EU GDPR Compliance Criteria (EGCC)

EU GDPR Compliance Criteria - Cybersecurity For Privacy (C4P) Overview

[Figure: C4P overview flowchart. Ring labels around the diagram: "Privacy Kick Off", "Cybersecurity", "Data Lifecycles". The steps of the flowchart, in order, are transcribed below.]

START

DEFINE CYBERSECURITY FRAMEWORK
Pick The Best Framework For Your Needs:
- ISO 27002
- NIST 800-53
- NIST Cybersecurity Framework
- Other

Key Articles To Consider For CYBERSECURITY Framework Alignment:
- Article 5 – Principles relating to personal data
- Article 25 – Data protection by design and by default
- Article 28 – Processor
- Article 30 – Processing activities
- Article 32 – Security of processing
- Article 33 – Notification of a personal data breach
- Article 35 – Data Protection Impact Assessment (DPIA)
- Article 45 – Transfers on the basis of adequacy decision

DEFINE PRIVACY FRAMEWORK
Pick The Best Framework For Your Needs:
- ISO 29100
- US Privacy Shield
- Generally Accepted Privacy Principles (GAPP)
- Service Organization Control (SOC 2)
- Asia-Pacific Economic Cooperation (APEC)
- Organization for Economic Co-Operation & Development (OECD)
- Other

Key Articles To Consider For PRIVACY Framework Alignment:
- Article 5 – Principles relating to personal data
- Article 6 – Lawfulness of processing
- Article 9 – Processing of special categories of personal data
- Article 17 – Right to erasure (right to be forgotten)
- Article 20 – Right to data portability
- Article 25 – Data protection by design and by default
- Article 30 – Processing activities
- Article 35 – Data Protection Impact Assessment (DPIA)

OPERATIONALIZE FRAMEWORKS THROUGH STANDARDIZED OPERATING PROCEDURES (SOP) & DOCUMENTED SDLC PROCESSES

Operational Expectations:
- Publish & manage policies, standards & procedures that cover applicable cybersecurity & privacy requirements.
- Implement ongoing risk management practices (e.g., Data Protection Impact Assessment (DPIA) or other risk assessments).
- Formalize a Secure Development Lifecycle (SDLC) program that helps ensure both cybersecurity & privacy principles are designed and implemented by design and by default.
- Perform Control Validation Testing (CVT) to validate the existence and effectiveness of cybersecurity & privacy controls. CVT should be done prior to "go live" or after significant changes.
- Maintain a mature Incident Response (IR) capability.

AS NECESSARY – ADJUST TO CHANGES TO CYBERSECURITY & PRIVACY FRAMEWORKS (loops back to the framework definition steps)
EU GDPR Compliance Criteria (EGCC) 4/24/2018
Column legend for the mapping table:
SCF Domain | SCF Control | SCF # | Secure Controls Framework (SCF) Control Description | Methods To Comply With SCF Controls | Target Audience | AICPA SOC 2 (2017) | GAPP | ISO 27002 v2013 | ISO 29100 v2011 | NIST 800-53 rev4 | NIST 800-160 | NIST 800-171 rev 1 | NIST CSF | US Privacy Shield | EMEA EU GDPR (article references) | Art 1 through Art 50 (one column per GDPR article, marked x where the control maps to that article)
GOV-01 | Security & Privacy Governance | Security & Privacy Governance Program
  Control: Mechanisms exist to facilitate the implementation of cybersecurity and privacy governance controls.
  Methods to comply: Steering committee; Digital Security Program (DSP); Written Information Security Program (WISP)
  Target audience: Management
  Mappings: 8.2.1 5.1.1 5.1 5.10 5.11 PM-1
  EU GDPR: Art 32.1, 32.2, 32.3, 32.4

GOV-02 | Security & Privacy Governance | Publishing Security Policies
  Control: Mechanisms exist to establish, maintain and disseminate cybersecurity and privacy policies, standards and procedures.
  Methods to comply: Steering committee; Digital Security Program (DSP); Written Information Security Program (WISP); Governance, Risk and Compliance Solution (GRC) tool (ZenGRC, Archer, RSAM, Metric stream, etc.); Wiki; SharePoint
  Target audience: Management
  Mappings: 8.2.1 5.1.1 PM-1 ID.GV-1
  EU GDPR: Art 32.1, 32.2, 32.3, 32.4

GOV-03 | Security & Privacy Governance | Periodic Review & Update of Security Documentation
  Control: Mechanisms exist to review cybersecurity and privacy policies, standards and procedures at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
  Methods to comply: Governance, Risk and Compliance Solution (GRC) tool (ZenGRC, Archer, RSAM, Metric stream, etc.); Steering committee
  Target audience: Management
  Mappings: CC7.2 8.2.1 5.1.2 PM-1
  EU GDPR: Art 32.1, 32.2, 32.3, 32.4

GOV-06 | Security & Privacy Governance | Contacts With Authorities
  Control: Mechanisms exist to identify and document appropriate contacts within relevant law enforcement and regulatory bodies.
  Methods to comply: Threat intelligence personnel; Integrated Security Incident Response Team (ISIRT)
  Target audience: Management
  Mappings: 6.1.3 IR-6
  EU GDPR: Art 31, 36.1, 36.2, 36.3, 37.7, 40.1, 41.1, 42.2, 50

