
Common Control Title

Control ID

UNIFIED COMPLIANCE FRAMEWORK

French Republic

Florida

Federal Republic of Germany

District of Columbia

Delaware

Connecticut

Commonwealth of Puerto Rico

Colorado

Canada

California

Arkansas

Arizona

Alaska

Kingdom of the Netherlands

Kingdom of Sweden

Kingdom of Belgium

Kentucky

Kansas

Ireland

Iowa

Indiana

Illinois

Idaho

Hawaii

Grand Duchy of Luxembourg

Georgia

North Carolina

New York

New Jersey

New Hampshire

Nevada

Nebraska

Montana

Minnesota

Michigan

Massachusetts

Maryland

Maine

Louisiana

US Congress

The International Organization for Standardization

Texas

Tennessee

Swiss Confederation

South Carolina

Rhode Island

Republic of Poland

Pennsylvania

Oregon

Oklahoma

Ohio

North Dakota

Internal Guidance

Wyoming

Wisconsin

West Virginia

Washington

Virginia

Vermont

Utah

United States Virgin Islands

United Kingdom of Great Britain and Northern Ireland


Leadership and high level objectives
Analyze organizational objectives, functions, and activities.
Document organizational objectives.
Establish and maintain an information classification standard to use when establishing information impact levels.
Establish and maintain an information classification scheme.
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls.
with which the organization must comply regarding its Information Systems, Information Technology, and information.
Distribute the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties.
Establish and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework.
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents.
Establish and maintain an Information Technology inventory with asset discovery
audit trails.
Establish and maintain policies, standards, and procedures used to manage compliance documents.
Approve all compliance documents.
Define the Information Assurance strategic roles and responsibilities.
Establish and maintain a compliance oversight committee.
Establish and maintain a Governance, Risk, and Compliance awareness and training program.
Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security.
Audits and risk management
Define and assign the roles and responsibilities for personnel assigned to audit tasks in the Audit function.
Define the internal Information Technology staff's roles and responsibilities.
Define and assign the external auditor's roles and responsibilities.
Retain copies of external auditor outsourcing contracts and engagement letters.
Include the scope and work to be performed in external auditor outsourcing contracts.
Review the adequacy of the external auditor's work papers and audit reports.
Establish and maintain an audit program.
Assign the audit to impartial auditors.
Include agreement to the audit scope and audit terms in the audit program.
Include audit subject matter in the audit program.
Audit in scope audit items and compliance documents as defined in the audit scope.
Audit the in scope system according to the test plan using relevant evidence.

Control ID


00597
00598
09959
00602
00601
01241
00611
01312
01636
00688
00689
06285
06286
00608
00765
06492
06493
00677
00678
00681
00683
01188
01190
01199
00684
07118
06965
07103
06730
07112

Establish and maintain organizational audit reports.


Collect all work papers for the audit and audit report into an engagement file.
Submit an audit report that is complete.
Include the scope and work performed in the audit report.
Review the adequacy of the internal auditor's work papers.
Review the adequacy of the internal auditor's audit reports.
Review past audit reports.
Implement a corrective action plan in response to the audit report.
Review management's response to issues raised in past audit reports.
Establish and maintain the risk assessment framework.
Establish and maintain a risk assessment program to manage internal threats and external threats.
Perform risk assessments for all target environments, as necessary.
Include the results of the risk assessment in the risk assessment report.
Update the risk assessment upon discovery of a new threat.
Update the risk assessment upon changes to the risk profile.
Establish and maintain risk assessment procedures.
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme.
Include the risks to the organization's key personnel and assets in the threat and risk classification scheme.
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme.
Include the roles and responsibilities involved in risk assessments in the risk assessment program.
Review the risk assessment procedures, as necessary.
Employ risk assessment methodologies that take into account prior risk assessment findings of the same scope.
Establish and maintain a risk assessment awareness and training program.
Communicate information about risks to all interested personnel and affected parties.
Correlate the business impact of identified risks in the risk assessment report.
Conduct a Business Impact Analysis based on the risk assessment findings in the risk assessment report.
Review the issues of non-compliance from past audit reports.
Analyze and quantify the risks to in scope systems and information.
Establish and maintain a Risk Scoping and Measurement Definitions Document.
Establish a risk acceptance level that is appropriate to the organization's risk appetite.
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary.
Prioritize and select controls based on the risk assessment findings.
Integrate the corrective action plan based on the risk assessment findings with other risk management activities.
Document and communicate a corrective action plan based on the risk assessment findings.
Review and agree with the risk assessment findings.
Monitoring and measurement
Establish and maintain logging and monitoring operations.
Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs.
Establish and maintain intrusion management operations.
Monitor systems for inappropriate usage and other security violations.
Incorporate potential red flags into the organization's incident management system.
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information.
Establish and maintain event logging procedures.
Enable logging for all systems that meet a traceability criteria.
Synchronize system clocks to an accurate and universal time source on all devices that have logging enabled.
Include a standard to collect and interpret event logs in the event logging procedures.
Protect the event logs from failure.

06731
07001
01145
11621
01146
11620
01155
06777
01149
00685
00687
06452
06481
00708
11627
06446
01443
00698
01173
06450
06460
06478
06453
06718
00686
01147
01148
00701
00703
00706
00704
00707
06457
00705
06485
00636
00637
06312
00580
00585
04652
00638
01335
00640
01340
00643
06290

