EU GDPR Compliance Criteria (EGCC)

EU GDPR Compliance Criteria - Cybersecurity For Privacy (C4P) Overview

Diagram lanes: Privacy Kick Off | Cybersecurity | Data Lifecycles

START

DEFINE CYBERSECURITY FRAMEWORK
Pick The Best Framework For Your Needs:
- ISO 27002
- NIST 800-53
- NIST Cybersecurity Framework
- Other

DEFINE PRIVACY FRAMEWORK
Pick The Best Framework For Your Needs:
- ISO 29100
- US Privacy Shield
- Generally Accepted Privacy Principles (GAPP)
- Service Organization Control (SOC 2)
- Asia-Pacific Economic Cooperation (APEC)
- Organization for Economic Co-Operation & Development (OECD)
- Other

OPERATIONALIZE FRAMEWORKS THROUGH STANDARDIZED OPERATING PROCEDURES (SOP) & DOCUMENTED SDLC PROCESSES

Key Articles To Consider For CYBERSECURITY Framework Alignment:
- Article 5 – Principles relating to personal data
- Article 25 – Data protection by design and by default
- Article 28 – Processor
- Article 30 – Processing activities
- Article 32 – Security of processing
- Article 33 – Notification of a personal data breach
- Article 35 – Data Protection Impact Assessment (DPIA)
- Article 45 – Transfers on the basis of adequacy decision

Key Articles To Consider For PRIVACY Framework Alignment:
- Article 5 – Principles relating to personal data
- Article 6 – Lawfulness of processing
- Article 9 – Processing of special categories of personal data
- Article 17 – Right to erasure (right to be forgotten)
- Article 20 – Right to data portability
- Article 25 – Data protection by design and by default
- Article 30 – Processing activities
- Article 35 – Data Protection Impact Assessment (DPIA)

Operational Expectations:
- Publish & manage policies, standards & procedures that cover applicable cybersecurity & privacy requirements.
- Implement ongoing risk management practices (e.g., Data Protection Impact Assessment (DPIA) or other risk assessments).
- Formalize a Secure Development Lifecycle (SDLC) program that helps ensure both cybersecurity & privacy principles are designed and implemented by design and by default.
- Perform Control Validation Testing (CVT) to validate the existence and effectiveness of cybersecurity & privacy controls. CVT should be done prior to “go live” or after significant changes.
- Maintain a mature Incident Response (IR) capability.

AS NECESSARY – ADJUST TO CHANGES TO CYBERSECURITY & PRIVACY FRAMEWORKS

Post on 15-Mar-2022

EU GDPR Compliance Criteria (EGCC) 4/24/2018

Secure Controls Framework (SCF) mapping table. Source columns, in order: SCF Domain; SCF Control; SCF #; Control Description; Methods To Comply With SCF Controls; Target Audience; AICPA SOC 2 (2017); GAPP; ISO 27002 v2013; ISO 29100 v2011; NIST 800-53 rev4; NIST 800-160; NIST 800-171 rev 1; NIST CSF; US Privacy Shield; EMEA EU GDPR (one column per article, Art 1 through Art 50, marked with an "x" where the control maps to that article).

Each row below is written as "SCF # | SCF Domain | SCF Control", followed by the Control description, the Methods to comply (where given), the Target Audience, the framework references ("Refs", listed in the source column order SOC 2, GAPP, ISO 27002, ISO 29100, NIST 800-53, NIST 800-160, NIST 800-171, NIST CSF, US Privacy Shield, where given) and the mapped GDPR articles.

GOV-01 | Security & Privacy Governance | Security & Privacy Governance Program
Control: Mechanisms exist to facilitate the implementation of cybersecurity and privacy governance controls.
Methods: Steering committee; Digital Security Program (DSP); Written Information Security Program (WISP)
Audience: Management
Refs: 8.2.1 5.1.1 5.1 5.10 5.11 PM-1
GDPR: Art 32.1, 32.2, 32.3, 32.4

GOV-02 | Security & Privacy Governance | Publishing Security Policies
Control: Mechanisms exist to establish, maintain and disseminate cybersecurity and privacy policies, standards and procedures.
Methods: Steering committee; Digital Security Program (DSP); Written Information Security Program (WISP); Governance, Risk and Compliance Solution (GRC) tool (ZenGRC, Archer, RSAM, Metric stream, etc.); Wiki; SharePoint
Audience: Management
Refs: 8.2.1 5.1.1 PM-1 ID.GV-1
GDPR: Art 32.1, 32.2, 32.3, 32.4

GOV-03 | Security & Privacy Governance | Periodic Review & Update of Security Documentation
Control: Mechanisms exist to review cybersecurity and privacy policies, standards and procedures at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
Methods: Governance, Risk and Compliance Solution (GRC) tool (ZenGRC, Archer, RSAM, Metric stream, etc.); Steering committee
Audience: Management
Refs: CC7.2 8.2.1 5.1.2 PM-1
GDPR: Art 32.1, 32.2, 32.3, 32.4

GOV-06 | Security & Privacy Governance | Contacts With Authorities
Control: Mechanisms exist to identify and document appropriate contacts within relevant law enforcement and regulatory bodies.
Methods: Threat intelligence personnel; Integrated Security Incident Response Team (ISIRT)
Audience: Management
Refs: 6.1.3 IR-6
GDPR: Art 31, 36.1, 36.2, 36.3, 37.7, 40.1, 41.1, 42.2, 50

GOV-07 | Security & Privacy Governance | Contacts With Groups & Associations
Control: Mechanisms exist to establish contact with selected groups and associations within the cybersecurity & privacy communities to:
▪ Facilitate ongoing cybersecurity and privacy education and training for organizational personnel;
▪ Maintain currency with recommended cybersecurity and privacy practices, techniques and technologies; and
▪ Share current security-related information including threats, vulnerabilities and incidents.
Methods: SANS; CISO Executive Network; ISACA chapters; IAPP chapters; ISAA chapters
Audience: Management
Refs: 6.1.4 AT-5 PM-15
GDPR: Art 40.2, 41.1, 42.2, 42.3, 43.2

