compliance controls are associated with this Policy definition 'Appoint a senior information security officer' (c6cf9f2c-5fd8-3f16-a1f1-f0b69c904928)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| hipaa |
0110.02d2Organizational.1-02.d |
hipaa-0110.02d2Organizational.1-02.d |
0110.02d2Organizational.1-02.d |
01 Information Protection Program |
0110.02d2Organizational.1-02.d 02.03 During Employment |
Shared |
n/a |
An individual or dedicated team is assigned to manage the information security of the organization's users. |
|
2 |
| hipaa |
01110.05a1Organizational.5-05.a |
hipaa-01110.05a1Organizational.5-05.a |
01110.05a1Organizational.5-05.a |
01 Information Protection Program |
01110.05a1Organizational.5-05.a 05.01 Internal Organization |
Shared |
n/a |
If the senior-level information security official is employed by the organization, one of its affiliates, or a third-party service, the organization retains responsibility for its cybersecurity program, designates a senior member of the organization responsible for direction and oversight, and requires the third-party service to maintain an appropriate cybersecurity program of its own. |
|
4 |
| hipaa |
01111.05a2Organizational.5-05.a |
hipaa-01111.05a2Organizational.5-05.a |
01111.05a2Organizational.5-05.a |
01 Information Protection Program |
01111.05a2Organizational.5-05.a 05.01 Internal Organization |
Shared |
n/a |
The CISO of the organization reports in writing on the organization's cybersecurity program and material cybersecurity risks, at least annually, to the organization's board of directors, equivalent governing body, or suitable committee. |
|
1 |
| hipaa |
0117.05a1Organizational.1-05.a |
hipaa-0117.05a1Organizational.1-05.a |
0117.05a1Organizational.1-05.a |
01 Information Protection Program |
0117.05a1Organizational.1-05.a 05.01 Internal Organization |
Shared |
n/a |
A senior-level information security official is appointed and is responsible for ensuring security processes are in place, communicated to all stakeholders, and consider and address organizational requirements. |
|
1 |
| hipaa |
0118.05a1Organizational.2-05.a |
hipaa-0118.05a1Organizational.2-05.a |
0118.05a1Organizational.2-05.a |
01 Information Protection Program |
0118.05a1Organizational.2-05.a 05.01 Internal Organization |
Shared |
n/a |
Senior management assigns an individual or group to ensure the effectiveness of the information protection program through program oversight; establish and communicate the organization's priorities for organizational mission, objectives, and activities; review and update of the organization's security plan; ensure compliance with the security plan by the workforce; and evaluate and accept security risks on behalf of the organization. |
|
8 |
| hipaa |
0124.05a3Organizational.1-05.a |
hipaa-0124.05a3Organizational.1-05.a |
0124.05a3Organizational.1-05.a |
01 Information Protection Program |
0124.05a3Organizational.1-05.a 05.01 Internal Organization |
Shared |
n/a |
An information security management committee is chartered and active. |
|
2 |
| hipaa |
1901.06d1Organizational.1-06.d |
hipaa-1901.06d1Organizational.1-06.d |
1901.06d1Organizational.1-06.d |
19 Data Protection & Privacy |
1901.06d1Organizational.1-06.d 06.01 Compliance with Legal Requirements |
Shared |
n/a |
The organization has formally appointed a qualified data protection officer, reporting to senior management, and who is directly and fully responsible for the privacy of covered information. |
|
3 |
| hipaa |
19134.05j1Organizational.5-05.j |
hipaa-19134.05j1Organizational.5-05.j |
19134.05j1Organizational.5-05.j |
19 Data Protection & Privacy |
19134.05j1Organizational.5-05.j 05.02 External Parties |
Shared |
n/a |
The public has access to information about the organization's security and privacy activities and is able to communicate with its senior security official and senior privacy official. |
|
12 |
| hipaa |
19143.06c1Organizational.9-06.c |
hipaa-19143.06c1Organizational.9-06.c |
19143.06c1Organizational.9-06.c |
19 Data Protection & Privacy |
19143.06c1Organizational.9-06.c 06.01 Compliance with Legal Requirements |
Shared |
n/a |
Designated senior management within the organization reviews and approves the security categorizations and associated guidelines. |
|
6 |
| ISO27001-2013 |
A.6.1.1 |
ISO27001-2013_A.6.1.1 |
ISO 27001:2013 A.6.1.1 |
Organization of Information Security |
Information security roles and responsibilities |
