Back

Establish and maintain end user support communications.


CONTROL ID
06615
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Systems design, build, and implementation, CC ID: 00989

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain user documentation., CC ID: 12250
  • Establish, implement, and maintain a vulnerability disclosure program., CC ID: 16492
  • Establish, implement, and maintain a vulnerability disclosure policy., CC ID: 14934


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • When new operating features or functions, particularly those relating to security, integrity and authentication, are being introduced, the bank should ensure that customers have sufficient instruction and information to be able to properly utilize them. (Critical components of information security 31) (ii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The organization must establish and implement mechanisms to promote collaboration and communication with applicable external entities to coordinate health services for consumers. (CORE - 36, URAC Health Utilization Management Standards, Version 6)
  • For service providers only: Do service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the securi… (PCI DSS Question 12.9, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • The security profile shall contain important details about the technology used in the local environment, including communications and telephony equipment (e.g., Voice over Internet Protocol, wireless networks, Internet connections, and teleconferencing). (CF.12.01.05d, The Standard of Good Practice for Information Security)
  • The security profile shall contain important details about the technology used in the local environment, including communications and telephony equipment (e.g., Voice over Internet Protocol, wireless networks, Internet connections, and teleconferencing). (CF.12.01.05d, The Standard of Good Practice for Information Security, 2013)
  • The organization shall implement effective ways to communicate with customers about product information; contracts, inquiries, or order handling; customer complaints and feedback; and advisory notices. (§ 7.2.3, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The service provider shall establish a communication mechanism for customers. (§ 7.1 ¶ 3, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • the processes by which communication shall be effected. (§ 7.4 ¶ 1 e), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall determine the internal and external communications relevant to the quality management system, including: (7.4 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • Monitoring external communications, such as complaints from user entities relevant to the services performed by the subservice organization (¶ 2.53 Bullet 6, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)