Document the organization's local environments.


CONTROL ID
06726
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Operational management, CC ID: 00805

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain local environment security profiles., CC ID: 07037


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The objective of the business impact analysis is to identify different kinds of risks to business continuity and to quantify the impact of disruptions. The business impact analysis helps to identify those critical business activities, banking services and internal support functions which, in the eve… (3.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The business impact analysis normally comprises two stages. The first stage is to identify critical services that must be maintained and continued in the event of a disaster. This usually entails an assessment of the overall exposure to the AI if the normal functions or services cannot be performed.… (3.1.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The result of the time-frame assessment in the business impact analysis is the key determination factor for the recovery priority of individual services. The inter-dependency among critical services is another major consideration in determining the recovery strategies and priority. For example, the … (3.2.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The mobilisation phase – This phase aims to notify the recovery teams (e.g. via a call-out tree) and to secure the resources (e.g. recovery services provided by vendors) required to resume business services. This phase might involve determination of the sequence for restoring business services if … (4.3.2 Bullet 1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The alternate processing phase – This phase emphasises the resumption of the business and service delivery at the alternate site and/or in a different way than the normal process. This may entail record reconstruction and verification, establishment of new controls, alternate manual processes, and… (4.3.2 Bullet 2, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The full recovery phase – This phase refers to the process for moving back to a permanent site after a disaster. It is as difficult and critical to the business as the process to activate the BCP. (4.3.2 Bullet 3, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • There are various business continuity models that could be adopted by AIs to handle prolonged disruptions. The traditional model is an “active/back-up” model, which is widely used by many organisations. This traditional model is based on an “active” operating site with a corresponding altern… (4.5.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • An emerging split operations model, which has already been used by some institutions, is a different business continuity model. This model is to operate with two or more widely separated active sites for the same critical operations, providing inherent back-up for each other (e.g. call centres for c… (4.5.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The split operations model may incur higher operating costs, in terms of maintaining excess capacity at each site and added operating complexity. It may be difficult to maintain appropriately trained staff and pose technological issues at multiple sites. (4.5.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The question of what business continuity model to adopt is for individual institutions’ judgement based on the risk assessment of their business environment and the characteristics of their own operations. (4.5.4, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Most business continuity efforts are dependent on the availability of an alternate site (i.e. recovery site) for successful execution. The alternate site may be either an external site available through an agreement with a commercial vendor or a site within the AI’s real estate portfolio. A useabl… (5.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Communications networks convey information and provide a channel of access to application systems and systems resources. Given their technical complexity, communications networks can be highly vulnerable to disruption and abuse. Safeguarding communications networks requires robust network design, we… (6.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • While end-user computing may offer advantages (e.g. higher productivity) to an AI, it may also increase the difficulty in controlling the quality of, and access to, the system. AIs should where necessary, therefore, establish control practices and responsibilities with respect to end user computing … (3.5.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • IC-1 “General Risk Management Controls” specifies that AIs should have in place effective risk management systems and that new products and services should be subject to careful evaluation (including a detailed risk assessment) as well as a post-launch review. The same risk management controls a… (2.3.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Therefore, it is recommended to specify individual factors randomly for the natural environment and community environment settings around the site of the computer center, examine on a regular basis the possibility of occurrence of disasters and failures due to the changing environmental settings, an… (F2.1. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • IT is a core function of many FIs. When critical systems fail and customers cannot access their accounts, an FI’s business operations may immediately come to a standstill. The impact on customers would be instantaneous, with significant consequences to the FI, including reputational damage, regula… (§ 3.0.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Risk identification entails the determination of the threats and vulnerabilities to the FI’s IT environment which comprises the internal and external networks, hardware, software, applications, systems interfaces, operations and human elements. (§ 4.2.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • A threat may take the form of any condition, circumstance, incident or person with the potential to cause harm by exploiting vulnerability in a system. The source of the threat can be natural, human or environmental. Humans are significant sources of threats through deliberate acts or omissions whic… (§ 4.2.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The extent of risk impact depends on the likelihood of various threat and vulnerability pairings or linkages capable of causing harm to the organisation should an adverse event occur. (§ 4.3.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Risk mitigation entails a methodical approach for evaluating, prioritising and implementing appropriate risk-reduction controls. A combination of technical, procedural, operational and functional controls would provide a rigorous mode of reducing risks. (§ 4.4.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • IT outsourcing comes in many forms and permutations. Some of the most common types of IT outsourcing are in systems development and maintenance, support to DC operations, network administration, disaster recovery services, application hosting, and cloud computing. Outsourcing can involve the provisi… (§ 5.0.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Cloud computing is a service and delivery model for enabling on-demand network access to a shared pool of configurable computing resources (servers, storage and services). Users of such services may not know the exact locations of servers, applications and data within the service provider’s comput… (§ 5.2.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • There are different ways of coding programs which may conceal security threats and loopholes, deliberate or unintentional. System and user acceptance tests are usually ineffective in detecting malicious codes, trojans, backdoors, logic bombs and other malware. Black-box testing is not an effective t… (§ 6.3.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Source code review is a methodical examination of the source code of an application with the objective of finding defects that are due to coding errors, poor coding practices or malicious attempts. It is designed to identify security vulnerabilities and deficiencies, and mistakes in system design or… (§ 6.3.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • There are common business application tools and software which allow business users to develop simple applications to automate their operations, perform data analysis and generate reports for the FI and customers. (§ 6.4.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • A robust IT service management framework is essential for supporting IT systems, services and operations, managing changes, incidents and problems as well as ensuring the stability of the production IT environment. (§ 7.0.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Program migration involves the movement of software codes and scripts from the development environment to test and production environments. Unauthorised and malicious codes which are injected during the migration process could compromise data, systems and processes in the production environment. (§ 7.2.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • While the objective of incident management is to restore the IT service as soon as possible, the aim of problem management is to determine and eliminate the root cause to prevent the occurrence of repeated problems. (§ 7.4.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The reliability, availability, and recoverability of IT systems, networks and infrastructures are crucial in maintaining confidence and trust in the operational and functional capabilities of an FI. When critical systems fail, the disruptive impact on the FI’s operations or customers will usually … (§ 8.0.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Important factors associated with maintaining high system availability are adequate capacity, reliable performance, fast response time, scalability and swift recovery capability. (§ 8.1.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The required speed of recovery will depend on the criticality of resuming business operations, the type of services and whether there are alternative ways and processing means to maintain adequate continuing service levels to satisfy customers. The FI may wish to explore recovery strategies and tech… (§ 8.2.6, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Security threats such as those manifested in denial of service attacks, internal sabotage and malware infestation could cause severe harm and disruption to the operations of an FI with consequential losses for all parties affected. The FI should be vigilant in monitoring such mutating and growing ri… (§ 4.2.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • In performing its due diligence for all forms of outsourcing arrangements, the FI should be aware of cloud computing’s unique attributes and risks especially in areas of data integrity, sovereignty, commingling, platform multi-tenancy, recoverability and confidentiality, regulatory compliance, aud… (§ 5.2.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Never alone principle - Certain systems functions and procedures are of such sensitive and critical nature that FIs should ensure that they are carried out by more than one person at the same time or performed by one person and checked by another. These functions may include critical systems initial… (§ 11.0.1.a, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Some common tactics used by insiders to disrupt operations include planting logic bombs, installing stealth scripts and creating system backdoors to gain unauthorised access as well as sniffing and cracking passwords. System administrators, IT security officers, programmers and staff performing crit… (§ 11.2.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Whilst the internet presents opportunities for FIs to reach new markets and expand its range of products and services, being an open network, it also brings about security risks that are more sophisticated and dynamic than closed networks and proprietary delivery channels. The FI should be cognisant… (§ 12.0.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • There are varying degrees of risks associated with different types of services provided over the internet. Typically, financial services offered via the internet can be classified into information service, interactive information exchange service and transactional service. The highest level of risk … (§ 12.0.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Mobile Online Services refers to the provision of financial services via mobile devices such as mobile phones or tablets. Customers may choose to access these financial services via web browsers on mobile phones or the FI’s self-developed applications on mobile platforms such as Apple’s iOS, Goo… (§ 12.2.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Mobile payment refers to the use of mobile devices to make payments. These payments may be made using various technologies such as near-field communication (NFC). (§ 12.2.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Payment cards allow cardholders the flexibility to make purchases wherever they are. Cardholders may choose to make purchases by physically presenting these cards for payments at the merchant or they could choose to purchase their items over the internet, through mail-order or over the telephone. Pa… (§ 13.0.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Payment cards exist in many forms; with magnetic stripe cards posing the highest security risks. Sensitive payment card data stored on magnetic stripe cards is vulnerable to card skimming attacks. Card skimming attacks can happen at various points of the payment card processing, including ATMs, paym… (§ 13.0.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Types of payment card fraud include counterfeit, lost/stolen, card-not-received (“CNR”) and card-not-present (“CNP”) fraud. (§ 13.0.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The presence of ATMs and payment kiosks (e.g. SAM and AXS machines) has provided cardholders with the convenience of withdrawing cash as well as making payments to billing organisations. However, these systems are targets where card skimming attacks are perpetrated. (§ 13.2.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The purpose of a Threat and Vulnerability Risk Assessment (“TVRA”) is to identify security threats to and operational weaknesses in a DC in order to determine the level and type of protection that should be established to safeguard it. (§ 10.1.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The IT landscape is vulnerable to various forms of cyber attacks, and the frequency and malignancy of attacks are increasing. It is imperative that FIs implement security solutions at the data, application, database, operating systems and network layers to adequately address and contain these threat… (§ 9.0.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • As FIs’ critical systems and data are concentrated and maintained in the DC, it is important that the DC is resilient and physically secured from internal and external threats. (§ 10.0.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • As technology risks evolve with the growing complexity of the IT environment, there is an increasing need for FIs to develop effective internal control systems to manage technology risks. (§ 14.0.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • IT audit provides the board of directors and senior management with an independent and objective assessment of the effectiveness of controls that are applied within the IT environment to manage technology risks. (§ 14.0.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • It is imperative that the FI is able to manage and control risks in a manner that will maintain its financial and operational viability and stability. When deciding on the adoption of alternative controls and security measures, the FI should also be conscious of costs and effectiveness of the contro… (§ 4.4.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Data at endpoint - Data which resides in notebooks, personal computers, portable storage devices and mobile devices; (§ 9.1.2.a., Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Data in motion - Data that traverses a network or that is transported between sites; and (§ 9.1.2.b., Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Data at rest - Data in computer storage which includes files stored on servers, databases, backup media and storage platforms. (§ 9.1.2.c., Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The assessment of threats and vulnerabilities relating to a DC will vary depending on a number of factors, such as criticality of the DC, geographical location, multi-tenancy and type of tenants occupying the DC, impact from natural disasters, and the political and economic climate of the country in… (§ 10.1.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • As part of the data backup and recovery strategy, FIs may implement specific data storage architectures such as Direct-Attached Storage (DAS), Network-Attached Storage (NAS) or Storage Area Network (SAN) sub-systems connected to production servers. In this regard, processes should be in place to rev… (§ 8.4.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should provide its customers and users of its internet services the assurance that online login access and transactions performed over the internet on the FI’s website are adequately protected and authenticated. (§ 12.1.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The Key Management Plan should include a description of the cryptographic environment. (Control: 0510 Table Row "System description", Australian Government Information Security Manual: Controls)
