compliance risk and to achieve desired behaviour. (§ 8.2 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Managers should ensure they comply with all information security policies and standards. They should regularly review the policy and ensure compliance. If any of the standards are noncompliant, they should be corrected. (§ 15.2.1, ISO 27002 Code of practice for information security management, 2005)
  • The organization should implement the risk management framework by: - developing an appropriate plan including time and resources; - identifying where, when and how different types of decisions are made across the organization, and by whom; - modifying the applicable decision-making processes wher… (§ 5.5 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • Top management is accountable for managing risk while oversight bodies are accountable for overseeing risk management. Oversight bodies are often expected or required to: - ensure that risks are adequately considered when setting the organization's objectives; - understand the risks facing the organ… (§ 5.2 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • Top management and oversight bodies, where applicable, should ensure that risk management is integrated into all organizational activities and should demonstrate leadership and commitment by: - customizing and implementing all components of the framework; - issuing a statement or policy that establi… (§ 5.2 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • Table 1 describes the structure of the governance principles and lists the principles associated with each category. All principles should be applied, and applied concurrently. (§ 5 ¶ 3, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Governing bodies should ensure that they realize the described governance outcomes through intentionally implementing the practices. (§ 5 ¶ 6, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The organization shall implement controls to manage its compliance obligations and associated compliance risks. These controls shall be maintained, periodically reviewed and tested to ensure their continuing effectiveness. (§ 8.2 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • implementing control of the processes in accordance with the criteria; (§ 8.1.1 ¶ 1 b), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • be appropriately implemented and enforced. (§ 5.2 ¶ 2 g), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall implement controls to manage its compliance obligations and associated compliance risks. These controls shall be maintained, periodically reviewed and tested to ensure their continuing effectiveness. (§ 8.2 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • implementing control of the processes in accordance with the established performance criteria; (§ 8.1 ¶ 1(b), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • verifying compliance with this Act; (Section 15(3)(a), An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act)
  • The organization should confirm its compliance with applicable policies and regulations annually. (§ G1, Canadian Marketing Association Code of Ethics and Standards of Practice)
  • Aligning individual behavior with culture is critical. The most powerful influence comes from management who creates and sustains the organizational agenda. Explicitly, the organization develops policies, rules, and standards of conduct. Implicitly, the organization should lead by example to reflect… (Embracing a Risk-Aware Culture ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Enforcing accountability for all actions: Management documents policies of accountability and adheres to them, demonstrating to personnel that lack of accountability is not tolerated and that practicing accountability is appropriately rewarded. (Embracing a Risk-Aware Culture ¶ 1 Bullet 3, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Due care principle. A member should observe the profession's technical and ethical standards, strive continually to improve competence and the quality of services, and discharge professional responsibility to the best of the member's ability. (0.300.060.01, AICPA Code of Professional Conduct, August 31, 2016)
  • The organization should communicate to all internal personnel who have access to personal information, information about the organization's privacy policies and the consequences of not complying with the policies. (ID 1.1.1, AICPA/CICA Privacy Framework)
  • The organization should have procedures for escalating unresolved disputes and complaints to management for review. (Table Ref 10.2.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • can comply with legal and relevant ethical requirements; and (¶ 2.31(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • this section; (AT-C Section 105.12 Bullet 1, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • sections 205, 210, or 215, as applicable; and (AT-C Section 105.12 Bullet 2, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The engagement being planned and performed (including appropriate direction and supervision) to comply with professional standards and applicable legal and regulatory requirements (AT-C Section 105.33 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • the nature, timing, and extent of the procedures performed to comply with relevant AT-C sections and applicable legal and regulatory requirements, including (AT-C Section 210.62 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The program must comply with all applicable policies, directives, legislation and regulatory requirements. The organization also should consider guidelines and industry codes of practices. A strategy for dealing with the revision needs of directives, policies, industry codes of practice, legislation… (§ 5.2, Annex A.5.2.1, Annex A.5.2.2, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • Does the information security function provide for consistent implementation of Information Security across different parts of the organization? (§ C.1.5, Shared Assessments Standardized Information Gathering Questionnaire - C. Organizational Security, 7.0)
