Establish, implement, and maintain a consumer complaint management program.


CONTROL ID: 04570
CONTROL TYPE: Business Processes
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Acquisition or sale of facilities, technology, and services, CC ID: 01123

This Control has the following implementation support Control(s):
  • Document consumer complaints., CC ID: 13903
  • Assess consumer complaints and litigation., CC ID: 16521
  • Notify the complainant about their rights after receiving a complaint., CC ID: 16794
  • Include how to access information from the dispute resolution body in the consumer complaint management program., CC ID: 13816
  • Include any requirements for using information from the dispute resolution body in the consumer complaint management program., CC ID: 13815
  • Post contact information in an easily seen location at facilities., CC ID: 13812
  • Provide users a list of the available dispute resolution bodies., CC ID: 13814
  • Post the dispute resolution body's contact information on the organization's website., CC ID: 13811
  • Establish, implement, and maintain consumer complaint escalation procedures., CC ID: 07208
  • Disseminate and communicate the consumer complaint management program to interested personnel and affected parties., CC ID: 16795
  • Report the analysis of consumer complaints to the Quality Management committee., CC ID: 07209
  • Establish, implement, and maintain notice and take-down procedures., CC ID: 09963
  • Process product return requests., CC ID: 11598


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization should respond to user inquiries and complaints. Points of contact should be made available to users and should be displayed on websites, pamphlets, and other media. (O105.5, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • A proper response should be made to inquiries and complaints from users. (P114.3. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • APRA envisages that a regulated institution would ensure audit trails exist for IT assets that: satisfy the institution's business requirements (including regulatory and legal); facilitate independent audit; assist in dispute resolution (including non-repudiation); and assist in the provision of for… (¶ 74, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Implement a means to manage reports of vulnerabilities (5.2, CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, V2.1.1)
  • Member States shall ensure that procedures are set up which allow payment service users and other interested parties including consumer associations, to submit complaints to the competent authorities with regard to payment service providers' alleged infringements of this Directive. (Art 99(1), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • Member States shall ensure that payment service providers put in place and apply adequate and effective complaint resolution procedures for the settlement of complaints of payment service users concerning the rights and obligations arising under Titles III and IV of this Directive and shall monitor … (Art 101(1), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • Those procedures shall be applied in every Member State where the payment service provider offers the payment services and shall be available in an official language of the relevant Member State or in another language if agreed between the payment service provider and the payment service user. (Art 101(1) ¶ 1, DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • Member States shall ensure that adequate, independent, impartial, transparent and effective ADR procedures for the settlement of disputes between payment service users and payment service providers concerning the rights and obligations arising under Titles III and IV of this Directive are establishe… (Art 102(1), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • set out plans for communication to staff, external stakeholders and media in accordance with Article 14 and for notification to clients, for internal escalation procedures, including ICT-related customer complaints, as well as for the provision of information to financial entities that act as counte… (Art. 17.3.(d), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Thus, there must be a clearly defined procedure and explicitly specified competences for handling complaints and for feedback on problems to the responsible body. A response to complaints should be provided as fast as possible so that the person filing the complaint feels to be taken seriously. The … (§ 10.2 Subsection 3 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Generally, feedback on errors and vulnerabilities in the processes does not only originate from the information security organisations or auditing, but also from employees, business partners, customers or partners. Thus, the organisation must establish an effective approach for handling complaints a… (§ 10.2 Subsection 3 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Firstly, Union data subjects may pursue cases of non-compliance with the Principles through direct contacts with the EU-U.S. DPF organisations. To facilitate resolution, the organisation must put in place an effective redress mechanism to deal with such complaints. An organisation's privacy policy m… (2.4 (69), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • First, a specific redress mechanism is established, under EO 14086, complemented by the AG Regulation establishing the Data Protection Review Court, to handle and resolve complaints from individuals concerning U.S. signals intelligence activities. Any individual in the EU is entitled to submit a com… (3.2.3 (176), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • The organization should implement a mechanism to collect or obtain information about client satisfaction with services provided by the organization. (CORE - 12, URAC Health Utilization Management Standards, Version 6)
  • The organization must maintain a formal process to address consumer complaints that includes a process to receive and respond in a timely manner to complaints. (CORE - 35(a), URAC Health Utilization Management Standards, Version 6)
  • The organization should maintain a formal process to address consumer complaints that includes notice (written or verbal) of final result with an explanation. (CORE - 35(b), URAC Health Utilization Management Standards, Version 6)
  • The organization should maintain a formal process to address consumer complaints that includes evidence of meeting the organization's specified time frame for resolution and response. (CORE - 35(d), URAC Health Utilization Management Standards, Version 6)
  • customers, e.g. through a complaints handling system; (§ 9.1.3 ¶ 1 Bullet 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). (§ 6.4.3.3 ¶ 2 Bullet 5, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Service complaints shall be recorded, managed to closure and reported. Where a service complaint is not resolved through the normal channels, a method of escalation shall be provided. (§ 8.3.2 ¶ 5, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • feedback from interested parties, including suggestions for improvement, requests for change and complaints; (§ 9.3 Guidance ¶ 4(d), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate entity personnel. (CC2.3 ¶ 6 Bullet 4 Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Entity personnel are provided with information on how to report systems failures, incidents, concerns, and other complaints. (CC2.2 ¶ 4 Bullet 2 Communicates Information on Reporting Failures, Incidents, Concerns, and Other Matters, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • If the organization sells products or services over the Internet, it should provide a way for customers to click and contact the organization. (§ M1.5, Canadian Marketing Association Code of Ethics and Standards of Practice)
  • The organization's privacy policies should include information on how an individual can contact the organization with complaints. (ID 10.1.1, AICPA/CICA Privacy Framework)
  • For electronic commerce systems, the website provides customers with where they can obtain warranty, repair service, and support related to the goods and services purchased on the website. (Processing Integrity Prin. and Criteria Table § 2.1 c, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • For electronic commerce systems, the website provides procedures for resolving processing integrity issues, such as complaints about Quality of Service, accuracy, completeness, and the quality of the product, along with the consequences of failing to resolve the issue. (Processing Integrity Prin. and Criteria Table § 2.1 d, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The process for submitting complaints is communicated to the authorized users. (Processing Integrity Prin. and Criteria Table § 2.4, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should have an implemented process to address inquiries, complaints, and disputes. (Generally Accepted Privacy Principles and Criteria § 10.2.1, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should include a description of how individuals can make complaints, inquiries, and disputes. (Table Ref 10.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • A Medicare Advantage (MA) organization must notify individuals that complaints regarding noncompliance with advance directive requirements may be filed with the state survey and certification agency. (§ 422.128(b)(3), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • The organization should develop tools to facilitate the complaint resolution process, such as standard complaint forms. (FAQ-Dispute Resolution and Enforcement "Recourse Mechanisms", US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • Some information an organization should place on its website is how to file a consumer complaint, how to contact the organization's customer support center, and the name of the organization and the location of its main office and branches. (Pg 38, Obj 1.8, Obj 6.3, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: (PM-26 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: (PM-26 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: (PM-26 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The CSP SHALL provide mechanisms for redress of applicant complaints or problems arising from the identity proofing. These mechanisms SHALL be easy for applicants to find and use. The CSP SHALL assess the mechanisms for their efficacy in achieving resolution of complaints or problems. (4.2 ¶ 1.5, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • Policies, processes, and procedures for receiving, tracking, and responding to complaints, concerns, and questions from individuals about organizational privacy practices are established and in place. (GV.MT-P7, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization implements a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices. (IP-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization implements a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices. (IP-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: (PM-26 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: (PM-26 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)