AST-01 | Asset Management | Asset Governance
Control: Mechanisms exist to facilitate the implementation of asset management controls.
Methods: Generally Accepted Accounting Principles (GAAP); ITIL; Configuration Management Database (CMDB)
Audience: Management
Refs: PM-5
GDPR: Art 32.1, 32.2

AST-04 | Asset Management | Network Diagrams & Data Flow Diagrams (DFDs)
Control: Mechanisms exist to maintain network architecture diagrams that:
▪ Contain sufficient detail to assess the security of the network's architecture;
▪ Reflect the current state of the network environment; and
▪ Document all sensitive data flows.
Methods: High-Level Diagram (HLD); Low-Level Diagram (LLD); Data Flow Diagram (DFD); SolarWinds; Paessler; PRTG
Audience: Technical
Refs: PL-2 SA-5(1) SA-5(2) SA-5(3) SA-5(4) ID.AM-3
GDPR: Art 30.1, 30.2, 30.3, 30.4, 30.5

BCD-01 | Business Continuity & Disaster Recovery | Contingency Plan
Control: Mechanisms exist to facilitate the implementation of contingency planning controls.
Methods: Business Continuity Plan (BCP); Disaster Recovery Plan (DRP); Continuity of Operations Plan (COOP); Business Impact Analysis (BIA); Criticality assessments
Audience: Management
Refs: A1.3 17.1.2 CP-1 CP-2 IR-4(3) PM-8 RC.RP-1
GDPR: Art 32.1, 32.2

CAP-01 | Capacity & Performance Planning | Capacity & Performance Management
Control: Mechanisms exist to facilitate the implementation of capacity management controls to ensure optimal system performance for future capacity requirements.
Methods: Splunk; Resource monitoring
Audience: Management
Refs: A1.1 12.1.3 SC-5 SC-5(3) PR.DS-4
GDPR: Art 32.1, 32.2

CHG-01 | Change Management | Change Management Program
Control: Mechanisms exist to facilitate the implementation of change management controls.
Methods: VisibleOps methodology; ITIL infrastructure library; NNT Change Tracker; ServiceNow; Remedy; Tripwire; Chef; Puppet
Audience: All Users
Refs: CC7.3 12.1.2 CM-3 3.4.10 3.4.13
GDPR: Art 32.1, 32.2

CLD-01 | Cloud Security | Cloud Services
Control: Mechanisms exist to facilitate the implementation of cloud management controls to ensure cloud instances are secure and in-line with industry practices.
Methods: Data Protection Impact Assessment (DPIA)
Audience: Technical
GDPR: Art 32.1, 32.2

www.securecontrolsframework.com 1 of 10


CPL-01 | Compliance | Statutory, Regulatory & Contractual Compliance
Control: Mechanisms exist to facilitate the implementation of relevant legislative statutory, regulatory and contractual controls.
Methods: Governance, Risk and Compliance Solution (GRC) tool (ZenGRC, Archer, RSAM, Metric stream, etc.); Steering committee
Audience: All Users
Refs: 18.1.1 5.1 PM-8 3.3 3.3.3 3.3.4 3.4 3.4.1 3.4.2 3.4.3 ID.GV-3 PR.IP-5
GDPR: Art 1.2, 2.1, 2.2, 3.1, 3.2, 3.3, 6.1, 17.3, 20.3, 23.1, 23.2, 24.1, 24.2, 24.3, 25.1, 25.2, 25.3, 27.1, 27.2, 27.3, 27.4, 27.5, 32.1, 32.2, 32.3, 32.4, 40.1, 40.2, 42.2, 43, 50

CPL-02 | Compliance | Security Controls Oversight
Control: Mechanisms exist to provide a security controls oversight function.
Methods: Governance, Risk and Compliance Solution (GRC) tool (ZenGRC, Archer, RSAM, Metric stream, etc.); Steering committee; Formalized SDLC program; Formalized DevOps program; Control Validation Testing (CVT); Security Test & Evaluation (STE)
Audience: Management
Refs: 8.2.7 5.10 5.11 5.12 CA-7 CA-7(1) PM-14 3.3.8 3.12.1 3.12.2 3.12.3 3.12.4 NFO DE.DP-5 PR.IP-7
GDPR: Art 5.2

CPL-03 | Compliance | Security Assessments
Control: Mechanisms exist to ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate security policies, standards and other applicable requirements.
Methods: Control Validation Testing (CVT); Security Test & Evaluation (STE); Governance, Risk and Compliance Solution (GRC) tool (ZenGRC, Archer, RSAM, Metric stream, etc.)
Audience: Technical
Refs: P8.1 10.2.4 18.2.2 5.12 CA-2 3.4.9
GDPR: Art 5.2, 32.3

CPL-03.1 | Compliance | Independent Assessors
Control: Mechanisms exist to utilize independent assessors at planned intervals or when the system, service or project undergoes significant changes.
Methods: Control Validation Testing (CVT); Security Test & Evaluation (STE)
Audience: Technical
Refs: 18.2.1 3.4.9
GDPR: Art 40.2, 42.1, 42.2, 42.3, 42.4, 42.6, 42.7, 43.2

CFG-01 | Configuration Management | Configuration Management Program
Control: Mechanisms exist to facilitate the implementation of configuration management controls.
Methods: NNT Change Tracker; Change Management Database (CMDB); Baseline hardening standards; Formalized DevOps program; Control Validation Testing (CVT); Security Test & Evaluation (STE)
Audience: Management
Refs: CM-1 CM-9 3.3.5 3.4.7 3.4.8 NFO
GDPR: Art 32.1, 32.2

MON-01 | Monitoring | Continuous Monitoring
Control: Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.
Methods: Splunk
Audience: Technical
Refs: 12.4.1 AU-1 SI-4 NFO DE.CM-1 DE.DP-1 DE.DP-2 PR.PT-1
GDPR: Art 32.1, 32.2