  • Do the Windows systems that transmit scoped data use standard builds and comply with security compliance checks? (§ G.17.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do the Windows systems used for processing scoped data use standard builds and comply with security compliance checks? (§ G.17.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Do the Windows systems that store scoped data use standard builds and comply with security compliance checks? (§ G.17.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • A Medicare Advantage (MA) organization must establish a formal way to consult with physicians who provide services under the MA plan on the organization's medical policy, quality improvement programs and medical management procedures and must ensure that decisions about utilization management, cover… (§ 422.202(b)(3), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • § 205.12(a) Relation to Truth in Lending. All issued credit cards should be solicited and are governed by The Electronic Fund Transfer Act and The Truth in Lending Act and Regulation Z (12 CFR part 226). § 205.12(b) Preemption of inconsistent state laws. State laws should be consistent with this a… (§ 205.12(a)-(c), 12 CFR Part 205, Electronic Fund Transfers (Regulation E))
  • If an operator complies with self-regulatory guidelines issued by the marketing or online industries or by other Federal Trade Commission-approved representatives, the operator will be in compliance with the requirements of this part. (§ 312.10(a), 16 CFR Part 312, Children's Online Privacy Protection Rule)
  • The Director of the Office of Management and Budget must oversee agency information security policies and practices, including overseeing compliance with the requirements of Title 44, Chapter 35, Subchapter III. Each agency head must comply with these requirements and related policies, procedures, g… (§ 3543(a)(4), § 3544(a)(1)(B), § 3547(2), § 3547(3), Federal Information Security Management Act of 2002, Deprecated)
  • the requirements of this subchapter; (§ 3554(b)(2)(D)(i), Federal Information Security Modernization Act of 2014)
  • operational directives developed by the Secretary under section 3553(b); (§ 3554(a)(1)(B)(ii), Federal Information Security Modernization Act of 2014)
  • implements information security policies and practices as required by standards and guidelines for national security systems, issued in accordance with law and as directed by the President; and (§ 3557 ¶ 1(2), Federal Information Security Modernization Act of 2014)
  • Healthcare providers shall ensure compliance with regards to securing the health information by the officers and employees who manage or access that information. (§ 1173(d)(2)(C), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress, Deprecated)
  • Notwithstanding other provisions of Title II, Section 201 does not apply to (1) services or products offered by data brokers involved in interstate commerce when the service or product is subject to and in compliance with any access and accuracy protections that are similar to the protections under … (§ 201(b), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • Individuals who willfully violate this act, violate the rules of the Securities and Exchange Commission, or make untrue statements on the organization's registration form, upon conviction, may be fined not more than $10,000, imprisoned not more than 5 years, or both. (§ 78x, Securities Act of 1933)
  • The security manager must comply with the policies in the identification credentials section of this Security Technical Implementation Guide and applicable Department of Defense policies about identity cards, when using locally issued badges. (§ 3.5.4 ¶ AC35.053, DISA Access Control STIG, Version 2, Release 3)
  • § 2.2 (WIR2250) All required wireless e-mail server and device configuration should be implemented. App B.3 Row "Enable Compliance Enforcement", located under System Management/Compliance Settings, should have the check mark option chosen. App B.3 Row "Allow Only Registered User Device Sync", loc… (§ 2.2 (WIR2250), App B.3 Row "Enable Compliance Enforcement", App B.3 Row "Allow Only Registered User Device Sync", App B.3 Row "Compliance Duration", DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4)
  • § 1.6.1 (MED0001: CAT II) Medical devices will conform to Information Assurance Vulnerability Management compliancy requirements. § 6.2 (MED0810: CAT I) The Information Assurance Officer, for the processing of Department of Defense information, for all wireless systems; including peripheral device… (§ 1.6.1 (MED0001: CAT II), § 6.2 (MED0810: CAT I), Medical Devices Security Technical Implementation Guide, Version 1, Release 1)