GOV-07 | Security & Privacy Governance | Contacts With Groups & Associations
  Control: Mechanisms exist to establish contact with selected groups and associations within the cybersecurity & privacy communities to: ▪ Facilitate ongoing cybersecurity and privacy education and training for organizational personnel; ▪ Maintain currency with recommended cybersecurity and privacy practices, techniques and technologies; and ▪ Share current security-related information including threats, vulnerabilities and incidents.
  Methods to comply: SANS; CISO Executive Network; ISACA chapters; IAPP chapters; ISAA chapters
  Target audience: Management
  Mappings: 6.1.4 AT-5 PM-15
  EU GDPR: Art 40.2, 41.1, 42.2, 42.3, 43.2

AST-01 | Asset Management | Asset Governance
  Control: Mechanisms exist to facilitate the implementation of asset management controls.
  Methods to comply: Generally Accepted Accounting Principles (GAAP); ITIL; Configuration Management Database (CMDB)
  Target audience: Management
  Mappings: PM-5
  EU GDPR: Art 32.1, 32.2

AST-04 | Asset Management | Network Diagrams & Data Flow Diagrams (DFDs)
  Control: Mechanisms exist to maintain network architecture diagrams that: ▪ Contain sufficient detail to assess the security of the network's architecture; ▪ Reflect the current state of the network environment; and ▪ Document all sensitive data flows.
  Methods to comply: High-Level Diagram (HLD); Low-Level Diagram (LLD); Data Flow Diagram (DFD); SolarWinds; Paessler; PRTG
  Target audience: Technical
  Mappings: PL-2 SA-5(1) SA-5(2) SA-5(3) SA-5(4) ID.AM-3
  EU GDPR: Art 30.1, 30.2, 30.3, 30.4, 30.5

BCD-01 | Business Continuity & Disaster Recovery | Contingency Plan
  Control: Mechanisms exist to facilitate the implementation of contingency planning controls.
  Methods to comply: Business Continuity Plan (BCP); Disaster Recovery Plan (DRP); Continuity of Operations Plan (COOP); Business Impact Analysis (BIA); Criticality assessments
  Target audience: Management
  Mappings: A1.3 17.1.2 CP-1 CP-2 IR-4(3) PM-8 RC.RP-1
  EU GDPR: Art 32.1, 32.2

CAP-01 | Capacity & Performance Planning | Capacity & Performance Management
  Control: Mechanisms exist to facilitate the implementation of capacity management controls to ensure optimal system performance for future capacity requirements.
  Methods to comply: Splunk; Resource monitoring
  Target audience: Management
  Mappings: A1.1 12.1.3 SC-5 SC-5(3) PR.DS-4
  EU GDPR: Art 32.1, 32.2

CHG-01 | Change Management | Change Management Program
  Control: Mechanisms exist to facilitate the implementation of change management controls.
  Methods to comply: VisibleOps methodology; ITIL infrastructure library; NNT Change Tracker; ServiceNow; Remedy; Tripwire; Chef; Puppet
  Target audience: All Users
  Mappings: CC7.3 12.1.2 CM-3 3.4.10 3.4.13
  EU GDPR: Art 32.1, 32.2

CLD-01 | Cloud Security | Cloud Services
  Control: Mechanisms exist to facilitate the implementation of cloud management controls to ensure cloud instances are secure and in-line with industry practices.
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Target audience: Technical
  EU GDPR: Art 32.1, 32.2
www.securecontrolsframework.com 1 of 10
CPL-01 | Compliance | Statutory, Regulatory & Contractual Compliance
  Control: Mechanisms exist to facilitate the implementation of relevant legislative statutory, regulatory and contractual controls.
  Methods to comply: Governance, Risk and Compliance Solution (GRC) tool (ZenGRC, Archer, RSAM, Metric stream, etc.); Steering committee
  Target audience: All Users
  Mappings: 18.1.1 5.1 PM-8 3.3 3.3.3 3.3.4 3.4 3.4.1 3.4.2 3.4.3 ID.GV-3 PR.IP-5
  EU GDPR: Art 1.2, 2.1, 2.2, 3.1, 3.2, 3.3, 6.1, 17.3, 20.3, 23.1, 23.2, 24.1, 24.2, 24.3, 25.1, 25.2, 25.3, 27.1, 27.2, 27.3, 27.4, 27.5, 32.1, 32.2, 32.3, 32.4, 40.1, 40.2, 42.2, 43, 50

CPL-02 | Compliance | Security Controls Oversight
  Control: Mechanisms exist to provide a security controls oversight function.
  Methods to comply: Governance, Risk and Compliance Solution (GRC) tool (ZenGRC, Archer, RSAM, Metric stream, etc.); Steering committee; Formalized SDLC program; Formalized DevOps program; Control Validation Testing (CVT); Security Test & Evaluation (STE)
  Target audience: Management
  Mappings: 8.2.7 5.10 5.11 5.12 CA-7 CA-7(1) PM-14 3.3.8 3.12.1 3.12.2 3.12.3 3.12.4 NFO DE.DP-5 PR.IP-7
  EU GDPR: Art 5.2

CPL-03 | Compliance | Security Assessments
  Control: Mechanisms exist to ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate security policies, standards and other applicable requirements.
  Methods to comply: Control Validation Testing (CVT); Security Test & Evaluation (STE); Governance, Risk and Compliance Solution (GRC) tool (ZenGRC, Archer, RSAM, Metric stream, etc.)
  Target audience: Technical
  Mappings: P8.1 10.2.4 18.2.2 5.12 CA-2 3.4.9
  EU GDPR: Art 5.2, 32.3