CRY-01 | Cryptographic Protections | Use of Cryptographic Controls
Control: Mechanisms exist to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies.
Methods: Key and certificate management solutions; BitLocker and EFS; dm-crypt, LUKS
Audience: All Users
Refs: 10.1.1 SC-8(2) SC-13 SC-13(1) SI-7(6) 3.13.11
GDPR: Art 5.1, 32.1, 32.2

CRY-03 | Cryptographic Protections | Transmission Confidentiality
Control: Cryptographic mechanisms are utilized to protect the confidentiality of data being transmitted.
Methods: SSL / TLS protocols; IPSEC Tunnels; Native MPLS encrypted tunnel configurations; Custom encrypted payloads
Audience: Technical
Refs: C1.3 8.2.5 13.2.3 SC-8 SC-9 PR.DS-2
GDPR: Art 5.1

CRY-04 | Cryptographic Protections | Transmission Integrity
Control: Cryptographic mechanisms are utilized to protect the integrity of data being transmitted.
Audience: Technical
Refs: 14.1.3 SC-8 SC-16(1) SC-28(1) 3.8.6 3.13.8 3.13.16 PR.DS-8
GDPR: Art 5.1

CRY-05 | Cryptographic Protections | Encrypting Data At Rest
Control: Cryptographic mechanisms are utilized on systems to prevent unauthorized disclosure of information at rest.
Audience: All Users
Refs: 10.1.1 SC-13 SC-28(2) PR.DS-1
GDPR: Art 5.1

DCH-01 | Data Classification & Handling | Data Protection
Control: Mechanisms exist to facilitate the implementation of data protection controls.
Audience: All Users
Refs: C1.1 8.2 8.3.3 MP-1 3.3.6 NFO
GDPR: Art 5.1, 32.1, 32.2

DCH-09.3 | Data Classification & Handling | Destruction of Personally Identifiable Information (PII)
Control: Mechanisms exist to facilitate the destruction of Personal Information (PI).
Methods: De-identifying PII
Audience: Management
Refs: MP-6(9)
GDPR: Art 5.1

DCH-18 | Data Classification & Handling | Media & Data Retention
Control: Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.
Methods: Data Protection Impact Assessment (DPIA)
Audience: All Users
Refs: PI1.4 PI1.5 PI1.6 8.3 18.1.3 MP-7 SI-12
GDPR: Art 5.1


DCH-18.1 | Data Classification & Handling | Limit Personally Identifiable Information (PII) Elements In Testing, Training & Research
Control: Mechanisms exist to limit Personal Information (PI) being processed in the information lifecycle to elements identified in the Data Protection Impact Assessment (DPIA).
Methods: Data Protection Impact Assessment (DPIA)
Audience: Management
GDPR: Art 35.1, 35.2, 35.3, 35.6, 35.8, 35.9, 35.11

DCH-18.2 | Data Classification & Handling | Minimize Personally Identifiable Information (PII)
Control: Mechanisms exist to minimize the use of Personal Information (PI) for research, testing, or training, in accordance with the Data Protection Impact Assessment (DPIA).
Methods: Data Protection Impact Assessment (DPIA)
Audience: Management
Refs: 5.5
GDPR: Art 5.1, 35.1, 35.2, 35.3, 35.6, 35.8, 35.9, 35.11

DCH-24 | Data Classification & Handling | Information Location
Control: Mechanisms exist to identify and document the location of information and the specific system components on which the information resides.
Methods: Data Flow Diagram (DFD)
Audience: Technical
GDPR: Art 6.1, 26.1, 26.2, 27.3, 28.1, 28.2, 28.3, 28.4, 28.5, 28.6, 28.9, 28.10, 29, 44, 45.1, 45.2, 46.1, 46.2, 46.3, 47.1, 47.2, 48, 49.1, 49.2, 49.6

DCH-25 | Data Classification & Handling | Transfer of Personal Information
Control: Mechanisms exist to restrict and govern the transfer of data to third-countries or international organizations.
Methods: Model contracts; Privacy Shield; Binding Corporate Rules (BCR)
Audience: Management
GDPR: Art 44, 45.1, 45.2, 46.1, 46.2, 46.3, 47.1, 47.2, 48, 49.1, 49.2, 49.6

EMB-01 | Embedded Technology | Embedded Technology Security Program
Control: Mechanisms exist to facilitate the implementation of embedded technology controls.
Audience: All Users
GDPR: Art 32.1, 32.2

END-01 | Endpoint Security | Endpoint Security
Control: Mechanisms exist to facilitate the implementation of endpoint security controls.
Methods: Group Policy Objects (GPOs); Antimalware technologies; Software firewalls; Host-based IDS/IPS technologies; NNT Change Tracker
Audience: All Users
Refs: 11.2.9 MP-2
GDPR: Art 32.1, 32.2

END-13.1 | Endpoint Security | Authorized Use
Control: Mechanisms exist to utilize organization-defined measures so that data or information collected by sensors is only used for authorized purposes.
Audience: Management
Refs: SC-42(2)
GDPR: Art 5.2

END-13.2 | Endpoint Security | Notice of Collection
Control: Mechanisms exist to notify individuals that Personal Information (PI) is collected by sensors.
Methods: Visible or auditory alert; Data Protection Impact Assessment (DPIA)
Audience: Management
Refs: SC-42(4)
GDPR: Art 5.1

END-13.3 | Endpoint Security | Collection Minimization
Control: Mechanisms exist to utilize sensors that are configured to minimize the collection of information about individuals.
Audience: Management
Refs: 5.5 SC-42(5)
GDPR: Art 5.1

HRS-01 | Human Resources Security | Human Resources Security Management
Control: Mechanisms exist to facilitate the implementation of personnel security controls.
Audience: All Users
Refs: PS-1 3.2.4 NFO PR.IP-11
GDPR: Art 32.1, 32.2, 32.4

HRS-04 | Human Resources Security | Personnel Screening
Control: Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.
Methods: Criminal, education and employment background checks
Audience: All Users
Refs: 7.1.1 PS-3 3.9.1 3.9.2
GDPR: Art 32.1, 32.2, 32.4