  • When corporate or user-owned devices (BYOD) are not connected to the organisation's internal network, how are the firewall controls applied? (A4.1.1, Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Please list your Internet Browser/s (A6.2.1, Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Please list your Malware Protection. (A6.2.2, Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Please list your Email Applications installed on end user devices and server (A6.2.3, Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Please list all Office Applications that are used to create organisational data. (A6.2.4, Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Which technical controls are used to manage the quality of your passwords within your organisation? (A7.11., Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Please describe the process for changing the firewall password. (A4.2.1, Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • When not using multi-factor authentication which option are you using to protect your external service from brute force attacks? (A5.7., Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Which method do you use to unlock the devices and what brute force protection is in place? (A5.11., Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Where auto updates are not being used, how do you ensure all high-risk or critical security updates of all operating systems and firmware are applied within 14 days of release? (A6.4.2, Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Where auto updates are not being used, how do you ensure all high-risk or critical security updates of all applications are applied within 14 days of release? (A6.5.2, Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • If no, is this because MFA is not available for some of your cloud services? List the cloud services that do not allow multi-factor authentication (A7.15., Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • If no, is this because software firewalls are not installed by default for the operating system you are using? Please list the operating systems. (A4.12., Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • High-risk AI systems shall comply with the requirements established in this Chapter. (Article 8 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • A 'European Artificial Intelligence Board' (the 'Board') is established. (Article 56 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • The Board shall provide advice and assistance to the Commission in order to: (Article 56 2., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • contribute to the effective cooperation of the national supervisory authorities and the Commission with regard to matters covered by this Regulation; (Article 56 2(a), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • coordinate and contribute to guidance and analysis by the Commission and the national supervisory authorities and other competent authorities on emerging issues across the internal market with regard to matters covered by this Regulation; (Article 56 2(b), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • assist the national supervisory authorities and the Commission in ensuring the consistent application of this Regulation. (Article 56 2(c), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • The Board shall be composed of the national supervisory authorities, who shall be represented by the head or equivalent high-level official of that authority, and the European Data Protection Supervisor. Other national authorities may be invited to the meetings, where the issues discussed are of rel… (Article 57 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • The Board shall adopt its rules of procedure by a simple majority of its members, following the consent of the Commission. The rules of procedure shall also contain the operational aspects related to the execution of the Board's tasks as listed in Article 58. The Board may establish sub-groups as ap… (Article 57 2., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • The Board shall be chaired by the Commission. The Commission shall convene the meetings and prepare the agenda in accordance with the tasks of the Board pursuant to this Regulation and with its rules of procedure. The Commission shall provide administrative and analytical support for the activities … (Article 57 3., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • The Board may invite external experts and observers to attend its meetings and may hold exchanges with interested third parties to inform its activities to an appropriate extent. To that end the Commission may facilitate exchanges between the Board and other Union bodies, offices, agencies and advis… (Article 57 4., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Where necessary to assess the conformity of the high-risk AI system with the requirements set out in Title III, Chapter 2 and upon a reasoned request, the market surveillance authorities shall be granted access to the source code of the AI system. (Article 64 2., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • National public authorities or bodies which supervise or enforce the respect of obligations under Union law protecting fundamental rights in relation to the use of high-risk AI systems referred to in Annex III shall have the power to request and access any documentation created or maintained under t… (Article 64 3., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • By 3 months after the entering into force of this Regulation, each Member State shall identify the public authorities or bodies referred to in paragraph 3 and make a list publicly available on the website of the national supervisory authority. Member States shall notify the list to the Commission an… (Article 64 4., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Where the documentation referred to in paragraph 3 is insufficient to ascertain whether a breach of obligations under Union law intended to protect fundamental rights has occurred, the public authority or body referred to paragraph 3 may make a reasoned request to the market surveillance authority t… (Article 64 5., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Any information and documentation obtained by the national public authorities or bodies referred to in paragraph 3 pursuant to the provisions of this Article shall be treated in compliance with the confidentiality obligations set out in Article 70. (Article 64 6., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • AI systems presenting a risk shall be understood as a product presenting a risk defined in Article 3, point 19 of Regulation (EU) 2019/1020 insofar as risks to the health or safety or to the protection of fundamental rights of persons are concerned. (Article 65 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Where the market surveillance authority of a Member State has sufficient reasons to consider that an AI system presents a risk as referred to in paragraph 1, they shall carry out an evaluation of the AI system concerned in respect of its compliance with all the requirements and obligations laid down… (Article 65 2. ¶ 1, Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Where, in the course of that evaluation, the market surveillance authority finds that the AI system does not comply with the requirements and obligations laid down in this Regulation, it shall without delay require the relevant operator to take all appropriate corrective actions to bring the AI syst… (Article 65 2. ¶ 2, Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • The market surveillance authority shall inform the relevant notified body accordingly. Article 18 of Regulation (EU) 2019/1020 shall apply to the measures referred to in the second subparagraph. (Article 65 2. ¶ 3, Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Where the market surveillance authority considers that non-compliance is not restricted to its national territory, it shall inform the Commission and the other Member States of the results of the evaluation and of the actions which it has required the operator to take. (Article 65 3., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • The operator shall ensure that all appropriate corrective action is taken in respect of all the AI systems concerned that it has made available on the market throughout the Union. (Article 65 4., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Where the operator of an AI system does not take adequate corrective action within the period referred to in paragraph 2, the market surveillance authority shall take all appropriate provisional measures to prohibit or restrict the AI system's being made available on its national market, to withdraw… (Article 65 5., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • The information referred to in paragraph 5 shall include all available details, in particular the data necessary for the identification of the non-compliant AI system, the origin of the AI system, the nature of the non-compliance alleged and the risk involved, the nature and duration of the national… (Article 65 6., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • a failure of the AI system to meet requirements set out in Title III, Chapter 2; (Article 65 6(a), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • shortcomings in the harmonised standards or common specifications referred to in Articles 40 and 41 conferring a presumption of conformity. (Article 65 6(b), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • The market surveillance authorities of the Member States other than the market surveillance authority of the Member State initiating the procedure shall without delay inform the Commission and the other Member States of any measures adopted and of any additional information at their disposal relatin… (Article 65 7., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Where, within three months of receipt of the information referred to in paragraph 5, no objection has been raised by either a Member State or the Commission in respect of a provisional measure taken by a Member State, that measure shall be deemed justified. This is without prejudice to the procedura… (Article 65 8., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • The market surveillance authorities of all Member States shall ensure that appropriate restrictive measures are taken in respect of the product concerned, such as withdrawal of the product from their market, without delay. (Article 65 9., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • Where, within three months of receipt of the notification referred to in Article 65(5), objections are raised by a Member State against a measure taken by another Member State, or where the Commission considers the measure to be contrary to Union law, the Commission shall without delay enter into co… (Article 66 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • If the national measure is considered justified, all Member States shall take the measures necessary to ensure that the non-compliant AI system is withdrawn from their market, and shall inform the Commission accordingly. If the national measure is considered unjustified, the Member State concerned s… (Article 66 2., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • Where the national measure is considered justified and the non-compliance of the AI system is attributed to shortcomings in the harmonised standards or common specifications referred to in Articles 40 and 41 of this Regulation, the Commission shall apply the procedure provided for in Article 11 of R… (Article 66 3., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • Where, having performed an evaluation under Article 65, the market surveillance authority of a Member State finds that although an AI system is in compliance with this Regulation, it presents a risk to the health or safety of persons, to the compliance with obligations under Union or national law in… (Article 67 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • The provider or other relevant operators shall ensure that corrective action is taken in respect of all the AI systems concerned that they have made available on the market throughout the Union within the timeline prescribed by the market surveillance authority of the Member State referred to in par… (Article 67 2., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • The Member State shall immediately inform the Commission and the other Member States. That information shall include all available details, in particular the data necessary for the identification of the AI system concerned, the origin and the supply chain of the AI system, the nature of the risk inv… (Article 67 3., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • The Commission shall without delay enter into consultation with the Member States and the relevant operator and shall evaluate the national measures taken. On the basis of the results of that evaluation, the Commission shall decide whether the measure is justified or not and, where necessary, propos… (Article 67 4., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • Where the market surveillance authority of a Member State makes one of the following findings, it shall require the relevant provider to put an end to the non- compliance concerned: (Article 68 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • the conformity marking has been affixed in violation of Article 49; (Article 68 1(a), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • the conformity marking has not been affixed; (Article 68 1(b), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • the EU declaration of conformity has not been drawn up; (Article 68 1(c), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • the EU declaration of conformity has not been drawn up correctly; (Article 68 1(d), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • the identification number of the notified body, which is involved in the conformity assessment procedure, where applicable, has not been affixed; (Article 68 1(e), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • Where the non-compliance referred to in paragraph 1 persists, the Member State concerned shall take all appropriate measures to restrict or prohibit the high-risk AI system being made available on the market or ensure that it is recalled or withdrawn from the market. (Article 68 2., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • In compliance with the terms and conditions laid down in this Regulation, Member States shall lay down the rules on penalties, including administrative fines, applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are properly and effectively impleme… (Article 71 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • The Member States shall notify the Commission of those rules and of those measures and shall notify it, without delay, of any subsequent amendment affecting them. (Article 71 2., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • The following infringements shall be subject to administrative fines of up to 30 000 000 EUR or, if the offender is company, up to 6 % of its total worldwide annual turnover for the preceding financial year, whichever is higher: (Article 71 3., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • non-compliance with the prohibition of the artificial intelligence practices referred to in Article 5; (Article 71 3(a), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • non-compliance of the AI system with the requirements laid down in Article 10. (Article 71 3(b), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • The non-compliance of the AI system with any requirements or obligations under this Regulation, other than those laid down in Articles 5 and 10, shall be subject to administrative fines of up to 20 000 000 EUR or, if the offender is a company, up to 4 % of its total worldwide annual turnover for the… (Article 71 4., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • The supply of incorrect, incomplete or misleading information to notified bodies and national competent authorities in reply to a request shall be subject to administrative fines of up to 10 000 000 EUR or, if the offender is a company, up to 2 % of its total worldwide annual turnover for the preced… (Article 71 5., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following: (Article 71 6., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • the nature, gravity and duration of the infringement and of its consequences; (Article 71 6(a), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • whether administrative fines have been already applied by other market surveillance authorities to the same operator for the same infringement. (Article 71 6(b), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • the size and market share of the operator committing the infringement; (Article 71 6(c), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • Each Member State shall lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State. (Article 71 7., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • Depending on the legal system of the Member States, the rules on administrative fines may be applied in such a manner that the fines are imposed by competent national courts of other bodies as applicable in those Member States. The application of such rules in those Member States shall have an equiv… (Article 71 8., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • The European Data Protection Supervisor may impose administrative fines on Union institutions, agencies and bodies falling within the scope of this Regulation. When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, all re… (Article 72 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • the nature, gravity and duration of the infringement and of its consequences; (Article 72 1(a), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • the cooperation with the European Data Protection Supervisor in order to remedy the infringement and mitigate the possible adverse effects of the infringement, including compliance with any of the measures previously ordered by the European Data Protection Supervisor against the Union institution or… (Article 72 1(b), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • any similar previous infringements by the Union institution, agency or body; (Article 72 1(c), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • Before taking decisions pursuant to this Article, the European Data Protection Supervisor shall give the Union institution, agency or body which is the subject of the proceedings conducted by the European Data Protection Supervisor the opportunity of being heard on the matter regarding the possible … (Article 72 4., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • The rights of defense of the parties concerned shall be fully respected in the proceedings. They shall be entitled to have access to the European Data Protection Supervisor's file, subject to the legitimate interest of individuals or undertakings in the protection of their personal data or business … (Article 72 5., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • Funds collected by imposition of fines in this Article shall be the income of the general budget of the Union. (Article 72 6., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing i… (Art. 30.5., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Where processing referred to in paragraphs 2 and 3 serves at the same time another purpose, the derogations shall apply only to processing for the purposes referred to in those paragraphs. (Art. 89.4., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them. (Art. 88.3., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Where personal data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18, 19, 20 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as su… (Art. 89.3., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Articl… (Art. 89.2., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the con… (Art. 88.1., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article. (Art. 92.1., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • The delegation of power referred to in Article 12(8) and Article 43(8) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following that of its publicat… (Art. 92.3., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • The delegation of power referred to in Article 12(8) and Article 43(8) shall be conferred on the Commission for an indeterminate period of time from 24 May 2016. (Art. 92.2., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council. (Art. 92.4., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • A delegated act adopted pursuant to Article 12(8) and Article 43(8) shall enter into force only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the… (Art. 92.5., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Have framework conditions changed resulting in the need to change the approach regarding information security? (§ 4.3 ¶ 2 Bullet 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Are the security objectives still appropriate? (§ 4.3 ¶ 2 Bullet 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Is the information security policy still up-to-date? (§ 4.3 ¶ 2 Bullet 3, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Is the security strategy still appropriate? (§ 4.3 ¶ 4 Bullet 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Is the security concept appropriate for achieving the set objectives? Are, for instance, the legal requirements fulfilled? (§ 4.3 ¶ 4 Bullet 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Is the security organisation appropriate for achieving the objectives? Should its position within the organisation be strengthened or should it be integrated more in the internal processes? (§ 4.3 ¶ 4 Bullet 3, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Is there an appropriate relation between the effort – i.e. costs, personnel, materials – required to achieve the security objectives and the business objectives and the role of the organisation? (§ 4.3 ¶ 4 Bullet 4, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • What is included in the organization's definition of information assets? (Table Row I.12, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • System security management should include the implementation of security strategy and delegation. (¶ 19.2 Bullet 1, Good Practices For Computerized systems In Regulated GXP Environments)