CPL-03.1 | Compliance | Independent Assessors
  Control: Mechanisms exist to utilize independent assessors at planned intervals or when the system, service or project undergoes significant changes.
  Methods to comply: Control Validation Testing (CVT); Security Test & Evaluation (STE)
  Target audience: Technical
  Mappings: 18.2.1 3.4.9
  EU GDPR: Art 40.2, 42.1, 42.2, 42.3, 42.4, 42.6, 42.7, 43.2

CFG-01 | Configuration Management | Configuration Management Program
  Control: Mechanisms exist to facilitate the implementation of configuration management controls.
  Methods to comply: NNT Change Tracker; Change Management Database (CMDB); Baseline hardening standards; Formalized DevOps program; Control Validation Testing (CVT); Security Test & Evaluation (STE)
  Target audience: Management
  Mappings: CM-1 CM-9 3.3.5 3.4.7 3.4.8 NFO
  EU GDPR: Art 32.1, 32.2

MON-01 | Monitoring | Continuous Monitoring
  Control: Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.
  Methods to comply: Splunk
  Target audience: Technical
  Mappings: 12.4.1 AU-1 SI-4 NFO DE.CM-1 DE.DP-1 DE.DP-2 PR.PT-1
  EU GDPR: Art 32.1, 32.2

CRY-01 | Cryptographic Protections | Use of Cryptographic Controls
  Control: Mechanisms exist to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies.
  Methods to comply: Key and certificate management solutions; BitLocker and EFS; dm-crypt, LUKS
  Target audience: All Users
  Mappings: 10.1.1 SC-8(2) SC-13 SC-13(1) SI-7(6) 3.13.11
  EU GDPR: Art 5.1, 32.1, 32.2

CRY-03 | Cryptographic Protections | Transmission Confidentiality
  Control: Cryptographic mechanisms are utilized to protect the confidentiality of data being transmitted.
  Methods to comply: SSL / TLS protocols; IPSEC Tunnels; Native MPLS encrypted tunnel configurations; Custom encrypted payloads
  Target audience: Technical
  Mappings: C1.3 8.2.5 13.2.3 SC-8 SC-9 PR.DS-2
  EU GDPR: Art 5.1

CRY-04 | Cryptographic Protections | Transmission Integrity
  Control: Cryptographic mechanisms are utilized to protect the integrity of data being transmitted.
  Target audience: Technical
  Mappings: 14.1.3 SC-8 SC-16(1) SC-28(1) 3.8.6 3.13.8 3.13.16 PR.DS-8
  EU GDPR: Art 5.1

CRY-05 | Cryptographic Protections | Encrypting Data At Rest
  Control: Cryptographic mechanisms are utilized on systems to prevent unauthorized disclosure of information at rest.
  Target audience: All Users
  Mappings: 10.1.1 SC-13 SC-28(2) PR.DS-1
  EU GDPR: Art 5.1

DCH-01 | Data Classification & Handling | Data Protection
  Control: Mechanisms exist to facilitate the implementation of data protection controls.
  Target audience: All Users
  Mappings: C1.1 8.2 8.3.3 MP-1 3.3.6 NFO
  EU GDPR: Art 5.1, 32.1, 32.2

DCH-09.3 | Data Classification & Handling | Destruction of Personally Identifiable Information (PII)
  Control: Mechanisms exist to facilitate the destruction of Personal Information (PI).
  Methods to comply: De-identifying PII
  Target audience: Management
  Mappings: MP-6(9)
  EU GDPR: Art 5.1

DCH-18 | Data Classification & Handling | Media & Data Retention
  Control: Mechanisms exist to retain media and data in accordance with applicable statutory, regulatory and contractual obligations.
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Target audience: All Users
  Mappings: PI1.4 PI1.5 PI1.6 8.3 18.1.3 MP-7 SI-12
  EU GDPR: Art 5.1
DCH-18.1 | Data Classification & Handling | Limit Personally Identifiable Information (PII) Elements In Testing, Training & Research
  Control: Mechanisms exist to limit Personal Information (PI) being processed in the information lifecycle to elements identified in the Data Protection Impact Assessment (DPIA).
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Target audience: Management
  EU GDPR: Art 35.1, 35.2, 35.3, 35.6, 35.8, 35.9, 35.11

DCH-18.2 | Data Classification & Handling | Minimize Personally Identifiable Information (PII)
  Control: Mechanisms exist to minimize the use of Personal Information (PI) for research, testing, or training, in accordance with the Data Protection Impact Assessment (DPIA).
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Target audience: Management
  Mappings: 5.5
  EU GDPR: Art 5.1, 35.1, 35.2, 35.3, 35.6, 35.8, 35.9, 35.11

DCH-24 | Data Classification & Handling | Information Location
  Control: Mechanisms exist to identify and document the location of information and the specific system components on which the information resides.
  Methods to comply: Data Flow Diagram (DFD)
  Target audience: Technical
  EU GDPR: Art 6.1, 26.1, 26.2, 27.3, 28.1, 28.2, 28.3, 28.4, 28.5, 28.6, 28.9, 28.10, 29, 44, 45.1, 45.2, 46.1, 46.2, 46.3, 47.1, 47.2, 48, 49.1, 49.2, 49.6

