Include external requirements in the organization's communication protocol.


CONTROL ID
12418
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain communication protocols., CC ID: 12245

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • in the language in which the request is made if that language is Chinese or English; (Part 5 Division 3 Section 29 ¶ 1(a), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • Firms should also note that CDD measures must also be applied when the relevant person has to contact an existing customer in order to fulfil any duty under the International Tax Compliance Regulations 2015. (3.2.4 ¶ 3, Financial Crime Guide: A Firm’s Guide to Countering Financial Crime Risks, Release 11)
  • A firm must pay due regard to the information needs of its clients, and communicate information to them in a way which is clear, fair and not misleading. (2.1.1 Principle 7 Communications with clients, Principles for Businesses)
  • Ensure that notification pathways comply with specific requirements established in the locale where the notice originates and where the organization operates. (OCEG GRC Capability Model, v. 3.0, P6.3 Adhere to Data Protection Requirements, OCEG GRC Capability Model, v 3.0)
  • The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations. (§ 3 Principle 15 Points of Focus: Selects Relevant Method of Communication, COSO Internal Control - Integrated Framework (2013))
  • The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service req… (§ 8.3.2 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • who is allowed to communicate externally and internally (e.g. in special cases such as a data breach), allocating to specific roles with the appropriate authority. For example, official communication officers can be defined with the appropriate authority. They could be a public relations officer for… (§ 7.4 Guidance ¶ 3(k), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • the designed process and the method to ensure messages are sent and have been correctly received and understood. (§ 7.4 Guidance ¶ 3(p), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • the communication means and channels. Communication should use dedicated means and channels, to make sure that the message is official and bears the appropriate authority. Communication channels should address any needs for the protection of the confidentiality and integrity of the information trans… (§ 7.4 Guidance ¶ 3(o), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The message must be in a form that conforms to the prescribed requirements and must (Section 6(2), An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act)
  • the message complies with subsection (2). (Section 6(1)(b), An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act)
  • The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations. (CC2.3 Selects Relevant Method of Communication, Trust Services Criteria)
  • The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations. (CC2.3 ¶ 3 Bullet 5 Selects Relevant Method of Communication, Trust Services Criteria, (includes March 2020 updates))
  • Omit to state, or cause another person to omit to state, any material fact necessary in order to make statements made, in light of the circumstances under which the statements were made, not misleading to an accountant in connection with any audit, review or communication required under this regulat… (Section 16.A.(2), Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • Make or cause to be made a materially false or misleading statement to an accountant in connection with any audit, review or communication required under this regulation; or (Section 16.A.(1), Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • Propose policy which governs interactions with external coordination groups. (T0766, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Propose policy which governs interactions with external coordination groups. (T0766, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)