Review event logs, Intrusion Detection System reports, security incident tracking reports, and other security logs regularly.
Monitor and evaluate system performance.
Distribute the reviews of audit reports to organizational management.
Establish and maintain a continuous monitoring for Configuration Management program.
Monitor and evaluate user account activity.
Review accounts and access rights when notified of personnel status changes.
Terminate access rights when notified that an individual is terminated.
Revoke asset access when an individual is terminated.
Establish and maintain a risk monitoring program.
Monitor for new vulnerabilities.
Test compliance controls for proper functionality.
Establish and maintain a System Security Plan.
Validate all testing assumptions in the test plans.
Document validated testing processes in the testing procedures.
Determine the appropriate assessment method for each testing process in the test plan.
Establish and maintain a security test program.
Implement and comply with the security test program.
Establish and maintain a vulnerability assessment program.
Perform vulnerability scans, as necessary.
Test the system for unvalidated input.
Compare system performance metrics to organizational standards and industry benchmarks.
Monitor systems for errors and faults.
Establish and maintain a compliance monitoring policy.
Establish and maintain an approach for compliance monitoring.
Establish and maintain an Information Security metrics program.
Establish and maintain a log management program.
Limit access to logs to a need to know basis.
Protect logs from unauthorized activity.
Protect against misusing automated audit tools.
Technical security
Establish and maintain an access classification scheme.
Include limiting access to confidential data or restricted information to a need to know basis in the access classification scheme.
Include business security requirements in the access classification scheme.
Review security classifications periodically.
Establish and maintain an access control program.
Establish and maintain access control policies.
Review the Access Control policies, as necessary.
Establish and maintain an access rights management plan.
Control access rights.
Add all devices requiring access control to the Access Control List.
Employ unique user identifiers.
Establish access rights based on least privilege.
Separate processing domains to segregate user privileges and enhance information flow control.
Establish lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts.
Perform a risk assessment prior to activating third party access to the organization's critical systems.
Activate third party maintenance accounts and user identifiers, as necessary.
Display a logon banner and appropriate logon message before granting access to the system.

00596
00651
00653
06757
07066
00788
11826
00516
00658
06843
00660
01922
00663
06200
00665
00654
11870
11636
11637
01318
00667
04544
00671
01653
01665
00673
01342
01345
04547
00508
00509
00510
00002
00007
11702
00512
06416
00513
00004
06264
01273
01411
06767
01412
06455
04262
06770

Display previous logon information in the logon banner.


Control user privileges.
Review all user privileges at least annually.
Establish and maintain User Access Management procedures for all systems.
Control the addition and modification of user identifiers, user credentials, or other object identifiers.
Distribute user IDs and passwords using secure communication protocols.
Remove inactive user accounts at least every 90 days.
Distribute the password policies and password procedures to all users who have access to restricted data or restricted information.
Include identification procedures in the Access Control program.
Include Access Control procedures in the Access Control program.
Identify and control all network access controls.
Establish and maintain a network configuration standard.
Include a protocols, ports, applications, and services list in the network configuration standard.
Establish and maintain a network security policy.
Establish and maintain a Boundary Defense program.
Segregate servers that contain restricted data or restricted information from direct public access.
Establish and maintain a network access control standard.
Include Configuration Management and rulesets in the network access control standard.
Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information.
Configure network access and control points to protect restricted data or restricted information.
Establish and maintain information flow control policies inside the system and between interconnected systems.
Establish and maintain information flow procedures.
Establish and maintain information exchange procedures.
Establish and maintain third party connection agreements in support of information flow control.
Enable encryption of a protected distribution system if sending restricted data or restricted information.
Control all methods of remote access and teleworking.
Establish and maintain a remote access and teleworking program.
Control remote access through a network access control.
Manage the use of encryption controls and cryptographic controls.
Establish and maintain an encryption management and cryptographic controls policy.
Establish and maintain cryptographic key management procedures.
Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys.
Distribute cryptographic keys securely.
Store cryptographic keys securely.
Change cryptographic keys, as necessary.
Destroy cryptographic keys promptly after the retention period.
Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys.
Revoke old cryptographic keys or invalid cryptographic keys immediately.
Use strong data encryption to transmit restricted data or restricted information over public networks.
Authorize transactions of data transmitted over public networks or shared data networks.
Implement non-repudiation for transactions.
Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks.
Establish and maintain a malicious code protection program.
Install security and protection software on all systems.
Configure security and protection software to check for up-to-date signature files.
Configure security and protection software to check e-mail attachments.
Establish and maintain a malicious code outbreak recovery plan.

01415
11665
06784
00514
00515
06791
00517
00518
11841
00528
00529
00530
00537
06440
00544
00533
00546
11845
01293
01284
01410
04542
11782
06756
01749
00559
04545
01421
00570
04546
00571
01301
01300
01298
01302
01303
06852
01307
00564
00566
00567
00568
00574
00575
00576
11860
01310

Physical and environmental protection


Establish and maintain a physical security program.
Establish and maintain a facility physical security program.
Identify and document physical access controls for all physical entry points.
Control physical access to (and within) the facility.
Meet the physical access requirements of disabled individuals, if reasonably possible.
authorized entry to (and within) facilities that contain restricted data or restricted information.
Establish and maintain identification procedures.
Manage access to loading docks, unloading docks, and mail rooms.
Establish and maintain a guideline for working in a secure area.
Monitor entry through all physical entry points.
Establish and maintain a visitor log.
Establish and maintain physical security controls for distributed Information Technology assets.
Restrict physical access to distributed Information Technology assets.
Protect electronic storage media with physical access controls.
Protect distributed Information Technology assets against theft.
Establish and maintain Information Technology asset removal procedures.
Control the delivery of assets through physical entry points and physical exit points.
Control the removal of assets through physical entry points and physical exit points.
Establish and maintain off-site physical controls for all distributed Information Technology assets.
Establish and maintain end user computing device security guidelines.
Establish and maintain a locking screen saver policy.
Establish and maintain mobile device security guidelines.
Encrypt information stored on mobile devices.
Separate systems that store or process restricted data from those that do not by deploying physical access controls.
Position computer monitors in such a way that unauthorized personnel are prevented from viewing them.
Establish and maintain asset return procedures.
Require the return of all assets upon notification an individual is terminated.
Establish and maintain a physical clean desk policy.
Install and protect network cabling.
Establish and maintain an environmental control program.
Protect power equipment and power cabling from damage or destruction.
Establish and maintain a Heating Ventilation and Air Conditioning system.
Establish and maintain facility maintenance procedures.
Design the Information Technology facility with a low profile and consideration given to natural disasters and man-made disasters.
Install and maintain emergency lighting for use in a power failure.
House physical system components in areas where damage potential is minimized.
Systems continuity
Establish and maintain a system continuity framework.
Establish and maintain a system continuity plan philosophy.
Define the executive vision of the continuity planning process.
Establish and maintain system continuity plan strategies for all in scope systems.
Define and prioritize critical business functions.
Include the protection of personnel in the continuity plan.
Establish and maintain a critical personnel list.
Establish and maintain a critical Information Technology resource list.
Include technical preparation considerations for backup operations in the continuity plan.