DCH-25 | Data Classification & Handling | Transfer of Personal Information
  Control: Mechanisms exist to restrict and govern the transfer of data to third-countries or international organizations.
  Methods to comply: Model contracts; Privacy Shield; Binding Corporate Rules (BCR)
  Target audience: Management
  EU GDPR: Art 44, 45.1, 45.2, 46.1, 46.2, 46.3, 47.1, 47.2, 48, 49.1, 49.2, 49.6

EMB-01 | Embedded Technology | Embedded Technology Security Program
  Control: Mechanisms exist to facilitate the implementation of embedded technology controls.
  Target audience: All Users
  EU GDPR: Art 32.1, 32.2

END-01 | Endpoint Security | Endpoint Security
  Control: Mechanisms exist to facilitate the implementation of endpoint security controls.
  Methods to comply: Group Policy Objects (GPOs); Antimalware technologies; Software firewalls; Host-based IDS/IPS technologies; NNT Change Tracker
  Target audience: All Users
  Mappings: 11.2.9 MP-2
  EU GDPR: Art 32.1, 32.2

END-13.1 | Endpoint Security | Authorized Use
  Control: Mechanisms exist to utilize organization-defined measures so that data or information collected by sensors is only used for authorized purposes.
  Target audience: Management
  Mappings: SC-42(2)
  EU GDPR: Art 5.2

END-13.2 | Endpoint Security | Notice of Collection
  Control: Mechanisms exist to notify individuals that Personal Information (PI) is collected by sensors.
  Methods to comply: Visible or auditory alert; Data Protection Impact Assessment (DPIA)
  Target audience: Management
  Mappings: SC-42(4)
  EU GDPR: Art 5.1

END-13.3 | Endpoint Security | Collection Minimization
  Control: Mechanisms exist to utilize sensors that are configured to minimize the collection of information about individuals.
  Target audience: Management
  Mappings: 5.5 SC-42(5)
  EU GDPR: Art 5.1

HRS-01 | Human Resources Security | Human Resources Security Management
  Control: Mechanisms exist to facilitate the implementation of personnel security controls.
  Target audience: All Users
  Mappings: PS-1 3.2.4 NFO PR.IP-11
  EU GDPR: Art 32.1, 32.2, 32.4

HRS-04 | Human Resources Security | Personnel Screening
  Control: Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.
  Methods to comply: Criminal, education and employment background checks
  Target audience: All Users
  Mappings: 7.1.1 PS-3 3.9.1 3.9.2
  EU GDPR: Art 32.1, 32.2, 32.4

IAC-01 | Identification & Authentication | Identity & Access Management (IAM)
  Control: Mechanisms exist to facilitate the implementation of identification and access management controls.
  Target audience: All Users
  Mappings: CC5.1 8.2.2 9.1.1 AC-1 IA-1 SI-9 NFO
  EU GDPR: Art 32.1, 32.2

IAC-09.6 | Identification & Authentication | Pairwise Pseudonymous Identifiers
  Control: Mechanisms exist to generate pairwise pseudonymous identifiers with no identifying information about a subscriber to discourage activity tracking and profiling of the subscriber.
  Target audience: Technical
  EU GDPR: Art 11.1

IRO-01 | Incident Response | Management of Security Incidents
  Control: Mechanisms exist to facilitate the implementation of incident response controls.
  Target audience: Management
  Mappings: 1.2.7 16.1.1 IR-1 NFO PR.IP-9
  EU GDPR: Art 32.1, 32.2
IRO-04.1 | Incident Response | Personally Identifiable Information (PII) Processes
  Control: Incident response mechanisms include processes involving Personal Information (PI).
  Target audience: Management
  Mappings: 1.2.7 7.2.4 SE-2
  EU GDPR: Art 33.1, 33.2, 33.3, 33.4, 33.5

IRO-07 | Incident Response | Integrated Security Incident Response Team (ISIRT)
  Control: Mechanisms exist to establish an integrated team of cybersecurity, IT and business function representatives that are capable of addressing cybersecurity and privacy incident response operations.
  Methods to comply: Full-time employees only
  Target audience: Technical
  Mappings: 16.1.4 IR-10 RC.CO-1 RC.CO-2 RC.CO-3 RS.CO-1 RS.CO-4
  EU GDPR: Art 34.1, 34.2, 34.3, 34.4

IRO-10 | Incident Response | Incident Reporting
  Control: Mechanisms exist to report incidents: ▪ Internally to organizational incident response personnel within organization-defined time-periods; and ▪ Externally to regulatory authorities and affected parties, as necessary.
  Target audience: All Users
  Mappings: CC2.5 1.2.7 16.1.2 16.1.3 IR-6 3.6.1 3.6.2 RS.CO-2 RS.CO-3 RS.CO-5
  EU GDPR: Art 33.1, 33.2, 33.3, 33.4, 33.5, 34.1, 34.2, 34.3, 34.4

IRO-11.2 | Incident Response | Coordination With External Providers
  Control: Mechanisms exist to establish a direct, cooperative relationship between the organization's incident response capability and external service providers.
  Target audience: Technical
  Mappings: IR-7(2)
  EU GDPR: Art 34.1, 34.2, 34.3, 34.4

IRO-14 | Incident Response | Regulatory & Law Enforcement Contacts
  Control: Mechanisms exist to maintain incident response contacts with applicable regulatory and law enforcement agencies.
  Target audience: Technical
  Mappings: 6.1.3 IR-6
  EU GDPR: Art 31

