compliance controls are associated with this Policy definition 'Record disclosures of PII to third parties' (8b1da407-5e60-5037-612e-2caa1b590719)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| hipaa |
0209.09m3Organizational.7-09.m |
hipaa-0209.09m3Organizational.7-09.m |
0209.09m3Organizational.7-09.m |
02 Endpoint Protection |
0209.09m3Organizational.7-09.m 09.06 Network Security Management |
Shared |
n/a |
File sharing is disabled on wireless-enabled devices. |
|
6 |
| hipaa |
1713.03c1Organizational.3-03.c |
hipaa-1713.03c1Organizational.3-03.c |
1713.03c1Organizational.3-03.c |
17 Risk Management |
1713.03c1Organizational.3-03.c 03.01 Risk Management Program |
Shared |
n/a |
The organization mitigates any harmful effect that is known to the organization of a use or disclosure of sensitive information (e.g., PII) by the organization or its business partners, vendors, contractors, or similar third-parties in violation of its policies and procedures. |
|
9 |
| hipaa |
1902.06d1Organizational.2-06.d |
hipaa-1902.06d1Organizational.2-06.d |
1902.06d1Organizational.2-06.d |
19 Data Protection & Privacy |
1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements |
Shared |
n/a |
When required, consent is obtained before any PII (e.g., about a client/customer) is emailed, faxed, or communicated by telephone conversation, or otherwise disclosed to parties external to the organization. |
|
11 |
| ISO27001-2013 |
A.12.4.2 |
ISO27001-2013_A.12.4.2 |
ISO 27001:2013 A.12.4.2 |
Operations Security |
Protection of log information |
Shared |
n/a |
Logging facilities and log information shall be protected against tampering and unauthorized access. |
link |
8 |
| PCI_DSS_v4.0 |
12.8.2 |
PCI_DSS_v4.0_12.8.2 |
PCI DSS v4.0 12.8.2 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Risk to information assets associated with third-party service provider (TPSP) relationships is managed |
Shared |
n/a |
Written agreements with TPSPs are maintained as follows:
• Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE.
• Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE. |
link |
15 |
| PCI_DSS_v4.0 |
12.9.1 |
PCI_DSS_v4.0_12.9.1 |
PCI DSS v4.0 12.9.1 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Third-party service providers (TPSPs) support their customers’ PCI DSS compliance |
Shared |
n/a |
TPSPs acknowledge in writing to customers that they are responsible for the security of account data the TPSP possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s CDE. |
link |
3 |
| SOC_2 |
CC9.2 |
SOC_2_CC9.2 |
SOC 2 Type 2 CC9.2 |
Risk Mitigation |
Vendors and business partners risk management |
Shared |
The customer is responsible for implementing this recommendation. |
Establishes Requirements for Vendor and Business Partner Engagements — The entity establishes specific requirements for a vendor and business partner engagement
that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels.
• Assesses Vendor and Business Partner Risks — The entity assesses, on a periodic
basis, the risks that vendors and business partners (and those entities’ vendors and
business partners) represent to the achievement of the entity's objectives.
• Assigns Responsibility and Accountability for Managing Vendors and Business
Partners — The entity assigns responsibility and accountability for the management
of risks associated with vendors and business partners.
• Establishes Communication Protocols for Vendors and Business Partners — The
entity establishes communication and resolution protocols for service or product issues related to vendors and business partners.
• Establishes Exception Handling Procedures From Vendors and Business Partners
— The entity establishes exception handling procedures for service or product issues related to vendors and business partners.
• Assesses Vendor and Business Partner Performance — The entity periodically assesses the performance of vendors and business partners.
• Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments — The entity implements procedures for addressing issues identified with vendor and business partner relationships.
• Implements Procedures for Terminating Vendor and Business Partner Relationships
— The entity implements procedures for terminating vendor and business partner
relationships.
Additional points of focus that apply only to an engagement using the trust services criteria for
confidentiality:
• Obtains Confidentiality Commitments from Vendors and Business Partners — The
entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who
have access to confidential information.
• Assesses Compliance With Confidentiality Commitments of Vendors and Business
Partners — On a periodic and as-needed basis, the entity assesses compliance by
vendors and business partners with the entity’s confidentiality commitments and requirements.
Additional points of focus that apply only to an engagement using the trust services criteria for
privacy:
• Obtains Privacy Commitments from Vendors and Business Partners — The entity
obtains privacy commitments, consistent with the entity’s privacy commitments and
requirements, from vendors and business partners who have access to personal information.
• Assesses Compliance with Privacy Commitments of Vendors and Business Partners
— On a periodic and as-needed basis, the entity assesses compliance by vendors
and business partners with the entity’s privacy commitments and requirements and
takes corrective action as necessary |
|
20 |
| SOC_2 |
P6.1 |
SOC_2_P6.1 |
SOC 2 Type 2 P6.1 |
Additional Criteria For Privacy |
Personal information third party disclosure |
Shared |
The customer is responsible for implementing this recommendation. |
• Communicates Privacy Policies to Third Parties — Privacy policies or other specific
instructions or requirements for handling personal information are communicated
to third parties to whom personal information is disclosed.
• Discloses Personal Information Only When Appropriate — Personal information is
disclosed to third parties only for the purposes for which it was collected or created
and only when implicit or explicit consent has been obtained from the data subject,
unless a law or regulation specifically requires otherwise.
• Discloses Personal Information Only to Appropriate Third Parties — Personal information
is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the
entity’s privacy notice or other specific instructions or requirements. The entity has
procedures in place to evaluate that the third parties have effective controls to meet
the terms of the agreement, instructions, or requirements.
• Discloses Information to Third Parties for New Purposes and Uses — Personal information
is disclosed to third parties for new purposes or uses only with the prior
implicit or explicit consent of data subjects. |
|
15 |