  • Having a checklist may help organizations plan and manage their security awareness training program. The information listed below may be used to assist with security awareness training and education planning. Inclusion and use of this information is not a requirement. (§ 4 ¶ 1, Information Supplement: Best Practices for Implementing a Security Awareness Program, Version 1.0)
  • How is separation between tenants assured? (Appendix D, Build and Maintain a Secure Network Bullet 1, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • What technologies are used in the provision of the cloud service—e.g., hardware, software, virtual technologies? (Appendix D, Build and Maintain a Secure Network Bullet 6, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • How are configuration standards assured on different components of the infrastructure? (Appendix D, Build and Maintain a Secure Network Bullet 7, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Who has physical access to data centers and systems? (Appendix D, Implement Strong Access Control Measures Bullet 13, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • How would a breach at one client impact other clients on the same infrastructure? (Appendix D, Maintain an Information Security Policy Bullet 7 Sub-bullet 4, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • What happens to client data in the event of a breach to CSP systems? (Appendix D, Maintain an Information Security Policy Bullet 8, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Where are the “known” data storage locations? Where are data centers located? (Appendix D, Protect Cardholder Data Bullet 1, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Where are encryption/decryption processes being performed? Who controls each process? (Appendix D, Protect Cardholder Data Bullet 8, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • What is the process for each layer of the cloud service—e.g., physical network devices, host operating systems, hypervisors, virtualized components (including VMs, virtual network devices), applications, etc.? (Appendix D, Maintain a Vulnerability Management Program Bullet 3 Sub-bullet 1, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Which CSP personnel have ability to access client data? (Appendix D, Implement Strong Access Control Measures Bullet 3, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • What testing are clients allowed to perform on their internet-facing systems? (Appendix D, Regularly Monitor and Test Networks Bullet 11 Sub-bullet 1, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Does the CSP outsource any aspect of the cloud service to other providers (e.g., data storage, security services, etc.)? (Appendix D, Maintain an Information Security Policy Bullet 5, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Does de-provisioning apply across all geographically distributed locations? (Appendix D, Implement Strong Access Control Measures Bullet 7 Sub-bullet 1, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Risk profiling is the presentation of all risks to an asset, together with threats and vulnerabilities and their respective risk scores. Risk profiling enables asset owners to evaluate risks and take necessary risk-mitigation measures. (§ 4.2.2 ¶ 1, Information Supplement: PCI DSS Risk Assessment Guidelines, Version 2.0)
  • Qualitative risk assessment – Qualitative risk assessments categorize risk parameters according to the level of intensity or impact to an asset. The categorization of risk parameters is accomplished by evaluating the risk components using expert judgment, experience, and situational awareness. The… (§ 4.2.2.2 b), Information Supplement: PCI DSS Risk Assessment Guidelines, Version 2.0)
  • Quantitative risk assessment – A quantitative risk assessment assigns numerical values to elements of the risk assessment (usually in monetary terms). This is accomplished by incorporating historical data, financial valuation of assets, and industry trends. Quantitative risk assessments can be re… (§ 4.2.2.2 a), Information Supplement: PCI DSS Risk Assessment Guidelines, Version 2.0)
  • Risk evaluation allows an organization to determine the significance of risks in order to prioritize mitigation efforts. This helps organizations achieve the optimum usage of resources. Risk-measurement techniques used during the evaluation process can be quantitative, qualitative, or a combination … (§ 4.2.2.2 ¶ 1, Information Supplement: PCI DSS Risk Assessment Guidelines, Version 2.0)
  • In addition, it should be noted that a third party may itself be dependent upon other third parties for critical PCI-related services. It may not be necessary or appropriate to extend the risk assessment to the second level of third parties but it is appropriate to know that they exist and may have … (§ 5.1 ¶ 4, Information Supplement: PCI DSS Risk Assessment Guidelines, Version 2.0)
  • This requirement applies only to service providers. (2.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • This testing procedure applies only to Issuers. (3.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • This testing procedure applies only to Issuers. (3.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • This testing procedure applies only to service providers. (3.6 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • This testing procedure applies only to service providers. (8.1.6 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • This requirement applies only to service providers. (8.5.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • This testing procedure applies only to service providers. (8.2.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • This testing procedure applies only to service providers. (8.2.5 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • This testing procedure applies only to service providers. (8.2.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • This testing procedure applies only to service providers. (8.2.3 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • This requirement applies only to service providers. (12.9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • This requirement applies only to service providers. (2.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • This testing procedure applies only to Issuers. (3.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • This testing procedure applies only to Issuers. (3.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • This requirement applies only to service providers. (3.5.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • This testing procedure applies only to service providers. (3.6(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • This testing procedure applies only to service providers. (8.1.6(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • This testing procedure applies only to service providers. (8.2.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • This testing procedure applies only to service providers. (8.2.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • This testing procedure applies only to service providers. (8.2.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • This testing procedure applies only to service providers. (8.2.5(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • This requirement applies only to service providers. (8.5.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • This requirement applies only to service providers. (12.9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • This requirement applies only to service providers. (12.11, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • This requirement applies only to service providers. (12.4.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • This requirement applies only to service providers. (11.3.4.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • This requirement applies only to service providers. (10.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Do visitor badges or other identification expire? (9.4.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Do visitor badges or other identification expire? (9.4.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • The key-management techniques implemented in the HSM conform to ISO 11568 and/or ANSI X9.24. Key-management techniques must support ANSI TR-31 key-derivation methodology or an equivalent methodology for maintaining the TDEA key bundle. (B11, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 2.0)
  • If the HSM is designed to be used for PIN management, the HSM shall meet the PIN-management requirements of ISO 9564. The PIN-encryption technique implemented in the HSM is a technique included in ISO 9564. (B15, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 2.0)
  • Private and secret key entry is performed using accepted techniques according to the table below. (B8, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 2.0)
  • The HSM has the ability to return its unique device ID. (B19, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 2.0)
  • Merchants should only implement mobile payment-acceptance solutions that meet all relevant security requirements. Specific requirements intended to assist merchants in choosing an appropriate solution are provided in Appendix C: Solution Provider Selection Criteria. (¶ 6.1.1, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users, Version 1.1)
  • Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls. (§ 3 Principle 10 Points of Focus: Evaluates a Mix of Control Activity Types, COSO Internal Control - Integrated Framework (2013))
  • The method of communication considers the timing, audience, and nature of the information. (§ 3 Principle 14 Points of Focus: Selects Relevant Method of Communication, COSO Internal Control - Integrated Framework (2013))
  • Information systems capture internal and external sources of data. (§ 3 Principle 13 Points of Focus: Captures Internal and External Sources of Data, COSO Internal Control - Integrated Framework (2013))
  • Information systems process and transform relevant data into information. (§ 3 Principle 13 Points of Focus: Processes Relevant Data into Information, COSO Internal Control - Integrated Framework (2013))
  • All individuals with access to organizational data shall receive appropriate awareness training and regular updates in organizational procedures, processes and policies, relating to their function relative to the organization. (IS-11, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • The organization shall describe the organizational characteristics that are relevant to project plan measurement. (§ 6.3.7.3(a)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • When determining this scope, the organization shall consider — the external and internal issues referred to in 4.1, and — the requirements referred to in 4.2. (§ 4.3.1 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • When planning for the BCMS, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to - ensure the management system can achieve its intended outcome(s), - prevent, or reduce, undesired… (§ 6.1 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • evaluate the effectiveness of these actions (see 9.1). (§ 6.1 ¶ 2 b) 2), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • To achieve its business continuity objectives, the organization shall determine — who will be responsible, — what will be done, — what resources will be required, — when it will be completed, and — how the results will be evaluated. (§ 6.2 ¶ 4, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • These issues shall be taken into account when establishing, implementing and maintaining the organization's BCMS. (§ 4.1 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • buildings, work environment and associated utilities, (§ 8.3.2 ¶ 1 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • facilities, equipment and consumables, (§ 8.3.2 ¶ 1 d), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • information and communication technology (ICT) systems, (§ 8.3.2 ¶ 1 e), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • transportation, (§ 8.3.2 ¶ 1 f), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • people, (§ 8.3.2 ¶ 1 a), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • information and data, (§ 8.3.2 ¶ 1 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • finance, and (§ 8.3.2 ¶ 1 g), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • partners and suppliers. (§ 8.3.2 ¶ 1 h), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The intensional definition is a concise statement of what the concept is. It states the superordinate concept to the concept expressed by the designation and its delimiting characteristics, and it shall be based on the concept relations determined during analysis. (§ 6.3.5 ¶ 2, ISO 704:2009 Terminology work -- Principles and methods)
  • To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. (§ 5.1 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To establish a management framework to initiate and control the implementation and operation of information security within the organization. (§ 6.1 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To ensure the security of teleworking and use of mobile devices. (§ 6.2 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. (§ 7.1 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To ensure that employees and contractors are aware of and fulfill their information security responsibilities. (§ 7.2 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To protect the organization’s interests as part of the process of changing or terminating employment. (§ 7.3 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To identify organizational assets and define appropriate protection responsibilities. (§ 8.1 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To prevent unauthorized disclosure, modification, removal or destruction of information stored on media. (§ 8.3 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To limit access to information and information processing facilities. (§ 9.1 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To ensure authorized user access and to prevent unauthorized access to systems and services. (§ 9.2 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To make users accountable for safeguarding their authentication information. (§ 9.3 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To prevent unauthorized access to systems and applications. (§ 9.4 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. (§ 10.1 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities. (§ 11.1 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations. (§ 11.2 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To ensure correct and secure operations of information processing facilities. (§ 12.1 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To ensure that information and information processing facilities are protected against malware. (§ 12.2 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To protect against loss of data. (§ 12.3 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To record events and generate evidence. (§ 12.4 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To ensure the integrity of operational systems. (§ 12.5 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To prevent exploitation of technical vulnerabilities. (§ 12.6 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To minimise the impact of audit activities on operational systems. (§ 12.7 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To ensure the protection of information in networks and its supporting information processing facilities. (§ 13.1 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To maintain the security of information transferred within an organization and with any external entity. (§ 13.2 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. (§ 14.1 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To ensure that information security is designed and implemented within the development lifecycle of information systems. (§ 14.2 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To ensure protection of the organization’s assets that are accessible by suppliers. (§ 15.1 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To maintain an agreed level of information security and service delivery in line with supplier agreements. (§ 15.2 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. (§ 16.1 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Information security continuity should be embedded in the organization’s business continuity management systems. (§ 17.1 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To ensure availability of information processing facilities. (§ 17.2 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. (§ 18.1 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To ensure that information security is implemented and operated in accordance with the organizational policies and procedures. (§ 18.2 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To ensure that information receives an appropriate level of protection in accordance with its importance to the organization. (§ 8.2 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • To ensure the protection of data used for testing. (§ 14.3 Objective, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Information about the organization should be collected to determine the environment it operates in and its relevance to the information security risk management process. (§ 7.3 ¶ 3, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • Control 9.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. (§ 9.2.2 ¶ 1, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The objective specified in clause 12.4 of ISO/IEC 27002 applies. (§ 12.4 ¶ 1, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Control 12.4.