IAO-01 | Information Assurance | Information Assurance (IA) Operations
  Control: Mechanisms exist to facilitate the implementation of cybersecurity and privacy assessment and authorization controls.
  Methods to comply: Information Assurance (IA) program; VisibleOps security management
  Target audience: All Users
  Mappings: CA-1 PM-10 NFO
  EU GDPR: Art 32.1, 32.2, 32.3

MNT-01 | Maintenance | Maintenance Operations
  Control: Mechanisms exist to develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise.
  Target audience: All Users
  Mappings: 11.2.4 MA-1 3.4.13 NFO
  EU GDPR: Art 32.1, 32.2

NET-01 | Network Security | Network Security Management
  Control: Mechanisms exist to develop, govern & update procedures to facilitate the implementation of network security controls.
  Target audience: All Users
  Mappings: 13.1.1 13.1.2 SC-1 NFO PR.PT-4
  EU GDPR: Art 32.1, 32.2

PES-01 | Physical & Environmental Security | Physical & Environmental Protections
  Control: Mechanisms exist to facilitate the operation of physical and environmental protection controls.
  Target audience: All Users
  Mappings: A1.2 8.2.3 8.2.4 PE-1 NFO
  EU GDPR: Art 32.1, 32.2

PRI-01 | Privacy | Privacy Program
  Control: Mechanisms exist to facilitate the implementation and operation of privacy controls.
  Target audience: All Users
  Mappings: 5.1 5.10
  EU GDPR: Art 32.1, 32.2, 32.3, 32.4

PRI-01.1 | Privacy | Chief Privacy Officer (CPO)
  Control: Mechanisms exist to appoint a Chief Privacy Officer (CPO) or similar role, with the authority, mission, accountability and resources to coordinate, develop and implement applicable privacy requirements and manage privacy risks through the organization-wide privacy program.
  Target audience: All Users
  Mappings: 1.1.0 1.1.2 1.2.1 1.2.2 1.2.8 1.2.9 2.1.0 4.2.3 8.2.1 18.1.4 5.10 AR-1
  EU GDPR: Art 37.1, 38.1, 39.1, 39.2

PRI-01.4 | Privacy | Data Protection Officer (DPO)
  Control: Mechanisms exist to appoint a Data Protection Officer (DPO): ▪ On the basis of professional qualities; and ▪ To be involved in all issues related to the protection of personal data.
  Target audience: Management
  Mappings: 5.10
  EU GDPR: Art 35.2, 37.1, 37.2, 37.3, 37.4, 37.5, 37.6, 37.7, 38.1, 38.2, 38.3, 38.4, 38.5, 38.6, 39.1, 39.2
PRI-02 | Privacy | Notice
  Control: Mechanisms exist to: ▪ Make privacy notice(s) available to individuals upon first interacting with an organization and subsequently as necessary; and ▪ Ensure that privacy notices are clear and easy to understand, expressing information about Personal Information (PI) processing in plain language.
  Target audience: All Users
  Mappings: P1.1 2.1.1 2.2.1 2.2.2 2.2.3 3.1.0 3.1.1 3.1.2 4.1.0 4.1.1 4.2.4 5.1.0 5.1.1 6.1.0 7.1.0 7.1.1 8.1.0 8.1.1 9.1.0 9.1.1 10.1.0 10.1.1 5.2 5.8 TR-1 Principle 1 Principle 3
  EU GDPR: Art 11.2, 12.1, 13.1, 13.2, 13.3, 14.1, 14.2, 14.3, 26.1, 26.2

PRI-02.1 | Privacy | Purpose Specification
  Control: Mechanisms exist to identify and document the purpose(s) for which Personal Information (PI) is collected, used, maintained and shared in its privacy notices.
  Target audience: Management
  Mappings: P2.1 4.2.1 5.3 AP-2
  EU GDPR: Art 13.1, 14.1, 14.2

PRI-02.2 | Privacy | Automation
  Control: Automated mechanisms exist to support records management of authorizing policies and procedures for Personal Information (PI).
  Target audience: Technical
  EU GDPR: Art 14.2, 22.1, 22.2, 22.3, 22.4

PRI-03 | Privacy | Choice & Consent
  Control: Mechanisms exist for individuals to authorize the processing of their Personal Information (PI) prior to its collection that: ▪ Uses plain language and provides examples to illustrate the potential privacy risks of the authorization; and ▪ Provides a means for users to decline the authorization.
  Methods to comply: "opt in" vs "opt out" user selections
  Target audience: All Users
  Mappings: P3.2 3.2.1 3.2.2 3.2.3 3.2.4 5.2 IP-1 Principle 2
  EU GDPR: Art 6.1, 7.1, 7.2, 7.3, 7.4, 8.1, 8.2, 12.6, 14.3

PRI-03.1 | Privacy | Attribute Management
  Control: Mechanisms exist to allow data subjects to tailor use permissions to selected attributes.
  Target audience: Technical
  EU GDPR: Art 7.1, 7.2, 7.3, 7.4, 12.2, 12.3, 12.4, 22.1, 22.2, 22.3, 22.4

PRI-03.2 | Privacy | Just-In-Time Notice & Consent
  Control: Mechanisms exist to present authorizations to process Personal Information (PI) in conjunction with the data action, when: ▪ The original circumstances under which an individual gave consent have changed; or ▪ A significant amount of time has passed since an individual gave consent.
  Target audience: Technical
  Mappings: Principle 2
  EU GDPR: Art 7.1, 7.2, 7.3, 7.4, 8.1, 8.2, 12.2, 12.3, 12.4, 13.3, 14.3, 21.4

