compliance controls are associated with this Policy definition 'Train staff on PII sharing and its consequences' (8019d788-713d-90a1-5570-dac5052f517d)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| hipaa |
0209.09m3Organizational.7-09.m |
hipaa-0209.09m3Organizational.7-09.m |
0209.09m3Organizational.7-09.m |
02 Endpoint Protection |
0209.09m3Organizational.7-09.m 09.06 Network Security Management |
Shared |
n/a |
File sharing is disabled on wireless-enabled devices. |
|
6 |
| hipaa |
1713.03c1Organizational.3-03.c |
hipaa-1713.03c1Organizational.3-03.c |
1713.03c1Organizational.3-03.c |
17 Risk Management |
1713.03c1Organizational.3-03.c 03.01 Risk Management Program |
Shared |
n/a |
The organization mitigates any harmful effect that is known to the organization of a use or disclosure of sensitive information (e.g., PII) by the organization or its business partners, vendors, contractors, or similar third-parties in violation of its policies and procedures. |
|
9 |
| hipaa |
1902.06d1Organizational.2-06.d |
hipaa-1902.06d1Organizational.2-06.d |
1902.06d1Organizational.2-06.d |
19 Data Protection & Privacy |
1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements |
Shared |
n/a |
When required, consent is obtained before any PII (e.g., about a client/customer) is emailed, faxed, or communicated by telephone conversation, or otherwise disclosed to parties external to the organization. |
|
11 |
| ISO27001-2013 |
A.12.4.2 |
ISO27001-2013_A.12.4.2 |
ISO 27001:2013 A.12.4.2 |
Operations Security |
Protection of log information |
Shared |
n/a |
Logging facilities and log information shall be protected against tampering and unauthorized access. |
link |
8 |
| SOC_2 |
CC9.2 |
SOC_2_CC9.2 |
SOC 2 Type 2 CC9.2 |
Risk Mitigation |
Vendors and business partners risk management |
Shared |
The customer is responsible for implementing this recommendation. |
Establishes Requirements for Vendor and Business Partner Engagements — The entity establishes specific requirements for a vendor and business partner engagement
that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels.
• Assesses Vendor and Business Partner Risks — The entity assesses, on a periodic
basis, the risks that vendors and business partners (and those entities’ vendors and
business partners) represent to the achievement of the entity's objectives.
• Assigns Responsibility and Accountability for Managing Vendors and Business
Partners — The entity assigns responsibility and accountability for the management
of risks associated with vendors and business partners.
• Establishes Communication Protocols for Vendors and Business Partners — The
entity establishes communication and resolution protocols for service or product issues related to vendors and business partners.
• Establishes Exception Handling Procedures From Vendors and Business Partners
— The entity establishes exception handling procedures for service or product issues related to vendors and business partners.
• Assesses Vendor and Business Partner Performance — The entity periodically assesses the performance of vendors and business partners.
• Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments — The entity implements procedures for addressing issues identified with vendor and business partner relationships.
• Implements Procedures for Terminating Vendor and Business Partner Relationships
— The entity implements procedures for terminating vendor and business partner
relationships.
Additional points of focus that apply only to an engagement using the trust services criteria for
confidentiality:
• Obtains Confidentiality Commitments from Vendors and Business Partners — The
entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who
have access to confidential information.
• Assesses Compliance With Confidentiality Commitments of Vendors and Business
Partners — On a periodic and as-needed basis, the entity assesses compliance by
vendors and business partners with the entity’s confidentiality commitments and requirements.
Additional points of focus that apply only to an engagement using the trust services criteria for
privacy:
• Obtains Privacy Commitments from Vendors and Business Partners — The entity
obtains privacy commitments, consistent with the entity’s privacy commitments and
requirements, from vendors and business partners who have access to personal information.
• Assesses Compliance with Privacy Commitments of Vendors and Business Partners
— On a periodic and as-needed basis, the entity assesses compliance by vendors
and business partners with the entity’s privacy commitments and requirements and
takes corrective action as necessary |
|
20 |
| SOC_2 |
P6.1 |
SOC_2_P6.1 |
SOC 2 Type 2 P6.1 |
Additional Criteria For Privacy |
Personal information third party disclosure |
Shared |
The customer is responsible for implementing this recommendation. |
• Communicates Privacy Policies to Third Parties — Privacy policies or other specific
instructions or requirements for handling personal information are communicated
to third parties to whom personal information is disclosed.
• Discloses Personal Information Only When Appropriate — Personal information is
disclosed to third parties only for the purposes for which it was collected or created
and only when implicit or explicit consent has been obtained from the data subject,
unless a law or regulation specifically requires otherwise.
• Discloses Personal Information Only to Appropriate Third Parties — Personal information
is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the
entity’s privacy notice or other specific instructions or requirements. The entity has
procedures in place to evaluate that the third parties have effective controls to meet
the terms of the agreement, instructions, or requirements.
• Discloses Information to Third Parties for New Purposes and Uses — Personal information
is disclosed to third parties for new purposes or uses only with the prior
implicit or explicit consent of data subjects. |
|
15 |
| SOC_2 |
P8.1 |
SOC_2_P8.1 |
SOC 2 Type 2 P8.1 |
Additional Criteria For Privacy |
Privacy complaint management and compliance management |
Shared |
The customer is responsible for implementing this recommendation. |
• Communicates to Data Subjects — Data subjects are informed about how to contact
the entity with inquiries, complaints, and disputes.
• Addresses Inquiries, Complaints, and Disputes — A process is in place to address
inquiries, complaints, and disputes.
• Documents and Communicates Dispute Resolution and Recourse — Each complaint
is addressed and the resolution is documented and communicated to the individual.
• Documents and Reports Compliance Review Results — Compliance with objectives
related to privacy are reviewed and documented and the results of such reviews are
reported to management. If problems are identified, remediation plans are developed
and implemented.
• Documents and Reports Instances of Noncompliance — Instances of noncompliance
with objectives related to privacy are documented and reported and, if needed, corrective
and disciplinary measures are taken on a timely basis.
• Performs Ongoing Monitoring — Ongoing procedures are performed for monitoring
the effectiveness of controls over personal information and for taking timely
corrective actions when necessary. |
|
5 |