| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| hipaa | 1787.10a2Organizational.1-10.a | hipaa-1787.10a2Organizational.1-10.a | 1787.10a2Organizational.1-10.a | 17 Risk Management | 1787.10a2Organizational.1-10.a 10.01 Security Requirements of Information Systems | Shared | n/a | Information security and privacy are addressed in all phases of the project management methodology. | | 5 |
| hipaa | 19134.05j1Organizational.5-05.j | hipaa-19134.05j1Organizational.5-05.j | 19134.05j1Organizational.5-05.j | 19 Data Protection & Privacy | 19134.05j1Organizational.5-05.j 05.02 External Parties | Shared | n/a | The public has access to information about the organization's security and privacy activities and is able to communicate with its senior security official and senior privacy official. | | 12 |
| hipaa | 19243.06d1Organizational.15-06.d | hipaa-19243.06d1Organizational.15-06.d | 19243.06d1Organizational.15-06.d | 19 Data Protection & Privacy | 19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements | Shared | n/a | The organization specifies where covered information can be stored. | | 9 |
| SOC_2 | P6.5 | SOC_2_P6.5 | SOC 2 Type 2 P6.5 | Additional Criteria For Privacy | Third party unauthorized disclosure notification | Shared | The customer is responsible for implementing this recommendation. | • Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. • Reports Actual or Suspected Unauthorized Disclosures — A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information. | | 12 |
| SOC_2 | P6.6 | SOC_2_P6.6 | SOC 2 Type 2 P6.6 | Additional Criteria For Privacy | Privacy incident notification | Shared | The customer is responsible for implementing this recommendation. | • Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. • Provides Notice of Breaches and Incidents — The entity has a process for providing notice of breaches and incidents to affected data subjects, regulators, and others to meet the entity's objectives related to privacy. | | 2 |
| SOC_2 | P8.1 | SOC_2_P8.1 | SOC 2 Type 2 P8.1 | Additional Criteria For Privacy | Privacy complaint management and compliance management | Shared | The customer is responsible for implementing this recommendation. | • Communicates to Data Subjects — Data subjects are informed about how to contact the entity with inquiries, complaints, and disputes. • Addresses Inquiries, Complaints, and Disputes — A process is in place to address inquiries, complaints, and disputes. • Documents and Communicates Dispute Resolution and Recourse — Each complaint is addressed and the resolution is documented and communicated to the individual. • Documents and Reports Compliance Review Results — Compliance with objectives related to privacy is reviewed and documented and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented. • Documents and Reports Instances of Noncompliance — Instances of noncompliance with objectives related to privacy are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis. • Performs Ongoing Monitoring — Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary. | | 5 |