compliance controls are associated with this Policy definition 'Restrict communications' (5020f3f4-a579-2f28-72a8-283c5a0b15f9)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| hipaa |
1902.06d1Organizational.2-06.d |
hipaa-1902.06d1Organizational.2-06.d |
1902.06d1Organizational.2-06.d |
19 Data Protection & Privacy |
1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements |
Shared |
n/a |
When required, consent is obtained before any PII (e.g., about a client/customer) is emailed, faxed, or communicated by telephone conversation, or otherwise disclosed to parties external to the organization. |
|
11 |
| hipaa |
19243.06d1Organizational.15-06.d |
hipaa-19243.06d1Organizational.15-06.d |
19243.06d1Organizational.15-06.d |
19 Data Protection & Privacy |
19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements |
Shared |
n/a |
The organization specifies where covered information can be stored. |
|
9 |
| ISO27001-2013 |
A.10.1.1 |
ISO27001-2013_A.10.1.1 |
ISO 27001:2013 A.10.1.1 |
Cryptography |
Policy on the use of cryptographic controls |
Shared |
n/a |
A policy on the use of cryptographic controls for protection of information shall be developed and implemented. |
link |
17 |
|
mp.info.3 Electronic signature |
mp.info.3 Electronic signature |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
|
mp.si.2 Cryptography |
mp.si.2 Cryptography |
404 not found |
|
|
|
n/a |
n/a |
|
32 |
|
mp.si.4 Transport |
mp.si.4 Transport |
404 not found |
|
|
|
n/a |
n/a |
|
24 |
|
op.acc.6 Authentication mechanism (organization users) |
op.acc.6 Authentication mechanism (organization users) |
404 not found |
|
|
|
n/a |
n/a |
|
78 |
| PCI_DSS_v4.0 |
3.3.1 |
PCI_DSS_v4.0_3.3.1 |
PCI DSS v4.0 3.3.1 |
Requirement 03: Protect Stored Account Data |
Sensitive authentication data (SAD) is not stored after authorization |
Shared |
n/a |
SAD is not retained after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process. |
link |
8 |
| PCI_DSS_v4.0 |
3.3.1.1 |
PCI_DSS_v4.0_3.3.1.1 |
PCI DSS v4.0 3.3.1.1 |
Requirement 03: Protect Stored Account Data |
Sensitive authentication data (SAD) is not stored after authorization |
Shared |
n/a |
The full contents of any track are not retained upon completion of the authorization process. |
link |
8 |
| PCI_DSS_v4.0 |
3.3.1.2 |
PCI_DSS_v4.0_3.3.1.2 |
PCI DSS v4.0 3.3.1.2 |
Requirement 03: Protect Stored Account Data |
Sensitive authentication data (SAD) is not stored after authorization |
Shared |
n/a |
The card verification code is not retained upon completion of the authorization process. |
link |
5 |
| PCI_DSS_v4.0 |
3.3.1.3 |
PCI_DSS_v4.0_3.3.1.3 |
PCI DSS v4.0 3.3.1.3 |
Requirement 03: Protect Stored Account Data |
Sensitive authentication data (SAD) is not stored after authorization |
Shared |
n/a |
The personal identification number (PIN) and the PIN block are not retained upon completion of the authorization process. |
link |
8 |
| PCI_DSS_v4.0 |
3.3.3 |
PCI_DSS_v4.0_3.3.3 |
PCI DSS v4.0 3.3.3 |
Requirement 03: Protect Stored Account Data |
Sensitive authentication data (SAD) is not stored after authorization |
Shared |
n/a |
Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is:
• Limited to that which is needed for a legitimate issuing business need and is secured.
• Encrypted using strong cryptography. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. |
link |
13 |
| PCI_DSS_v4.0 |
3.4.1 |
PCI_DSS_v4.0_3.4.1 |
PCI DSS v4.0 3.4.1 |
Requirement 03: Protect Stored Account Data |
Access to displays of full PAN and ability to copy cardholder data are restricted |
Shared |
n/a |
PAN is masked when displayed (the BIN and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the BIN and last four digits of the PAN. |
link |
3 |
| PCI_DSS_v4.0 |
3.4.2 |
PCI_DSS_v4.0_3.4.2 |
PCI DSS v4.0 3.4.2 |
Requirement 03: Protect Stored Account Data |
Access to displays of full PAN and ability to copy cardholder data are restricted |
Shared |
n/a |
When using remote-access technologies, technical controls prevent copy and/or relocation of PAN for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need. |
link |
3 |
| SOC_2 |
CC2.3 |
SOC_2_CC2.3 |
SOC 2 Type 2 CC2.3 |
Communication and Information |
COSO Principle 15 |
Shared |
The customer is responsible for implementing this recommendation. |
Communicates to External Parties — Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners,
owners, regulators, customers, financial analysts, and other external parties.
