compliance controls are associated with this Policy definition 'Evaluate and review PII holdings regularly' (b6b32f80-a133-7600-301e-398d688e7e0c)
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| hipaa | 1713.03c1Organizational.3-03.c | hipaa-1713.03c1Organizational.3-03.c | 1713.03c1Organizational.3-03.c | 17 Risk Management | 1713.03c1Organizational.3-03.c 03.01 Risk Management Program | Shared | n/a | The organization mitigates any harmful effect that is known to the organization of a use or disclosure of sensitive information (e.g., PII) by the organization or its business partners, vendors, contractors, or similar third-parties in violation of its policies and procedures. | | 9 |
| hipaa | 1911.06d1Organizational.13-06.d | hipaa-1911.06d1Organizational.13-06.d | 1911.06d1Organizational.13-06.d | 19 Data Protection & Privacy | 1911.06d1Organizational.13-06.d 06.01 Compliance with Legal Requirements | Shared | n/a | Records with sensitive personal information are protected during transfer to organizations lawfully collecting such information. | | 5 |
| hipaa | 19242.06d1Organizational.14-06.d | hipaa-19242.06d1Organizational.14-06.d | 19242.06d1Organizational.14-06.d | 19 Data Protection & Privacy | 19242.06d1Organizational.14-06.d 06.01 Compliance with Legal Requirements | Shared | n/a | Covered information storage is kept to a minimum. | | 4 |
| hipaa | 19243.06d1Organizational.15-06.d | hipaa-19243.06d1Organizational.15-06.d | 19243.06d1Organizational.15-06.d | 19 Data Protection & Privacy | 19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements | Shared | n/a | The organization specifies where covered information can be stored. | | 9 |
| hipaa | 19245.06d2Organizational.2-06.d | hipaa-19245.06d2Organizational.2-06.d | 19245.06d2Organizational.2-06.d | 19 Data Protection & Privacy | 19245.06d2Organizational.2-06.d 06.01 Compliance with Legal Requirements | Shared | n/a | The organization has implemented technical means to ensure covered information is stored in organization-specified locations. | | 7 |
| SOC_2 | P3.1 | SOC_2_P3.1 | SOC 2 Type 2 P3.1 | Additional Criteria For Privacy | Consistent personal information collection | Shared | The customer is responsible for implementing this recommendation. | • Limits the Collection of Personal Information: The collection of personal information is limited to that necessary to meet the entity's objectives. • Collects Information by Fair and Lawful Means: Methods of collecting personal information are reviewed by management before they are implemented to confirm that personal information is obtained (a) fairly, without intimidation or deception, and (b) lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information. • Collects Information From Reliable Sources: Management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully. • Informs Data Subjects When Additional Information Is Acquired: Data subjects are informed if the entity develops or acquires additional information about them for its use. | | 4 |
| SOC_2 | P8.1 | SOC_2_P8.1 | SOC 2 Type 2 P8.1 | Additional Criteria For Privacy | Privacy complaint management and compliance management | Shared | The customer is responsible for implementing this recommendation. | • Communicates to Data Subjects: Data subjects are informed about how to contact the entity with inquiries, complaints, and disputes. • Addresses Inquiries, Complaints, and Disputes: A process is in place to address inquiries, complaints, and disputes. • Documents and Communicates Dispute Resolution and Recourse: Each complaint is addressed and the resolution is documented and communicated to the individual. • Documents and Reports Compliance Review Results: Compliance with objectives related to privacy are reviewed and documented and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented. • Documents and Reports Instances of Noncompliance: Instances of noncompliance with objectives related to privacy are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis. • Performs Ongoing Monitoring: Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary. | | 5 |