| Sub-Domain | Req. Name | Req. Description |
|---|---|---|
| Privacy Processes and Procedures | User Notification | Privacy policies and procedures, and the purposes for which personal information is collected, used, retained, and disclosed, shall be documented. |
| Privacy Processes and Procedures | Third-Party Usage | Policies and procedures shall be in place that include: a. disclosing personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the employees and customers; b. having procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements; c. taking remedial action in response to misuse of personal information by a third party to whom Client has transferred such information. |
| Data Identification and Classification | Data Ownership & Inventory | Appropriate ownership of data shall be assigned, and procedures established to classify, monitor, and update data in accordance with its classification policies. Policies and procedures shall be in place to inventory, document, and maintain data flows in order to ascertain any regulatory or statutory impact and to address any other business risks associated with the data. |
| Data Protection and Monitoring | Handling Procedures | Procedures for labeling, handling, and protecting the confidentiality and integrity of personal information, test data, production data, and data involved in online transactions shall be established to prevent contract disputes and compromise of data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data. |
| Data Protection and Monitoring | Leakage Mitigation | Areas where potential information leakage can occur shall be identified, and appropriate controls to mitigate it shall be implemented. |
| Data Protection and Monitoring | DLP System | A Data Loss Prevention (DLP) system shall be implemented to monitor user interactions with data, analyze data traffic over the network, and scan and inspect enterprise data repositories to identify sensitive content. The DLP system shall integrate with: a. an HTTP/HTTPS proxy server, for HTTP and HTTPS blocking; b. a DLP SMTP agent (Message Transfer Agent [MTA]), for blocking email containing sensitive data; c. a Security Information and Event Management (SIEM) solution, for real-time security alerting and analysis. |
| Data Protection and Monitoring | Database Activity Monitoring | Database Activity Monitoring (DAM) tools shall be deployed to monitor and audit all access to sensitive data across heterogeneous database platforms. |
| Data Protection and Monitoring | File Integrity | File Integrity/Activity Monitoring tools shall be deployed to monitor files of all types and detect changes in those files that can lead to an increased risk of data compromise. |
| Cryptographic Controls | Encryption Policies | Policies and procedures for the use of strong encryption protocols (e.g., AES-256) shall be established for the protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, public networks, and electronic messaging), as per applicable legal, statutory, and regulatory compliance obligations. |
| Cryptographic Controls | Key Management | Includes: a. establishing policies and procedures for the management of cryptographic keys in the cryptosystem; b. assigning ownership to keys; c. preventing storage of keys in the cloud; d. implementing segregation of duties for the responsibilities of key management and key usage. |
| Cryptographic Controls | Key Rotation | Automatic key rotation for customer-managed keys shall be enabled. |