  • The Recourse, Enforcement and Liability Principle sets out the requirements for Privacy Shield enforcement. How to meet the requirements of point (a)(ii) of the Principle is set out in the Supplemental Principle on Verification. This Supplemental Principle addresses points (a)(i) and (a)(iii), both … (§ III.11.a., EU-U.S. Privacy Shield Framework Principles)
  • Airline passenger reservation and other travel information, such as frequent flyer or hotel reservation information and special handling needs, such as meals to meet religious requirements or physical assistance, may be transferred to organizations located outside the EU in several different circums… (§ III.13.a., EU-U.S. Privacy Shield Framework Principles)
  • Organizations are obligated to arbitrate claims and follow the terms as set forth in Annex I, provided that an individual has invoked binding arbitration by delivering notice to the organization at issue and following the procedures and subject to conditions set forth in Annex I. (§ II.7.c., EU-U.S. Privacy Shield Framework Principles)
  • The organization may satisfy the requirements for points (a) and (c) of the enforcement principle by complying with developed privacy programs that incorporate the safe harbor principles and include effective enforcement mechanisms. (FAQ-Dispute Resolution and Enforcement ¶ 1(1), US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • The organization may satisfy the requirements for points (a) and (c) of the enforcement principle by complying with regulatory supervisory authorities or legal supervisory authorities that handle dispute resolution or individual complaints. (FAQ-Dispute Resolution and Enforcement ¶ 1(2), US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at osd.dibcsia@mail.mil, within 30 days of contract award, of… (§ 252.204-7012(b)(2)(ii)(A), 252.204-7012, SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (DEC 2019))
  • All users must comply with the organization's security program requirements. (§ 8-105, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Reasonable and appropriate policies and procedures shall be implemented in order to comply with the standards, implementation specifications, or other requirements. This standard does not permit or excuse actions that violate other standards, implementation specifications, or other requirements. The… (§ 164.316(a), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • A covered entity that performs multiple covered functions must comply with the standards, requirements, and implementation specifications as applicable to the health plan, health care provider, or health care clearinghouse functions that are being performed. (§ 164.504(g)(1), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Whenever there are changes in the law, the policies and procedures must be changed to comply with the changes in law. (§ 164.530(i)(2)(i), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • The criminal justice information services systems officer shall ensure the agency complies with the approved criminal justice information services advisory policy board policies that have been adopted by the federal bureau of investigation. (§ 3.2.2(2)(b), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The IT function at a financial institution is influenced by several other functions, which should include the following: - The human resources function should hire and maintain competent and motivated IT staff. - The IT audit function should validate appropriate controls to mitigate IT risk. - The c… (I.B.7 Other Functions, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Implements effective IT governance and IT risk management processes, including those that relate to cybersecurity. (App A Objective 2:8 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Financial institution management should implement effective control and risk transfer practices as part of its overall IT risk mitigation strategy. These practices should include the following: - Establishing, implementing, and enforcing IT policies, standards, and procedures. - Documenting policies… (III.C Risk Mitigation, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether audit procedures for information security adequately consider compliance with the "Interagency Guidelines Establishing Standards for Safeguarding Customer Information," as mandated by Section 501(b) of the Gramm-Leach-Bliley Act of 1999. Consider evaluating whether management has: (TIER II OBJECTIVES AND PROCEDURES D.2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Compliance with NACHA, local clearinghouse, and FRB rules and regulations. (TIER II OBJECTIVES AND PROCEDURES E.3. Bullet 7, FFIEC IT Examination Handbook - Audit, April 2012)
  • All EFT activity conforms to applicable provisions of Regulation E. (TIER II OBJECTIVES AND PROCEDURES E.2. Bullet 10, FFIEC IT Examination Handbook - Audit, April 2012)
  • Exam Tier II Obj D.1 Determine whether audit procedures for information security adequately consider the risks in information security and e-banking. Evaluate whether ▪ A written and adequate data security policy is in effect covering all major operating systems, databases, and applications; ▪ E… (Exam Tier II Obj D.1, Exam Tier II Obj E.3, FFIEC IT Examination Handbook - Audit, August 2003)