• Enables Inbound Communications — Open communication channels allow input
from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information.
• Communicates With the Board of Directors — Relevant information resulting from
assessments conducted by external parties is communicated to the board of directors.
• Provides Separate Communication Lines — Separate communication channels,
such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to
enable anonymous or confidential communication when normal channels are inoperative or ineffective.
• Selects Relevant Method of Communication — The method of communication considers the timing, audience, and nature of the communication and legal, regulatory,
and fiduciary requirements and expectations.
Additional point of focus that applies only to an engagement using the trust services criteria for
confidentiality:
• Communicates Objectives Related to Confidentiality and Changes to Objectives —
The entity communicates, to external users, vendors, business partners, and others
whose products and services are part of the system, objectives and changes to objectives related to confidentiality.Page 20
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
Additional point of focus that applies only to an engagement using the trust services criteria for
privacy:
• Communicates Objectives Related to Privacy and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose
products and services are part of the system, objectives related to privacy and
changes to those objectives.
Additional points of focus that apply only when an engagement using the trust services criteria
is performed at the system level:
• Communicates Information About System Operation and Boundaries — The entity prepares and communicates information about the design and operation of
the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation.
• Communicates System Objectives — The entity communicates its system objectives to appropriate external users.
• Communicates System Responsibilities — External users with responsibility for
designing, developing, implementing, operating, maintaining, and monitoring system controls receive communications about their responsibilities and have the information necessary to carry out those responsibilities.
• Communicates Information on Reporting System Failures, Incidents, Concerns,
and Other Matters — External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate
personnel. |
|
14 |
| SOC_2 |
P4.1 |
SOC_2_P4.1 |
SOC 2 Type 2 P4.1 |
Additional Criteria For Privacy |
Personal information use |
Shared |
The customer is responsible for implementing this recommendation. |
• Uses Personal Information for Intended Purposes — Personal information is used
only for the intended purposes for which it was collected and only when implicit or
explicit consent has been obtained, unless a law or regulation specifically requires
otherwise. |
|
5 |
| SOC_2 |
P6.7 |
SOC_2_P6.7 |
SOC 2 Type 2 P6.7 |
Additional Criteria For Privacy |
Accounting of disclosure of personal information |
Shared |
The customer is responsible for implementing this recommendation. |
• Identifies Types of Personal Information and Handling Process — The types of personal
information and sensitive personal information and the related processes, systems,
and third parties involved in the handling of such information are identified.
• Captures, Identifies, and Communicates Requests for Information — Requests for
an accounting of personal information held and disclosures of the data subjects’
personal information are captured and information related to the requests is identified
and communicated to data subjects to meet the entity’s objectives related to
privacy. |
|
5 |
| SOC_2 |
PI1.1 |
SOC_2_PI1.1 |
SOC 2 Type 2 PI1.1 |
Additional Criteria For Processing Integrity |
Data processing definitions |
Shared |
The customer is responsible for implementing this recommendation. |
• Identifies Information Specifications — The entity identifies information specifications required to support the use of products and services.
• Defines Data Necessary to Support a Product or Service — When data is provided
as part of a service or product or as part of a reporting obligation related to a
product or service:
1. The definition of the data is available to the users of the data
2. The definition of the data includes the following information:
a. The population of events or instances included in the data
b. The nature of each element (for example, field) of the data (that
is, the event or instance to which the data element relates, for example, transaction price of a sale of XYZ Corporation stock for
the last trade in that stock on a given day)
c. Source(s) of the data
d. The unit(s) of measurement of data elements (for example, fields)
e. The accuracy/correctness/precision of measurement
f. The uncertainty or confidence interval inherent in each data element and in the population of those elements
g. The date the data was observed or the period of time during
which the events relevant to the data occurred
h. The factors in addition to the date and period of time used to determine the inclusion and exclusion of items in the data elements
and population
3. The definition is complete and accurate.
4. The description of the data identifies any information that is necessary to
understand each data element and the population in a manner consistent
with its definition and intended purpose (metadata) that has not been included within the data.
The following point of focus, which applies only to an engagement using the trust services criteria for processing integrity for a system that produces, manufactures, or distributes products,
highlights important characteristics relating to this criterion:
• Defines Information Necessary to Support the Use of a Good or Product — When
information provided by the entity is needed to use the good or product in accordance with its specifications:
1. The required information is available to the user of the good or product.
2. The required information is clearly identifiable.
3. The required information is validated for completeness and accuracy |
|
3 |