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. (§ 12.4.1 ¶ 1, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Control 12.5.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 12.5.1 ¶ 1, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • (no additional implementation guidance) (§ 15.1.3 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The objective specified in clause 18.2 of ISO/IEC 27002 applies. (§ 18.2 ¶ 1, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Control 18.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 18.2.2 ¶ 1, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • To clarify the relationship regarding shared roles and responsibilities between the cloud service customer and the cloud service provider for information security management. (Annex A: § CLD.6.3 Objective, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The objective specified in ISO/IEC 27002:2013, 5.1 applies. (§ 5.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 5.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. (§ 5.1.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 5.1.2 and the associated implementation guidance specified in ISO/IEC 27002 apply. (§ 5.1.2 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in ISO/IEC 27002:2013, 6.1 applies. (§ 6.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 6.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. (§ 6.1.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 6.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 6.1.2 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 6.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 6.1.3 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 6.1.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 6.1.4 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 6.1.5 and the associated implementation guidance specified in ISO/IEC 27002 apply. (§ 6.1.5 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in, and the contents of, ISO/IEC 27002:2013, 6.2 apply. (§ 6.2 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in, and the contents of, ISO/IEC 27002:2013, 7.1 apply. (§ 7.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in ISO/IEC 27002:2013, 7.2 applies. (§ 7.2 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 7.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 7.2.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 7.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. (§ 7.2.2 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 7.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 7.2.3 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in, and the contents of, ISO/IEC 27002:2013, 7.3 apply. (§ 7.3 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 8 apply. (§ 8 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in, and the contents of, ISO/IEC 27002:2013, 9.1 apply. (§ 9.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in ISO/IEC 27002:2013, 9.2 applies. The following sector-specific guidance also applies to the implementation of all of the controls under this subclause (9.2). (§ 9.2 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 9.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. (§ 9.2.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 9.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 9.2.2 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 9.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 9.2.3 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 9.2.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 9.2.4 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 9.2.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 9.2.5 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 9.2.6 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 9.2.6 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in ISO/IEC 27002:2013, 9.3 applies. (§ 9.3 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 9.3.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. (§ 9.3.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 9.4.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. (§ 9.4.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 9.4.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. (§ 9.4.2 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 9.4.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 9.4.3 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 9.4.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 9.4.4 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 9.4.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 9.4.5 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 10.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. (§ 10.1.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 10.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 10.1.2 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in, and the contents of, ISO/IEC 27002:2013, 11.1 apply. (§ 11.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in ISO/IEC 27002:2013, 11.2 applies. (§ 11.2 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 11.2.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. (§ 11.2.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 11.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 11.2.2 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 11.2.3 and the associated implementation guidance specified in ISO/IEC 27002 apply. (§ 11.2.3 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 11.2.4 and the associated implementation guidance specified in ISO/IEC 27002 apply. (§ 11.2.4 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 11.2.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 11.2.5 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 11.2.6 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 11.2.6 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 11.2.7 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. (§ 11.2.7 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 11.2.8 and the associated implementation guidance specified in ISO/IEC 27002 apply. (§ 11.2.8 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 11.2.9 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 11.2.9 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in ISO/IEC 27002:2013, 12.1 applies. (§ 12.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 12.1.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. (§ 12.1.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 12.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 12.1.2 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 12.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 12.1.3 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 12.1.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. (§ 12.1.4 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in, and the contents of, ISO/IEC 27002:2013, 12.2 apply. (§ 12.2 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in ISO/IEC 27002:2013, 12.3 applies. (§ 12.3 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 12.3.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. (§ 12.3.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • NOTE 1 Individual jurisdictions may impose specific requirements regarding the frequency of backups. Organizations operating in these jurisdictions should ensure that they comply with these requirements. (§ 12.3.1 ¶ 5, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • NOTE 2 Individual jurisdictions may impose specific requirements regarding the frequency of reviews of backup and recovery procedures. Organizations operating in these jurisdictions should ensure that they comply with these requirements. (§ 12.3.1 ¶ 8, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in ISO/IEC 27002:2013, 12.4 applies. (§ 12.4 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 12.4.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. (§ 12.4.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 12.4.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. (§ 12.4.2 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 12.4.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 12.4.3 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 12.4.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 12.4.4 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in, and the contents of, ISO/IEC 27002:2013, 12.5 apply. (§ 12.5 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in, and the contents of, ISO/IEC 27002:2013, 12.6 apply. (§ 12.6 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in, and the contents of, ISO/IEC 27002:2013, 12.7 apply. (§ 12.7 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in ISO/IEC 27002:2013, 13.2 applies. (§ 13.2 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 13.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. (§ 13.2.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 13.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 13.2.2 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 13.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 13.2.3 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 13.2.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 13.2.4 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 14 apply. (§ 14 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 15 apply. (§ 15 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in ISO/IEC 27002:2013, 16.1 applies. The following sector-specific guidance also applies to the implementation of all of the controls under this subclause (16.1). (§ 16.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 16.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. (§ 16.1.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 16.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 16.1.2 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 16.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 16.1.3 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 16.1.4 and the associated implementation guidance specified in ISO/IEC 27002 apply. (§ 16.1.4 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 16.1.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 16.1.5 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 16.1.6 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 16.1.6 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 16.1.7 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 16.1.7 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 17 apply. (§ 17 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in, and the contents of, ISO/IEC 27002:2013, 18.1 apply. (§ 18.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in ISO/IEC 27002:2013, 18.2 applies. (§ 18.2 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 18.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. (§ 18.2.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 18.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 18.2.2 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Control 18.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. (§ 18.2.3 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • For the purposes of secure disposal or re-use, equipment containing storage media that may possibly contain PII should be treated as though it does. (§ 11.2.7 ¶ 3, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The use of sub-contractors to store replicated or backup copies of data being processed is covered by the controls in this International Standard applying to sub-contracted PII processing. Where physical media transfers take place this is also covered by controls in this International Standard. (§ 12.3.1 ¶ 9, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in, and the contents of, ISO/IEC 27002:2013, 13.1 apply. (§ 13.1 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • In the context of the whole cloud computing reference architecture, there may be shared roles in the management of information security incidents and making improvements. There may be a need for the public cloud PII processor to cooperate with the cloud service customer in implementing the controls … (§ 16.1 ¶ 3, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • An information security event should not necessarily trigger such a review. An information security event is one that does not result in actual, or the significant probability of, unauthorized access to PII or to any of the public cloud PII processor’s equipment or facilities storing PII, and may … (§ 16.1.1 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • No additional controls are relevant to this privacy principle. (§ A.3 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Implementation guidance on PII erasure is provided in A.10.11. (§ A.4.1 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • An example of a possible prohibition on disclosure would be a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation. (§ A.5.1 ¶ 5, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • No additional controls are relevant to this privacy principle. (§ A.6 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • No additional controls are relevant to this privacy principle. (§ A.8 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • In some jurisdictions, relevant legislation or regulations may require the public cloud PII processor to directly notify appropriate regulatory authorities (e.g. a PII protection authority) of a data breach involving PII. (§ A.9.1 ¶ 7, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Review of current and historical policies and procedures may be required, e.g. in the cases of customer dispute resolution and investigation by a PII protection authority. A minimum retention period of five years is recommended in the absence of a specific legal or contractual requirement. (§ A.9.2 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • At some point in time, PII may need to be disposed of in some manner. This may involve returning the PII to the cloud service customer, transferring it to another public cloud PII processor or to a PII controller (e.g. as a result of a merger), securely deleting or otherwise destroying it, anonymizi… (§ A.9.3 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Hardcopy material includes material created by printing. (§ A.10.2 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • In some cases, e.g. the exchange of e-mail, the inherent characteristics of public data-transmission network systems might require that some header or traffic data be exposed for effective transmission. (§ A.10.6 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Where multiple service providers are involved in providing service from different service categories of the cloud computing reference architecture, there may be varied or shared roles in implementing this guidance. (§ A.10.6 ¶ 5, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • In the context of the whole cloud computing reference architecture, the cloud service customer may be responsible for some or all aspects of user ID management for cloud service users under its control. (§ A.10.10 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Information security and PII protection obligations relevant to the public cloud PII processor may arise directly from applicable law. Where this is not the case, PII protection obligations relevant to the public cloud PII processor should be covered in the contract. (§ A.10.11 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The use of sub-contractors to store backup copies is covered by this control (see A.7.1). (§ A.10.12 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Upon deletion by a cloud service user of data held in an information system, performance issues may mean that explicit erasure of those data is impractical. This creates the risk that another user may be able to read the data. Such risk should be avoided by specific technical measures. (§ A.10.13 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • No specific guidance is especially appropriate for dealing with all cases in implementing this control. However, as an example, some cloud infrastructure, platforms or applications will return zeroes if a cloud service user attempts to read storage space which has not been overwritten by that user  (§ A.10.13 ¶ 5, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The PII controller’s obligations in this respect may be defined by law, by regulations or by contract. These obligations may include matters where the cloud service customer uses the services of the public cloud PII processor for implementation. For example, this could include the correction or de… (§ A.1.1 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Instructions may be contained in the contract between the public cloud PII processor and the cloud service customer including, e.g. the objective and time frame to be achieved by the service. (§ A.2.1 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Where the PII controller depends on the public cloud PII processor for information or technical measures to facilitate the exercise of PII principals’ rights, the relevant information or technical measures should be specified in the contract. (§ A.1.1 ¶ 5, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • In order to achieve the cloud service customer’s purpose, there may be technical reasons why it is appropriate for a public cloud PII processor to determine the method for processing PII, consistent with the general instructions of the cloud service customer but without the cloud service customer’… (§ A.2.1 ¶ 5, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The public cloud PII processor should provide the cloud service customer with all relevant information, in a timely fashion, to allow the cloud service customer to ensure the public cloud PII processor’s compliance with purpose specification and limitation principles and ensure that no PII is proc… (§ A.2.1 ¶ 6, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Information systems may create temporary files in the normal course of their operation. Such files are specific to the system or application, but may include file system roll-back journals and temporary files associated with the updating of databases and the operation of other application software. … (§ A.4.1 ¶ 5, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • PII processing information systems should implement a periodic check that unused temporary files above a specified age are deleted. (§ A.4.1 ¶ 6, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The public cloud PII processor should provide contractual guarantees that it will reject any requests for PII disclosure that are not legally binding, consult the corresponding cloud service customer where legally permissible before making any PII disclosure and accept any contractually agreed reque… (§ A.5.1 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • PII may be disclosed during the course of normal operations. These disclosures should be recorded (see 12.4.1). Any additional disclosures to third parties, such as those arising from lawful investigations or external audits, should also be recorded. The records should include the source of the disc… (§ A.5.2 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Provisions for the use of sub-contractors to process PII should be transparent in the contract between the public cloud PII processor and the cloud service customer. The contract should specify that sub-contractors may only be commissioned on the basis of a consent that can generally be