Establish, implement, and maintain a legal support program.


CONTROL ID: 13710
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Human Resources management, CC ID: 00763

This Control has the following implementation support Control(s):
  • Provide security inspectors access to personnel files during site reviews., CC ID: 12300


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Legal advice is sought regarding the development and implementation of a trusted insider program. (Security Control: 1626; Revision: 0, Australian Government Information Security Manual)
  • For the transfer of risk, the appropriate form of contract is one of the most important aspects. Legal advice should be taken on this, particularly in the case of outsourcing schemes. The decision is taken by management and clearly documented. (§ 6.1 ¶ 12, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • Obtain legal advice about the consequences of different courses of action. (¶ 3.158 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If the service auditor believes the event is of such a nature and significance that its disclosure is necessary to prevent report users from being misled, the service auditor should determine whether information about the event is adequately disclosed in the description or in management's assertion.… (¶ 3.219, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Request that the responsible party consult with an appropriately qualified third party, such as the service organization's legal counsel or a regulator. (¶ 3.158 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Obtaining legal advice about the consequences of different courses of action (¶ 3.191 Bullet 5, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Obtaining legal advice about the consequences of different courses of action (¶ 4.102 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • investigate, establish, exercise, prepare for, or defend a legal claim; (13-61-304 (1)(d), Utah Code, Title 13, Chapter 61, Utah Consumer Privacy Act)
  • Investigate, establish, exercise, prepare for, or defend legal claims; (§ 59.1-582.A.4., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; (§ 59.1-582.A.7., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)