PRI-04 | Privacy | Collection
  Control: Mechanisms exist to collect Personal Information (PI) only for the purposes identified in the privacy notice.
  Target audience: All Users
  Mappings: P3.1 4.1.2 9.2.2 5.4 AP-1
  EU GDPR: Art 5.1

PRI-04.1 | Privacy | Authority To Collect
  Control: Mechanisms exist to determine and document the legal authority that permits the collection, use, maintenance and sharing of Personal Information (PI), either generally or in support of a specific program or system need.
  Target audience: Management
  Mappings: 1.2.5 1.2.11 4.2.2 5.4 AP-1
  EU GDPR: Art 5.1

PRI-05 | Privacy | Use, Retention & Disposal
  Control: Mechanisms exist to: ▪ Retain Personal Information (PI), including metadata, for an organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law; ▪ Dispose of, destroy, erase and/or anonymize the PI, regardless of the method of storage; and ▪ Use organization-defined techniques or methods to ensure secure deletion or destruction of PI (including originals, copies and archived records).
  Target audience: All Users
  Mappings: 4.1.2 5.2.2 5.2.3 5.6 DM-2 3.4.14 Principle 5
  EU GDPR: Art 5.1, 18.1, 18.2, 21.1, 21.2, 21.3
PRI-05.1 | Privacy | Internal Use
  Control: Mechanisms exist to address the use of Personal Information (PI) for internal testing, training and research that: ▪ Takes measures to limit or minimize the amount of PI used for internal testing, training and research purposes; and ▪ Authorizes the use of PI when such information is required for internal testing, training and research.
  Target audience: Technical
  Mappings: 4.1.2 7.2.2 9.2.1 9.2.2 DM-1 DM-3
  EU GDPR: Art 5.1, 11.1, 18.1, 18.2

PRI-05.2 | Privacy | Data Integrity
  Control: Mechanisms exist to confirm the accuracy and relevance of Personal Information (PI), as data is obtained and used across the information lifecycle.
  Target audience: Technical
  Mappings: 9.2.1 5.7 DI-2 Principle 5
  EU GDPR: Art 5.1

PRI-05.3 | Privacy | Data Masking
  Control: Mechanisms exist to mask sensitive information that is displayed or printed.
  Target audience: Technical
  EU GDPR: Art 5.1

PRI-05.4 | Privacy | Usage Restrictions of Personally Identifiable Information (PII)
  Control: Mechanisms exist to restrict the use of Personal Information (PI) to only the authorized purpose(s) consistent with applicable laws, regulations and privacy notices.
  Target audience: Management
  Mappings: 5.2.1 UL-1 Principle 5
  EU GDPR: Art 5.1, 9.1, 9.2, 10, 11.1, 18.1, 18.2

PRI-06 | Privacy | Right of Access
  Control: Mechanisms exist to provide individuals the ability to access their Personal Information (PI) maintained in organizational systems of records.
  Target audience: Management
  Mappings: P5.1 P6.8 6.2.1 6.2.2 6.2.3 6.2.4 6.2.5 6.2.6 5.9 IP-2 Principle 6
  EU GDPR: Art 12.1, 12.2, 13.2, 14.2, 15.1, 15.2, 15.3, 15.4, 16, 26.3

PRI-06.1 | Privacy | Redress
  Control: Mechanisms exist to establish and implement a process for: ▪ Individuals to have inaccurate Personal Information (PI) maintained by the organization corrected or amended; and ▪ Disseminating corrections or amendments of PI to other authorized users of the PI.
  Target audience: Management
  Mappings: P5.2 P8.1 6.2.5 6.2.6 10.2.1 10.2.2 5.9 IP-3 Principle 7
  EU GDPR: Art 12.3, 14.2, 16, 18.1, 26.3

PRI-06.2 | Privacy | Notice of Correction or Amendment
  Control: Mechanisms exist to notify affected individuals if their Personal Information (PI) has been corrected or amended.
  Target audience: Management
  Mappings: 5.9
  EU GDPR: Art 12.3, 18.3, 19, 26.3

PRI-06.3 | Privacy | Appeal
  Control: Mechanisms exist to provide an organization-defined process for individuals to appeal an adverse decision and have incorrect information amended.
  Target audience: Management
  Mappings: 5.9 Principle 7
  EU GDPR: Art 21.1, 21.2, 21.3, 26.3

PRI-06.4 | Privacy | User Feedback Management
  Control: Mechanisms exist to implement a process for receiving and responding to complaints, concerns or questions from individuals about the organizational privacy practices.
  Target audience: Management
  Mappings: P5.2 P8.1 6.2.5 6.2.6 7.1.2 10.2.1 10.2.2 5.9 IP-4 Principle 7
  EU GDPR: Art 18.1, 18.2, 18.3, 19, 21.1, 21.6, 22, 26.3

PRI-06.5 | Privacy | Right to Erasure
  Control: Mechanisms exist to erase personal data of an individual, without delay.
  Target audience: Management
  EU GDPR: Art 17.1, 17.2, 17.3

PRI-06.6 | Privacy | Data Portability
  Control: Mechanisms exist to export Personal Information (PI) in a structured, commonly used and machine-readable format that allows the data subject to transmit the data to another controller without hindrance.
  Target audience: Management
  EU GDPR: Art 20.1, 20.2, 20.3, 20.4