00709
11757
00711
01637
01329
00419
01436
00713
02210
04538
01638
00715
00718
11865
00720
06799
04540
01441
11681
04539
00719
06717
04723
01422
00722
01437
04537
06679
06534
08624
00724
01438
00727
00710
00712
01440
01623
00731
00732
00734
01243
00735
00736
06378
00739
00740
01250

Establish and maintain backup procedures for in scope systems.
Document the backup method and backup frequency on a case-by-case basis in the backup procedures.
Establish and maintain off-site electronic media storage facilities.
Separate the off-site electronic media storage facilities from the primary facility through geographic separation.
Store backup media at an off-site electronic media storage facility.
Perform backup procedures for in scope systems.
Test backup media for media integrity and information integrity, as necessary.
Test each restored system for media integrity and information integrity.
Include purchasing insurance in the continuity plan.
Establish and maintain a system continuity plan and associated system continuity procedures.
Document the uninterrupted power requirements for all in scope systems.
Install an Uninterruptible Power Supply sized to support all critical systems.
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met.
Include restoration procedures in the continuity plan.
Establish and maintain organizational facility continuity plans.
Install and maintain redundant telecommunication feeds for critical assets.
Install and maintain redundant power supplies for the Information Technology facility.
Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches.
Review and update the continuity plan.
Test the continuity plan, as necessary.
Test the continuity plan under conditions that simulate a disaster or disruption.
Human Resources management
Establish and maintain high level operational roles and responsibilities.
management roles and responsibilities, including signing off on key policies and procedures.
Define and assign the technology security leader's roles and responsibilities.
Establish and maintain the Information Technology staff structure in line with the Strategic Information Technology Plan.
Identify and define all key Information Technology roles.
Assign the role of asset physical security to applicable controls.
Assign the role of data custodian to applicable controls.
Assign the role of data controller to applicable controls.
Document and communicate role descriptions to all applicable personnel.
Assign and staff all roles appropriately.
Implement segregation of duties in roles and responsibilities.
Establish job categorization criteria, job recruitment criteria, and promotion criteria.
Establish and maintain a personnel security program.
Establish and maintain Information Technology staff security clearance level criteria.
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies.
Establish and maintain security clearance procedures.
Perform security clearance procedures, as necessary.
Train all personnel and third parties, as necessary.
Retrain all personnel annually or as appropriate.
Document all training in a training record.
Establish and maintain a security awareness program.
Communicate security awareness and the internal control framework to all interested personnel and affected parties.
Train all personnel and third parties on how to recognize and report security incidents.
Communicate organizational security policies and security procedures as a part of security awareness.
Establish and maintain a personnel health and safety policy.

01258
01384
00957
01390
01332
11692
01401
01920
00762
00752
06707
00725
01373
01169
02224
00726
06355
01439
00754
00755
00757
00763
00806
00807
01897
00764
00777
00770
04789
00354
00776
00784
00774
00781
10628
00780
00782
00783
06644
00785
01362
01423
11746
00823
01211
06670
00716

Establish and maintain a Code of Conduct as a part of the Terms and Conditions of employment.
Implement a sanctions process for personnel who fail to comply to the organizational compliance program.
Include the legal intellectual property responsibilities in the Code of Conduct.
Establish and maintain personnel status change and termination procedures.
Operational management
Establish and maintain a Governance, Risk, and Compliance framework.
Establish and maintain a positive information control environment.
Establish and maintain an internal control framework.
Assign ownership of the internal control framework to the appropriate organizational role.
Include procedures for continuous quality improvement in the internal control framework.
Include threat assessment, vulnerability management, and risk assessment in the internal control framework.
Include continuous security warning monitoring procedures in the internal control framework.
Include personnel security procedures in the internal control framework.
Include security information sharing procedures in the internal control framework.
Share relevant security information with Special Interest Groups, as necessary.
Include security incident response procedures in the internal control framework.
Include continuous user account management procedures in the internal control framework.
Review the internal control framework, as necessary.
Measure policy compliance when reviewing the internal control framework.
Establish and maintain an information security program.
Assign ownership of the information security program to the appropriate role.
Assign resources to implement the internal control framework.
Establish and maintain operational control procedures.
Include startup processes in operational control procedures.
Establish and maintain a Standard Operating Procedures Manual.
Adhere to operating procedures as defined in the Standard Operating Procedures Manual.
Establish and maintain a job scheduling methodology.
Establish and maintain an Acceptable Use Policy.
Include asset tags in the Acceptable Use Policy.
Include the consequences of non-compliance in the Acceptable Use Policy.
Include a software installation policy in the Acceptable Use Policy.
Establish and maintain an Intellectual Property Right program.
Establish and maintain an e-mail policy.
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties.
Review and update the Governance, Risk, and Compliance framework, as necessary.
Establish and maintain nondisclosure agreements.
Implement and comply with the Governance, Risk, and Compliance framework.
Establish and maintain an Asset Management program.
Establish and maintain an asset inventory database.
Record the owner for applicable assets in the asset inventory.
Establish and maintain a system redeployment or disposal program.
Wipe all data on systems prior to when the system is redeployed or the system is disposed.
Establish and maintain a system preventive maintenance program.
Perform periodic maintenance regularly.
Control remote maintenance according to the system's asset classification.
Conduct maintenance with authorized personnel.
Review each system's operational readiness.

04897
01442
04898
06549
00805
01406
00813
00820
06437
00819
01347
01349
01358
06489
11732
01359
01360
01348
06442
00812
00814
00816
00831
00833
00826
06328
00834
01350
01354
00296
06749
00821
06439
00815
00817
04536
00818
06630
06631
06640
06276
06401
00885
11787
01433
01434
06275

Establish and maintain a customer service program.


