Establish, implement, and maintain a Code of Conduct.


CONTROL ID
04897
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Human Resources management, CC ID: 00763

This Control has the following implementation support Control(s):
  • Include classifications of ethics violations in the Code of Conduct., CC ID: 14769
  • Include definitions of ethics violations in the Code of Conduct., CC ID: 14768
  • Include exercising due professional care in the Code of Conduct., CC ID: 14210
  • Include organizational values in the Code of Conduct., CC ID: 12919
  • Include key policies in the Code of Conduct., CC ID: 12890
  • Include the vision statement in the Code of Conduct., CC ID: 12889
  • Include the organization's mission in the Code of Conduct., CC ID: 12875
  • Include classifications of desired conduct in the Code of Conduct., CC ID: 12851
  • Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment., CC ID: 12029
  • Include that Information Security responsibilities extend outside normal business hours and organizational facilities in the Terms and Conditions of employment., CC ID: 04580
  • Implement a sanctions process for personnel who fail to comply to the organizational compliance program., CC ID: 01442
  • Include the legal intellectual property responsibilities in the Code of Conduct., CC ID: 04898
  • Include definitions of desirable conduct in the Code of Conduct., CC ID: 12846
  • Include notification procedures for allegations of undesirable conduct in the Code of Conduct., CC ID: 12855
  • Include procedures to identify positive outcomes in the Code of Conduct., CC ID: 12854
  • Take disciplinary actions against individuals who violate the Code of Conduct., CC ID: 06435
  • Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment., CC ID: 06664


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • An organization of providers of information and communications services may establish and implement a code of conduct applicable to providers of information and communications services with an objective to protect users and render information and communications services in a safer and more reliable … (Article 44-4 ¶ 1, Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • A credit provider or credit reporting agency must not perform an act or engage in a practice that breaches the Code of Conduct. (§ 18B, Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The Commission and the Board shall encourage and facilitate the drawing up of codes of conduct intended to foster the voluntary application to AI systems of requirements related for example to environmental sustainability, accessibility for persons with a disability, stakeholders participation in th… (Article 69 2., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Codes of conduct may be drawn up by individual providers of AI systems or by organisations representing them or by both, including with the involvement of users and any interested stakeholders and their representative organisations. Codes of conduct may cover one or more AI systems taking into accou… (Article 69 3., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • The Commission and the Member States shall encourage and facilitate the drawing up of codes of conduct intended to foster the voluntary application to AI systems other than high-risk AI systems of the requirements set out in Title III, Chapter 2 on the basis of technical specifications and solutions… (Article 69 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • A firm must observe proper standards of market conduct. (2.1.1 Principle 5 Market conduct, Principles for Businesses)
  • In domestically implementing the principles of Parts Two and Three, Member countries should establish administrative, legal, or other procedures or institutions to protect privacy and individual liberties with respect to personal data. Member countries should support and encourage self-regulation, s… (¶ 19(b), OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data)
  • Determine the types of desired conduct including definitions, classifications, and procedures necessary to identify those who contribute to positive outcomes and those who notify the organization when they identify allegations or indications of undesirable conduct. (OCEG GRC Capability Model, v. 3.0, P5.1 Define Desired Conduct, OCEG GRC Capability Model, v 3.0)
  • Work with appropriate stakeholders to develop codes of conduct that address the organizational mission, vision, values, key policies, and expected business conduct. (OCEG GRC Capability Model, v. 3.0, P2.1 Develop Codes of Conduct, OCEG GRC Capability Model, v 3.0)
  • Implement policies and associated procedures to address opportunities, threats and requirements and set clear expectations of conduct for the governing authority, management, the workforce and the extended enterprise. (OCEG GRC Capability Model, v. 3.0, P2 Policies, OCEG GRC Capability Model, v 3.0)
  • The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners. (§ 3 Principle 1 Points of Focus: Establishes Standards of Conduct, COSO Internal Control - Integrated Framework (2013))
  • Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the organization and implement corrective action as necessary. (§ 3 Principle 5 Points of Focus: Enforces Accountability through Structures, Authorities, and Responsibilities, COSO Internal Control - Integrated Framework (2013))
  • The development of a compliance culture requires the active, visible, consistent and sustained commitment of the governing body, top management and management towards a common, published standard of behaviour that is required throughout every area of the organization. (§ 7.3.2.3 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Controls should be put in place to manage the identified compliance obligations and associated compliance risk and to achieve desired behaviour. (§ 8.2 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Aligning individual behavior with culture is critical. The most powerful influence comes from management who creates and sustains the organizational agenda. Explicitly, the organization develops policies, rules, and standards of conduct. Implicitly, the organization should lead by example to reflect… (Embracing a Risk-Aware Culture ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Management provides guidance to personnel so they understand the risks. Management also demonstrates leadership by communicating the expectations of conduct for all aspects of enterprise risk management. Such leadership from the top helps to establish and enforce accountability and a common purpose. (Enforcing Accountability ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Management and the board of directors clearly communicating the expectations (e.g., developing and enforcing standards of conduct). (Enforcing Accountability ¶ 3 Bullet 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Verify the practitioner in charge of the engagement has an understanding of the AICPA's code of professional conduct. (Ques. AT411 Item 1, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Reading documents about the service organization's security awareness and training programs, communication of code of conduct, employee handbooks, information security policies, incident notification procedures, and other available documentation to understand the service organization's processes for… (¶ 3.59 Bullet 8, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary. (CC1.5 Enforces Accountability Through Structures, Authorities, and Responsibilities, Trust Services Criteria)
  • The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity's standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners. (CC1.1 Establishes Standards of Conduct, Trust Services Criteria)
  • Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary. (CC1.5 ¶ 2 Bullet 1 Enforces Accountability Through Structures, Authorities, and Responsibilities, Trust Services Criteria, (includes March 2020 updates))
  • The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners. (CC1.1 ¶ 3 Bullet 2 Establishes Standards of Conduct, Trust Services Criteria, (includes March 2020 updates))
  • The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, … (CC1.4, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Written standards of conduct must be maintained by the grantee to govern the performance of employees who are involved in the award and administration of contracts. The standards should include the following: that employees, officers, or agents may not participate in selecting, awarding, or administ… (§ 495.348(c), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • CODE OF ETHICS DISCLOSURE.—The Commission shall issue rules to require each issuer, together with periodic reports required pursuant to section 13(a) or 15(d) of the Securities Exchange Act of 1934, to disclose whether or not, and if not, the reason therefor, such issuer has adopted a code of ethi… (§ 406(a), The Sarbanes-Oxley Act of 2002 (SOX), July 30, 2002.)
  • Agencies that maintain a system of records shall develop rules of conduct for personnel involved in designing, developing, maintaining, or operating a system of records or in maintaining records and train persons on the rules and requirements, including, but not limited to, other rules and procedure… (§ 552a(e)(9), 5 USC § 552a, Records maintained on individuals (Privacy Act of 1974))
  • Personnel policies and practices are in effect; (TIER II OBJECTIVES AND PROCEDURES E.1. Bullet 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • Does the Credit Union personnel policy include a Code of Ethics policy or fraud policy? (IT - Policy Checklist Q 29, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The organization must provide employees, third parties, and contractors with the Terms and Conditions of employment, their legal rights, the expectations of conduct, their duties, and their responsibilities. (SG.PS-9 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Entities or associations that represent users of or persons responsible for privately-held data banks may create professional practice codes of conduct that establish the rules for processing personal data that tend to improve and assure the operational conditions of the information systems based on… (§ 30, Argentina Personal Data Protection Act)