IAC-01 | Identification & Authentication | Identity & Access Management (IAM)
Control: Mechanisms exist to facilitate the implementation of identification and access management controls.
Audience: All Users
Refs: CC5.1 8.2.2 9.1.1 AC-1 IA-1 SI-9 NFO
GDPR: Art 32.1, 32.2

IAC-09.6 | Identification & Authentication | Pairwise Pseudonymous Identifiers
Control: Mechanisms exist to generate pairwise pseudonymous identifiers with no identifying information about a subscriber to discourage activity tracking and profiling of the subscriber.
Audience: Technical
GDPR: Art 11.1

IRO-01 | Incident Response | Management of Security Incidents
Control: Mechanisms exist to facilitate the implementation of incident response controls.
Audience: Management
Refs: 1.2.7 16.1.1 IR-1 NFO PR.IP-9
GDPR: Art 32.1, 32.2


IRO-04.1 | Incident Response | Personally Identifiable Information (PII) Processes
Control: Incident response mechanisms include processes involving Personal Information (PI).
Audience: Management
Refs: 1.2.7 7.2.4 SE-2
GDPR: Art 33.1, 33.2, 33.3, 33.4, 33.5

IRO-07 | Incident Response | Integrated Security Incident Response Team (ISIRT)
Control: Mechanisms exist to establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and privacy incident response operations.
Methods: Full-time employees only
Audience: Technical
Refs: 16.1.4 IR-10 RC.CO-1 RC.CO-2 RC.CO-3 RS.CO-1 RS.CO-4
GDPR: Art 34.1, 34.2, 34.3, 34.4

IRO-10 | Incident Response | Incident Reporting
Control: Mechanisms exist to report incidents:
▪ Internally to organizational incident response personnel within organization-defined time-periods; and
▪ Externally to regulatory authorities and affected parties, as necessary.
Audience: All Users
Refs: CC2.5 1.2.7 16.1.2 16.1.3 IR-6 3.6.1 3.6.2 RS.CO-2 RS.CO-3 RS.CO-5
GDPR: Art 33.1, 33.2, 33.3, 33.4, 33.5, 34.1, 34.2, 34.3, 34.4

IRO-11.2 | Incident Response | Coordination With External Providers
Control: Mechanisms exist to establish a direct, cooperative relationship between the organization's incident response capability and external service providers.
Audience: Technical
Refs: IR-7(2)
GDPR: Art 34.1, 34.2, 34.3, 34.4

IRO-14 | Incident Response | Regulatory & Law Enforcement Contacts
Control: Mechanisms exist to maintain incident response contacts with applicable regulatory and law enforcement agencies.
Audience: Technical
Refs: 6.1.3 IR-6
GDPR: Art 31

IAO-01 | Information Assurance | Information Assurance (IA) Operations
Control: Mechanisms exist to facilitate the implementation of cybersecurity and privacy assessment and authorization controls.
Methods: Information Assurance (IA) program; VisibleOps security management
Audience: All Users
Refs: CA-1 PM-10 NFO
GDPR: Art 32.1, 32.2, 32.3

MNT-01 | Maintenance | Maintenance Operations
Control: Mechanisms exist to develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise.
Audience: All Users
Refs: 11.2.4 MA-1 3.4.13 NFO
GDPR: Art 32.1, 32.2

NET-01 | Network Security | Network Security Management
Control: Mechanisms exist to develop, govern & update procedures to facilitate the implementation of network security controls.
Audience: All Users
Refs: 13.1.1 13.1.2 SC-1 NFO PR.PT-4
GDPR: Art 32.1, 32.2

PES-01 | Physical & Environmental Security | Physical & Environmental Protections
Control: Mechanisms exist to facilitate the operation of physical and environmental protection controls.
Audience: All Users
Refs: A1.2 8.2.3 8.2.4 PE-1 NFO
GDPR: Art 32.1, 32.2

PRI-01 | Privacy | Privacy Program
Control: Mechanisms exist to facilitate the implementation and operation of privacy controls.
Audience: All Users
Refs: 5.1 5.10
GDPR: Art 32.1, 32.2, 32.3, 32.4

PRI-01.1 | Privacy | Chief Privacy Officer (CPO)
Control: Mechanisms exist to appoint a Chief Privacy Officer (CPO) or similar role, with the authority, mission, accountability and resources to coordinate, develop and implement applicable privacy requirements and manage privacy risks through the organization-wide privacy program.
Audience: All Users
Refs: 1.1.0 1.1.2 1.2.1 1.2.2 1.2.8 1.2.9 2.1.0 4.2.3 8.2.1 18.1.4 5.10 AR-1
GDPR: Art 37.1, 38.1, 39.1, 39.2

PRI-01.4 | Privacy | Data Protection Officer (DPO)
Control: Mechanisms exist to appoint a Data Protection Officer (DPO):
▪ On the basis of professional qualities; and
▪ To be involved in all issues related to the protection of personal data.
Audience: Management
Refs: 5.10
GDPR: Art 35.2, 37.1, 37.2, 37.3, 37.4, 37.5, 37.6, 37.7, 38.1, 38.2, 38.3, 38.4, 38.5, 38.6, 39.1, 39.2


PRI-02 | Privacy | Privacy Notice
Control: Mechanisms exist to:
▪ Make privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary.
▪ Ensure that privacy notices are clear and easy-to-understand, expressing information about Personal Information (PI) processing in plain language.
Audience: All Users
Refs: P1.1 2.1.1 2.2.1 2.2.2 2.2.3 3.1.0 3.1.1 3.1.2 4.1.0 4.1.1 4.2.4 5.1.0 5.1.1 6.1.0 7.1.0 7.1.1 8.1.0 8.1.1 9.1.0 9.1.1 10.1.0 10.1.1 5.2 5.8 TR-1 Principle 1 Principle 3
GDPR: Art 11.2, 12.1, 13.1, 13.2, 13.3, 14.1, 14.2, 14.3, 26.1, 26.2

