Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
hipaa |
1201.06e1Organizational.2-06.e |
hipaa-1201.06e1Organizational.2-06.e |
1201.06e1Organizational.2-06.e |
12 Audit Logging & Monitoring |
1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements |
Shared |
n/a |
The organization provides notice that the employee's actions may be monitored, and that the employee consents to such monitoring. |
|
12 |
hipaa |
1713.03c1Organizational.3-03.c |
hipaa-1713.03c1Organizational.3-03.c |
1713.03c1Organizational.3-03.c |
17 Risk Management |
1713.03c1Organizational.3-03.c 03.01 Risk Management Program |
Shared |
n/a |
The organization mitigates any harmful effect that is known to the organization of a use or disclosure of sensitive information (e.g., PII) by the organization or its business partners, vendors, contractors, or similar third-parties in violation of its policies and procedures. |
|
9 |
hipaa |
1902.06d1Organizational.2-06.d |
hipaa-1902.06d1Organizational.2-06.d |
1902.06d1Organizational.2-06.d |
19 Data Protection & Privacy |
1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements |
Shared |
n/a |
When required, consent is obtained before any PII (e.g., about a client/customer) is emailed, faxed, or communicated by telephone conversation, or otherwise disclosed to parties external to the organization. |
|
11 |
hipaa |
1911.06d1Organizational.13-06.d |
hipaa-1911.06d1Organizational.13-06.d |
1911.06d1Organizational.13-06.d |
19 Data Protection & Privacy |
1911.06d1Organizational.13-06.d 06.01 Compliance with Legal Requirements |
Shared |
n/a |
Records with sensitive personal information are protected during transfer to organizations lawfully collecting such information. |
|
5 |
hipaa |
19242.06d1Organizational.14-06.d |
hipaa-19242.06d1Organizational.14-06.d |
19242.06d1Organizational.14-06.d |
19 Data Protection & Privacy |
19242.06d1Organizational.14-06.d 06.01 Compliance with Legal Requirements |
Shared |
n/a |
Covered information storage is kept to a minimum. |
|
4 |
hipaa |
19243.06d1Organizational.15-06.d |
hipaa-19243.06d1Organizational.15-06.d |
19243.06d1Organizational.15-06.d |
19 Data Protection & Privacy |
19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements |
Shared |
n/a |
The organization specifies where covered information can be stored. |
|
9 |
hipaa |
19245.06d2Organizational.2-06.d |
hipaa-19245.06d2Organizational.2-06.d |
19245.06d2Organizational.2-06.d |
19 Data Protection & Privacy |
19245.06d2Organizational.2-06.d 06.01 Compliance with Legal Requirements |
Shared |
n/a |
The organization has implemented technical means to ensure covered information is stored in organization-specified locations. |
|
7 |
ISO27001-2013 |
A.13.2.2 |
ISO27001-2013_A.13.2.2 |
ISO 27001:2013 A.13.2.2 |
Communications Security |
Agreements on information transfer |
Shared |
n/a |
Agreements shall address the secure transfer of business information between the organization and external parties. |
link |
11 |
ISO27001-2013 |
A.7.1.2 |
ISO27001-2013_A.7.1.2 |
ISO 27001:2013 A.7.1.2 |
Human Resources Security |
Terms and conditions of employment |
Shared |
n/a |
The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. |
link |
24 |
PCI_DSS_v4.0 |
3.2.1 |
PCI_DSS_v4.0_3.2.1 |
PCI DSS v4.0 3.2.1 |
Requirement 03: Protect Stored Account Data |
Storage of account data is kept to a minimum |
Shared |
n/a |
Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following:
• Coverage for all locations of stored account data.
• Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a best practice until its effective date; refer to Applicability Notes below for details.
• Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements.
• Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification.
• Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy.