PRI-07 | Privacy | Information Sharing With Third Parties
  Control: Mechanisms exist to disclose Personal Information (PI) to third-parties only for the purposes identified in the privacy notice and with the implicit or explicit consent of the individual.
  Target audience: All Users
  Mappings: 7.2.1 7.2.2 7.2.3 UL-2 Principle 3
  EU GDPR: Art 6.1, 6.4, 15.2, 20.2, 26.1, 26.2, 26.3, 44, 45.1, 45.2, 46.1, 46.2, 46.3, 47.1, 47.2, 48, 49.1, 49.2, 49.6
PrivacyPrivacy Requirements for Contractors & Service Providers
PRI-07.1
Mechanisms exist to includes privacy requirements in contracts and other acquisition-related documents that establish privacy roles and responsibilities for contractors and service providers.
Management4.2.37.2.4
AR-3 Principle 3
Art 6.1Art 6.4
Art 26.1Art 26.2Art 26.3Art 28.1Art 28.2Art 28.3Art 28.4Art 28.5Art 28.6Art 28.9
Art 28.10Art 29
x x x x
Privacy Testing, Training & Monitoring PRI-08
Mechanisms exist to implement a process for ensuring that organizational plans for conducting security and privacy testing, training and monitoring activities associated with organizational systems are developed and performed.
All UsersP6.5P8.1
1.2.610.2.310.2.410.2.5
18.2.218.2.3
AR-4Art 32.1Art 32.2
x
PrivacySystem of Records Notice (SORN)
PRI-09
Mechanisms exist to utilize a System of Records Notices (SORN), or similar record of processing activities, to maintain a record of processing Personal Information (PI) under the organization's responsibility.
Management
Art 30.1Art 30.2Art 30.3Art 30.4Art 30.5
x
Privacy Data Quality Management PRI-10
Mechanisms exist to issue guidelines ensuring and maximizing the quality, utility, objectivity, integrity, impact determination and de-identification of Personal Information (PI) across the information lifecycle.
Management 5.7 Art 5.1 x
Privacy Automation PRI-10.1Automated mechanisms exist to support the evaluation of data quality across the information lifecycle. Management
Art 5.1Art 21.5Art 22
x x x
PrivacyUpdating Personally Identifiable Information (PII)
PRI-12
Mechanisms exist to develop processes to identify and record the method under which Personal Information (PI) is updated and the frequency that such updates occur.
Management 5.7 Art 5.1 x
Privacy Data Management Board PRI-13
Mechanisms exist to establish a written charter for a Data Management Board (DMB) and assigned organization-defined roles to the DMB.
- Data Management Board (DMB)
Management
Art 5.1Art 30.1Art 30.2Art 30.3Art 30.4Art 30.5
x x
PRI-14 - Privacy: Privacy Reporting
  Control description: Mechanisms exist to develop, disseminate and update reports to internal senior management, as well as external oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates.
  Target audience: Management
  Mappings: GAPP 10.2.3, 10.2.5; NIST 800-53 rev4 AR-6
  EU GDPR: Art 31
PRI-14.1 - Privacy: Accounting of Disclosures
  Control description: Mechanisms exist to develop and maintain an accounting of disclosures of Personal Information (PI) held by the organization and make the accounting of disclosures available to the person named in the record, upon request.
  Target audience: Management
  Mappings: GAPP 7.2.1, 7.2.4; NIST 800-53 rev4 AR-8
  EU GDPR: Art 30.1, Art 30.2, Art 30.3, Art 30.4, Art 30.5
PRI-15 - Privacy: Register Database
  Control description: Mechanisms exist to register databases containing Personal Information (PI) with the appropriate Data Authority, when necessary.
  Target audience: Management
  EU GDPR: Art 30.4
PRM-01 - Project & Resource Management: Security Portfolio Management
  Control description: Mechanisms exist to facilitate the implementation of security and privacy-related resource planning controls.
  Target audience: All Users
  Mappings: ISO 27002 v2013 6.1.5; NIST 800-53 rev4 PL-1; NIST 800-160 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3, 3.3.1, 3.3.2; NIST 800-171 rev 1 NFO
  EU GDPR: Art 32.1, Art 32.2
RSK-01 - Risk Management: Risk Management Program
  Control description: Mechanisms exist to facilitate the implementation of risk management controls.
  Methods to comply: Risk Management Program (RMP)
  Target audience: All Users
  Mappings: ISO 27002 v2013 11.1.4; ISO 29100 v2011 5.10, 5.11, 5.12; NIST 800-53 rev4 PM-9, RA-1; NIST 800-160 3.3.4; NIST 800-171 rev 1 NFO; NIST CSF ID.GV-4, ID.RM-1, ID.RM-2, ID.RM-3
  EU GDPR: Art 32.1, Art 32.2
RSK-04 - Risk Management: Risk Assessment
  Control description: Mechanisms exist to conduct an annual assessment of risk that includes the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's systems and data.
  Methods to comply: Risk Management Program (RMP)
  Target audience: All Users