given by the… (§ A.7.1 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Information disclosed should cover the fact that sub-contracting is used and the names of relevant sub-contractors, but not any business-specific details. The information disclosed should also include the countries in which sub-contractors may process data (see A.11.1) and the means by which sub-con… (§ A.7.1 ¶ 5, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • In the event that a data breach involving PII has occurred, a record should be maintained with a description of the incident, the time period, the consequences of the incident, the name of the reporter, to whom the incident was reported, the steps taken to resolve the incident (including the person … (§ A.9.1 ¶ 5, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Provisions covering the notification of a data breach involving PII should form part of the contract between the public cloud PII processor and the cloud service customer. The contract should specify how the public cloud PII processor will provide the information necessary for the cloud service cust… (§ A.9.1 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • In the event that a data breach involving PII has occurred, the record should also include a description of the data compromised, if known; and if notifications were performed, the steps taken to notify the cloud service customer and/or regulatory agencies. (§ A.9.1 ¶ 6, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The public cloud PII processor should provide the information necessary to allow the cloud service customer to ensure that PII processed under a contract is erased (by the public cloud PII processor and any of its sub-contractors) from wherever they are stored, including for the purposes of backup a… (§ A.9.3 ¶ 5, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The public cloud PII processor should develop and implement a policy in respect of the disposition of PII and should make this policy available to cloud service customer. (§ A.9.3 ¶ 6, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The policy should cover the retention period for PII before its destruction after termination of a contract, to protect the cloud service customer from losing PII through an accidental lapse of the contract. (§ A.9.3 ¶ 7, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • A confidentiality agreement, in whatever form, between the public cloud PII processor, its employees and its agents should ensure that employees and agents do not disclose PII for purposes independent of the instructions of the cloud service customer (see A.2.1). The obligations of the confidentiali… (§ A.10.1 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The log of data restoration efforts should contain: the person responsible, a description of the restored data, and the data that were restored manually. (§ A.10.3 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • A user profile should be maintained for all users whose access is authorized by the public cloud PII processor. The profile of a user comprises the set of data about that user, including user ID, necessary to implement the technical controls providing authorized access to the information system. (§ A.10.9 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The controls in this International Standard, together with the controls in ISO/IEC 27002, are intended as a reference catalogue of measures to assist in entering into an information processing contract in respect of PII. The public cloud PII processor should inform a prospective cloud service custom… (§ A.10.11 ¶ 5, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The public cloud PII processor should be transparent about its capabilities during the process of entering into a contract. However, it is ultimately the cloud service customer’s responsibility to ensure that the measures implemented by the public cloud PII processor meet its obligations. (§ A.10.11 ¶ 6, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The identities of the countries where PII might possibly be stored should be made available to cloud service customers. The identities of the countries arising from the use of sub-contracted PII processing should be included. Where specific contractual agreements apply to the international transfer … (§ A.11.1 ¶ 4, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The objective specified in ISO/IEC 27002:2013, 9.4 applies. (§ 9.4 ¶ 1, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Identify Intensive Care Unit capacity (Pillar 7 Step 1 Action 2, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • The prohibition in a. above applies during the period in which the member or member's firm is engaged to perform any of the services listed above and the period covered by any historical financial statements involved in any such listed services (1.510.001.02, AICPA Code of Professional Conduct, August 31, 2016)
  • Except as stated in the next sentence, a contingent fee is a fee established for the performance of any service pursuant to an arrangement in which no fee will be charged unless a specified finding or result is attained, or in which the amount of the fee is otherwise dependent upon the finding or re… (1.510.001.03, AICPA Code of Professional Conduct, August 31, 2016)
  • Verify the practitioner in charge of the engagement has an understanding of how the organization is enabled by or depends on Information Technology and how Information Systems record and maintain financial information. (Ques. AT411 Item 6, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • In order to develop and adopt appropriate ISSPs, Members may consider several resources available appropriate to their size, sophistication and role in the financial industry. For example, in developing procedures, NFA suggests that Members review the cybersecurity best practices and standards promu… (Information Security Program Bullet 1 Written Program ¶ 2, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Examples of evidence may include, but are not limited to, policy documents; revision history, records of review, or workflow evidence from a document management system that indicate review of each cyber security policy at least once every 15 calendar months; and documented approval by the CIP Senior… (B. M1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • An example of evidence may include, but is not limited to, a dated and approved document from a high level official designating the name of the individual identified as the CIP Senior Manager. (B. M3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • An example of evidence may include, but is not limited to, a dated document, approved by the CIP Senior Manager, listing individuals (by name or title) who are delegated the authority to approve or authorize specifically identified items. (B. M4., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • Evidence shall include each of the documented cyber security plan(s) that collectively include each of the sections in Attachment 1 and additional evidence to demonstrate implementation of the cyber security plan(s). Additional examples of evidence per section are located in Attachment 2. (B. M2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • Do third parties have access to scoped systems and data or processing facilities? (§ C.2, Shared Assessments Standardized Information Gathering Questionnaire - C. Organizational Security, 7.0)
  • Are other tenants using the building that contains scoped systems and data? (§ F.1.2.2, Shared Assessments Standardized Information Gathering Questionnaire - F. Physical and Environmental, 7.0)
  • Is the data center that contains scoped systems and data shared with other tenants? (§ F.2.1, Shared Assessments Standardized Information Gathering Questionnaire - F. Physical and Environmental, 7.0)
  • Does the organization support a web site that has access to scoped systems and data? (§ I.4, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • Does the organization host a web site that has access to scoped systems and data? (§ I.4, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • Does the organization maintain a web site that has access to scoped systems and data? (§ I.4, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • Are cloud computing services furnished? (§ V.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the organization use the software as a service service model for cloud computing? (§ V.1.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the organization use the platform as a service service model for cloud computing? (§ V.1.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the organization use the infrastructure as a service service model for cloud computing? (§ V.1.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • What deployment models does the organization furnish for cloud computing? (§ V.1.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is a private cloud used for cloud computing? (§ V.1.4.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is a public cloud used for cloud computing? (§ V.1.4.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is a community cloud used for cloud computing? (§ V.1.4.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is a hybrid cloud used for cloud computing? (§ V.1.4.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Where is the cloud computing infrastructure hosted? (§ V.1.5, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is a single tenancy datacenter used to host the cloud computing infrastructure? (§ V.1.5.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is a co-location: dedicated server used to host the cloud computing infrastructure? (§ V.1.5.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is a co-location: shared server used to host the cloud computing infrastructure? (§ V.1.5.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is a co-location: dedicated cabinet used to host the cloud computing infrastructure? (§ V.1.5.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is a co-location: shared cabinet used to host the cloud computing infrastructure? (§ V.1.5.5, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is a co-location: dedicated cage used to host the cloud computing infrastructure? (§ V.1.5.6, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is a cloud provider used to host the cloud computing infrastructure? (§ V.1.5.8, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • What legal jurisdiction does the cloud computing data reside in? (§ V.1.6, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the cloud computing data reside in the legal jurisdiction of the United States of America? (§ V.1.6.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the cloud computing data reside in the legal jurisdiction of Canada? (§ V.1.6.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the cloud computing data reside in the legal jurisdiction of Asia? (§ V.1.6.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the cloud computing data reside in the legal jurisdiction of South America? (§ V.1.6.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the cloud computing data reside in the legal jurisdiction of Australia? (§ V.1.6.5, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the cloud computing data reside in the legal jurisdiction of Asia-Pacific? (§ V.1.6.6, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the cloud computing data reside in the legal jurisdiction of Africa? (§ V.1.6.7, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the cloud computing data reside in the legal jurisdiction of Europe (European Union)? (§ V.1.6.8, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the cloud computing data reside in the legal jurisdiction of Europe (non-European Union)? (§ V.1.6.9, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Does the cloud computing data reside in another legal jurisdiction? (§ V.1.6.10, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are the application instances shared with other clients? (§ V.1.8.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are database instances shared with other clients? (§ V.1.9.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are there application self service features or an Internet accessible self-service portal available to clients? (§ V.1.15, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are the following documents available during a client audit? (§ V.1.20, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, do clients have the ability to specify where their data will be stored? (§ V.1.34, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, can a client specify that their data be stored in a data classification zone based on security classification level? (§ V.1.34.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, can a client specify the datacenter to store their data? (§ V.1.34.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, may a client specify which country their data will be stored? (§ V.1.34.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, can a client specify which location based on legal jurisdiction their data be stored? (§ V.1.34.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Are clients allowed to run their own firewall inside their own cloud computing environment? (§ V.1.53.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Are clients allowed to run their own Intrusion Detection System or Intrusion Protection System inside their own cloud computing environment? (§ V.1.53.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Are clients allowed to use their own data integrity monitoring (host based integrity) services inside their own cloud computing environment? (§ V.1.53.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Are clients allowed to use their own anti-virus services inside their own cloud computing environment? (§ V.1.53.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Are clients allowed to run other security services of their own inside their own cloud computing environment? (§ V.1.53.5, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, how many different critical vendors is the live cloud platform running on at any one time? (§ V.1.58, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is there only one critical vendor running on the live cloud platform at any one time? (§ V.1.58.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Are there more than one and less than two critical vendors running on the live cloud platform at any one time? (§ V.1.58.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Are there more than 2 critical vendors running on the live cloud platform at any one time? (§ V.1.58.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • The Act and this part do not prevent educational agencies or institutions from giving students rights in addition to those given to parents. (§ 99.5(b), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Any educational agency or institution; and (§ 99.10(a)(1), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Any State educational agency (SEA) and its components. (§ 99.10(a)(2), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • For the purposes of subpart B of this part, an SEA and its components constitute an educational agency or institution. (§ 99.10(a)(2)(i), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • An SEA and its components are subject to subpart B of this part if the SEA maintains education records on students who are or have been in attendance at any school of an educational agency or institution subject to the Act and this part. (§ 99.10(a)(2)(ii), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • A contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services or functions may be considered a school official under this paragraph provided that the outside party— (§ 99.31(a)(1)(i)(B), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Performs an institutional service or function for which the agency or institution would otherwise use employees; (§ 99.31(a)(1)(i)(B)(1), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Is under the direct control of the agency or institution with respect to the use and maintenance of education records; and (§ 99.31(a)(1)(i)(B)(2), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Is subject to the requirements of §99.33(a) governing the use and redisclosure of personally identifiable information from education records. (§ 99.31(a)(1)(i)(B)(3), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • As used in paragraph (a)(4)(i) of this section, financial aid means a payment of funds provided to an individual (or a payment in kind of tangible or intangible property to the individual) that is conditioned on the individual's attendance at an educational agency or institution. (§ 99.31(a)(4)(ii), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Paragraph (a)(5)(i) of this section does not prevent a State from further limiting the number or type of State or local officials to whom disclosures may be made under that paragraph. (§ 99.31(a)(5)(ii), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Nothing in the Act or this part prevents a State or local educational authority or agency headed by an official listed in paragraph (a)(3) of this section from entering into agreements with organizations conducting studies under paragraph (a)(6)(i) of this section and redisclosing personally identif… (§ 99.31(a)(6)(ii), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • An educational agency or institution or State or local educational authority or Federal agency headed by an official listed in paragraph (a)(3) of this section is not required to initiate a study or agree with or endorse the conclusions or results of the study. (§ 99.31(a)(6)(iv), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • For the purposes of paragraph (a)(6) of this section, the term organization includes, but is not limited to, Federal, State, and local agencies, and independent organizations. (§ 99.31(a)(6)(v), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Paragraph (a)(15) of this section does not supersede any provision of State law that prohibits an institution of postsecondary education from disclosing information. (§ 99.31(a)(15)(ii), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Paragraphs (a) and (b) of this section do not require an educational agency or institution or any other party to disclose education records or information from education records to any party except for parties under paragraph (a)(12) of this section. (§ 99.31(d), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • An educational agency or institution that has not recorded the further disclosures under paragraph (b)(1) of this section; or (§ 99.32(b)(2)(i)(A), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Another State or local educational authority or Federal official or agency listed in §99.31(a)(3). (§ 99.32(b)(2)(i)(B), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • A State or local educational authority or Federal official or agency that records further disclosures of information under paragraph (b)(2)(i) of this section may maintain the record by the student's class, school, district, or other appropriate grouping rather than by the name of the student. (§ 99.32(b)(2)(ii), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Upon request of an educational agency or institution, a State or local educational authority or Federal official or agency listed in §99.31(a)(3) that maintains a record of further disclosures under paragraph (b)(2)(i) of this section must provide a copy of the record of further disclosures to the … (§ 99.32(b)(2)(iii), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The parent or eligible student; (§ 99.32(d)(1), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • A school official under §99.31(a)(1); (§ 99.32(d)(2), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • A party with written consent from the parent or eligible student; (§ 99.32(d)(3), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • A party seeking directory information; or (§ 99.32(d)(4), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • A party seeking or receiving records in accordance with §99.31(a)(9)(ii)(A) through (C). (§ 99.32(d)(5), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Confidential letters and confidential statements of recommendation placed in the student's education records after January 1, 1975, if: (§ 99.12(b)(3), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Those letters and statements are related to the student's: (§ 99.12(b)(3)(ii), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Paragraph (a) of this section does not apply to disclosures under §§99.31(a)(8), (9), (11), (12), (14), (15), and (16), and to information that postsecondary institutions are required to disclose under the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act, 20 U.S.C.