Establish, implement, and maintain a legal support program.


CONTROL ID: 13710
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Human Resources management, CC ID: 00763

This Control has the following implementation support Control(s):
  • Provide security inspectors access to personnel files during site reviews., CC ID: 12300


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Legal advice is sought regarding the development and implementation of a trusted insider program. (Security Control: 1626; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Legal advice is sought regarding the development and implementation of a trusted insider program. (Control: ISM-1626; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Legal advice is sought before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence. (Control: ISM-0137; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Legal advice is sought prior to allowing privately-owned mobile devices to access systems or data. (Control: ISM-1297; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Legal advice is sought on the exact wording of logon banners. (Control: ISM-0979; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Legal advice is sought regarding the development and implementation of a trusted insider program. (Control: ISM-1626; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Legal advice is sought before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence. (Control: ISM-0137; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Legal advice is sought prior to allowing privately-owned mobile devices and desktop computers to access systems or data. (Control: ISM-1297; Revision: 5, Australian Government Information Security Manual, September 2023)
  • For the transfer of risk, the appropriate form of contract is one of the most important aspects. Legal advice should be taken on this, particularly in the case of outsourcing schemes. The decision is taken by management and clearly documented. (§ 6.1 ¶ 12, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • Obtain legal advice about the consequences of different courses of action. (¶ 3.158 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If the service auditor believes the event is of such a nature and significance that its disclosure is necessary to prevent report users from being misled, the service auditor should determine whether information about the event is adequately disclosed in the description or in management's assertion.… (¶ 3.219, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Request that the responsible party consult with an appropriately qualified third party, such as the service organization's legal counsel or a regulator. (¶ 3.158 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Obtaining legal advice about the consequences of different courses of action (¶ 3.191 Bullet 5, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Obtaining legal advice about the consequences of different courses of action (¶ 4.102 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Obtaining legal advice about the consequences of different courses of action (¶ 3.222 Bullet 5, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In circumstances in which such matters are identified, the service auditor may consider discussing with legal counsel or others prior to communicating or taking further action. (¶ 3.227, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In accordance with paragraph .49 of AT-C section 205, if the service auditor believes the event is of such a nature and significance that its disclosure is necessary to prevent report users from being misled, the service auditor should determine whether information about the event is adequately disc… (¶ 3.249, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Obtaining legal advice about the consequences of different courses of action (¶ 4.105 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Investigate, exercise, prepare for, or defend actual or anticipated legal claims; (§ 6-1-1304 (3)(a)(IV), Colorado Revised Statutes, Title 6, Article 1, Part 13, Colorado Privacy Act)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; (§ 6-1-1304 (3)(a)(X), Colorado Revised Statutes, Title 6, Article 1, Part 13, Colorado Privacy Act)
  • investigate, establish, exercise, prepare for or defend legal claims; (§ 10 (a)(4), Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; (§ 10 (a)(9), Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report or prosecute those responsible for any such activity. (§ 12D-110.(a)(9), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • Investigate, establish, exercise, prepare for, or defend legal claims. (§ 12D-110.(a)(4), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • Preserve the integrity or security of systems or investigate, report, or prosecute those responsible for breaches of system security. (§ 501.716(1)(g), Florida Statutes, Title XXXIII, Chapter 501, Sections 701-721, Florida Digital Bill of Rights)
  • Investigate, establish, exercise, prepare for, or defend legal claims. (§ 501.716(1)(c), Florida Statutes, Title XXXIII, Chapter 501, Sections 701-721, Florida Digital Bill of Rights)
  • Investigate, establish, exercise, prepare for, or defend legal claims. (IC 24-15-8-1(a)(4), Indiana Code, Title 24, Article 15, Consumer Data Protection)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, investigate, report, or prosecute those responsible for any such action, and preserve the integrity or security of systems. (IC 24-15-8-1(a)(7), Indiana Code, Title 24, Article 15, Consumer Data Protection)
  • Investigate, establish, exercise, prepare for, or defend legal claims. (§ 715D.7.1.d., Iowa Code Annotated, Section 715D, An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions)
  • Investigate, report, or prosecute those responsible for any such action. (§ 715D.7.1.i., Iowa Code Annotated, Section 715D, An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions)
  • investigate, establish, exercise, prepare for, or defend legal claims; (§ Section 11. (1)(d), Montana Consumer Data Privacy Act)
  • prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report, or prosecute those responsible for any of these actions; (§ Section 11. (1)(i), Montana Consumer Data Privacy Act)
  • investigate, establish, exercise, prepare for, or defend legal claims; (§ Section 11. (1)(d), Montana Consumer Data Privacy Act 2023)
  • prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report, or prosecute those responsible for any of these actions; (§ Section 11. (1)(i), Montana Consumer Data Privacy Act 2023)
  • Investigate, establish, exercise, prepare for or defend legal claims; (§ 507-H:10 I.(d), New Hampshire Statutes, Title LII, Chapter 507-H, Expectation of Privacy)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; (§ 507-H:10 I.(i), New Hampshire Statutes, Title LII, Chapter 507-H, Expectation of Privacy)
  • Investigating, establishing, initiating or defending legal claims; (Section 2 (3)(d), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • Preventing, detecting, protecting against or responding to, and investigating, reporting or prosecuting persons responsible for, security incidents, identity theft, fraud, harassment or malicious, deceptive or illegal activity or preserving the integrity or security of systems; (Section 2 (3)(e), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • Investigate, establish, exercise, prepare for, or defend legal claims; (§ 47-18-3208.(a)(4), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activity, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for such action; (§ 47-18-3208.(a)(7), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)
  • investigate, establish, exercise, prepare for, or defend legal claims; (§ 541.201 (a)(3), Texas Business and Commercial Code, Title 11, Subtitle C, Chapter 541, Subchapter A, Section 541)
  • preserve the integrity or security of systems or investigate, report, or prosecute those responsible for breaches of system security; (§ 541.201 (a)(7), Texas Business and Commercial Code, Title 11, Subtitle C, Chapter 541, Subchapter A, Section 541)
  • investigate, establish, exercise, prepare for, or defend a legal claim; (13-61-304 (1)(d), Utah Code, Title 13, Chapter 61, Utah Consumer Privacy Act)
  • investigate, report, or prosecute a person responsible for an action described in Subsection (1)(h)(i); (13-61-304 (1)(h)(ii), Utah Code, Title 13, Chapter 61, Utah Consumer Privacy Act)
  • Investigate, establish, exercise, prepare for, or defend legal claims; (§ 59.1-582.A.4., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; (§ 59.1-582.A.7., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)
  • Investigate, establish, exercise, prepare for, or defend legal claims; (§ 59.1-582.A.4., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act, April 11, 2022)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; (§ 59.1-582.A.7., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act, April 11, 2022)