  • The organization should have a program to ensure it adheres to all laws, regulations, policies, procedures, and standards. The organization should conduct self-assessments on a periodic basis. (Pg 27, Pg 35, FFIEC IT Examination Handbook - Management)
  • Determine the adequacy of Internet and telephone ACH transaction processing procedures and determine whether there are appropriate authentication controls and procedures to ensure the proper identities of parties invoking ACH transactions. (Exam Tier II Obj 10.8, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The organization should have policies and procedures documenting the specific compliance requirements needed to meet Federal and State regulations. (Pg 32, Exam Tier II Obj 1.3, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Do the firewall rules conform with organizational policy? (IT - Firewalls Q 22, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Enforce policies and procedures as a matter of ongoing operations. (§ 4.14.6 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Continue to be executed; and (PM-14a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Continue to be executed; and (PM-14a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Continue to be executed; and (PM-14a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • The CSP SHALL give special consideration to the legal restrictions of interacting with minors unable to meet the evidence requirements of identity proofing to ensure compliance with the Children's Online Privacy Protection Act of 1998 (COPPA) [COPPA], and other laws, as applicable. (5.3.4.1 1, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • Minors under age 13 require additional special considerations under COPPA [COPPA], and other laws, to which the CSP SHALL ensure compliance, as applicable. (5.3.4.1 2, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • RPs MAY establish whitelists of IdPs that the RP will accept authentication and attributes from without a runtime decision from the subscriber. All IdPs in an RP's whitelist SHALL abide by the provisions and requirements in the 800-63 suite. RPs MAY also establish blacklists of IdPs that the RP will… (4.2 ¶ 3, Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)
  • IdPs MAY establish whitelists of RPs authorized to receive authentication and attributes from the IdP without a runtime decision from the subscriber. All RPs in an IdP's whitelist SHALL abide by the provisions and requirements in the SP 800-63 suite. IdPs SHALL make whitelists available to subscribe… (4.2 ¶ 2, Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)
  • Continue to be executed in a timely manner; (PM-14a.2., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Client devices should be configured to comply with the organizational policies. (§ 6.3.4 (Policy enforcement), Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
  • The organization should ensure handheld devices are configured, deployed, and managed according to the organizational security requirements. (Pg ES-3, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • Apply and obey applicable statutes, laws, regulations and policies. (T0574, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Apply security policies to meet security objectives of the system. (T0016, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Apply security policies to applications that interface with one another, such as Business-to-Business (B2B) applications. (T0015, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Continuously validate the organization against policies/guidelines/procedures/regulations/laws to ensure compliance. (T0280, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • A data controller should be accountable for complying with all of the security measures for protecting personal data. (§ 2.3 ¶ 2 Bullet Accountability, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • Management must commit themselves to complying with the organization's security policy and regulatory requirements. (SG.AC-1 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Management must make a commitment to ensure the organization complies with the security policy and other regulatory requirements. (SG.AU-1 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Management must make a commitment to ensure the organization complies with the security policy and other regulatory requirements. (SG.CA-1 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must make a commitment to ensure the organization complies with the security policy and other regulatory requirements. (SG.CM-1 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must make a commitment to ensure the organization complies with the security policy and other regulatory requirements. (SG.CP-1 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must make a commitment to ensure the organization complies with the security policy and other regulatory requirements. (SG.IA-1 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must make a commitment to ensure the organization complies with the security policy and other regulatory requirements. (SG.ID-1 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must make a commitment to ensure the organization