compliance controls are associated with this Policy definition 'Update privacy plan, policies, and procedures' (96333008-988d-4add-549b-92b3a8c42063)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| hipaa |
19134.05j1Organizational.5-05.j |
hipaa-19134.05j1Organizational.5-05.j |
19134.05j1Organizational.5-05.j |
19 Data Protection & Privacy |
19134.05j1Organizational.5-05.j 05.02 External Parties |
Shared |
n/a |
The public has access to information about the organization's security and privacy activities and is able to communicate with its senior security official and senior privacy official. |
|
12 |
| ISO27001-2013 |
A.18.1.1 |
ISO27001-2013_A.18.1.1 |
ISO 27001:2013 A.18.1.1 |
Compliance |
Identification applicable legislation and contractual requirements |
Shared |
n/a |
All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. |
link |
30 |
| ISO27001-2013 |
A.18.2.2 |
ISO27001-2013_A.18.2.2 |
ISO 27001:2013 A.18.2.2 |
Compliance |
Compliance with security policies and standards |
Shared |
n/a |
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. |
link |
36 |
| ISO27001-2013 |
A.5.1.1 |
ISO27001-2013_A.5.1.1 |
ISO 27001:2013 A.5.1.1 |
Information Security Policies |
Policies for information security |
Shared |
n/a |
A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. |
link |
42 |
| ISO27001-2013 |
A.5.1.2 |
ISO27001-2013_A.5.1.2 |
ISO 27001:2013 A.5.1.2 |
Information Security Policies |
Review of the policies for information security |
Shared |
n/a |
The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. |
link |
29 |
| ISO27001-2013 |
A.6.1.1 |
ISO27001-2013_A.6.1.1 |
ISO 27001:2013 A.6.1.1 |
Organization of Information Security |
Information security roles and responsibilities |
Shared |
n/a |
All information security responsibilities shall be clearly defined and allocated. |
link |
73 |
| ISO27001-2013 |
C.4.4 |
ISO27001-2013_C.4.4 |
ISO 27001:2013 C.4.4 |
Context of the organization |
Information security management system |
Shared |
n/a |
The organization shall establish, implement, maintain and continually improve an information security
management system, in accordance with the requirements of this International Standard. |
link |
5 |
| ISO27001-2013 |
C.5.1.a |
ISO27001-2013_C.5.1.a |
ISO 27001:2013 C.5.1.a |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
a) ensuring the information security policy and the information security objectives are established
and are compatible with the strategic direction of the organization; |
link |
6 |
| ISO27001-2013 |
C.5.1.b |
ISO27001-2013_C.5.1.b |
ISO 27001:2013 C.5.1.b |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
b) ensuring the integration of the information security management system requirements into the
organization’s processes. |
link |
28 |
| ISO27001-2013 |
C.5.2.a |
ISO27001-2013_C.5.2.a |
ISO 27001:2013 C.5.2.a |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy that:
a) is appropriate to the purpose of the organization. |
link |
4 |
| ISO27001-2013 |
C.5.2.b |
ISO27001-2013_C.5.2.b |
ISO 27001:2013 C.5.2.b |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy that:
b) includes information security objectives (see 6.2) or provides the framework for setting information
security objectives. |
link |
4 |
| ISO27001-2013 |
C.5.2.c |
ISO27001-2013_C.5.2.c |
ISO 27001:2013 C.5.2.c |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy that:
c) includes a commitment to satisfy applicable requirements related to information security. |
link |
23 |
| ISO27001-2013 |
C.5.2.d |
ISO27001-2013_C.5.2.d |
ISO 27001:2013 C.5.2.d |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy that:
d) includes a commitment to continual improvement of the information security management system. |
link |
23 |
| ISO27001-2013 |
C.5.2.e |
ISO27001-2013_C.5.2.e |
ISO 27001:2013 C.5.2.e |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy. The information security policy shall:
e) be available as documented information. |
link |
4 |
| ISO27001-2013 |
C.5.2.f |
ISO27001-2013_C.5.2.f |
ISO 27001:2013 C.5.2.f |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy. The information security policy shall:
f) be communicated within the organization. |
link |
4 |
| ISO27001-2013 |
C.5.2.g |
ISO27001-2013_C.5.2.g |
ISO 27001:2013 C.5.2.g |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy. The information security policy shall:
g) be available to interested parties, as appropriate. |
link |
1 |
|
mp.info.1 Personal data |
mp.info.1 Personal data |
404 not found |
|
|
|
n/a |
n/a |
|
33 |
|
mp.info.6 Backups |
mp.info.6 Backups |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
|
mp.s.2 Protection of web services and applications |
mp.s.2 Protection of web services and applications |
404 not found |
|
|
|
n/a |
n/a |
|
102 |
|
org.1 Security policy |
org.1 Security policy |
404 not found |
|
|
|
n/a |
n/a |
|
94 |
|
org.2 Security regulations |
org.2 Security regulations |
404 not found |
|
|
|
n/a |
n/a |
|
100 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
127 |
| PCI_DSS_v4.0 |
12.4.1 |
PCI_DSS_v4.0_12.4.1 |
PCI DSS v4.0 12.4.1 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
PCI DSS compliance is managed |
Shared |
n/a |
Responsibility is established by executive management for the protection of cardholder data and a PCI DSS compliance program to include:
• Overall accountability for maintaining PCI DSS compliance.
• Defining a charter for a PCI DSS compliance program and communication to executive management. |
link |
5 |
| PCI_DSS_v4.0 |
3.1.1 |
PCI_DSS_v4.0_3.1.1 |
PCI DSS v4.0 3.1.1 |
Requirement 03: Protect Stored Account Data |
Processes and mechanisms for protecting stored account data are defined and understood |
Shared |
n/a |
All security policies and operational procedures that are identified in Requirement 3 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties. |
link |
3 |