Establish, implement, and maintain a privacy framework that protects restricted data.


CONTROL ID
11850
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Privacy protection for information and data, CC ID: 00008

This Control has the following implementation support Control(s):
  • Include the roles and responsibilities of the organization's legal counsel in the privacy framework., CC ID: 14862
  • Establish, implement, and maintain a personal data transparency program., CC ID: 00375
  • Establish, implement, and maintain a privacy policy., CC ID: 06281
  • Establish, implement, and maintain a privacy report., CC ID: 14754
  • Protect private communications in keeping with compliance requirements., CC ID: 14334
  • Establish, implement, and maintain personal data choice and consent program., CC ID: 12569
  • Establish, implement, and maintain a personal data accountability program., CC ID: 13432
  • Establish, implement, and maintain Data Processing Contracts., CC ID: 12650
  • Establish, implement, and maintain a personal data use limitation program., CC ID: 13428
  • Include cookie management in the privacy framework., CC ID: 13809
  • Establish, implement, and maintain a personal data collection program., CC ID: 06487
  • Establish, implement, and maintain a data handling program., CC ID: 13427
  • Establish, implement, and maintain a personal data transfer program., CC ID: 00307
  • Establish, implement, and maintain a privacy impact assessment., CC ID: 13712
  • Review compliance with the organization's privacy objectives., CC ID: 13490
  • Develop remedies and sanctions for privacy policy violations., CC ID: 00474


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction by having regard— (Part II Division 1 9. (1), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • the Data Integrity Principle; and (Part II Division 1 5. (1) (f), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • Systematic and technical measures for preventing unlawful destruction or manipulation of information; (Article 51(3)(2), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Provide protection for the parts of the ICT system or personal data that are still under direct control. (Annex A1: ICT Outsourcing 62 v., Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Ensure that files containing personal data are not accidentally made available on a website or through a web application. Even if the link to such files is not published, it may still be discovered and accessed. (Annex A1: Websites and Web Application Security 57, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Provide clear direction for ICT security goals and policies for personal data protection within the organisation. (Annex A1: Clear accountability 1, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • will ensure that the entity complies with the Australian Privacy Principles and a registered APP code (if any) that binds the entity; and (Schedule 1 Part 1 Clause 1 Subclause 1.2(a), Australian Privacy Act 1988, Compilation No. 77)
  • If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information: (Schedule 1 Part 4 Clause 11 Subclause 11.1, Australian Privacy Act 1988, Compilation No. 77)
  • from misuse, interference and loss; and (Schedule 1 Part 4 Clause 11 Subclause 11.1(a), Australian Privacy Act 1988, Compilation No. 77)
  • from unauthorised access, modification or disclosure. (Schedule 1 Part 4 Clause 11 Subclause 11.1(b), Australian Privacy Act 1988, Compilation No. 77)
  • Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the det… (Art. 25.1., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Where proportionate in relation to the processing, the measures implemented to comply with the duty under subsection (1) must include appropriate data protection policies. (§ 56(2), UK Data Protection Act 2018 Chapter 12)
  • In the case of automated processing, each controller and each processor must, following an evaluation of the risks, implement measures designed to— (§ 66(2), UK Data Protection Act 2018 Chapter 12)
  • the data protection principles are implemented, and (§ 103(2)(a), UK Data Protection Act 2018 Chapter 12)
  • The entity has defined and formally documented data and information privacy policies and procedures for PI collection, usage and processing that are consistent with the entity's objectives related to privacy. (M1.0, Privacy Management Framework, Updated March 1, 2020)
  • The entity has implemented a policy governance and accountability process that defines and formally documents policies and procedures for information privacy that are consistent with the entity's objectives related to privacy. (M1.2, Privacy Management Framework, Updated March 1, 2020)
  • The entity has a process for identifying, locating and classifying its PI. This process is clearly described as an essential aspect of its data governance program which is aligned with its information security controls. Relevant control activity policies and procedures have been designed and placed … (M1.4, Privacy Management Framework, Updated March 1, 2020)
  • Develop systems, products, and business practices based upon a principle of privacy by design and industry best practices. Ensure that systems' privacy settings are configured by default, according to all applicable laws and regulations. (DSP-08, Cloud Controls Matrix, v4.0)