Investigate and take action regarding help desk queries.
Establish and maintain an Incident Response program.
Include incident response team structures in the Incident Response program.
Include the incident response team member's roles and responsibilities in the Incident Response program.
Include the incident response point of contact's roles and responsibilities in the Incident Response program.
Include personnel contact information in the event of an incident in the Incident Response program.
Prepare for incident response notifications.
Include intrusion detection procedures in the Incident Management program.
Monitor for and react to when suspicious activities are detected.
Report a data loss event when non-truncated payment card numbers are outputted.
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information.
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of paper records.
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form.
Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner.
Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact.
Assess all security incidents to determine what information was accessed.
Share incident information with interested personnel and affected parties.
Report data loss event information to breach notification organizations.
organization will send data loss event notifications to interested personnel and affected parties.
Include data loss event notifications in the Incident Response program.
Notify interested personnel and affected parties of the privacy breach that affects their personally identifiable information.
Notify interested personnel and affected parties of privacy breaches in a timely manner.
Determine whether or not incident response notifications are necessary during the privacy breach investigation.
Delay sending incident response notifications under predetermined conditions.
Include information required by law in incident response notifications.
Include the credit reporting agencies' contact information in incident response notifications.
Include the date (or estimated date) the privacy breach was detected in incident response notifications.
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications.
Include a general description of the data loss event in incident response notifications.
Include the type of information that was lost in incident response notifications.
Include the type of information the organization maintains about the affected parties in incident response notifications.
Include what the organization has done to enhance data protection controls in incident response notifications.
Include what the organization is offering or has already done to assist affected parties in incident response notifications.
Include how the affected parties can protect themselves from identity theft in incident response notifications.
Include contact information for the organization in incident response notifications.
Include contact information for breach notification organizations in incident response notifications.
Publish the incident response notification in a general circulation periodical.
Send electronic incident response notifications to affected parties, as necessary.
Send paper incident response notifications to affected parties, as necessary.
Telephone incident response notifications to affected parties, as necessary.
Determine if a substitute incident response notification is permitted if notifying affected parties.
and affected parties of the privacy breach that affects their personally identifiable information.
Send electronic substitute incident response notifications to affected parties, as necessary.
Post substitute incident response notifications to the organization's website, as necessary.
Send substitute incident response notifications to breach notification organizations, as necessary.
Publish the substitute incident response notification in a general circulation periodical, as necessary.

00846
06324
00579
01237
01652
01877
06385
00584
00588
00586
04741
04727
04728
04740
04729
04742
01226
01212
01210
04731
00364
00365
00369
00801
00804
00802
04744
04745
04746
04734
04735
04776
04736
04737
04738
04739
11790
04651
00366
00367
04650
00803
00368
04747
04748
04750
04769

Analyze security violations in Suspicious Activity Reports.
Record actions taken to contain and limit a data loss event in the incident response report.
Update the incident response procedures using the lessons learned.
Retain collected evidence for potential future legal actions.
Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred.
Establish and maintain a digital forensic evidence framework.
Collect evidence from the incident scene.
Include incident monitoring procedures in the Incident Management program.
Establish and maintain a performance management standard.
Utilize resource availability management controls.
Establish and maintain rate limiting filters.
Establish and maintain system capacity monitoring procedures.
Establish and maintain a capacity management standard.
Establish and maintain future system capacity forecasting methods.
Establish and maintain a change control program.
Manage change requests.
Implement changes according to the change control program.
Perform risk assessments prior to approving change requests.
Approve change requests prior to implementing approved changes.
Establish and maintain a patch management program.
Perform a patch test prior to deploying a patch.
Establish and maintain approved change acceptance testing procedures.
Test the system's functionality after implementing approved changes.
Perform and pass operational acceptance testing before moving a system back into operation after an approved change has occurred.
Update associated documentation after the system configuration has been changed.
System hardening through configuration management
Establish and maintain configuration control and Configuration Status Accounting for each system.
Establish and maintain appropriate system labeling.
Identify and document the system's Configurable Items.
Establish and maintain a system hardening standard and system hardening procedures.
Use the latest version of all software.
Install all available critical security updates and important security updates in a timely way.
Change vendor-supplied default configurations as appropriate.
Establish and maintain procedures to standardize Operating System software installation.
Establish idle session termination and logout capabilities.
Configure custom Internet Browser security options according to organizational standards.
Configure the .NET Framework to prevent unauthorized mobile code from executing.
Disable all unnecessary services unless otherwise noted in a policy exception.
Disable all unnecessary applications unless otherwise noted in a policy exception.
Remove all unnecessary functionality.
Establish and maintain the interactive logon settings.
Configure the system logon banner contents.
Configure the "Prompt for password on resume from hibernate/suspend" setting.
Apply the appropriate warning messages to the systems.
Create a warning message for standard logon services.
Enable logon authentication management techniques.
Configure the system to log all access attempts to all systems.

Configure the system to lock out User IDs after not more than a predefined number of access attempts.
Establish and maintain password standards and password procedures.
Configure passwords so that users will change their passwords on a regular basis.
Configure the maximum password age.
Configure the Password length to the least allowable.
Configure the Password history setting so that users cannot submit a new password that is the same as the previous few used.
Disable store passwords using reversible encryption.
Configure the system to use asterisks to mask passwords.
Configure the system security parameters to prevent system misuse or information misappropriation.
Configure the default locking Screen saver timeout to a predetermined time period.
Enable and configure auditing operations and logging operations, as necessary.
Configure the security parameters for all logs.
Configure the log so that it cannot be disabled.
Configure the data elements to be captured for all logs.
Configure the log to contain a timestamp.
Configure the log to capture the user's identification.
Configure all logs to capture auditable events or actionable events.
Configure the log to capture logons, logouts, logon attempts, and logout attempts.
Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add the logging option to the root file system parameter.
Establish and maintain procedures for configuring appropriate network modifications.
Configure the amount of idle time required before disconnecting an idle session.
Enable the disconnect clients setting (server) or force logoff setting (client) if the account's allotted logon period expires.
Records management
Establish and maintain records management policies used to manage organizational records.
Establish and maintain a record classification scheme.
Establish and maintain Records Management procedures.
Establish and maintain data input and data access authorization tracking.
Control error handling during data input.
Establish and maintain data processing integrity controls.
Establish and maintain Automated Data Processing validation checks and editing checks.
Establish and maintain Automated Data Processing error handling procedures.
Establish and maintain document security requirements for the output of records.
Establish and maintain document handling procedures for paper documents.
Establish and maintain output review and error handling checks with end users.
Define each system's preservation requirements for records and logs.
Establish and maintain a data retention program.
Determine how long to keep records and logs before disposing them.
Retain records in accordance with applicable regulations.
Establish and maintain storage media disposition and destruction procedures.
Sanitize all electronic storage media before disposing a system or redeploying a system.
Destroy electronic storage media following the storage media disposition and destruction procedures.
Define each system's disposition requirements for records and logs.
Establish and maintain records disposition procedures.
Maintain disposal records or redeployment records.
Establish and maintain records management procedures used to manage organizational records.
Include record integrity techniques in the Records Management procedures.
Establish and maintain electronic storage media management procedures.

