| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| hipaa |
0670.10hCSPSystem.2-10.h |
hipaa-0670.10hCSPSystem.2-10.h |
0670.10hCSPSystem.2-10.h |
06 Configuration Management |
0670.10hCSPSystem.2-10.h 10.04 Security of System Files |
Shared |
n/a |
Structured and unstructured data is available to the organization (customer) and provided to them upon request in an industry-standard format (e.g., .docx, .xlsx, pdf, logs, and flat files). |
|
3 |
| hipaa |
1211.09aa3System.4-09.aa |
hipaa-1211.09aa3System.4-09.aa |
1211.09aa3System.4-09.aa |
12 Audit Logging & Monitoring |
1211.09aa3System.4-09.aa 09.10 Monitoring |
Shared |
n/a |
The organization verifies every 90 days for each extract of covered information recorded that the data is erased or its use is still required. |
|
9 |
| hipaa |
1713.03c1Organizational.3-03.c |
hipaa-1713.03c1Organizational.3-03.c |
1713.03c1Organizational.3-03.c |
17 Risk Management |
1713.03c1Organizational.3-03.c 03.01 Risk Management Program |
Shared |
n/a |
The organization mitigates any harmful effect that is known to the organization of a use or disclosure of sensitive information (e.g., PII) by the organization or its business partners, vendors, contractors, or similar third-parties in violation of its policies and procedures. |
|
9 |
| hipaa |
1826.09p1Organizational.1-09.p |
hipaa-1826.09p1Organizational.1-09.p |
1826.09p1Organizational.1-09.p |
18 Physical & Environmental Security |
1826.09p1Organizational.1-09.p 09.07 Media Handling |
Shared |
n/a |
The organization securely disposes of media containing sensitive information. |
|
3 |
| hipaa |
1904.06.d2Organizational.1-06.d |
hipaa-1904.06.d2Organizational.1-06.d |
1904.06.d2Organizational.1-06.d |
19 Data Protection & Privacy |
1904.06.d2Organizational.1-06.d 06.01 Compliance with Legal Requirements |
Shared |
n/a |
Covered information is retained only for as long as required. |
|
3 |
| hipaa |
19142.06c1Organizational.8-06.c |
hipaa-19142.06c1Organizational.8-06.c |
19142.06c1Organizational.8-06.c |
19 Data Protection & Privacy |
19142.06c1Organizational.8-06.c 06.01 Compliance with Legal Requirements |
Shared |
n/a |
Guidelines are issued by the organization on the ownership, classification, retention, storage, handling and disposal of all records and information. |
|
9 |
| hipaa |
19144.06c2Organizational.1-06.c |
hipaa-19144.06c2Organizational.1-06.c |
19144.06c2Organizational.1-06.c |
19 Data Protection & Privacy |
19144.06c2Organizational.1-06.c 06.01 Compliance with Legal Requirements |
Shared |
n/a |
The organization has established a formal records document retention program. |
|
7 |
| hipaa |
19145.06c2Organizational.2-06.c |
hipaa-19145.06c2Organizational.2-06.c |
19145.06c2Organizational.2-06.c |
19 Data Protection & Privacy |
19145.06c2Organizational.2-06.c 06.01 Compliance with Legal Requirements |
Shared |
n/a |
Specific controls for record storage, access, retention, and destruction have been implemented. |
|
8 |
| ISO27001-2013 |
A.11.2.7 |
ISO27001-2013_A.11.2.7 |
ISO 27001:2013 A.11.2.7 |
Physical And Environmental Security |
Secure disposal or re-use of equipment |
Shared |
n/a |
All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. |
link |
5 |
| ISO27001-2013 |
A.12.3.1 |
ISO27001-2013_A.12.3.1 |
ISO 27001:2013 A.12.3.1 |
Operations Security |
Information backup |
Shared |
n/a |
Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. |
link |
13 |
| ISO27001-2013 |
A.12.4.2 |
ISO27001-2013_A.12.4.2 |
ISO 27001:2013 A.12.4.2 |
Operations Security |
Protection of log information |
Shared |
n/a |
Logging facilities and log information shall be protected against tampering and unauthorized access. |
link |
8 |
| ISO27001-2013 |
A.14.3.1 |
ISO27001-2013_A.14.3.1 |
ISO 27001:2013 A.14.3.1 |
System Acquisition, Development And Maintenance |
Protection of test data |
Shared |
n/a |
Test data shall be selected carefully, protected and controlled. |
link |
11 |
| PCI_DSS_v4.0 |
3.2.1 |
PCI_DSS_v4.0_3.2.1 |
PCI DSS v4.0 3.2.1 |
Requirement 03: Protect Stored Account Data |
Storage of account data is kept to a minimum |
Shared |
n/a |
Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following:
• Coverage for all locations of stored account data.
• Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a best practice until its effective date; refer to Applicability Notes below for details.
• Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements.
• Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification.
• Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy.
• A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable. |
link |
8 |
| PCI_DSS_v4.0 |
3.3.1 |
PCI_DSS_v4.0_3.3.1 |
PCI DSS v4.0 3.3.1 |
Requirement 03: Protect Stored Account Data |
Sensitive authentication data (SAD) is not stored after authorization |
Shared |
n/a |
SAD is not retained after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process. |
link |
8 |
| PCI_DSS_v4.0 |
3.3.1.1 |
PCI_DSS_v4.0_3.3.1.1 |
PCI DSS v4.0 3.3.1.1 |
Requirement 03: Protect Stored Account Data |
Sensitive authentication data (SAD) is not stored after authorization |
Shared |
n/a |
The full contents of any track are not retained upon completion of the authorization process. |
link |
8 |
| PCI_DSS_v4.0 |
3.3.1.3 |
PCI_DSS_v4.0_3.3.1.3 |
PCI DSS v4.0 3.3.1.3 |
Requirement 03: Protect Stored Account Data |
Sensitive authentication data (SAD) is not stored after authorization |
Shared |
n/a |
The personal identification number (PIN) and the PIN block are not retained upon completion of the authorization process. |
link |
8 |
| PCI_DSS_v4.0 |
9.4.6 |
PCI_DSS_v4.0_9.4.6 |
PCI DSS v4.0 9.4.6 |
Requirement 09: Restrict Physical Access to Cardholder Data |
Media with cardholder data is securely stored, accessed, distributed, and destroyed |
Shared |
n/a |
Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows:
• Materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed.
• Materials are stored in secure storage containers prior to destruction. |
link |
4 |
| PCI_DSS_v4.0 |
9.4.7 |
PCI_DSS_v4.0_9.4.7 |
PCI DSS v4.0 9.4.7 |
Requirement 09: Restrict Physical Access to Cardholder Data |
Media with cardholder data is securely stored, accessed, distributed, and destroyed |
Shared |
n/a |
Electronic media with cardholder data is destroyed when no longer needed for business or legal reasons via one of the following:
• The electronic media is destroyed.
• The cardholder data is rendered unrecoverable so that it cannot be reconstructed. |
link |
4 |
| SOC_2 |
P4.3 |
SOC_2_P4.3 |
SOC 2 Type 2 P4.3 |
Additional Criteria For Privacy |
Personal information disposal |
Shared |
The customer is responsible for implementing this recommendation. |
• Captures, Identifies, and Flags Requests for Deletion — Requests for deletion of
personal information are captured and information related to the requests is identified
and flagged for destruction to meet the entity’s objectives related to privacy.
• Disposes of, Destroys, and Redacts Personal Information — Personal information
no longer retained is anonymized, disposed of, or destroyed in a manner that prevents
loss, theft, misuse, or unauthorized access.
• Destroys Personal Information — Policies and procedures are implemented to
erase or otherwise destroy personal information that has been identified for destruction. |
|
2 |