  • The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information. (CIS Control 13: Data Protection, CIS Controls, 7.1)
  • The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information. (CIS Control 13: Data Protection, CIS Controls, V7)
  • Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable. (A.18.1.4 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable. (§ 18.1.4 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • The organization should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements. (§ 5.34 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The entity shall describe the information "lifecycle" (i.e., collection, usage, retention, processing, disclosure, and destruction of information) and how information-handling practices at each stage may affect individuals' privacy. (TC-TL-220a.1. 2, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • Allocate security and privacy controls to the system and to the environment of operation. (TASK S-3, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • The controllers are obliged to take all necessary technical and administrative measures to provide a sufficient level of security in order to: (Art 12(1), Turkish Law on The Protection of Personal Data no. 6698)
  • Organizations shall implement policies and practices to give effect to the principles, including (Schedule 1 4.1.4, Canada Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Last amended on June 23, 2015)
  • implementing procedures to protect personal information; (Schedule 1 4.1.4(a), Canada Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Last amended on June 23, 2015)
  • A member in public practice shall not disclose any confidential client information without the specific consent of the client. (1.700.001.01, AICPA Code of Professional Conduct, August 31, 2016)
  • Confidential information is protected during the system design, development, testing, implementation, and change processes to meet the entity’s confidentiality commitments and system requirements. (C1.1, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Ensure the security and confidentiality of customer information; (Section 4 ¶ 1.A., Standards for Safeguarding Customer Information Model Regulation, NAIC MDL-673, April 2002)
  • Protect against any anticipated threats or hazards to the security or integrity of the information; and (Section 4 ¶ 1.B., Standards for Safeguarding Customer Information Model Regulation, NAIC MDL-673, April 2002)
  • Under the Guidelines, an institution must protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. Substantial harm or inconvenience is most likely to result from improper access to sensitive customer information be… (Supplement A § III.A.1 ¶ 1, 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • Ensure the security and confidentiality of customer information; (§ II.B(1), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children (§312.8). (§ 312.3 ¶ 1(e), 16 CFR Part 312, Children's Online Privacy Protection Rule)
  • The operator must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. The operator must also take reasonable steps to release children's personal information only to service providers and third parties … (§ 312.8 ¶ 1, 16 CFR Part 312, Children's Online Privacy Protection Rule)
  • Protects the personally identifiable information from further disclosures or other uses, except as authorized in paragraph (b)(1) of this section; and (§ 99.35(a)(2)(ii), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • information collected or maintained by or on behalf of an agency; or (§ 3553(a)(2)(A), Federal Information Security Modernization Act of 2014)
  • PRIVACY OBLIGATION POLICY.—It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information. (§ 501(a), GLB Gramm-Leach-Bliley Act (GLB), Title V, Nov. 12, 1999)
  • In furtherance of the objectives of this subtitle, each Federal banking agency (as defined in section 3(z) of the Federal Deposit Insurance Act), the National Credit Union Administration, and the Securities and Exchange Commission or self-regulatory organizations, as appropriate, shall review regula… (§ 525 ¶ 1, GLB Gramm-Leach-Bliley Act (GLB), Title V, Nov. 12, 1999)
  • unauthorized uses or disclosures of the information; and (§ 1173(d)(2)(B)(ii), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress)
  • Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature … (§ II.4.a., EU-U.S. Privacy Shield Framework Principles)
  • Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must incl… (§ II.7.a., EU-U.S. Privacy Shield Framework Principles)
  • DoD safeguarding and use of contractor attributional/proprietary information. The Government shall protect against the unauthorized use or release of information obtained from the contractor (or derived from information obtained from the contractor) under this clause that includes contractor attribu… (§ 252.204-7012(h), 252.204-7012, SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (DEC 2019))
  • Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits. (§ 164.306(a)(1), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part. The policies and pr… (§ 164.530(i)(1), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Under Part 748.0, a credit union must protect against unauthorized access to or use of member information that could result in substantial harm or inconvenience to any member. Substantial harm or inconvenience is most likely to result from improper access to sensitive member information because this… (§ 748 Appendix B. III.A.1. ¶ 1, 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Ensure the security and confidentiality of member records, protect against the anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or serious inconvenience to a member; (§ 748.0 (b)(2), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and (PM-11a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and (PM-11a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Develop and document a map of system data actions. (CM-13 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • All PII collected as part of the enrollment process SHALL be protected to ensure confidentiality, integrity, and attribution of the information source. (4.2 ¶ 1.8, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • Direct and oversee privacy specialists and coordinate privacy and data security programs with senior executives globally to ensure consistency across the organization (T0888, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Periodically revise the privacy program considering changes in laws, regulatory or company policy (T0899, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The policies, processes, and procedures for ongoing review of the organization's privacy posture are understood and inform the management of privacy risk. (Monitoring and Review (GV.MT-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Policies, processes, and procedures are maintained and used to manage data processing (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment) consistent with the organization's risk strategy to protect individuals' privacy. (Data Processing Policies, Processes, and Procedures (CT.PO-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Develop and implement appropriate data processing safeguards. (PROTECT-P (PR-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Security and privacy policies (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment), processes, and procedures are maintained and used to manage the protection of data. (Data Protection Policies, Processes, and Procedures (PR.PO-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Direct and oversee privacy specialists and coordinate privacy and data security programs with senior executives globally to ensure consistency across the organization (T0888, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Periodically revise the privacy program considering changes in laws, regulatory or company policy (T0899, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Establish and administer a process for receiving, documenting, tracking, investigating and taking corrective action as appropriate on complaints concerning the company's privacy policies and procedures. (T0922, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and (AR-1e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures; (AR-1d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and (PM-11a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop and document a map of system data actions. (CM-13 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Protect against any anticipated threats or hazards to the security or integrity of such information; (§ II. B. 2., Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and (§ II. B. 3., Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • Ensure the security and confidentiality of customer information; (§ II. B. 1., Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means. (§ III. C. 1.(a), Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • Under the Guidelines, an institution must protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. Substantial harm or inconvenience is most likely to result from improper access to sensitive customer information be… (Supp A § III. A. 1. ¶ 1, Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • To protect personal identifying information, as defined in section 6-1-713 (2), from unauthorized access, use, modification, disclosure, or destruction, a covered entity that maintains, owns, or licenses personal identifying information of an individual residing in the state shall implement and main… (6-1-713.5 (1), Colorado Revised Statutes, Title 6, Consumer and Commercial Affairs, Fair Trade and Restraint of Trade, Article 1, Colorado Consumer Protection Act)
  • protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and (§ 899-bb. 2(b)(ii)(C)(3), New York General Business Law Chapter 20, Article 39-F, Section 899-BB)
  • Protecting against unauthorized access to or use of personal information during or after collecting, transporting, destroying or disposing of the personal information; and (§ 646A.622(2)(d)(C)(iii), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • are adapted to the structure, scale and volume of her/his operations, as well as to the sensitivity of the processed data; (Art. 50 § 2 I(c), Brazilian Law No. 13709, of August 14, 2018)
  • are applicable to the entire set of personal data under her/his control, irrespective of the means used to collect them; (Art. 50 § 2 I(b), Brazilian Law No. 13709, of August 14, 2018)
  • implement governance program for privacy that, as a minimum: (Art. 50 § 2 I, Brazilian Law No. 13709, of August 14, 2018)