Establish and maintain storage media and record security label procedures.
Label storage media appropriately.
Label restricted printed output for specific record categories as directed by the organization's information classification standard.
Establish and maintain a records lifecycle management program.
Establish and maintain information preservation procedures.
Implement and maintain backups and duplicate copies of organizational records.
Establish and maintain online storage controls.
Establish and maintain security controls appropriate to the record types and electronic storage media in use.
Implement electronic storage media integrity controls.
Establish and maintain removable storage media controls.
Establish and maintain storage media access control procedures.
Control the transiting and internal distribution or external distribution of restricted storage media.
Systems design, build, and implementation
Initiate the System Development Life Cycle planning phase.
Establish and maintain systems design principles, systems design guidelines, and System Development Life Cycle documentation.
Define and assign the system development project team roles and responsibilities.
Restrict system architects from being assigned as Administrators.
Restrict the development team from having access to the production environment.
Include identified risks and legal requirements in the security controls definition document.
Establish and maintain a system design project management framework.
Establish and maintain project management standards.
Separate the design and development environment from the production environment.
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase.
Develop systems in accordance with the system design specifications and system design standards.
Establish and maintain outsourced development procedures.
Supervise and monitor outsourced development projects.
Develop new products based on Best Practices.
Implement security controls when developing systems.
Establish and maintain a system design specification.
Include security requirements in the system design specification.
Protect system libraries.
Follow the system development process when upgrading a system.
Establish and maintain system security documentation.
Establish and maintain access rights to source code based upon least privilege.
Perform Quality Management on all newly developed or modified systems.
Establish and maintain system testing procedures.
Restrict production data from being used in the test environment.
Perform Quality Management on all newly developed or modified software.
Establish and maintain a system testing program for all system development projects.
Initiate the System Development Life Cycle implementation phase.
Perform a final acceptance test prior to implementing a new system.
Establish and maintain system acceptance criteria.
Manage the system implementation process.
Evaluate and determine whether or not the newly developed system meets security requirements.
Establish and maintain end user support communications.
Acquisition or sale of facilities, technology, and services
Plan for acquiring facilities, technology, or services.

Conduct an acquisition feasibility study prior to acquiring Information Technology assets.
Establish test environments separate from the production environment to support feasibility testing before product acquisition.
Establish and maintain facilities, assets, and services acceptance procedures.
Privacy protection for information and data
Establish and maintain a privacy program that protects restricted data.
Define the confidentiality requirements for collecting and processing privacy-related data and privacy-related information.
Establish and maintain transparency and openness while protecting the privacy of personal data.
Specify the time frame that notice will be given.
Establish and maintain adequate openness procedures.
Document privacy policies in clearly written and easily understood language.
Publish a description of activities about processing personal data in an official register.
Register with public bodies and notify the Data Commissioner before processing personal data.
Define what is included in registration notices.
Include a purpose specification description in the registration notice.
Include the data subject category being processed in the registration notice.
Include the procedures for when the registration notice for processing personal data is insufficient in the registration notice.
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request.
Provide the data subject with the name, title, and address of the individual accountable for the organizational policies.
Provide the data subject with the name, title, and address to whom complaints are forwarded.
Provide the data subject with the means of gaining access to personal data held by the organization.
Provide the data subject with a description of the type of information held by the organization and a general account of its use.
Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes.
Provide the data subject with what personal data is made available to related organizations or subsidiaries.
Include what information was disclosed and to whom in the disclosure accounting record.
Post the privacy policy in an easily seen location.
Define what is included in the privacy policy.
Require data controllers to be accountable for their actions.
Define and assign the data controller's roles and responsibilities.
Notify the supervisory authority.
Assign the role of data controller to additional personnel, as necessary.
Establish and maintain personal data collection limitation boundaries.
Obtain the data subject's consent and acknowledgment before collecting data.
Document each individual's personal data collection consent preferences.
Provide explicit consent that is clear and unambiguous.
Notify the data subject of the source of collected personal data.
Establish and maintain a personal data definition.
Include an individual's name in the personal data definition.
Include an individual's name combined with other Personally Identifiable Information in the personal data definition.
Include a parent's legal surname prior to marriage in the personal data definition.
Include an individual's signature in the personal data definition.
Include an individual's date of birth in the personal data definition.
Include an individual's physical characteristics or description in the personal data definition.
Include an individual's biometric data in the personal data definition.
Include an individual's fingerprints in the personal data definition.
Include an individual's address in the personal data definition.
Include an individual's telephone number in the personal data definition.
Include an individual's financial account number in the personal data definition.

Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition.
Include an individual's electronic identification name or number in the personal data definition.
Include an individual's Alien Registration Number in the personal data definition.
Include an individual's driver's license number in the personal data definition.
Include an individual's passport number or an individual's state identification card number in the personal data definition.
Include an individual's Social Security Number or Personal Identification Number in the personal data definition.
Include electronic signatures in the personal data definition.
Include an individual's payment card information in the personal data definition.
Include an individual's credit card number or an individual's debit card number in the personal data definition.
Include an individual's payment card expiration date in the personal data definition.
Include an individual's Individually Identifiable Health Information in the personal data definition.
Include an individual's medical history in the personal data definition.
Include an individual's medical treatment in the personal data definition.
Include an individual's medical diagnosis in the personal data definition.
Include an individual's mental condition or an individual's physical condition in the personal data definition.
Include an individual's health insurance information in the personal data definition.
Include an individual's health insurance policy number in the personal data definition.
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition.
Include an individual's employment information in the personal data definition.
Include an employer's Taxpayer Identification Number in the personal data definition.
Include an individual's Taxpayer Identification Number in the personal data definition.
Include an individual's place of employment in the personal data definition.
Include an individual's Employee Identification Number in the personal data definition.
Define specially restricted data.
Protect an individual's civil rights during personal data collection and personal data processing.
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination.
process that produces legal effects based on the evaluation of certain characteristics.
Manage personal identification numbers and PIN verification code numbers.
Collect personal identification numbers with the individual's consent.
Collect personal identification numbers absent consent when the law mandates.
Manage health data collection.
Collect Individually Identifiable Health Information to provide health care services.
Collect Individually Identifiable Health Information when the law dictates.
Collect Individually Identifiable Health Information for research.
Remove Personally Identifiable Information before disclosing health data.
Give special attention to collecting children's data.
Obtain parental consent before collecting information from children.
Waive verifiable parental consent for collecting information from children in order to respond to a request for law enforcement purposes.
Establish and maintain a personal data collection policy.
Collect and record personal data for specific, explicit, and legitimate purposes.
Use personal data for specified purposes.
Collect personal data when an individual gives consent.
Collect personal data when required by law.
Collect personal data from individuals who are in regular contact during the nonprofit organization's activities.
Collect personal data in a proper information framework.
Collect personal data absent consent for specific and well-documented circumstances.
Collect personal data absent consent when the data collection is in the data subject's interests and consent cannot be obtained in a timely manner.

Collect personal data absent consent when consent compromises data accuracy.
Collect personal data absent consent for reasonable investigative purposes.
Collect personal data absent consent for journalistic purposes, artistic purposes, or literary purposes.
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified.
Collect personal data absent consent from publicly available information.
Collect personal data absent consent when needed by law.
data subject is impossible or the data collection involves a disproportionate effort.
Collect personal data in a fair and lawful manner.
Collect personal data directly from the data subject.
Provide the data subject with information about the data controller during the collection process.
Provide the data subject with the data collector's name and contact information.
Establish and maintain a personal data use policy.
Collect the minimum amount of personal data necessary.
Post the collection purpose.
Establish and maintain a personal data use purpose specification.
Display or print the least amount of personal data necessary.
Notify the data subject of the collection purpose.
Do not use personal data collected for research and statistics for other purposes.
Document the law that requires personal data to be collected.
Notify the data subject of changes to personal data use.
Establish and maintain personal data use change of purpose procedures.
Document the use of publicly accessible personal data as an acceptable secondary purpose.
the data subject is not charged to request to opt out of direct marketing communications.
the data subject has not requested to opt out of direct marketing communications.
the organization displays contact information in each written direct marketing communication.
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent.
the personal data is Individually Identifiable Health Information used for research.
the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous.
the data controller believes the use is necessary to prevent a life-threatening emergency.
Document the use of personal data as an acceptable secondary purpose when required by law.
the personal data is necessary for public emergencies, public health and safety, or individual emergencies.
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose.
Obtain the data subject's consent when the personal data use changes.
Dispose of media and personal data in a timely manner.
Establish and maintain personal data use limitation procedures.
Follow legal obligations while processing personal data.
Start personal data processing only after the needed notifications are submitted.
Notify the data subject before personal data is collected, used, or disclosed.
Define security breach notification requirement exceptions.
Disclose personal data when the data subject has given unambiguous and implicit consent.
Define what personal data is not required to be disclosed absent consent.
Define the exceptions to disclosure absent consent.
Define how a data subject may give consent.
Disclose personal data when the law does not require consent.
Disclose personal data absent consent when a relevant connection exists between the data subject and the data controller's operations.
legitimate interest or third party's legitimate interest and it prevails over individual rights.
Disclose personal data absent consent in order to perform a contract.

Disclose personal data absent consent in order to process the personal data for public interests.
Disclose personal data for public interests absent consent in order to provide social assistance services.
is assured and the disclosure is for statistical research work, scientific research, or scholarly research.
Disclose personal data for public interests absent consent in order to protect historical records or archival records.
Disclose personal data absent consent for public interests.
Disclose personal data for public interests absent consent for economic National Security reasons.
Disclose personal data absent consent for journalistic purposes.
Disclose personal data absent consent when it is publicly accessible.
Disclose personal data absent consent when it is related to publicly available information.
Disclose publicly accessible personal data absent consent when the data subject has already published it.
Disclose personal data absent consent in order to protect the data subject's vital interests.
Disclose personal data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency.
Disclose personal data absent consent when it is for judicial decisions, lawsuits, and investigations.
Disclose personal data absent consent when it is needed by law.
Disclose personal data absent consent when it is being disclosed to the data subject.
Disclose personal data absent consent in order to collect a debt owed by the data subject.
Establish and maintain personal data retention procedures.
Limit the redisclosure and reuse of personal data.
Refrain from redisclosing or reusing personal data.
Document the redisclosing personal data exceptions.
Redisclose personal data when the data subject consents.
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data.
Process personal data for statistical purposes or scientific purposes.
Process personal data after the data subject has granted explicit consent.
Process personal data in order to perform a legal obligation or exercise a legal right.
Process personal data in order to prevent personal injury or damage to the data subject's health.
Process personal data in order to prevent personal injury or damage to a third party's health.
Process personal data when it is processed during legitimate activities with safeguards for the data subject's legal rights.
Process personal data for health insurance, social insurance, state social benefits, social care, or child protection.
Process personal data when it is publicly accessible.
Process personal data for direct marketing and other personalized mail programs.
Process personal data for justice administration, lawsuits, judicial decisions, and investigations.
Process personal data for debt collection or benefit payments.
Process personal data in order to advance the public interest.
Process personal data for surveys, archives, or scientific research.
Process personal data for journalistic purposes.
Process personal data when it is used by a public authority for National Security policy or criminal policy.
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination.
Obtain parental consent in order to use or disclose children's data.
Process personal data pertaining to a patient's health in order to treat those patients.
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity.
Information by an organization providing healthcare services to organizations other than business associates or other covered entities.
cannot physically or legally provide consent and the disclosing organization is a healthcare provider.
appropriate treatment to the data subject when the disclosing organization is a healthcare provider.
contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider.
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider.
Disclose Individually Identifiable Health Information in order to carry out
treatment when the disclosing organization is a healthcare provider.