complies with the security policy and other regulatory requirements. (SG.IR-1 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must make a commitment to ensure the organization complies with the security policy and other regulatory requirements. (SG.MA-1 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must make a commitment to ensure the organization complies with the security policy and other regulatory requirements. (SG.MP-1 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must make a commitment to ensure the organization complies with the security policy and other regulatory requirements. (SG.PE-1 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must make a commitment to ensure the organization complies with the security policy and other regulatory requirements. (SG.PL-1 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must make a commitment to ensure the organization complies with the security policy and other regulatory requirements. (SG.PM-1 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must make a commitment to ensure the organization complies with the security policy and other regulatory requirements. (SG.PS-1 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must make a commitment to ensure the organization complies with the security policy and other regulatory requirements. (SG.RA-1 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must make a commitment to ensure the organization complies with the security policy and other regulatory requirements. (SG.SA-1 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must make a commitment to ensure the organization complies with the security policy and other regulatory requirements. (SG.SC-1 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must make a commitment to ensure the organization complies with the security policy and other regulatory requirements. (SG.SI-1 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Apply security policies to applications that interface with one another, such as Business-to-Business (B2B) applications. (T0015, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Apply security policies to meet security objectives of the system. (T0016, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Continuously validate the organization against policies/guidelines/procedures/regulations/laws to ensure compliance. (T0280, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Apply and obey applicable statutes, laws, regulations and policies. (T0574, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Continue to be executed in a timely manner; (PM-14a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Continue to be executed; and (PM-14a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Continue to be executed; and (PM-14a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization should ensure that all personnel understand the importance of following the organization's policies. All personnel in an organization should receive information in a reliable and timely manner. The organization should also communicate with outside organizations in a reliable and tim… (§ II.A, § II.D, OMB Circular A-123, Management's Responsibility for Internal Control)
  • The auditor should evaluate the period-end financial reporting process. This process includes procedures for entering totals and initiating, recording, authorizing, and processing entries in the general ledger; procedures for selecting and applying accounting policies; procedures for recording adjus… (¶ 26, PCAOB Auditing Standard No. 5)
  • Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures. Firms may als… (CYBERSECURITY GUIDANCE ¶ 3 Bullet 3, IM Guidance Update: Cybersecurity Guidance, No. 2015-02)
  • Airport operators and air carriers are required to develop and implement programs for rewarding compliance and penalizing noncompliance with the access control requirements as a way for measuring employee compliance. (§ 44903(g)(2)(C), TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the requirements of this section, the organization will be in compliance with the section requirements. Organizations that maintain securi… (§ 44-7501.E, § 44-7501.F, Arizona Revised Statutes, Section 44-7501, Notification of breach of security system)
  • A person who maintains the person's own notification procedures as part of an information security policy for the treatment of personal information and who is otherwise consistent with the requirements of this section shall be deemed to be in compliance with the notification requirements of this sec… (¶ 18-545.E, Arizona Revised Statutes Title 18, Chapter 5, Article 3, Section 18-545, Notification of breach of security system; enforcement; civil penalty; preemption; exceptions; definitions)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, it will be in compliance with this section. Organizations regulated by state or federal law that … (§ 4-110-105(f), § 4-110-106(a), Arkansas Code, Title 4 Business and Commercial Law, Subtitle 7 Consumer Protection, Chapter 110 Personal Information, Sections 4-110-103 thru 4 -110-105, Personal Information Protection Act)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, it will be in compliance with this section. (§ 1798.29(j), California Civil Code Title 1.8 Personal Data Chapter 1 Information Practices Act of 1977 Article 7. Accounting of Disclosures §§ 1798.25-1798.29)
