| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| hipaa |
0107.02d1Organizational.1-02.d |
hipaa-0107.02d1Organizational.1-02.d |
0107.02d1Organizational.1-02.d |
01 Information Protection Program |
0107.02d1Organizational.1-02.d 02.03 During Employment |
Shared |
n/a |
The organization has an information security workforce improvement program. |
|
1 |
| hipaa |
0110.02d2Organizational.1-02.d |
hipaa-0110.02d2Organizational.1-02.d |
0110.02d2Organizational.1-02.d |
01 Information Protection Program |
0110.02d2Organizational.1-02.d 02.03 During Employment |
Shared |
n/a |
An individual or dedicated team is assigned to manage the information security of the organization's users. |
|
2 |
| hipaa |
0118.05a1Organizational.2-05.a |
hipaa-0118.05a1Organizational.2-05.a |
0118.05a1Organizational.2-05.a |
01 Information Protection Program |
0118.05a1Organizational.2-05.a 05.01 Internal Organization |
Shared |
n/a |
Senior management assigns an individual or group to ensure the effectiveness of the information protection program through program oversight; establish and communicate the organization's priorities for organizational mission, objectives, and activities; review and update of the organization's security plan; ensure compliance with the security plan by the workforce; and evaluate and accept security risks on behalf of the organization. |
|
8 |
| hipaa |
0135.02f1Organizational.56-02.f |
hipaa-0135.02f1Organizational.56-02.f |
0135.02f1Organizational.56-02.f |
01 Information Protection Program |
0135.02f1Organizational.56-02.f 02.03 During Employment |
Shared |
n/a |
The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures, and notifies defined personnel (e.g., supervisors) within a defined time frame (e.g., 24 hours) when a formal sanction process is initiated, identifying the individual sanctioned and the reason for the sanction. Further, the organization includes specific procedures for license, registration, and certification denial or revocation and other disciplinary action. |
|
4 |
| hipaa |
1525.11a1Organizational.6-11.a |
hipaa-1525.11a1Organizational.6-11.a |
1525.11a1Organizational.6-11.a |
15 Incident Management |
1525.11a1Organizational.6-11.a 11.01 Reporting Information Security Incidents and Weaknesses |
Shared |
n/a |
The organization takes disciplinary action against workforce members that fail to cooperate with federal and state investigations. |
|
6 |
| ISO27001-2013 |
A.7.2.2 |
ISO27001-2013_A.7.2.2 |
ISO 27001:2013 A.7.2.2 |
Human Resources Security |
Information security awareness, education and training |
Shared |
n/a |
All employees of the organization and, where relevant, contractors shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. |
link |
15 |
| PCI_DSS_v4.0 |
12.6.1 |
PCI_DSS_v4.0_12.6.1 |
PCI DSS v4.0 12.6.1 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Security awareness education is an ongoing activity |
Shared |
n/a |
A formal security awareness program is implemented to make all personnel aware of the entity’s information security policy and procedures, and their role in protecting the cardholder data. |
link |
2 |