out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider.
provided consent and the disclosing organization is a healthcare provider.
Obtain explicit consent from parents or students prior to using or disclosing educational data.
Disclose educational data, as necessary.
Disclose educational data when written consent has been received.
Document the conditions when consent is not required to disclose educational data.
Disclose educational data absent consent in order to comply with a judicial order.
Process personal data relating to criminal offenses when required by law.
Obtain explicit consent prior to using the data subject's Personal Identification Number.
Process Personal Identification Numbers with consent.
Refrain from displaying Personal Identification Numbers on identification cards or badges.
Establish and maintain data handling policies.
Establish and maintain data and information confidentiality policies.
Prohibit personal data from being sent by e-mail or instant messaging.
Establish and maintain record structures to support information confidentiality.
Include passwords, personal identification numbers, and card security codes in the personal data definition.
Authentication Value 2, Card Validation Code Value 2, Card Verification Value 2, Card Identification Number) from being stored.
Refrain from storing data elements containing payment card full magnetic stripe data.
Implement physical controls to protect personal data.
Limit data leakage.
Require third party security requirements to comply with the organizational security requirements.
Identify potential red flags to alert the organization before a data leakage has occurred.
Establish and maintain data handling procedures.
Define personal data that falls under breach notification rules.
identifying numbers or other information as personal data that falls under the breach notification rules.
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules.
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules.
Include data elements that contain an individual's address as personal data that falls under the breach notification rules.
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules.
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules.
Personal Identification Number as personal data that falls under the breach notification rules.
individual's state identification card number as personal data that falls under the breach notification rules.
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules.
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules.
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules.
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules.
with associated password or password hint as personal data that falls under the breach notification rules.
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules.
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules.
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules.
password, or password hint as personal data that falls under the breach notification rules.
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules.
individual's debit card number as personal data that falls under the breach notification rules.
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules.
password or password hint as personal data that falls under the breach notification rules.
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules.
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules.

Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules.
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules.
physical condition as personal data that falls under the breach notification rules.
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules.
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules.
application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules.
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules.
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules.
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules.
Define an out of scope privacy breach.
Include personal data that is publicly available information as an out of scope privacy breach.
Include personal data that is encrypted or redacted as an out of scope privacy breach.
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach.
encryption keys were not accessed, and the portable computing device was recovered as an out of scope privacy breach.
Conduct internal data processing audits.
Establish and maintain personal data access procedures.
Provide individuals with information about the processing purpose of their personal data.
Provide individuals with information about the disclosure of their personal data.
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives.
Require personal data access requests to be in writing, unless the requester is unable.
Respond to personal data access requests in a timely manner.
Notify the individual when a cost is imposed which must be paid in advance to gain access.
Establish and maintain a personal data transfer program.
Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program.
Notify data subjects when their personal data is transferred.
Include procedures for transferring personal data to third parties in the personal data transfer program.
Provide an adequate data protection level by the transferee prior to transferring personal data to another country.
Prohibit the transfer of personal data when security is inadequate.
Meet the use of limitation exceptions in order to transfer personal data.
Allow the data subject the right to object to the personal data transfer.
Follow the instructions of the data transferrer.
Define the personal data transfer exceptions for transferring personal data to another country when adequate protection standards are not met.
for transferring personal data to another country outside an adequate data protection level.
transferring personal data to another country outside an adequate data protection level.
personal data transfer exception for transferring personal data to another country outside an adequate data protection level.
transfer exception for transferring personal data to another country outside an adequate data protection level.
transferring personal data to another country outside an adequate data protection level.
exception for transferring personal data to another country outside an adequate data protection level.
data transfer exception for transferring personal data to another country outside an adequate data protection level.
as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level.
transfer exception for transferring personal data to another country outside an adequate data protection level.
data transfer exception for transferring personal data to another country outside an adequate data protection level.
Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met.
data transfer exception for transferring personal data to a third party outside adequate data protection levels.
purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels.
data transfer exception for transferring personal data to a third party outside adequate data protection levels.
transferring personal data to a third party outside adequate data protection levels.

Control IDs: 04675, 04676, 04682, 04681, 04683, 04684, 04772, 04773, 04788, 04677, 04678, 04679, 04761, 04762, 00374, 00414, 00416, 00417, 00418, 00420, 00421, 00423, 00307, 00351, 00352, 00333, 00314, 00345, 00346, 00349, 00334, 00315, 00316, 00317, 00319, 00320, 00321, 00322, 00323, 00324, 00325, 00326, 00336, 00337, 00338, 00339, 00340