  • On or after October 1, 2017, each company shall certify annually to the Insurance Department, under penalty of perjury, that it maintains a comprehensive information security program that complies with the requirements of subsection (b) of this section. (§ 38a-999b(c), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • comply with the notice requirements set forth in section 36a-701b, (§ 38a-999b(e)(1), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, or if the organization maintains breach procedures in accordance with the laws, regulations, rule… (§ 12B-103, Delaware Code, Title 6, Commerce and Trade, Subtitle II, Other Laws Relating to Commerce and Trade, Chapter 12B, Computer Security Breaches, Sections 12B-101 thru 104)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the appropriate timing requirements of this section, the organization will be in compliance with the section requirements. Organizations t… (§ 28-3852(e), § 28-3852(g), District of Columbia Official Code, Division V Local Business Affairs, Title 28. Commercial Instruments and Transactions, Chapter 38. Consumer Protections, Subchapter II. Consumer Security Breach Notification)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the appropriate timing requirements of this section, the organization will be in compliance with these section requirements. Organizations… (§ 817.5681(9), Florida Statutes, Section 817.5681, Breach of security concerning confidential personal information in third-party possession)
  • Notice provided pursuant to rules, regulations, procedures, or guidelines established by the covered entity's primary or functional federal regulator is deemed to be in compliance with the notice requirement in this subsection if the covered entity notifies affected individuals in accordance with th… (¶ 501.171(4)(g), Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, it will be in compliance with this section. (§ 10-1-911(3), Georgia Code, Title 10, Chapter 1, Article 34, Sections 10-1-911 thru 10-1-915, Notification required upon breach of security regarding personal information)
  • Financial organizations subject to the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice or subject to 12 C.F.R. Part 748, and any revisions, and health care providers and plans that are subject to and in compliance with HIPAA are i… (§ 487N-2(g), Hawaii Revised Statute, Section 487N, Security Breach of Personal Information)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, or if the organization maintains breach procedures in accordance with the laws, regulations, rule… (§ 28-51-106, Idaho Code, Title 28 Commercial Transactions, Chapter 51 Identity Theft)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, it will be in compliance with this section if it notifies affected individuals of a security brea… (§ 530/10(d), § 530/12(c), Illinois Compiled Statutes, Chapter 815, ILCS 530/Personal Information Protection Act.)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy and the procedures are in accordance with the requirements of this section, it will be in compliance with this section, if the organization notifies affected Indiana residents in ac… (§ 24-4.9-3-4(c), § 24-4.9-3-4(d), § 24-4.9-3-4(e), Indiana Code 24, Article 4.9, Disclosure of Security Breach)
  • If the organization has notification requirements and security breach procedures that provide greater protection to personal information and disclosure requirements equal to or more thorough than those in this section pursuant to the rules, regulations, procedures, guidelines, or guidance of its pri… (§ 715C.2.7, Iowa Code Annotated, Section 715C, Personal Information Security Breach Protection)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, or if the organization is regulated by state or federal law and maintains breach procedures in ac… (§ 50-7a02(d), § 50-7a02(e), Kansas Statutes, Chapter 50, Article 7a, Protection Of Consumer Information)
  • Notwithstanding subsection (5) of this section, an information holder that maintains its own notification procedures as part of an information security policy for the treatment of personally identifiable information, and is otherwise consistent with the timing requirements of this section, shall be … (¶ 365.732(6), Kentucky Revised Statutes, Title XXIX, Chapter 365, Section .732, Notification to affected persons of computer security breach involving their unencrypted personally identifiable information)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, it will be in compliance with this section. Financial organizations that are subject to and compl… (§ 3074.F, § 3076, Louisiana Revised Statutes, Title 51, Sections 3073-3074, Database Security Breach Notification Law)
  • If the organization maintains security breach notification procedures in accordance with the laws, rules, regulations, or guidelines established by federal or Maine state law, it will be in compliance with this section, if the notification procedures provided by the laws, rules, regulations, or guid… (§ 1349.4, Maine Revised Statutes Title 10, Part 3, Chapter 210-B, Notice of Risk to Personal Data)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy and the procedures are in accordance with the rules, regulations, guidelines, or procedures established by its primary state or federal regulator, it will be in compliance with this… (§ 14-3507, Maryland Commercial Law, Subtitle 35, Maryland Personal Information Protection Act, Sections 14-3501 thru 14-3508)