PRI-02.1 | Privacy | Purpose Specification
Control: Mechanisms exist to identify and document the purpose(s) for which Personal Information (PI) is collected, used, maintained and shared in its privacy notices.
Audience: Management
Refs: P2.1 4.2.1 5.3 AP-2
GDPR: Art 13.1, 14.1, 14.2

PRI-02.2 | Privacy | Automation
Control: Automated mechanisms exist to support records management of authorizing policies and procedures for Personal Information (PI).
Audience: Technical
GDPR: Art 14.2, 22.1, 22.2, 22.3, 22.4

PRI-03 | Privacy | Choice & Consent
Control: Mechanisms exist for individuals to authorize the processing of their Personal Information (PI) prior to its collection that:
▪ Use plain language and provide examples to illustrate the potential privacy risks of the authorization; and
▪ Provide a means for users to decline the authorization.
Methods: "opt in" vs "opt out" user selections
Audience: All Users
Refs: P3.2 3.2.1 3.2.2 3.2.3 3.2.4 5.2 IP-1 Principle 2
GDPR: Art 6.1, 7.1, 7.2, 7.3, 7.4, 8.1, 8.2, 12.6, 14.3

PRI-03.1 | Privacy | Attribute Management
Control: Mechanisms exist to allow data subjects to tailor use permissions to selected attributes.
Audience: Technical
GDPR: Art 7.1, 7.2, 7.3, 7.4, 12.2, 12.3, 12.4, 22.1, 22.2, 22.3, 22.4

PRI-03.2 | Privacy | Just-In-Time Notice & Consent
Control: Mechanisms exist to present authorizations to process Personal Information (PI) in conjunction with the data action, when:
▪ The original circumstances under which an individual gave consent have changed; or
▪ A significant amount of time has passed since an individual gave consent.
Audience: Technical
Refs: Principle 2
GDPR: Art 7.1, 7.2, 7.3, 7.4, 8.1, 8.2, 12.2, 12.3, 12.4, 13.3, 14.3, 21.4

PRI-04 | Privacy | Collection
Control: Mechanisms exist to collect Personal Information (PI) only for the purposes identified in the privacy notice.
Audience: All Users
Refs: P3.1 4.1.2 9.2.2 5.4 AP-1
GDPR: Art 5.1

PRI-04.1 | Privacy | Authority To Collect
Control: Mechanisms exist to determine and document the legal authority that permits the collection, use, maintenance and sharing of Personal Information (PI), either generally or in support of a specific program or system need.
Audience: Management
Refs: 1.2.5 1.2.11 4.2.2 5.4 AP-1
GDPR: Art 5.1

PRI-05 | Privacy | Use, Retention & Disposal
Control: Mechanisms exist to:
▪ Retain Personal Information (PI), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;
▪ Dispose of, destroy, erase, and/or anonymize the PI, regardless of the method of storage; and
▪ Use organization-defined techniques or methods to ensure secure deletion or destruction of PI (including originals, copies and archived records).
Audience: All Users
Refs: 4.1.2 5.2.2 5.2.3 5.6 DM-2 3.4.14 Principle 5
GDPR: Art 5.1, 18.1, 18.2, 21.1, 21.2, 21.3


PRI-05.1 | Privacy | Internal Use
Control: Mechanisms exist to address the use of Personal Information (PI) for internal testing, training and research that:
▪ Take measures to limit or minimize the amount of PI used for internal testing, training and research purposes; and
▪ Authorize the use of PI when such information is required for internal testing, training and research.
Audience: Technical
Refs: 4.1.2 7.2.2 9.2.1 9.2.2 DM-1 DM-3
GDPR: Art 5.1, 11.1, 18.1, 18.2

PRI-05.2 | Privacy | Data Integrity
Control: Mechanisms exist to confirm the accuracy and relevance of Personal Information (PI), as data is obtained and used across the information lifecycle.
Audience: Technical
Refs: 9.2.1 5.7 DI-2 Principle 5
GDPR: Art 5.1

PRI-05.3 | Privacy | Data Masking
Control: Mechanisms exist to mask sensitive information that is displayed or printed.
Audience: Technical
GDPR: Art 5.1

PRI-05.4 | Privacy | Usage Restrictions of Personally Identifiable Information (PII)
Control: Mechanisms exist to restrict the use of Personal Information (PI) to only the authorized purpose(s) consistent with applicable laws, regulations and privacy notices.
Audience: Management
Refs: 5.2.1 UL-1 Principle 5
GDPR: Art 5.1, 9.1, 9.2, 10, 11.1, 18.1, 18.2

PRI-06 | Privacy | Right of Access
Control: Mechanisms exist to provide individuals the ability to access their Personal Information (PI) maintained in organizational systems of records.
Audience: Management
Refs: P5.1 P6.8 6.2.1 6.2.2 6.2.3 6.2.4 6.2.5 6.2.6 5.9 IP-2 Principle 6
GDPR: Art 12.1, 12.2, 13.2, 14.2, 15.1, 15.2, 15.3, 15.4, 16, 26.3

PRI-06.1 | Privacy | Redress
Control: Mechanisms exist to establish and implement a process for:
▪ Individuals to have inaccurate Personal Information (PI) maintained by the organization corrected or amended; and
▪ Disseminating corrections or amendments of PI to other authorized users of the PI.
Audience: Management
Refs: P5.2 P8.1 6.2.5 6.2.6 10.2.1 10.2.2 5.9 IP-3 Principle 7
GDPR: Art 12.3, 14.2, 16, 18.1, 26.3

PRI-06.2 | Privacy | Notice of Correction or Amendment
Control: Mechanisms exist to notify affected individuals if their Personal Information (PI) has been corrected or amended.
Audience: Management
Refs: 5.9
GDPR: Art 12.3, 18.3, 19, 26.3

PRI-06.3 | Privacy | Appeal
Control: Mechanisms exist to provide an organization-defined process for individuals to appeal an adverse decision and have incorrect information amended.
Audience: Management
Refs: 5.9 Principle 7
GDPR: Art 21.1, 21.2, 21.3, 26.3