… (§ 99.33 (c), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The disclosure is initiated by the parent or eligible student; or (§ 99.34(a)(1)(i), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Identifies and authenticates a particular person as the source of the electronic consent; and (§ 99.30(d)(1), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Indicates such person's approval of the information contained in the electronic consent. (§ 99.30(d)(2), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The Comptroller General of the United States; (§ 99.31(a)(3)(i), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The Attorney General of the United States; (§ 99.31(a)(3)(ii), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The Secretary; or (§ 99.31(a)(3)(iii), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • State and local educational authorities. (§ 99.31(a)(3)(iv), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Determine eligibility for the aid; (§ 99.31(a)(4)(i)(A), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Determine the amount of the aid; (§ 99.31(a)(4)(i)(B), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Determine the conditions for the aid; or (§ 99.31(a)(4)(i)(C), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Enforce the terms and conditions of the aid. (§ 99.31(a)(4)(i)(D), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • When a student becomes an eligible student, the rights accorded to, and consent required of, parents under this part transfer from the parents to the student. (§ 99.5(a)(1), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The record code is used for no purpose other than identifying a de-identified record for purposes of education research and cannot be used to ascertain personally identifiable information about a student; and (§ 99.31(b)(2)(ii), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The record code is not based on a student's social security number or other personal information. (§ 99.31(b)(2)(iii), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The parent or eligible student. (§ 99.32(c)(1), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The school official or his or her assistants who are responsible for the custody of the records. (§ 99.32(c)(2), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Those parties authorized in §99.31(a) (1) and (3) for the purposes of auditing the recordkeeping procedures of the educational agency or institution. (§ 99.32(c)(3), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • A waiver under paragraph (b)(3)(i) of this section may be revoked with respect to any actions occurring after the revocation. (§ 99.12(c)(3)(i), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • A revocation under paragraph (c)(3)(i) of this section must be in writing. (§ 99.12(c)(3)(ii), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The disclosures meet the requirements of §99.31; and (§ 99.33(b)(1)(i), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The educational agency or institution has complied with the requirements of §99.32(b); or (§ 99.33(b)(1)(ii)(A), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • A State or local educational authority or Federal official or agency listed in §99.31(a)(3) has complied with the requirements of §99.32(b)(2). (§ 99.33(b)(1)(ii)(B), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The State or local educational authority or agency headed by an official listed in §99.31(a)(3) is responsible for using reasonable methods to ensure to the greatest extent practicable that any entity or individual designated as its authorized representative— (§ 99.35(a)(2), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The parent or eligible student has given written consent for the disclosure under §99.30; or (§ 99.35(c)(1), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The collection of personally identifiable information is specifically authorized by Federal law. (§ 99.35(c)(2), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • In its public notice to parents and eligible students in attendance at the agency or institution that is described in paragraph (a) of this section, an educational agency or institution may specify that disclosure of directory information will be limited to specific parties, for specific purposes, o… (§ 99.37(d), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The Office investigates a timely complaint filed by a parent or eligible student, or conducts its own investigation when no complaint has been filed or a complaint has been withdrawn, to determine whether an educational agency or institution or other recipient of Department funds under any program a… (§ 99.64(b), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • A timely complaint is defined as an allegation of a violation of the Act that is submitted to the Office within 180 days of the date of the alleged violation or of the date that the complainant knew or reasonably should have known of the alleged violation. (§ 99.64(c), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The Office may extend the time limit in this section for good cause shown. (§ 99.64(d), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The Office may require an educational agency or institution, other recipient of Department funds under any program administered by the Secretary to which personally identifiable information from education records is non-consensually disclosed, or any third party outside of an educational agency or i… (§ 99.62 ¶ 1, 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The disclosure meets the requirements of paragraph (a) of this section. (§ 99.34(b)(2), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • A complaint must contain specific allegations of fact giving reasonable cause to believe that a violation of the Act or this part has occurred. A complaint does not have to allege that a violation is based on a policy or practice of the educational agency or institution, other recipient of Departmen… (§ 99.64(a), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The educational agency or institution does not require the waiver as a condition for admission to or receipt of a service or benefit from the agency or institution; and (§ 99.12(c)(1)(i), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The waiver is made in writing and signed by the student, regardless of age. (§ 99.12(c)(1)(ii), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • This section applies only to disciplinary proceedings in which the final results were reached on or after October 7, 1998. (§ 99.31(a)(14)(iii), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Given U.S. constitutional protections for freedom of the press and the Directive's exemption for journalistic material, where the rights of a free press embodied in the First Amendment of the U.S. Constitution intersect with privacy protection interests, the First Amendment must govern the balancing… (§ III.2.a., EU-U.S. Privacy Shield Framework Principles)
  • Privacy Shield benefits are assured from the date on which the Department has placed the organization's self-certification submission on the Privacy Shield List after having determined that the submission is complete. (§ III.6.a., EU-U.S. Privacy Shield Framework Principles)
  • The Privacy Shield Principles are relevant only when individually identified records are transferred or accessed. Statistical reporting relying on aggregate employment data and containing no personal data or the use of anonymized data does not raise privacy concerns. (§ III.9.a.ii., EU-U.S. Privacy Shield Framework Principles)
  • The FTC has committed to reviewing on a priority basis referrals alleging non-compliance with the Principles received from: (i) privacy self-regulatory organizations and other independent dispute resolution bodies; (ii) EU Member States; and (iii) the Department, to determine whether Section 5 of th… (§ III.11.f.ii., EU-U.S. Privacy Shield Framework Principles)
  • Where an organization is found to have intentionally made personal information public in contravention of the Principles so that it or others may benefit from these exceptions, it will cease to qualify for the benefits of the Privacy Shield. (§ III.15.c., EU-U.S. Privacy Shield Framework Principles)
  • The information provided by the Privacy Shield organizations in these reports together with information that has been released by the intelligence community, along with other information, can be used to inform the annual joint review of the functioning of the Privacy Shield in accordance with the Pr… (§ III.16.b., EU-U.S. Privacy Shield Framework Principles)
  • The activities of auditors and investment bankers may involve processing personal data without the consent or knowledge of the individual. This is permitted by the Notice, Choice, and Access Principles under the circumstances described below. (§ III.4.a., EU-U.S. Privacy Shield Framework Principles)
  • Because adequate protection is provided by Privacy Shield participants, contracts with Privacy Shield participants for mere processing do not require prior authorization (or such authorization will be granted automatically by the EU Member States), as would be required for contracts with recipients … (§ III.10.a.iii., EU-U.S. Privacy Shield Framework Principles)
  • The Department will remove an organization from the Privacy Shield List in response to any notification it receives of persistent failure to comply, whether it is received from the organization itself, from a privacy self-regulatory body or another independent dispute resolution body, or from a gove… (§ III.11.g.iii., EU-U.S. Privacy Shield Framework Principles)
  • Determine the need to proceed to Tier II objectives and procedures for additional validation to support conclusions related to any of the Tier I objectives and procedures. (TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:1 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Are appropriately implemented and enforced. (App A Objective 6.1.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • As part of management's process to secure the operating system and all system components, determine whether management does the following: (App A Objective 6.21, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • If the institution outsources cloud computing or storage to a third-party service provider, refer to the FFIEC's "Outsourced Cloud Computing" statement. (App A Objective 6.32, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • If the institution outsources the management of security services to a third-party service provider, refer to the information available in appendix D of the IT Handbook's "Outsourcing Technology Services" booklet and the related examination procedures. (App A Objective 6.33, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Using results from the review of the IT audit function, including any necessary Tier II procedures: (TIER I OBJECTIVES AND PROCEDURES OBJECTIVE 14:3, FFIEC IT Examination Handbook - Audit, April 2012)
  • Adequacy and timing of corrective action; (TIER I OBJECTIVES AND PROCEDURES Objective 1:3. Bullet 1, FFIEC IT Examination Handbook - Audit, April 2012)
  • Regulatory, audit, and security reports from key service providers; (TIER I OBJECTIVES AND PROCEDURES Objective 1:1. Bullet 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • Audit information and summary packages submitted to the board or its audit committee; (TIER I OBJECTIVES AND PROCEDURES Objective 1:1. Bullet 4, FFIEC IT Examination Handbook - Audit, April 2012)
  • Institution's risk assessment, (TIER I OBJECTIVES AND PROCEDURES Objective 7:1. Bullet 1, FFIEC IT Examination Handbook - Audit, April 2012)
  • Products or services delivered to either internal or external users, (TIER I OBJECTIVES AND PROCEDURES Objective 7:1. Bullet 2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Loss or addition of key personnel, and (TIER I OBJECTIVES AND PROCEDURES Objective 7:1. Bullet 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • Technology service providers and software vendor listings. (TIER I OBJECTIVES AND PROCEDURES Objective 7:1. Bullet 4, FFIEC IT Examination Handbook - Audit, April 2012)
  • Regulatory reports of examination; (TIER I OBJECTIVES AND PROCEDURES Objective 1:1. Bullet 1, FFIEC IT Examination Handbook - Audit, April 2012)
  • Internal and external audit reports, including correspondence/communication between the institution and auditors; (TIER I OBJECTIVES AND PROCEDURES Objective 1:1. Bullet 2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Audit plans and scopes, including any external audit or internal audit outsourcing engagement letters; and (TIER I OBJECTIVES AND PROCEDURES Objective 1:1. Bullet 5, FFIEC IT Examination Handbook - Audit, April 2012)
  • Institution's overall risk assessment. (TIER I OBJECTIVES AND PROCEDURES Objective 1:1. Bullet 6, FFIEC IT Examination Handbook - Audit, April 2012)
  • Resolution of root causes rather than just specific issues; and (TIER I OBJECTIVES AND PROCEDURES Objective 1:3. Bullet 2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Existence of any outstanding issues. (TIER I OBJECTIVES AND PROCEDURES Objective 1:3. Bullet 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • IT audit policies, procedures, and processes. (TIER I OBJECTIVES AND PROCEDURES Objective 1:4. Bullet 2, FFIEC IT Examination Handbook - Audit, April 2012)
  • IT audit personnel qualifications and compare them to the job descriptions; (TIER I OBJECTIVES AND PROCEDURES Objective 4:1. Bullet 1, FFIEC IT Examination Handbook - Audit, April 2012)
  • Whether staff competency is commensurate with the technology in use at the institution; and (TIER I OBJECTIVES AND PROCEDURES Objective 4:1. Bullet 2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Trends in IT audit staffing to identify any negative trends in the adequacy of staffing. (TIER I OBJECTIVES AND PROCEDURES Objective 4:1. Bullet 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • Review the most recent IT internal and external audit reports in order to determine: (TIER I OBJECTIVES AND PROCEDURES Objective 1:2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Outsourcing contracts and engagement letters, (TIER I OBJECTIVES AND PROCEDURES OBJECTIVE 11:1. Bullet 1, FFIEC IT Examination Handbook - Audit, April 2012)
  • Outsourced internal audit reports, and (TIER I OBJECTIVES AND PROCEDURES OBJECTIVE 11:1. Bullet 2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Policies on outsourced audit. (TIER I OBJECTIVES AND PROCEDURES OBJECTIVE 11:1. Bullet 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • Audit staff and IT qualifications, and (TIER I OBJECTIVES AND PROCEDURES Objective 1:4. Bullet 1, FFIEC IT Examination Handbook - Audit, April 2012)
  • Suggest either the examiners or the institution perform additional verification procedures where warranted. (TIER I OBJECTIVES AND PROCEDURES OBJECTIVE 14:2. Bullet 2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Review preliminary examination conclusions with the examiner-in-charge (EIC) regarding: (TIER I OBJECTIVES AND PROCEDURES OBJECTIVE 14:4, FFIEC IT Examination Handbook - Audit, April 2012)
  • Discuss corrective actions and communicate findings. (TIER I OBJECTIVES AND PROCEDURES OBJECTIVE 14, FFIEC IT Examination Handbook - Audit, April 2012)
  • Determine the need to perform Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives. (TIER I OBJECTIVES AND PROCEDURES OBJECTIVE 14:1, FFIEC IT Examination Handbook - Audit, April 2012)
  • Prior examination work papers, including any documentation obtained through ongoing supervision. (App A Tier 1 Objectives and Procedures Objective 2:1 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Audit reports and other required reporting addressing business continuity, security, and other facets of the outsourcing relationship. (App A Tier 2 Objectives and Procedures O.6 Bullet 5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether financial institution management assessed the availability, coverage, and suitability of insurance related to RDC. If coverage has been obtained, describe. (App A Tier 2 Objectives and Procedures N.6 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Does the Credit Union accept applications via the website? (IT - Web Site Review Q 10, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • While these are the primary focus areas for the Cybersecurity Examination Initiative, examiners may select additional areas based on risks identified during the course of the examinations. As part of OCIE’s efforts to promote compliance and to share with the industry where it sees cybersecurity-re… (§ II. ¶ 2, OCIE’s 2015 Cybersecurity Examination Initiative, Volume IV, Issue 8)
  • In light of recent cybersecurity breaches and continuing cybersecurity threats against financial services firms, the Cybersecurity Examination Initiative is designed to build on OCIE’s previous examinations in this area and further assess cybersecurity preparedness in the securities industry, incl… (§ II. ¶ 1, OCIE’s 2015 Cybersecurity Examination Initiative, Volume IV, Issue 8)
  • The Division has identified the cybersecurity of registered investment companies (“funds”) and registered investment advisers (“advisers”) as an important issue. Both funds and advisers increasingly use technology to conduct their business activities and need to protect confidential and sens… (CYBERSECURITY GUIDANCE ¶ 1, IM Guidance Update: Cybersecurity Guidance, No. 2015-02)
  • Cyber attacks on a wide range of financial services firms highlight the need for firms to review their cybersecurity measures. Discussions concerning cybersecurity with fund boards and senior management at advisers during the course of the Division’s senior level engagement and monitoring efforts … (CYBERSECURITY GUIDANCE ¶ 2, IM Guidance Update: Cybersecurity Guidance, No. 2015-02)