exception for transferring personal data to a third party outside adequate data protection levels.
personal data transfer exception for transferring personal data to a third party outside adequate data protection levels.
data transfer exception for transferring personal data to a third party outside adequate data protection levels.
Establish and maintain personal data disclosure procedures.
Establish and maintain personal data request denial procedures.
express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures.
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures.
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures.
information, or harmful financial information as a reason for denial in the personal data request denial procedures.
individual's security as a reason for denial in the personal data request denial procedures.
another individual's privacy as a reason for denial in the personal data request denial procedures.
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures.
research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures.
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures.
Include personal data that is for protecting the civil rights or others' freedoms as a reason for denial in the personal data request denial procedures.
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures.
operation of public functions as a reason for denial in the personal data request denial procedures.
surveillance or other legal purposes as a reason for denial in the personal data request denial procedures.
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures.
Notify the individual of the reasons the personal data access request was refused.
Communicate personal data to the individual that it relates to.
Provide personal data in a reasonable time frame.
Provide personal data at a cost that is not excessive.
Provide personal data in a reasonable manner.
Provide personal data in a form that is readily intelligible.
Notify individuals of their right to challenge personal data.
Notify individuals of their right to object to personal data for legitimate reasons.
Notify individuals of their ability to object to personal data processing, absent cost.
Investigate the disputed accuracy of personal data.
Change or destroy any personal data that is incorrect.
Notify the data subject of changes made to personal data as the result of a dispute.
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data.
Notify the data subject of which and why disputed changes were not made to personal data.
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections.
Give individuals the ability to change the uses of their personal data.
Develop remedies and sanctions for privacy policy violations.
Order the cessation of data processing when a violation of the privacy policy is detected.
Implement procedures to file privacy rights violation complaints.
File privacy rights violation complaints in writing.
Provide assistance to data subjects for filing privacy rights violation complaints.
File privacy rights violation complaints inside the mandate stipulated from the refusal.
Investigate privacy rights violation complaints.
Notify respondents after a privacy rights violation complaint investigation begins.
Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints.
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions.
Determine not to investigate privacy rights violation complaints under certain conditions.
Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance.

Control IDs: 00341, 00342, 00344, 00133, 00434, 00438, 00439, 00440, 00441, 00442, 00443, 00444, 00445, 00446, 00447, 00448, 00449, 00450, 00451, 00453, 00428, 00429, 00430, 00431, 00432, 00457, 00458, 00459, 00461, 00462, 00463, 00465, 00466, 00467, 00469, 00474, 00475, 00476, 00477, 00478, 00479, 00480, 00491, 00493, 00481, 00482, 00485

law, or territory law, and the complaint was or is being dealt with adequately under the law.
Defer privacy rights violation complaint investigations under certain conditions.
Create an investigative report in regards to a privacy rights violation complaint.
Respond to an investigative report in regards to a privacy rights violation complaint.
Define the available administrative remedies in regards to a privacy rights violation complaint.
Order the organization to change to be in compliance with applicable law.
Order the organization to publish a notice with the corrections or actions taken.
Award damages based on applicable law.
Provide compensation for detriment based on applicable law.
Destroy personal data that breaches privacy after the privacy breach has been detected.
Define the organization's liability based on the applicable law.
Define the sanctions and fines available for privacy rights violations based on applicable law.
Define the appeal process based on the applicable law.
Establish and maintain a Customer Information Management program.
Define and assign the data controller's data quality roles and responsibilities.
Process personal data lawfully and carefully.
Check the data accuracy of new accounts.
Check the accuracy of personal data.
Record personal data correctly.
Check that personal data is complete.
Keep personal data up-to-date and valid.
Maintain personal data in a form that does not permit the identification of data subjects for longer than the processing purpose.
Establish and maintain consumer credit report policies.
Define the credit provider's nondisclosure requirement exceptions for personal data contained in credit reports that concern creditworthiness.
Define information created or included in a credit information file as a nondisclosure exception.
Define individual consent as a nondisclosure exception.
Define allowing a business to determine whether or not to accept credit for customer payments as a nondisclosure exception.
Define disclosures required by law as a nondisclosure exception.
Third Party and supply chain oversight
Establish and maintain a supply chain management policy.
Formalize client and third party relationships with contracts or nondisclosure agreements, as necessary.
Include a description of the data or information to be covered in third party contracts.
Include text about access, use, disclosure, and transfer of data or information in third party contracts.
Include Change Control clauses as appropriate in third party contracts.
Include incident management procedures and incident reporting procedures in third party contracts.
Include third party acknowledgement of their data protection responsibilities in third party contracts.
Document the third parties' compliance with the organization's system hardening framework.
Establish the third party's service continuity.
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements.
Select suppliers based on their qualifications.
Establish information flow agreements with all third parties.
Establish and maintain procedures for establishing, maintaining, and terminating third party contracts.
Establish and maintain Service Level Agreements with the organization's supply chain.
Monitor third parties when they deliver services.
2015 - Network Frontiers LLC www.commoncontrolshub.com

Control IDs: 00486, 00487, 00495, 00496, 00497, 00499, 00500, 00501, 00502, 00503, 00504, 00505, 00506, 00084, 00085, 00086, 04859, 00088, 00089, 00090, 00091, 00092, 00257, 00263, 00264, 00265, 00269, 00280, 08807, 08808, 00794, 06510, 11610, 06523, 01214, 01364, 04263, 00797, 06087, 00795, 04543, 00796, 00838, 00799

Jurisdiction columns: French Republic, Florida, Federal Republic of Germany, District of Columbia, Delaware, Connecticut, Commonwealth of Puerto Rico, Colorado, Canada, California, Arkansas, Arizona, Alaska
[Numeric table cells for these jurisdiction columns: row and column positions lost in extraction]

Jurisdiction columns: Kingdom of the Netherlands, Kingdom of Sweden, Kingdom of Belgium, Kentucky, Kansas, Ireland, Iowa, Indiana, Illinois, Idaho, Hawaii, Grand Duchy of Luxembourg, Georgia
[Numeric table cells for these jurisdiction columns: row and column positions lost in extraction]

Jurisdiction columns: North Carolina, New York, New Jersey, New Hampshire, Nevada, Nebraska, Montana, Minnesota, Michigan, Massachusetts, Maryland, Maine, Louisiana
[Numeric table cells for these jurisdiction columns: row and column positions lost in extraction]

Jurisdiction columns: US Congress, The International Organization for Standardization, Texas, Tennessee, Swiss Confederation, South Carolina, Rhode Island, Republic of Poland, Pennsylvania, Oregon, Oklahoma, Ohio, North Dakota
[Numeric table cells for these jurisdiction columns: row and column positions lost in extraction]

Jurisdiction columns: Internal Guidance, Wyoming, Wisconsin, West Virginia, Washington, Virginia, Vermont, Utah, United States Virgin Islands, United Kingdom of Great Britain and Northern Ireland
[Numeric table cells for these jurisdiction columns: row and column positions lost in extraction]