Shared |
n/a |
All information security responsibilities shall be clearly defined and allocated. |
link |
73 |
| ISO27001-2013 |
C.5.1.a |
ISO27001-2013_C.5.1.a |
ISO 27001:2013 C.5.1.a |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
a) ensuring the information security policy and the information security objectives are established
and are compatible with the strategic direction of the organization; |
link |
6 |
| ISO27001-2013 |
C.5.1.b |
ISO27001-2013_C.5.1.b |
ISO 27001:2013 C.5.1.b |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
b) ensuring the integration of the information security management system requirements into the
organization’s processes. |
link |
28 |
| ISO27001-2013 |
C.5.1.c |
ISO27001-2013_C.5.1.c |
ISO 27001:2013 C.5.1.c |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
c) ensuring that the resources needed for the information security management system are available. |
link |
10 |
| ISO27001-2013 |
C.5.1.d |
ISO27001-2013_C.5.1.d |
ISO 27001:2013 C.5.1.d |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
d) communicating the importance of effective information security management and of conforming to
the information security management system requirements. |
link |
1 |
| ISO27001-2013 |
C.5.1.e |
ISO27001-2013_C.5.1.e |
ISO 27001:2013 C.5.1.e |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
e) ensuring that the information security management system achieves its intended outcome(s). |
link |
3 |
| ISO27001-2013 |
C.5.1.f |
ISO27001-2013_C.5.1.f |
ISO 27001:2013 C.5.1.f |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
f) directing and supporting persons to contribute to the effectiveness of the information security
management system. |
link |
9 |
| ISO27001-2013 |
C.5.1.g |
ISO27001-2013_C.5.1.g |
ISO 27001:2013 C.5.1.g |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
g) promoting continual improvement. |
link |
3 |
| ISO27001-2013 |
C.5.1.h |
ISO27001-2013_C.5.1.h |
ISO 27001:2013 C.5.1.h |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
h) supporting other relevant management roles to demonstrate their leadership as it applies to their
areas of responsibility. |
link |
1 |
|
org.1 Security policy |
org.1 Security policy |
404 not found |
|
|
|
n/a |
n/a |
|
94 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
127 |
| PCI_DSS_v4.0 |
12.1.4 |
PCI_DSS_v4.0_12.1.4 |
PCI DSS v4.0 12.1.4 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current |
Shared |
n/a |
Responsibility for information security is formally assigned to a Chief Information Security Officer or other information security knowledgeable member of executive management. |
link |
1 |
| SOC_2 |
CC1.2 |
SOC_2_CC1.2 |
SOC 2 Type 2 CC1.2 |
Control Environment |
COSO Principle 2 |
Shared |
The customer is responsible for implementing this recommendation. |
• Establishes Oversight Responsibilities — The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
• Applies Relevant Expertise — The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action.
• Operates Independently — The board of directors has sufficient members who are independent from management and objective in evaluations and decision making. |
|
5 |
| SOC_2 |
CC1.3 |
SOC_2_CC1.3 |
SOC 2 Type 2 CC1.3 |
Control Environment |
COSO Principle 3 |
Shared |
The customer is responsible for implementing this recommendation. |
Considers All Structures of the Entity — Management and the board of directors
consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement
of objectives.
• Establishes Reporting Lines — Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities
and flow of information to manage the activities of the entity.
• Defines, Assigns, and Limits Authorities and Responsibilities — Management and
the board of directors delegate authority, define responsibilities, and use appropriate
processes and technology to assign responsibility and segregate duties as necessary
at the various levels of the organization
• Addresses Specific Requirements When Defining Authorities and Responsibilities —
Management and the board of directors consider requirements relevant to security,
availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities.
• Considers Interactions With External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities — Management and the board of directors consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities, and responsibilities |
|
5 |