Include compliance requirements in the privacy policy.


CONTROL ID
14666
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Define what is included in the privacy policy., CC ID: 00404

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • establishing and improving the personal information protection compliance system in accordance with the provisions of the state and establishing an independent organization mainly composed of external members to supervise the protection of personal information; (Article 58 ¶ 1(1), Personal Information Protection Law of the People's Republic of China)
  • Privacy and security policies and procedures need to be consistent with applicable laws, directives, policies, regulations, standards and guidance. Often, the main justification for this requirement is legal prosecution of violators and proving intentional breach. This capability is thus necessary t… (5.14.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; (PM-18a.4., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; (PM-18a.4., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; (PM-18a.4., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; (PM-18a.4., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; (PM-18a.4., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; (PM-18a.4., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Agency Privacy Programs. In order to manage Federal information resources that involve PII, agencies must develop, implement, document, maintain, and oversee agency-wide privacy programs that include people, processes, and technologies. Agencies' privacy programs are led by the Senior Agency Officia… (Section VII (A) ¶ 3, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Compliance with a comparable state or federal law. (§ 47-18-3213.(b)(5), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)
  • Reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled "A Tool for Improving Privacy through Enterprise Risk Management Version 1.0." or other documented policies, standards, and procedures designed to safeguard consumer privacy; and (§ 47-18-3213.(a)(1)(A), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)