PRI-06.4 | Privacy | User Feedback Management
Control: Mechanisms exist to implement a process for receiving and responding to complaints, concerns or questions from individuals about the organizational privacy practices.
Audience: Management
Refs: P5.2 P8.1 6.2.5 6.2.6 7.1.2 10.2.1 10.2.2 5.9 IP-4 Principle 7
GDPR: Art 18.1, 18.2, 18.3, 19, 21.1, 21.6, 22, 26.3

PRI-06.5 | Privacy | Right to Erasure
Control: Mechanisms exist to erase personal data of an individual, without delay.
Audience: Management
GDPR: Art 17.1, 17.2, 17.3

PRI-06.6 | Privacy | Data Portability
Control: Mechanisms exist to export Personal Information (PI) in a structured, commonly used and machine-readable format that allows the data subject to transmit the data to another controller without hindrance.
Audience: Management
GDPR: Art 20.1, 20.2, 20.3, 20.4

PRI-07 | Privacy | Information Sharing With Third Parties
Control: Mechanisms exist to disclose Personal Information (PI) to third-parties only for the purposes identified in the privacy notice and with the implicit or explicit consent of the individual.
Audience: All Users
Refs: 7.2.1 7.2.2 7.2.3 UL-2 Principle 3
GDPR: Art 6.1, 6.4, 15.2, 20.2, 26.1, 26.2, 26.3, 44, 45.1, 45.2, 46.1, 46.2, 46.3, 47.1, 47.2, 48, 49.1, 49.2, 49.6

www.securecontrolsframework.com 6 of 10

EU GDPR Compliance Criteria (EGCC) 4/24/2018

Column legend for the Secure Controls Framework (SCF) mapping rows that follow: SCF Domain | SCF Control | SCF # | Control Description | Methods To Comply With SCF Controls | Target Audience | AICPA SOC 2 (2017) | GAPP | ISO 27002 v2013 | ISO 29100 v2011 | NIST 800-53 rev4 | NIST 800-160 | NIST 800-171 rev1 (NFO marks a control NIST 800-171 expects non-federal organizations to satisfy routinely) | NIST CSF | US Privacy Shield | EMEA EU GDPR (one column per article, Art 1 through Art 50; a row's marked article columns are the articles named in its EU GDPR line). Columns with no mapping for a given control are omitted from that row.

PRI-07.1  Privacy: Privacy Requirements for Contractors & Service Providers
  Control description: Mechanisms exist to include privacy requirements in contracts and other acquisition-related documents that establish privacy roles and responsibilities for contractors and service providers.
  Target audience: Management
  GAPP: 4.2.3, 7.2.4
  NIST 800-53 rev4: AR-3
  US Privacy Shield: Principle 3
  EU GDPR: Art 6.1, Art 6.4, Art 26.1, Art 26.2, Art 26.3, Art 28.1, Art 28.2, Art 28.3, Art 28.4, Art 28.5, Art 28.6, Art 28.9, Art 28.10, Art 29

PRI-08  Privacy: Testing, Training & Monitoring
  Control description: Mechanisms exist to implement a process for ensuring that organizational plans for conducting security and privacy testing, training and monitoring activities associated with organizational systems are developed and performed.
  Target audience: All Users
  AICPA SOC 2 (2017): P6.5, P8.1
  GAPP: 1.2.6, 10.2.3, 10.2.4, 10.2.5
  ISO 27002 v2013: 18.2.2, 18.2.3
  NIST 800-53 rev4: AR-4
  EU GDPR: Art 32.1, Art 32.2

PRI-09  Privacy: System of Records Notice (SORN)
  Control description: Mechanisms exist to utilize a System of Records Notice (SORN), or similar record of processing activities, to maintain a record of processing Personal Information (PI) under the organization's responsibility.
  Target audience: Management
  EU GDPR: Art 30.1, Art 30.2, Art 30.3, Art 30.4, Art 30.5

PRI-10  Privacy: Data Quality Management
  Control description: Mechanisms exist to issue guidelines ensuring and maximizing the quality, utility, objectivity, integrity, impact determination and de-identification of Personal Information (PI) across the information lifecycle.
  Target audience: Management
  ISO 29100 v2011: 5.7
  EU GDPR: Art 5.1

PRI-10.1  Privacy: Automation
  Control description: Automated mechanisms exist to support the evaluation of data quality across the information lifecycle.
  Target audience: Management
  EU GDPR: Art 5.1, Art 21.5, Art 22

PRI-12  Privacy: Updating Personally Identifiable Information (PII)
  Control description: Mechanisms exist to develop processes to identify and record the method under which Personal Information (PI) is updated and the frequency with which such updates occur.
  Target audience: Management
  ISO 29100 v2011: 5.7
  EU GDPR: Art 5.1

PRI-13  Privacy: Data Management Board
  Control description: Mechanisms exist to establish a written charter for a Data Management Board (DMB) and assign organization-defined roles to the DMB.
  Methods to comply: Data Management Board (DMB)
  Target audience: Management
  EU GDPR: Art 5.1, Art 30.1, Art 30.2, Art 30.3, Art 30.4, Art 30.5

PRI-14  Privacy: Privacy Reporting
  Control description: Mechanisms exist to develop, disseminate and update reports to internal senior management, as well as external oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates.
  Target audience: Management
  GAPP: 10.2.3, 10.2.5
  NIST 800-53 rev4: AR-6
  EU GDPR: Art 31

PRI-14.1  Privacy: Accounting of Disclosures
  Control description: Mechanisms exist to develop and maintain an accounting of disclosures of Personal Information (PI) held by the organization and make the accounting of disclosures available to the person named in the record, upon request.
  Target audience: Management
  GAPP: 7.2.1, 7.2.4
  NIST 800-53 rev4: AR-8
  EU GDPR: Art 30.1, Art 30.2, Art 30.3, Art 30.4, Art 30.5

PRI-15  Privacy: Register Database
  Control description: Mechanisms exist to register databases containing Personal Information (PI) with the appropriate Data Authority, when necessary.
  Target audience: Management
  EU GDPR: Art 30.4