  • If the organization maintains procedures for handling security breaches in accordance with federal laws, regulations, rules, guidelines, and guidances and notifies Massachusetts residents in accordance with its procedures if a breach occurs and also notifies the Attorney General and the Director of … (Ch 93H § 5, General Laws of Massachusetts, Part I, Title XV, Chapter 93H, Security Breaches)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, it will be in compliance with this section. (§ 325E.61 Subd 1(h), Minnesota Statutes, Section 325E.61, Data Warehouses; Notice Required For Certain Disclosures)
  • Any person who conducts business in this state that maintains its own security breach procedures as part of an information security policy for the treatment of personal information, and otherwise complies with the timing requirements of this section, shall be deemed to be in compliance with the secu… (§ 75-24-29(7), Mississippi Code Ann Title 75, Chapter 24, Section 75-24-29, Persons conducting business in Mississippi required to provide notice of a breach of security involving personal information to all affected individuals; enforcement)
  • If the organization maintains procedures for notifying affected consumers as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, it will be in compliance with this section, if it notifies affected consumers in the event of a sec… (§ 407.1500.3, Missouri Revised Statutes, Chapter 407 Merchandising Practices. Section 407.1500)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and doesn't unreasonably delay notice, it will be in compliance with this section. (§ 30-14-1704(6), Montana Code - Part 17: IMPEDIMENT OF IDENTITY THEFT)
  • must be consistent with any federal or state law or regulation; and (§ Section 6. (3)(b)(iv), Montana Consumer Data Privacy Act 2023)
  • If the organization is in compliance with a state or federal law that requires greater protection for personal information than this section, the organization will be in compliance with this section. If the organization maintains procedures for notifying affected individuals as part of its informati… (§ 603A.210(3), § 603A.220(5), Nevada Revised Statutes, Chapter 603A, Security of Personal Information)
  • The organization must notify individuals in accordance with the procedures outlined in its information security policy. If the organization is subject to RSA 358-A:3, I, and maintains those breach procedures in accordance with the laws, rules, regulations, guidelines, or guidances established by its… (§ 359-C:20.III(e), § 359-C:20.V, New Hampshire Statute, Title XXXI, Chapter 359-C, Right to Privacy, Notice of Security Breach)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, it will be in compliance with this section. (§ 56:8-163.e, New Jersey Permanent Statutes, Title 56, Security of Personal Information)
  • is a compliant regulated entity as defined in subdivision one of this section; or (§ 899-bb. 2(b)(i), New York General Business Law Chapter 20, Article 39-F, Section 899-BB)
  • Financial organizations subject to and that comply with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice are in compliance with this section. (§ 75-65(h), North Carolina Statutes, Chapter 75, Article 2A, Identity Theft Protection Act, Sections 75-60 thru 75-66)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, the organization will be in compliance with this section. Financial organizations that are subjec… (§ 51-30-06, North Dakota Century Code, Chapter 51-30, Notice of Security Breach For Personal Information)
  • Financial organizations that are required by federal law to notify customers whenever a security breach occurs and are examined by a government regulatory agency to ensure they are complying with federal law, are exempt from the notification requirements of this section. (§ 1349.19(F), Ohio Revised Code, Title XIII, Chapter 1347, Section 1347.12, Agency disclosure of security breach of computerized personal information data)
  • If state agencies, commissions, or state government subdivisions maintain procedures for notifying affected individuals as part of their information security policy, and the procedures are in accordance with the timing requirements of this section, they will be in compliance with this section. (§ 74-3113.1.E, Oklahoma Statutes, Section 74-3113.1, Disclosure of breach of security of computerized personal information)
  • Complies with a state or federal law that provides greater protection to personal information than the protections that this section provides. (§ 646A.622(2)(a), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • Complies with regulations promulgated under Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as in effect on January 1, 2016, if the person is subject to the Act. (§ 646A.622(2)(b), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • Complies with regulations that implement the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164) as in effect on January 1, 2016, if the person is subject to the Act. (§ 646A.622(2)(c), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, or if the organization maintains security breach procedures in accordance with the rules, regulat… (§ 2307, Pennsylvania Statutes, Title 73, Trade and Commerce, Chapter 43, Breach of Personal Information Notification Act, Sections 2301 thru 2329, 2009 Statutes)
