Review compliance with the organization's privacy objectives.


CONTROL ID
13490
CONTROL TYPE
Human Resources Management
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a privacy framework that protects restricted data., CC ID: 11850

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Compliance with objectives related to privacy are reviewed and documented and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented. (M9.1 Documents and reports compliance review results, Privacy Management Framework, Updated March 1, 2020)
  • The entity has established policies and procedures for identifying, classifying and prioritizing the criticality of its collected PI. The entity also has procedures for evaluating potential vulnerabilities and the risk of unauthorized privacy information access, removal and destruction. The entity h… (M1.3, Privacy Management Framework, Updated March 1, 2020)
  • Changes to privacy agreements are communicated in formal notices to affected data subjects. The updated agreements are re-executed by data subjects to reflect the changes made to the entity's privacy practices. Data subjects are also notified, and the agreements are updated in situations where the o… (N2.2, Privacy Management Framework, Updated March 1, 2020)
  • Once an organisation has voluntarily decided to certify under the EU-U.S. DPF, its effective compliance with the Principles is compulsory and enforceable. Under the Recourse, Enforcement and Liability Principle, EU-U.S. DPF organisations must provide effective mechanisms to ensure compliance with th… (2.2.7 (45), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Allocate security and privacy requirements to the system and to the environment of operation. (TASK P-17, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Review the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable. (Task M-6, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Compliance with objectives related to privacy are reviewed and documented and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented. (P8.1 ¶ 2 Bullet 4 Documents and Reports Compliance Review Results, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • When establishing structures, reporting lines, and authorities, management considers legal and contractual privacy requirements and objectives. (CC1.3 ¶ 5 Bullet 1 Establishes Structures, Reporting Lines, and Authorities to Support Compliance With Legal and Contractual Privacy Requirements, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Compliance with objectives related to privacy are reviewed and documented, and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented. (P8.1 Documents and Reports Compliance Review Results, Trust Services Criteria)
  • Compliance with objectives related to privacy are reviewed and documented and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented. (P8.1 ¶ 2 Bullet 4 Documents and Reports Compliance Review Results, Trust Services Criteria, (includes March 2020 updates))
  • follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of noncompliance; and (II.7.a.ii., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations must provide follow-up procedures for verifying that the attestations and assertions they make about their EU-U.S. DPF privacy practices are true and those privacy practices have been implemented as represented and in accordance with the Principles. (III.7.a., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Where the organization has chosen self-assessment, such verification must demonstrate that its privacy policy regarding personal information received from the EU is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being complied with). I… (III.7.c., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Where the organization has chosen outside compliance review, such verification must demonstrate that its privacy policy regarding personal information received from the EU is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being complie… (III.7.d., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of non-compliance; and (ii.7.a.ii., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations must provide follow-up procedures for verifying that the attestations and assertions they make about their Swiss-U.S. DPF privacy practices are true and those privacy practices have been implemented as represented and in accordance with the Principles. (iii.7.a., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Where the organization has chosen self-assessment, such verification must demonstrate that its privacy policy regarding personal information received from Switzerland is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being complied wit… (iii.7.c., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Where the organization has chosen outside compliance review, such verification must demonstrate that its privacy policy regarding personal information received from Switzerland is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being co… (iii.7.d., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of noncompliance; and (II.7.a.ii., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations must provide follow-up procedures for verifying that the attestations and assertions they make about their EU-U.S. DPF privacy practices are true and those privacy practices have been implemented as represented and in accordance with the Principles. (III.7.a., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Where the organization has chosen self-assessment, such verification must demonstrate that its privacy policy regarding personal information received from the EU is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being complied with). I… (III.7.c., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Where the organization has chosen outside compliance review, such verification must demonstrate that its privacy policy regarding personal information received from the EU is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being complie… (III.7.d., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Undertake a comprehensive review of the company's data and privacy projects and ensure that they are consistent with corporate privacy and data security goals and policies. (T0893, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Ensure compliance with privacy practices and consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization's workforce, extended workforce and for all business associates in cooperation with Human Resources, the information security officer, … (T0889, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Undertake a comprehensive review of the company's data and privacy projects and ensure that they are consistent with corporate privacy and data security goals and policies. (T0893, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Ensure compliance with privacy practices and consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization's workforce, extended workforce and for all business associates in cooperation with Human Resources, the information security officer, … (T0889, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • A controller shall take reasonable measures to secure personal data during both storage and use from unauthorized acquisition. The data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business. (§ 6-1-1308 (5) ¶ 1, Colorado Revised Statutes, Title 6, Article 1, Part 13, Colorado Privacy Act)
  • An operator of a commercial internet website, online or cloud computing service, online application, or mobile application that collects personally identifiable information through the internet website, online or cloud computing service, online application, or mobile application from users of its in… (§ 1205C(c), Delaware Code, Title 6, Commerce and Trade, Subtitle II, Other Laws Relating to Commerce and Trade, Chapter 12C, Online and Personal Privacy Protection)
  • A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices required under this subdivision must be appropriate to the volum… (IC 24-15-4-1 ¶ 1(3), Indiana Code, Title 24, Article 15, Consumer Data Protection)
  • A controller shall adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue. (§ 715D.4.1., Iowa Code Annotated, Section 715D, An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions)
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices, as described in § 47-18-3213, to protect the confidentiality, integrity, and accessibility of personal information. The data security practices must be appropriate to the volume and nature… (§ 47-18-3204.(a)(3), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)
  • Considering the controller's business size, scope, and type, a controller shall use data security practices that are appropriate for the volume and nature of the personal data at issue. (13-61-302 (2)(b), Utah Code, Title 13, Chapter 61, Utah Consumer Privacy Act)
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue; (§ 59.1-578.A.3., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue; (§ 59.1-578.A.3., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act, April 11, 2022)