PRM-01  Project & Resource Management: Security Portfolio Management
  Control description: Mechanisms exist to facilitate the implementation of security and privacy-related resource planning controls.
  Target audience: All Users
  ISO 27002 v2013: 6.1.5
  NIST 800-53 rev4: PL-1
  NIST 800-160: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3, 3.3.1, 3.3.2
  NIST 800-171 rev1: NFO
  EU GDPR: Art 32.1, Art 32.2

RSK-01  Risk Management: Risk Management Program
  Control description: Mechanisms exist to facilitate the implementation of risk management controls.
  Methods to comply: Risk Management Program (RMP)
  Target audience: All Users
  ISO 27002 v2013: 11.1.4
  ISO 29100 v2011: 5.10, 5.11, 5.12
  NIST 800-53 rev4: PM-9, RA-1
  NIST 800-160: 3.3.4
  NIST 800-171 rev1: NFO
  NIST CSF: ID.GV-4, ID.RM-1, ID.RM-2, ID.RM-3
  EU GDPR: Art 32.1, Art 32.2

RSK-04  Risk Management: Risk Assessment
  Control description: Mechanisms exist to conduct an annual assessment of risk that includes the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data.
  Methods to comply: Risk Management Program (RMP)
  Target audience: All Users
  GAPP: 1.2.4
  ISO 27002 v2013: 11.1.4
  ISO 29100 v2011: 5.12
  NIST 800-53 rev4: RA-3
  NIST 800-171 rev1: 3.11.1
  NIST CSF: ID.RA-5
  EU GDPR: Art 35.1, Art 35.2, Art 35.3, Art 35.6, Art 35.8, Art 35.9, Art 35.11

RSK-04.1  Risk Management: Risk Register
  Control description: Mechanisms exist to maintain a risk register that facilitates monitoring and reporting of risks.
  Methods to comply: Risk Management Program (RMP); risk register; Governance, Risk and Compliance (GRC) tool (ZenGRC, Archer, RSAM, MetricStream, etc.)
  Target audience: Management
  ISO 29100 v2011: 5.12
  EU GDPR: Art 35.1


RSK-08  Risk Management: Business Impact Analysis (BIA)
  Control description: Mechanisms exist to conduct Business Impact Analyses (BIAs).
  Methods to comply: Risk Management Program (RMP); Data Protection Impact Assessment (DPIA); Business Impact Analysis (BIA)
  Target audience: All Users
  ISO 29100 v2011: 5.12
  NIST CSF: ID.RA-4
  EU GDPR: Art 35.1, Art 35.2, Art 35.3, Art 35.6, Art 35.8, Art 35.9, Art 35.11, Art 36.3

RSK-09.1  Risk Management: Supply Chain Risk Assessment
  Control description: Mechanisms exist to assess supply chain risks associated with systems, system components and services.
  Methods to comply: Risk Management Program (RMP); Data Protection Impact Assessment (DPIA)
  Target audience: Management
  ISO 29100 v2011: 5.12
  EU GDPR: Art 35.1, Art 35.2, Art 35.3, Art 35.6, Art 35.8, Art 35.9, Art 35.11, Art 36.3

RSK-10  Risk Management: Data Protection Impact Assessment (DPIA)
  Control description: Mechanisms exist to conduct a Data Protection Impact Assessment (DPIA) on systems, applications and services to evaluate privacy implications.
  Methods to comply: Risk Management Program (RMP); Data Protection Impact Assessment (DPIA); Privacy Impact Assessment (PIA)
  Target audience: All Users
  GAPP: 1.2.4, 4.2.3
  ISO 29100 v2011: 5.12
  NIST 800-53 rev4: AR-2, PL-5
  EU GDPR: Art 35.1, Art 35.2, Art 35.3, Art 35.6, Art 35.8, Art 35.9, Art 35.11, Art 36.1, Art 36.2, Art 36.3

SEA-01  Secure Engineering & Architecture: Secure Engineering Principles
  Control description: Mechanisms exist to facilitate the implementation of industry-recognized security and privacy practices in the specification, design, development, implementation and modification of systems and services.
  Target audience: All Users
  AICPA SOC 2 (2017): CC3.2
  GAPP: 4.2.3, 6.2.2, 7.2.2, 7.2.3
  ISO 27002 v2013: 14.2.5
  ISO 29100 v2011: 5.10, 5.11
  NIST 800-53 rev4: AR-7, SA-8, SA-13, SC-7(18), SI-1
  NIST 800-160: 2.1, 2.2, 2.3, 2.4, 3.13.13.13.2
  NIST 800-171 rev1: NFO
  US Privacy Shield: Principle 4
  EU GDPR: Art 5.2, Art 24.1, Art 24.2, Art 24.3, Art 25.1, Art 25.2, Art 25.3, Art 32.1, Art 32.2, Art 40.2

SEA-01.1  Secure Engineering & Architecture: Centralized Management of Cybersecurity & Privacy Controls
  Control description: Mechanisms exist to centrally manage the organization-wide management and implementation of cybersecurity and privacy controls and related processes.
  Target audience: Management
  ISO 29100 v2011: 5.10, 5.11
  NIST 800-53 rev4: PL-9
  NIST 800-160: 3.4, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14
  EU GDPR: Art 5.2, Art 24.1, Art 24.2, Art 24.3, Art 25.1, Art 25.2, Art 25.3, Art 32.1, Art 32.2, Art 40.2

SEA-02.1  Secure Engineering & Architecture: Standardized Terminology
  Control description: Mechanisms exist to standardize technology and process terminology to reduce confusion amongst groups and departments.
  Target audience: Technical
  EU GDPR: Art 4.1 through Art 4.26 (every definition in Article 4)