• A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable. |
link |
8 |
PCI_DSS_v4.0 |
3.3.1 |
PCI_DSS_v4.0_3.3.1 |
PCI DSS v4.0 3.3.1 |
Requirement 03: Protect Stored Account Data |
Sensitive authentication data (SAD) is not stored after authorization |
Shared |
n/a |
SAD is not retained after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process. |
link |
8 |
PCI_DSS_v4.0 |
3.3.1.1 |
PCI_DSS_v4.0_3.3.1.1 |
PCI DSS v4.0 3.3.1.1 |
Requirement 03: Protect Stored Account Data |
Sensitive authentication data (SAD) is not stored after authorization |
Shared |
n/a |
The full contents of any track are not retained upon completion of the authorization process. |
link |
8 |
PCI_DSS_v4.0 |
3.3.1.2 |
PCI_DSS_v4.0_3.3.1.2 |
PCI DSS v4.0 3.3.1.2 |
Requirement 03: Protect Stored Account Data |
Sensitive authentication data (SAD) is not stored after authorization |
Shared |
n/a |
The card verification code is not retained upon completion of the authorization process. |
link |
5 |
PCI_DSS_v4.0 |
3.3.1.3 |
PCI_DSS_v4.0_3.3.1.3 |
PCI DSS v4.0 3.3.1.3 |
Requirement 03: Protect Stored Account Data |
Sensitive authentication data (SAD) is not stored after authorization |
Shared |
n/a |
The personal identification number (PIN) and the PIN block are not retained upon completion of the authorization process. |
link |
8 |
PCI_DSS_v4.0 |
3.3.3 |
PCI_DSS_v4.0_3.3.3 |
PCI DSS v4.0 3.3.3 |
Requirement 03: Protect Stored Account Data |
Sensitive authentication data (SAD) is not stored after authorization |
Shared |
n/a |
Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is:
• Limited to that which is needed for a legitimate issuing business need and is secured.
• Encrypted using strong cryptography. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. |
link |
13 |
SOC_2 |
P2.1 |
SOC_2_P2.1 |
SOC 2 Type 2 P2.1 |
Additional Criteria For Privacy |
Privacy consent |
Shared |
The customer is responsible for implementing this recommendation. |
• Communicates to Data Subjects — Data subjects are informed (a) about the choices available to them with respect to the collection, use, and disclosure of personal information and (b) that implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise.
• Communicates Consequences of Denying or Withdrawing Consent — When personal information is collected, data subjects are informed of the consequences of refusing to provide personal information or denying or withdrawing consent to use personal information for purposes identified in the notice.
• Obtains Implicit or Explicit Consent — Implicit or explicit consent is obtained from data subjects at or before the time personal information is collected or soon thereafter. The individual’s preferences expressed in his or her consent are confirmed and implemented.
• Documents and Obtains Consent for New Purposes and Uses — If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose.
• Obtains Explicit Consent for Sensitive Information — Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.
• Obtains Consent for Data Transfers — Consent is obtained before personal information is transferred to or from an individual’s computer or other similar device. |
|
4 |
SOC_2 |
P3.1 |
SOC_2_P3.1 |
SOC 2 Type 2 P3.1 |
Additional Criteria For Privacy |
Consistent personal information collection |
Shared |
The customer is responsible for implementing this recommendation. |
• Limits the Collection of Personal Information — The collection of personal information is limited to that necessary to meet the entity’s objectives.
• Collects Information by Fair and Lawful Means — Methods of collecting personal information are reviewed by management before they are implemented to confirm that personal information is obtained (a) fairly, without intimidation or deception, and (b) lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information.
• Collects Information From Reliable Sources — Management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully.
• Informs Data Subjects When Additional Information Is Acquired — Data subjects are informed if the entity develops or acquires additional information about them for its use. |
|
4 |
SOC_2 |
P3.2 |
SOC_2_P3.2 |
SOC 2 Type 2 P3.2 |
Additional Criteria For Privacy |
Personal information explicit consent |
Shared |
The customer is responsible for implementing this recommendation. |
• Obtains Explicit Consent for Sensitive Information — Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.
• Documents Explicit Consent to Retain Information — Documentation of explicit consent for the collection, use, or disclosure of sensitive personal information is retained in accordance with objectives related to privacy. |
|
2 |
SOC_2 |
P4.1 |
SOC_2_P4.1 |
SOC 2 Type 2 P4.1 |
Additional Criteria For Privacy |
Personal information use |
Shared |
The customer is responsible for implementing this recommendation. |
• Uses Personal Information for Intended Purposes — Personal information is used only for the intended purposes for which it was collected and only when implicit or explicit consent has been obtained, unless a law or regulation specifically requires otherwise. |
|
5 |