  • The state legislature determines that security system breach notification is a matter of statewide concern. The power to regulate security breach notification is preempted by this state and this section shall supersede and preempt all municipal and county laws, charters, ordinances and rules relatin… (¶ 18-545.I, Arizona Revised Statutes Title 18, Chapter 5, Article 3, Section 18-545, Notification of breach of security system; enforcement; civil penalty; preemption; exceptions; definitions)
  • A person subject to title V of the Gramm-Leach-Bliley act (P.L. 106-102; 113 Stat. 1338; 15 United States Code sections 6801 through 6809). (¶ 18-545.J.1, Arizona Revised Statutes Title 18, Chapter 5, Article 3, Section 18-545, Notification of breach of security system; enforcement; civil penalty; preemption; exceptions; definitions)
  • Covered entities and business associates as defined under regulations implementing the health insurance portability and accountability act of 1996, 45 Code of Federal Regulations section 160.103 (2003). (¶ 18-545.J.2, Arizona Revised Statutes Title 18, Chapter 5, Article 3, Section 18-545, Notification of breach of security system; enforcement; civil penalty; preemption; exceptions; definitions)
  • The department of public safety, a county sheriff's department, a municipal police department, a prosecution agency and a court shall create and maintain an information security policy that includes notification procedures for a breach of the security system of the department of public safety, the c… (¶ 18-545.K, Arizona Revised Statutes Title 18, Chapter 5, Article 3, Section 18-545, Notification of breach of security system; enforcement; civil penalty; preemption; exceptions; definitions)
  • The text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point type. (§ 1798.29(d)(1)(C), California Civil Code Section 1798.29)
  • For a written notice described in paragraph (1) of subdivision (i), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance w… (§ 1798.29(d)(1)(D), California Civil Code Section 1798.29)
  • For an electronic notice described in paragraph (2) of subdivision (i), use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision. (§ 1798.29(d)(1)(E), California Civil Code Section 1798.29)
  • The format of the notice shall be designed to call attention to the nature and significance of the information it contains. (§ 1798.29(d)(1)(A), California Civil Code Section 1798.29)
  • The title and headings in the notice shall be clearly and conspicuously displayed. (§ 1798.29(d)(1)(B), California Civil Code Section 1798.29)
  • Notwithstanding subdivision (i), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notificatio… (§ 1798.29(j), California Civil Code Section 1798.29)
  • All copies of data constituting confidential information of any type, including, but not limited to, any modifications or additions to data that contain confidential information, are subject to the provisions of this section in the same manner as the original data. (¶ 4e-70(d), Connecticut General Statutes, Title 4e, Chapter 62a, Section 4e-70, Requirements for state contractors who receive confidential information)
  • The Attorney General may investigate any violation of this section. If the Attorney General finds that a contractor has violated or is violating any provision of this section, the Attorney General may bring a civil action in the superior court for the judicial district of Hartford under this section… (¶ 4e-70(g), Connecticut General Statutes, Title 4e, Chapter 62a, Section 4e-70, Requirements for state contractors who receive confidential information)
  • If the confidential information or personally identifiable information, as defined in 34 CFR 99.3, that has been subject to a confidential information breach consists of education records, the contractor may be subject to a five-year ban from receiving access to such information imposed by the State… (¶ 4e-70(h), Connecticut General Statutes, Title 4e, Chapter 62a, Section 4e-70, Requirements for state contractors who receive confidential information)
  • The requirements of this section shall be in addition to the requirements of section 36a-701b, and nothing in this section shall be construed to supersede a contractor's obligations pursuant to the Health Insurance Portability and Accountability Act of 1996 P.L. 104-191 (HIPAA), the Family Education… (¶ 4e-70(i), Connecticut General Statutes, Title 4e, Chapter 62a, Section 4e-70, Requirements for state contractors who receive confidential information)
  • Immediately cease all use of the data provided by the state contracting agency or developed internally by the contractor pursuant to a written agreement with the state if so directed by the state contracting agency; and (¶ 4e-70(b)(7), Connecticut General Statutes, Title 4e, Chapter 62a, Section 4e-70, Requirements for state contractors who receive confidential information)
  • The civil penalties for failure to notify provided in this paragraph apply per breach and not per individual affected by the breach. (¶ 501.171(9)(b) § 2, Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • A covered entity may provide the department with supplemental information regarding a breach at any time. (¶ 501.171(3)(d), Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • ANNUAL REPORT.—By February 1 of each year, the department shall submit a report to the President of the Senate and the Speaker of the House of Representatives describing the nature of any reported breaches of security by governmental entities or third-party agents of governmental entities in the p… (¶ 501.171(7), Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • NO PRIVATE CAUSE OF ACTION.—This section does not establish a private cause of action. (¶ 501.171(10), Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • An agent may provide notice as required under subsections (3) and (4) on behalf of the covered entity; however, an agent's failure to provide proper notice shall be deemed a violation of this section against the covered entity. (¶ 501.171(6)(b), Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • A violation of this section shall be treated as an unfair or deceptive trade practice in any action brought by the department under s. 501.207 against a covered entity or third-party agent. (¶ 501.171(9)(a), Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • In the amount of $1,000 for each day up to the first 30 days following any violation of subsection (3) or subsection (4) and, thereafter, $50,000 for each subsequent 30-day period or portion thereof for up to 180 days. (¶ 501.171(9)(b)1, Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • If the violation continues for more than 180 days, in an amount not to exceed $500,000. (¶ 501.171(9)(b)2, Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • All penalties collected pursuant to this subsection shall be deposited into the General Revenue Fund. (¶ 501.171(9)(c), Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • All information received by the department pursuant to a notification required by this section, or received by the department pursuant to an investigation by the department or a law enforcement agency, is confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution, until… (¶ 501.171(11)(a), Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • In the furtherance of its official duties and responsibilities; (¶ 501.171(11)(b)1, Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • For print, publication, or broadcast if the department determines that such release would assist in notifying the public or locating or identifying a person that the department believes to be a victim of a data breach or improper disposal of customer records, except that information made confidentia… (¶ 501.171(11)(b)2, Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • To another governmental entity in the furtherance of its official duties and responsibilities. (¶ 501.171(11)(b)3, Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • All information to which another public records exemption applies. (¶ 501.171(11)(c)1, Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • Personal information. (¶ 501.171(11)(c)2, Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • A computer forensic report. (¶ 501.171(11)(c)3, Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • Information that would otherwise reveal weaknesses in a covered entity's data security. (¶ 501.171(11)(c)4, Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • Information that would disclose a covered entity's proprietary information. (¶ 501.171(11)(c)5, Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • This subsection is subject to the Open Government Sunset Review Act in accordance with s. 119.15 and shall stand repealed on October 2, 2019, unless reviewed and saved from repeal through reenactment by the Legislature. (¶ 501.171(11)(e), Florida Statutes, Title XXXII, Chapter 501, Section 501.171, Security of confidential personal information)
  • A violation of this Code section constitutes an unfair or deceptive practice in consumer transactions within the meaning of Part 2 of Article 15 of Chapter 1 of Title 10, the "Fair Business Practices Act of 1975." (¶ 46-5-214(d), Georgia Code Title 46, Chapter 5, Article 6, Section 46-5-214, Action in event of telephone record security breach; notification to Georgia residents; law enforcement exception; violations shall be unfair or deceptive practice in consumer transactions)
  • The provisions of this section and the requirements for nonaffiliated third parties in KRS Chapter 61 shall not apply to any person who is subject to the provisions of Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, as amended, or the federal Health Insurance Portability and Acco… (¶ 365.732(8), Kentucky Revised Statutes, Title XXIX, Chapter 365, Section .732, Notification to affected persons of computer security breach involving their unencrypted personally identifiable information)
  • available technology. (¶ 10-1303 § 1(4), Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • the sensitivity of the records; (¶ 10-1301 § 1(1), Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • the nature of the unit and its operations; (¶ 10-1303 § 1(2), Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • the costs and benefits of different destruction methods; and (¶ 10-1303 § 1(3), Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • is publicly available information that is lawfully made available to the general public from federal, State, or local government records; (¶ 10-1302(a)(1), Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • an individual has consented to have publicly disseminated or listed; (¶ 10-1302(a)(2), Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • except for a medical record that a person is prohibited from redisclosing under § 4-302(d) of the Health - General Article, is disclosed in accordance with the federal Health Insurance Portability and Accountability Act; or (¶ 10-1302(a)(3), Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • is disclosed in accordance with the federal Family Educational Rights and Privacy Act. (¶ 10-1302(a)(4), Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • Branch of State government. -- This subtitle does not apply to the Legislative or Judicial Branch of State government. (¶ 10-1302(b), Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • This subsection shall apply to a written contract or agreement that is entered into on or after July 1, 2014. (¶ 10-1304(b)(1), Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • Waiver deemed void and unenforceable. -- A waiver of any provision of this section is contrary to public policy and is void and unenforceable. (¶ 10-1305(i), Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • Compliance does not relieve unit from duties under federal law. -- Compliance with this section does not relieve a unit from a duty to comply with any other requirements of federal law relating to the protection and privacy of personal information. (¶ 10-1305(j), Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • The provisions of this subtitle are exclusive and shall preempt any provision of local law. (¶ 10-1306 § 1, Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • Names and other information not required. -- This section does not require the inclusion of the names or other personal identifying information of recipients of notices of the breach of the security of a system. (¶ 10-1307(b), Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • are appropriate to the nature of the personal information disclosed to the nonaffiliated third party; and (¶ 10-1304(b)(2)(i), Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • are reasonably designed to help protect the personal information from unauthorized access, use, modification, disclosure, or destruction. (¶ 10-1304(b)(2)(ii), Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • the Federal Trade Commission; and (¶ 10-1305(g)(4)(i)1, Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • the Office of the Attorney General; and (¶ 10-1305(g)(4)(i)2, Code of Maryland State Government, Title 10, Subtitle 13, Sections 10-1301 to 10-1308)
  • Except as provided in subsection (4), each state agency that is created after October 1, 2015, shall complete the requirements of this section within 1 year of its creation. (¶ 2-6-1502(3), Montana Code Annotated Title 2., Chapter 6., Part 15., Sections 2-6-1501 to 1503)
  • The chief information officer provided for in 2-17-511 may grant an extension to any state agency subject to the provisions of the Montana Information Technology Act provided for in Title 2, chapter 17, part 5. The chief information officer shall inform the information technology board, the office o… (¶ 2-6-1502(4), Montana Code Annotated Title 2., Chapter 6., Part 15., Sections 2-6-1501 to 1503)
  • The notification must be made without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection (3) or with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. (¶ 2-6-1503(1)(b), Montana Code Annotated Title 2., Chapter 6., Part 15., Sections 2-6-1501 to 1503)
  • make reasonable efforts upon discovery or notification of a breach to notify any person whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person as part of the breach. This notification must be provided in the same manner as the notification requi… (¶ 2-6-1503(2)(a)(ii), Montana Code Annotated Title 2., Chapter 6., Part 15., Sections 2-6-1501 to 1503)
  • A state agency notified of a breach by a third party has no independent duty to provide notification of the breach if the third party has provided notification of the breach in the manner required by subsection (2)(a) but shall provide notification if the third party fails to do so in a reasonable t… (¶ 2-6-1503(2)(b), Montana Code Annotated Title 2., Chapter 6., Part 15., Sections 2-6-1501 to 1503)
  • Any licensee or insurance-support organization that is required to issue a notification pursuant to this section shall simultaneously submit an electronic copy of the notification and a statement providing the date and method of distribution of the notification to the commissioner, excluding any inf… (¶ 33-19-321(5), Montana Code Annotated Title 33, Chapter 19, Part 3, Section 33-19-321)
  • EXEMPTIONS.--The provisions of the Data Breach Notification Act shall not apply to a person subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996. (¶ 8, New Mexico House Bill 15, Data Breach Notification Act)
  • When the attorney general has a reasonable belief that a violation of the Data Breach Notification Act has occurred, the attorney general may bring an action on the behalf of individuals and in the name of the state alleging a violation of that act. (¶ 11.A, New Mexico House Bill 15, Data Breach Notification Act)
  • STATE OF NEW MEXICO AND POLITICAL SUBDIVISIONS EXEMPTED.--Nothing in the Data Breach Notification Act shall be interpreted to apply to the state of New Mexico or any of its political subdivisions. (¶ 12, New Mexico House Bill 15, Data Breach Notification Act)
  • issue an injunction; and (¶ 11.C(1), New Mexico House Bill 15, Data Breach Notification Act)
  • award damages for actual costs or losses, including consequential financial losses. (¶ 11.C(2), New Mexico House Bill 15, Data Breach Notification Act)
  • The office shall adopt rules and regulations in conformity with the provisions of this article, and specify a model internet privacy policy for state agencies that maintain state agency websites. Such model privacy policy shall include, but not be limited to, the following elements: (§ 203.1, New York State Technology Law, Article 2 Internet Security and Privacy Act)
  • Construction. Nothing in this article shall abridge public access to information available or permitted by any other provision or rule of law, including without limitation article six of the public officers law. Nothing in this article shall authorize the collection or disclosure of information the … (§ 207, New York State Technology Law, Article 2 Internet Security and Privacy Act)
  • "Breach of the security of the system" shall mean unauthorized acquisition or acquisition without valid authorization of computerized data which compromises the security, confidentiality, or integrity of personal information maintained by a state entity. Good faith acquisition of personal informatio… (§ 208.1(b), New York State Technology Law, Article 2 Internet Security and Privacy Act)
  • "State entity" shall mean any state board, bureau, division, committee, commission, council, department, public authority, public benefit corporation, office or other governmental entity performing a governmental or proprietary function for the state of New York, except: (§ 208.1(c), New York State Technology Law, Article 2 Internet Security and Privacy Act)
  • the judiciary; and (§ 208.1(c)(1), New York State Technology Law, Article 2 Internet Security and Privacy Act)
  • all cities, counties, municipalities, villages, towns, and other local agencies. (§ 208.1(c)(2), New York State Technology Law, Article 2 Internet Security and Privacy Act)
  • "Private information" shall mean personal information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been acquired: (§ 208.1(a), New York State Technology Law, Article 2 Internet Security and Privacy Act)
  • indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information; or (§ 208.1(b)(1), New York State Technology Law, Article 2 Internet Security and Privacy Act)
  • indications that the information has been downloaded or copied; or (§ 208.1(b)(2), New York State Technology Law, Article 2 Internet Security and Privacy Act)
  • indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported. (§ 208.1(b)(3), New York State Technology Law, Article 2 Internet Security and Privacy Act)
  • "Consumer reporting agency" shall mean any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consume… (§ 208.1(d), New York State Technology Law, Article 2 Internet Security and Privacy Act)
  • The model internet privacy policy specified by the office shall also be made available at no charge to other public and private entities. (§ 203.3, New York State Technology Law, Article 2 Internet Security and Privacy Act)
  • "Agency of a political subdivision" has the same meaning as in section 1347.12 of the Revised Code. (§ 1349.191(A)(1), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.191 Investigation of noncompliance with disclosure laws.)