SEA-15  Secure Engineering & Architecture: Distributed Processing & Storage
  Control description: Mechanisms exist to distribute processing and storage across multiple physical locations.
  Target audience: Technical
  NIST 800-53 rev4: SC-36
  EU GDPR: Art 6.1, Art 26.1, Art 26.2, Art 26.3, Art 28.1, Art 28.2, Art 28.3, Art 28.4, Art 28.5, Art 28.6, Art 28.9, Art 28.10, Art 29, Art 44, Art 45.1, Art 45.2, Art 46.1, Art 46.2, Art 46.3, Art 47.1, Art 47.2, Art 48, Art 49.1, Art 49.2, Art 49.6

OPS-01  Security Operations: Operations Security
  Control description: Mechanisms exist to facilitate the implementation of operational security controls.
  Methods to comply: Standardized Operating Procedures (SOP); ITIL v4; COBIT 5
  Target audience: Management
  ISO 27002 v2013: 12.1.1
  NIST 800-53 rev4: SC-38
  NIST 800-160: 3.4.12
  EU GDPR: Art 32.1, Art 32.2

SAT-01  Security Awareness & Training: Security & Privacy-Minded Workforce
  Control description: Mechanisms exist to facilitate the implementation of security workforce development and awareness controls.
  Target audience: All Users
  ISO 27002 v2013: 7.2.2
  NIST 800-53 rev4: AT-1, PM-13
  NIST 800-171 rev1: NFO
  NIST CSF: PR.AT-1, PR.AT-3, PR.AT-4
  EU GDPR: Art 32.1, Art 32.2, Art 32.4

TDA-01  Technology Development & Acquisition: Technology Development & Acquisition
  Control description: Mechanisms exist to facilitate the implementation of tailored development and acquisition strategies, contract tools and procurement methods to meet unique business needs.
  Target audience: All Users
  NIST 800-160: 3.1, 3.1.1, 3.1.2
  EU GDPR: Art 32.1, Art 32.2

TPM-01  Third-Party Management: Third-Party Management
  Control description: Mechanisms exist to facilitate the implementation of third-party management controls.
  Methods to comply: Procurement program; contract reviews
  Target audience: All Users
  AICPA SOC 2 (2017): C1.5
  ISO 27002 v2013: 15.1.1
  NIST 800-53 rev4: SA-4
  NIST 800-171 rev1: NFO
  NIST CSF: ID.SC-1
  EU GDPR: Art 28.1, Art 28.2, Art 28.3, Art 28.4, Art 28.5, Art 28.6, Art 28.9, Art 28.10, Art 32.1, Art 32.2

TPM-03  Third-Party Management: Supply Chain Protection
  Control description: Mechanisms exist to evaluate security risks associated with the services and product supply chain.
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Target audience: All Users
  ISO 27002 v2013: 15.1.3
  NIST 800-53 rev4: SA-12
  NIST CSF: ID.SC-4
  EU GDPR: Art 28.1, Art 28.2, Art 28.3, Art 28.4, Art 28.5, Art 28.6, Art 28.9, Art 28.10

TPM-04.4  Third-Party Management: Third-Party Processing, Storage and Service Locations
  Control description: Mechanisms exist to restrict the location of information processing/storage based on business requirements.
  Target audience: Management
  NIST 800-53 rev4: SA-9(5)
  EU GDPR: Art 6.1, Art 6.4, Art 26.1, Art 26.2, Art 26.3, Art 28.1, Art 28.2, Art 28.3, Art 28.4, Art 28.5, Art 28.6, Art 28.9, Art 28.10, Art 29, Art 44, Art 45.1, Art 45.2, Art 46.1, Art 46.2, Art 46.3, Art 47.1, Art 47.2, Art 48, Art 49.1, Art 49.2, Art 49.6


TPM-05  Third-Party Management: Third-Party Contract Requirements
  Control description: Mechanisms exist to identify, regularly review and document third-party confidentiality agreements, Non-Disclosure Agreements (NDAs) and other contracts that reflect the organization's needs to protect systems and data.
  Methods to comply: Non-Disclosure Agreements (NDAs)
  Target audience: All Users
  AICPA SOC 2 (2017): C1.4
  ISO 27002 v2013: 13.2.4, 15.1.2
  NIST 800-53 rev4: SA-9(3)
  NIST CSF: ID.SC-3
  EU GDPR: Art 28.1, Art 28.2, Art 28.3, Art 28.4, Art 28.5, Art 28.6, Art 28.9, Art 28.10, Art 29

THR-01  Threat Management: Threat Awareness Program
  Control description: Mechanisms exist to implement a threat awareness program that includes a cross-organization information-sharing capability.
  Target audience: Management
  AICPA SOC 2 (2017): CC3.1
  NIST 800-53 rev4: PM-16
  NIST CSF: ID.BE-2
  EU GDPR: Art 32.1, Art 32.2

VPM-01  Vulnerability & Patch Management: Vulnerability & Patch Management Program (VPMP)
  Control description: Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls.
  Methods to comply: Vulnerability & Patch Management Program (ComplianceForge)
  Target audience: All Users
  AICPA SOC 2 (2017): CC6.1
  ISO 27002 v2013: 12.6.1
  NIST 800-53 rev4: SI-2, SI-3(2)
  NIST CSF: ID.RA-1, PR.IP-12
  EU GDPR: Art 32.1, Art 32.2

VPM-04.2  Vulnerability & Patch Management: Flaw Remediation with Personally Identifiable Information (PII)
  Control description: Mechanisms exist to identify and correct flaws related to the collection, usage, processing or dissemination of Personal Information (PI).
  Target audience: Management
  NIST 800-53 rev4: SI-2(7)
  EU GDPR: Art 5.1

WEB-01  Web Security: Web Security
  Control description: Mechanisms exist to facilitate the implementation of an enterprise-wide web management policy, as well as associated standards, controls and procedures.
  Target audience: Technical
  ISO 27002 v2013: 13.1.3
  EU GDPR: Art 32.1, Art 32.2

WEB-02  Web Security: Use of Demilitarized Zones (DMZ)
  Control description: Mechanisms exist to utilize a Demilitarized Zone (DMZ) to restrict inbound traffic to authorized devices on certain services, protocols and ports.
  Target audience: Technical
  ISO 27002 v2013: 13.1.3
  EU GDPR: Art 32.1, Art 32.2
