Establish, implement, and maintain an ethics program.


CONTROL ID
11496
CONTROL TYPE
Human Resources Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Human Resources management, CC ID: 00763

This Control has the following implementation support Control(s):
  • Include communication protocols for interested personnel and affected parties in the ethics program., CC ID: 12858
  • Establish, implement, and maintain ethical decision-making guidelines., CC ID: 12908
  • Establish, implement, and maintain investigation procedures addressing ethics complaints., CC ID: 12900
  • Establish, implement, and maintain an ethical culture., CC ID: 12781
  • Establish mechanisms for whistleblowers to report compliance violations., CC ID: 06806
  • Refrain from discriminating against employees who refuse or intend to refuse to do something that contravenes requirements., CC ID: 13608
  • Refrain from discriminating against employees who are whistleblowers., CC ID: 13609
  • Respond to ethics complaints of ethics violations., CC ID: 11497
  • Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements., CC ID: 13607
  • Apply legal remedies to any person knowingly partaking in illegal actions., CC ID: 11515
  • Include prohibiting counterfeiting in the ethics program., CC ID: 11517
  • Refrain from assigning roles and responsibilities that breach segregation of duties., CC ID: 12055


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Establish ways for the workforce and other stakeholders to seek guidance about future conduct and ask general questions, including the option for anonymity in locations where that is required or allowed. (OCEG GRC Capability Model, v. 3.0, P4.5 Provide Helpline, OCEG GRC Capability Model, v 3.0)
  • it is clear what ethical behaviour is expected as a result of the organizational values; (§ 6.1.3.3 ¶ 1 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the historic, current and aspirational core identity of the organization, including the organizational values and expected ethical behaviour; (§ 6.1.3.2 ¶ 1 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should ensure ethical leadership across all areas. (§ 6.7.3.3 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • can comply with legal and relevant ethical requirements; and (¶ 2.31(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor's report should include a statement that the service auditor is required to be independent and to meet the service auditor's other ethical responsibilities in accordance with relevant ethical requirements related to the examination engagement. (Table 4-3 Column 3 Row 10, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • CODE OF ETHICS DISCLOSURE.—The Commission shall issue rules to require each issuer, together with periodic reports required pursuant to section 13(a) or 15(d) of the Securities Exchange Act of 1934, to disclose whether or not, and if not, the reason therefor, such issuer has adopted a code of ethi… (§ 406(a), The Sarbanes-Oxley Act of 2002 (SOX), July 30, 2002.)
  • The oversight body and management should demonstrate a commitment to integrity and ethical values. (1.01, Standards for Internal Control in the Federal Government)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; (§ 6-1-1304 (3)(a)(X), Colorado Revised Statutes, Title 6, Article 1, Part 13, Colorado Privacy Act)
  • prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; (§ 10 (a)(9), Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report or prosecute those responsible for any such activity. (§ 12D-110.(a)(9), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity. (§ 501.716(1)(f), Florida Statutes, Title XXXIII, Chapter 501, Sections 701-721, Florida Digital Bill of Rights)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, investigate, report, or prosecute those responsible for any such action, and preserve the integrity or security of systems. (IC 24-15-8-1(a)(7), Indiana Code, Title 24, Article 15, Consumer Data Protection)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity. (§ 715D.7.1.g., Iowa Code Annotated, Section 715D, An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions)
  • prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report, or prosecute those responsible for any of these actions; (§ Section 11. (1)(i), Montana Consumer Data Privacy Act)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; (§ 507-H:10 I.(i), New Hampshire Statutes, Title LII, Chapter 507-H, Expectation of Privacy)
  • Preventing, detecting, protecting against or responding to, and investigating, reporting or prosecuting persons responsible for, security incidents, identity theft, fraud, harassment or malicious, deceptive or illegal activity or preserving the integrity or security of systems; (Section 2 (3)(e), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activity, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for such action; (§ 47-18-3208.(a)(7), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)
  • prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; (§ 541.201 (a)(6), Texas Business and Commercial Code, Title 11, Subtitle C, Chapter 541, Subchapter A, Section 541)
  • detect, prevent, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any illegal activity; or (13-61-304 (1)(h)(i), Utah Code, Title 13, Chapter 61, Utah Consumer Privacy Act)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; (§ 59.1-582.A.7., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; (§ 59.1-582.A.7., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act, April 11, 2022)