  • "Business" has the same meaning as in section 1349.19 of the Revised Code. (§ 1349.191(A)(2), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.191 Investigation of noncompliance with disclosure laws.)
  • "State agency" has the same meaning as in section 1.60 of the Revised Code. (§ 1349.191(A)(3), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.191 Investigation of noncompliance with disclosure laws.)
  • In any investigation conducted pursuant to this section, the attorney general may administer oaths, subpoena witnesses, adduce evidence, and subpoena the production of any book, document, record, or other relevant matter. (§ 1349.191(C), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.191 Investigation of noncompliance with disclosure laws.)
  • The attorney general may conduct an investigation if the attorney general, based on complaints or the attorney general's own inquiries, has reason to believe that a state agency or an agency of a political subdivision has failed or is failing to comply with section 1347.12 of the Revised Code or tha… (§ 1349.191(B), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.191 Investigation of noncompliance with disclosure laws.)
  • If the attorney general under division (C) of this section subpoenas the production of any relevant matter that is located outside this state, the attorney general may designate a representative, including an official of the state in which that relevant matter is located, to inspect the relevant mat… (§ 1349.191(D)(1), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.191 Investigation of noncompliance with disclosure laws.)
  • Compels the requested discovery; (§ 1349.191(F)(1), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.191 Investigation of noncompliance with disclosure laws.)
  • Adjudges the person in contempt of court; (§ 1349.191(F)(2), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.191 Investigation of noncompliance with disclosure laws.)
  • Grants injunctive relief to restrain the person from failing to comply with section 1347.12 or 1349.19 of the Revised Code, whichever is applicable; (§ 1349.191(F)(3), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.191 Investigation of noncompliance with disclosure laws.)
  • Grants injunctive relief to preserve or restore the status quo; (§ 1349.191(F)(4), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.191 Investigation of noncompliance with disclosure laws.)
  • Grants other relief that may be required until the person obeys the subpoena. (§ 1349.191(F)(5), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.191 Investigation of noncompliance with disclosure laws.)
  • Any person who is subpoenaed as a witness or to produce relevant matter pursuant to division (C) of this section may file in the court of common pleas of Franklin county, the county in this state in which the person resides, or the county in this state in which the person's principal place of busine… (§ 1349.191(E), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.191 Investigation of noncompliance with disclosure laws.)
  • Any person who is subpoenaed as a witness or to produce relevant matter pursuant to division (C) of this section shall comply with the terms of the subpoena unless the court orders otherwise prior to the date specified for the return of the subpoena or, if applicable, that date as extended. If a per… (§ 1349.191(F), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.191 Investigation of noncompliance with disclosure laws.)
  • Any civil penalty that is assessed under division (A)(1) of this section shall be deposited into the consumer protection enforcement fund created by section 1345.51 of the Revised Code. (§ 1349.192(A)(2), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.192 Civil action by attorney general for violation of disclosure laws.)
  • If the defendant in the civil action is a state agency, an agency of a political subdivision, or a person that is a business entity, whether or not the high managerial officer, agent, or employee of the agency or business entity having supervisory responsibility for compliance with section 1347.12 o… (§ 1349.192(A)(3)(a), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.192 Civil action by attorney general for violation of disclosure laws.)
  • Any state agency or agency of a political subdivision that is found by the court to have failed to comply with section 1347.12 of the Revised Code or any person that is found by the court to have failed to comply with section 1349.19 of the Revised Code shall be liable to the attorney general for th… (§ 1349.192(B), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.192 Civil action by attorney general for violation of disclosure laws.)
  • The rights and remedies that are provided under this section are in addition to any other rights or remedies that are provided by law. (§ 1349.192(C), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.192 Civil action by attorney general for violation of disclosure laws.)
  • If the defendant in the civil action is a person other than a business entity, whether or not the person acted in bad faith in failing to comply with section 1349.19 of the Revised Code. (§ 1349.192(A)(3)(b), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.192 Civil action by attorney general for violation of disclosure laws.)
  • The attorney general shall have the exclusive authority to bring a civil action in a court of common pleas for appropriate relief under this section, including a temporary restraining order, preliminary or permanent injunction, and civil penalties, if it appears that a state agency or an agency of a… (§ 1349.192(A)(1), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.192 Civil action by attorney general for violation of disclosure laws.)
  • The comptroller of the treasury, in consultation with the state agencies, shall have the authority to establish guidelines for such reports. (§ 8-4-119(b), Tennessee Code Annotated Title 8, Chapter 4, Part 1, Section 8-4-119 Report to comptroller of treasury of government fraud.)
  • As used in this section "state agency" means each state board, commission, committee, department, office, or any other unit of state government. (§ 8-4-119(e), Tennessee Code Annotated Title 8, Chapter 4, Part 1, Section 8-4-119 Report to comptroller of treasury of government fraud.)
  • The information received pursuant to this section shall be confidential working papers of the comptroller of the treasury, and therefore, shall not be an open record pursuant to title 10, chapter 7. (§ 8-4-119(d), Tennessee Code Annotated Title 8, Chapter 4, Part 1, Section 8-4-119 Report to comptroller of treasury of government fraud.)
  • "Reasonable amount of time" means any amount of time that is reasonable under the particular circumstances, but shall not under any circumstances exceed five (5) working days. (§ 8-4-119(c)(2)(C), Tennessee Code Annotated Title 8, Chapter 4, Part 1, Section 8-4-119 Report to comptroller of treasury of government fraud.)
  • "Breach" does not include individual occurrences of malware or spyware; (§ 8-4-119(c)(2)(A), Tennessee Code Annotated Title 8, Chapter 4, Part 1, Section 8-4-119 Report to comptroller of treasury of government fraud.)
  • "Computer information system" and "related security system" mean those computer information systems and security system infrastructures operated and administered by the state agency or an entity with which the state agency contracts for such operation and administration; and (§ 8-4-119(c)(2)(B), Tennessee Code Annotated Title 8, Chapter 4, Part 1, Section 8-4-119 Report to comptroller of treasury of government fraud.)
  • If a law or rule requires a health record to be presented or retained in its original form or provides consequences if the health record is not presented or retained in its original form, that law or rule is satisfied by an electronic health record retained in accordance with subsection (a) of this… (§ 164(b), US Virgin Islands Bill No. 29-0036, Electronic Medical Records Act)
  • This section shall not apply to (i) a person or entity who is a "covered entity" or "business associate" under the Health Insurance Portability and Accountability Act of 1996 (42 USC § 1320d et seq.) and is subject to requirements for notification in the case of a breach of protected health informa… (§ 32.1-127.1:05.F, Code of Virginia Title 32.1, Chapter 5., Section 32.1-127.1:05 Breach of medical information notification.)
  • For purposes of this section, "agency" means the same as in RCW 42.56.010. (§42.56.590(1)(b), Revised Code of Washington Title 42, Chapter 42.56, Section 42.56.590 Personal information—Notice of security breaches.)
  • For purposes of this section, "breach of the security of the system" means unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the age… (§42.56.590(4), Revised Code of Washington Title 42, Chapter 42.56, Section 42.56.590 Personal information—Notice of security breaches.)
  • For purposes of this section, "secured" means encrypted in a manner that meets or exceeds the national institute of standards and technology (NIST) standard or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person. (§42.56.590(7), Revised Code of Washington Title 42, Chapter 42.56, Section 42.56.590 Personal information—Notice of security breaches.)
  • Any waiver of the provisions of this section is contrary to public policy, and is void and unenforceable. (§42.56.590(11), Revised Code of Washington Title 42, Chapter 42.56, Section 42.56.590 Personal information—Notice of security breaches.)
  • Any agency that violates, proposes to violate, or has violated this section may be enjoined. (§42.56.590(12)(b), Revised Code of Washington Title 42, Chapter 42.56, Section 42.56.590 Personal information—Notice of security breaches.)
  • Notification to affected individuals and to the attorney general must be made in the most expedient time possible and without unreasonable delay, no more than forty-five calendar days after the breach was discovered, unless at the request of law enforcement as provided in subsection (3) of this sect… (§42.56.590(15), Revised Code of Washington Title 42, Chapter 42.56, Section 42.56.590 Personal information—Notice of security breaches.)
  • A covered entity under the federal health insurance portability and accountability act of 1996, 42 U.S.C. Sec. 1320d et seq., is deemed to have complied with the requirements of this section with respect to protected health information if it has complied with section 13402 of the federal health info… (§42.56.590(10), Revised Code of Washington Title 42, Chapter 42.56, Section 42.56.590 Personal information—Notice of security breaches.)
  • The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law. (§42.56.590(12)(c), Revised Code of Washington Title 42, Chapter 42.56, Section 42.56.590 Personal information—Notice of security breaches.)