| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| hipaa | 1713.03c1Organizational.3-03.c | hipaa-1713.03c1Organizational.3-03.c | 1713.03c1Organizational.3-03.c | 17 Risk Management | 1713.03c1Organizational.3-03.c 03.01 Risk Management Program | Shared | n/a | The organization mitigates any harmful effect that is known to the organization of a use or disclosure of sensitive information (e.g., PII) by the organization or its business partners, vendors, contractors, or similar third parties in violation of its policies and procedures. | | 9 |
| hipaa | 1911.06d1Organizational.13-06.d | hipaa-1911.06d1Organizational.13-06.d | 1911.06d1Organizational.13-06.d | 19 Data Protection & Privacy | 1911.06d1Organizational.13-06.d 06.01 Compliance with Legal Requirements | Shared | n/a | Records with sensitive personal information are protected during transfer to organizations lawfully collecting such information. | | 5 |
| hipaa | 19242.06d1Organizational.14-06.d | hipaa-19242.06d1Organizational.14-06.d | 19242.06d1Organizational.14-06.d | 19 Data Protection & Privacy | 19242.06d1Organizational.14-06.d 06.01 Compliance with Legal Requirements | Shared | n/a | Covered information storage is kept to a minimum. | | 4 |
| hipaa | 19243.06d1Organizational.15-06.d | hipaa-19243.06d1Organizational.15-06.d | 19243.06d1Organizational.15-06.d | 19 Data Protection & Privacy | 19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements | Shared | n/a | The organization specifies where covered information can be stored. | | 9 |
| hipaa | 19245.06d2Organizational.2-06.d | hipaa-19245.06d2Organizational.2-06.d | 19245.06d2Organizational.2-06.d | 19 Data Protection & Privacy | 19245.06d2Organizational.2-06.d 06.01 Compliance with Legal Requirements | Shared | n/a | The organization has implemented technical means to ensure covered information is stored in organization-specified locations. | | 7 |
| ISO27001-2013 | A.12.4.1 | ISO27001-2013_A.12.4.1 | ISO 27001:2013 A.12.4.1 | Operations Security | Event Logging | Shared | n/a | Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. | link | 53 |
| PCI_DSS_v4.0 | 3.2.1 | PCI_DSS_v4.0_3.2.1 | PCI DSS v4.0 3.2.1 | Requirement 03: Protect Stored Account Data | Storage of account data is kept to a minimum | Shared | n/a | Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: • Coverage for all locations of stored account data. • Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. • Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements. • Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification. • Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy. • A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable. | link | 8 |
| PCI_DSS_v4.0 | 3.3.1 | PCI_DSS_v4.0_3.3.1 | PCI DSS v4.0 3.3.1 | Requirement 03: Protect Stored Account Data | Sensitive authentication data (SAD) is not stored after authorization | Shared | n/a | SAD is not retained after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process. | link | 8 |
| PCI_DSS_v4.0 | 3.3.1.1 | PCI_DSS_v4.0_3.3.1.1 | PCI DSS v4.0 3.3.1.1 | Requirement 03: Protect Stored Account Data | Sensitive authentication data (SAD) is not stored after authorization | Shared | n/a | The full contents of any track are not retained upon completion of the authorization process. | link | 8 |
| PCI_DSS_v4.0 | 3.3.1.2 | PCI_DSS_v4.0_3.3.1.2 | PCI DSS v4.0 3.3.1.2 | Requirement 03: Protect Stored Account Data | Sensitive authentication data (SAD) is not stored after authorization | Shared | n/a | The card verification code is not retained upon completion of the authorization process. | link | 5 |
| PCI_DSS_v4.0 | 3.3.1.3 | PCI_DSS_v4.0_3.3.1.3 | PCI DSS v4.0 3.3.1.3 | Requirement 03: Protect Stored Account Data | Sensitive authentication data (SAD) is not stored after authorization | Shared | n/a | The personal identification number (PIN) and the PIN block are not retained upon completion of the authorization process. | link | 8 |
| PCI_DSS_v4.0 | 3.3.3 | PCI_DSS_v4.0_3.3.3 | PCI DSS v4.0 3.3.3 | Requirement 03: Protect Stored Account Data | Sensitive authentication data (SAD) is not stored after authorization | Shared | n/a | Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is: • Limited to that which is needed for a legitimate issuing business need and is secured. • Encrypted using strong cryptography. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. | link | 13 |
| SOC_2 | P4.1 | SOC_2_P4.1 | SOC 2 Type 2 P4.1 | Additional Criteria For Privacy | Personal information use | Shared | The customer is responsible for implementing this recommendation. | • Uses Personal Information for Intended Purposes — Personal information is used only for the intended purposes for which it was collected and only when implicit or explicit consent has been obtained, unless a law or regulation specifically requires otherwise. | | 5 |