Establish, implement, and maintain a Statement of Compliance.


CONTROL ID
12499
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Audits and risk management, CC ID: 00677

This Control has the following implementation support Control(s):
  • Publish a Statement of Compliance for the organization's external requirements., CC ID: 12350
  • Include a commitment to comply with recommendations from applicable statutory bodies in the Statement of Compliance., CC ID: 12371
  • Include a commitment to cooperate with applicable statutory bodies in the Statement of Compliance., CC ID: 12370
  • Include a Statement of Compliance in the tactical Information Technology plan., CC ID: 06842
  • Include the verification method in the Statement of Compliance., CC ID: 16820
  • Include the statutory bodies having jurisdiction over privacy rights violations in the Statement of Compliance., CC ID: 12369
  • Include a description of the awareness and training program in the Statement of Compliance., CC ID: 16817
  • Include contact information for the handling of requests and issues in the Statement of Compliance., CC ID: 16816
  • Include a description of the organization's privacy policy in the Statement of Compliance., CC ID: 12362
  • Include the organization's fax number in the Statement of Compliance., CC ID: 12361
  • Include the organization's telephone number in the Statement of Compliance., CC ID: 12360
  • Include the organization's e-mail address in the Statement of Compliance., CC ID: 12359
  • Include the organization's name in the Statement of Compliance., CC ID: 12351
  • Include the organization's mailing address in the Statement of Compliance., CC ID: 12358
  • Describe how the organization processes personal data in the Statement of Compliance., CC ID: 12377
  • Approve and sign the Statement of Compliance., CC ID: 12392


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The organization should report the information for the same reporting period as covered in its financial reporting. The organization should also publish the information at the same time as its financial reporting, where this is possible. (Guidance to 2-3-a and 2-3-b ¶ 2, GRI 2: General Disclosures, 2021)
  • Additional requirement for service providers only: Maintain documentation of quarterly review process to include: - Documenting results of the reviews - Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program (12.11.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Maintain documentation of quarterly review process to include: - Documenting results of the reviews - Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program (12.11.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • For service providers only: Is documentation of the quarterly review process maintained to include: - Documenting results of the reviews - Review and sign off of results by personnel assigned responsibility for the PCI DSS compliance program (12.11.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are reviews performed at least quarterly? (12.11(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine documentation from the quarterly reviews to verify they include: - Documenting results of the reviews - Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program (12.11.1, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Additional requirement for service providers only: Reviews conducted in accordance with Requirement 12.4.2 are documented to include: (12.4.2.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Results of the reviews. (12.4.2.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Additional testing procedure for service provider assessments only: Examine documentation from the reviews conducted in accordance with PCI DSS Requirement 12.4.2 to verify the documentation includes all elements specified in this requirement. (12.4.2.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Additional requirement for service providers only: Reviews conducted in accordance with Requirement 12.4.2 are documented to include: (12.4.2.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Results of the reviews. (12.4.2.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The entity may disclose its compliance with an audit recognized by the RBA Membership Compliance Program or an equivalent code of conduct if the standard and audit are sufficiently similar in scope and enforcement to the VAP. (TC-ES-320a.3. (4), Electronic Manufacturing Services & Original Design Manufacturing Sustainability Accounting Standard, Version 2018-10)
  • The practitioner should obtain an understanding of relevant portions of internal control over compliance sufficient to plan the engagement and to assess control risk for compliance with specified requirements. In planning the examination, such knowledge should be used to identify types of potential … (AT-C Section 315.15, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • the entity complied with the specified requirements or (AT-C Section 315.20 j.(1), SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • A record, which need not be separate from the advertisements, sales literature, or communications, documenting that the member, broker or dealer has complied with, or adopted policies and procedures reasonably designed to establish compliance with, applicable federal requirements and rules of a self… (§ 240.17a-3 (a)(20), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • a summary of the results of evaluations required to be performed under section 3555; (§ 3553(c)(3), Federal Information Security Modernization Act of 2014)
  • Annually reviewing management's report on the status of the bank's actions to achieve or maintain compliance with the Information Security Standards. (App A Objective 12:7 f., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Annually each Covered Entity shall submit to the superintendent a written statement covering the prior calendar year. This statement shall be submitted by February 15 in such form set forth as Appendix A, certifying that the Covered Entity is in compliance with the requirements set forth in this Par… (§ 500.17 Notices to Superintendent (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • shall be based upon data and documentation sufficient to accurately determine and demonstrate such material compliance, including, to the extent necessary, documentation of officers, employees, representatives, outside vendors and other individuals or entities, as well as other documentation, whethe… (§ 500.17 Notices to Superintendent (b)(1)(i)(b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • acknowledges that, for the prior calendar year, the covered entity did not materially comply with all the requirements of this Part; (§ 500.17 Notices to Superintendent (b)(1)(ii)(a), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • a written acknowledgment that: (§ 500.17 Notices to Superintendent (b)(1)(ii), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)