  • If the organization or state agency maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, or if the organization maintains breach procedures in accordance with the rules, … (§ 11-49.2-7, Rhode Island General Law, Chapter 11-49.2, Identity Theft Protection, Sections 11-49.2-1 thru 11-49.2-4, 2008 General Laws)
  • If the state agency maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, it will be in compliance with this section. (§ 1-11-490(F), South Carolina Code of Laws, Section 1-11-490, Breach of security of state agency data notification, 2008 Session)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy and the procedures are in accordance with the timing requirements of this section, it will be in compliance with this section. Financial organizations subject to and in compliance w… (§ 39-1-90(F), § 39-1-90(I), § 39-1-90(J), South Carolina Code of Laws, Sections 16-13-512, Credit Card, and 39-1-90, Breach of security of business data notification, 2008 Session)
  • Information Privacy or Security Policy. An entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information and that are consistent with the timing requirements of this Chapter shall be deemed to be in compliance wit… (§ 48.40(a), Guam 9 GCA, Chapter 48, Notification of Breaches of Personal Information)
  • A financial institution that complies with the notification requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with this Chapter. (§ 48.40(b)(1), Guam 9 GCA, Chapter 48, Notification of Breaches of Personal Information)
  • An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the entity's primary or functional Federal regulator shall be in compliance with this Chapter. (§ 48.40(b)(2), Guam 9 GCA, Chapter 48, Notification of Breaches of Personal Information)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, it will be in compliance with this section, if the organization notifies affected Texas residents… (§ 521.053(g), Texas Business and Commercial Code, Title 11, Subtitle B, Chapter 521, Subchapter A, Section 521)
  • If an organization or agency maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, it will be in compliance with this section. (§ 2208(h), § 2209(h), Virgin Islands Code Title 14 Chapter 110 The Identity Theft Prevention Act § 2201 thru § 2211)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, or if the organization maintains breach procedures in accordance with the laws, regulations, or g… (§ 13-44-202(5)(b), § 13-44-202(5)(c), Utah Code, Title 13-44, Protection of Personal Information Act)
  • Financial organizations that are subject to the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice or the Final Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice are exempt from the requiremen… (§ 2435(f), Vermont Statute, Title 9, Chapter 62, Protection of Personal Information, Sections 2430, 2435, 2440, 2445)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, or if the organization maintains breach notification procedures in accordance with the laws, rule… (§ 18.2-186.6.F, § 18.2-186.6.G, § 18.2-186.6.H, Virginia Code, Title 18.2, Chapter 6, Breach of personal information notification, Section 18.2-186.6)
  • Health care organizations, banks, financial institutions, or other entities subject to the following federal regulations will be in compliance with this chapter's requirements, if they are in compliance with appropriate federal guidelines: interagency guidelines establishing standards for safeguardi… (§ 19.215.030, Revised Code of Washington, Title 19, Chapter 19.215, Disposal of personal information, Sections 19.215.005 thru 19.215.030)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, it will be in compliance with this section. (§ 19.255.010(8), Revised Code of Washington, Title 19, Chapter 19.255, Personal information - notice of security breaches, Section 19.255.010)
  • If the organization maintains procedures for notifying affected individuals as part of its information security policy, and the procedures are in accordance with the timing requirements of this section, or if the organization complies with notification requirements or procedures in accordance with t… (§ 46A-2A-103, West Virginia Code Chapter 46A Article 2A Breach of Security of Consumer Information § 46A-2A-101 thru § 46A-2A-105, 2009 Legislative Session)
  • If the organization is subject to and complies with the security and privacy requirements of 15 U.S.C. 6801 to 6827, or is contracted by one, and the organization or contractor has a policy for information security breaches, it is in compliance with this section. If the organization is in compliance… (§ 134.98(3m), Wisconsin Statute, Chapter 134, Notice of unauthorized acquisition of personal information, Section 134.98, 2008 Session)
  • Financial organizations or federal credit unions that notify individuals according to 15 U.S.C. 6801(b)(3) and 12 C.F.R. Part 364 Appendix B or Part 748 Appendix B are in compliance with this section, if they notify Wyoming residents in compliance with the requirements of 15 U.S.C. 6801 - 6809 and 1… (§ 40-12-502(c), Wyoming Statutes, Title 40, Article 5, Breach of the security of the data system, Sections 40-12-501 thru 40-12-509)