  Mappings: GAPP 1.2.4; ISO 27002 v2013 11.1.4; ISO 29100 v2011 5.12; NIST 800-53 rev4 RA-3; NIST 800-171 rev 1 3.11.1; NIST CSF ID.RA-5
  EU GDPR: Art 35.1, Art 35.2, Art 35.3, Art 35.6, Art 35.8, Art 35.9, Art 35.11
RSK-04.1 - Risk Management: Risk Register
  Control description: Mechanisms exist to maintain a risk register that facilitates monitoring and reporting of risks.
  Methods to comply: Risk Management Program (RMP); Risk register; Governance, Risk and Compliance (GRC) tool (ZenGRC, Archer, RSAM, MetricStream, etc.)
  Target audience: Management
  Mappings: ISO 29100 v2011 5.12
  EU GDPR: Art 35.1
www.securecontrolsframework.com 7 of 10
EU GDPR Compliance Criteria (EGCC) 4/24/2018
Columns of the Secure Controls Framework (SCF) mapping table: SCF Domain | SCF Control | SCF # | Control Description | Methods To Comply With SCF Controls | Target Audience | AICPA SOC 2 (2017) | GAPP | ISO 27002 v2013 | ISO 29100 v2011 | NIST 800-53 rev4 | NIST 800-160 | NIST 800-171 rev 1 | NIST CSF | US Privacy Shield | EMEA EU GDPR | GDPR Art 1 through Art 50 (one column per article, marked where the control maps to that article)
RSK-08 - Risk Management: Business Impact Analysis (BIAs)
  Control description: Mechanisms exist to conduct a Business Impact Analysis (BIAs).
  Methods to comply: Risk Management Program (RMP); Data Protection Impact Assessment (DPIA); Business Impact Analysis (BIA)
  Target audience: All Users
  Mappings: ISO 29100 v2011 5.12; NIST CSF ID.RA-4
  EU GDPR: Art 35.1, Art 35.2, Art 35.3, Art 35.6, Art 35.8, Art 35.9, Art 35.11, Art 36.3
RSK-09.1 - Risk Management: Supply Chain Risk Assessment
  Control description: Mechanisms exist to assess supply chain risks associated with systems, system components and services.
  Methods to comply: Risk Management Program (RMP); Data Protection Impact Assessment (DPIA)
  Target audience: Management
  Mappings: ISO 29100 v2011 5.12
  EU GDPR: Art 35.1, Art 35.2, Art 35.3, Art 35.6, Art 35.8, Art 35.9, Art 35.11, Art 36.3
RSK-10 - Risk Management: Data Protection Impact Assessment (DPIA)
  Control description: Mechanisms exist to conduct a Data Protection Impact Assessment (DPIA) on systems, applications and services to evaluate privacy implications.
  Methods to comply: Risk Management Program (RMP); Data Protection Impact Assessment (DPIA); Privacy Impact Assessment (PIA)
  Target audience: All Users
  Mappings: GAPP 1.2.4, 4.2.3; ISO 29100 v2011 5.12; NIST 800-53 rev4 AR-2, PL-5
  EU GDPR: Art 35.1, Art 35.2, Art 35.3, Art 35.6, Art 35.8, Art 35.9, Art 35.11, Art 36.1, Art 36.2, Art 36.3
SEA-01 - Secure Engineering & Architecture: Secure Engineering Principles
  Control description: Mechanisms exist to facilitate the implementation of industry-recognized security and privacy practices in the specification, design, development, implementation and modification of systems and services.
  Target audience: All Users
  Mappings: AICPA SOC 2 (2017) CC3.2; GAPP 4.2.3, 6.2.2, 7.2.2, 7.2.3; ISO 27002 v2013 14.2.5; ISO 29100 v2011 5.10, 5.11; NIST 800-53 rev4 AR-7, SA-8, SA-13, SC-7(18), SI-1; NIST 800-160 2.1, 2.2, 2.3, 2.4; NIST 800-171 rev 1 3.13.1, 3.13.2, NFO; US Privacy Shield Principle 4
  EU GDPR: Art 5.2, Art 24.1, Art 24.2, Art 24.3, Art 25.1, Art 25.2, Art 25.3, Art 32.1, Art 32.2, Art 40.2
SEA-01.1 - Secure Engineering & Architecture: Centralized Management of Cybersecurity & Privacy Controls
  Control description: Mechanisms exist to centrally-manage the organization-wide management and implementation of cybersecurity and privacy controls and related processes.
  Target audience: Management
  Mappings: ISO 29100 v2011 5.10, 5.11; NIST 800-53 rev4 PL-9; NIST 800-160 3.4, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14
  EU GDPR: Art 5.2, Art 24.1, Art 24.2, Art 24.3, Art 25.1, Art 25.2, Art 25.3, Art 32.1, Art 32.2, Art 40.2
SEA-02.1 - Secure Engineering & Architecture: Standardized Terminology
  Control description: Mechanisms exist to standardize technology and process terminology to reduce confusion amongst groups and departments.
  Target audience: Technical
  EU GDPR: Art 4.1, Art 4.2, Art 4.3, Art 4.4, Art 4.5, Art 4.6, Art 4.7, Art 4.8, Art 4.9, Art 4.10, Art 4.11, Art 4.12, Art 4.13, Art 4.14, Art 4.15, Art 4.16, Art 4.17, Art 4.18, Art 4.19, Art 4.20, Art 4.21, Art 4.22, Art 4.23, Art 4.24, Art 4.25, Art 4.26
www.securecontrolsframework.com 8 of 10
EU GDPR Compliance Criteria (EGCC) 4/24/2018
SEA-15 - Secure Engineering & Architecture: Distributed Processing & Storage
  Control description: Mechanisms exist to distribute processing and storage across multiple physical locations.
  Target audience: Technical
  Mappings: NIST 800-53 rev4 SC-36
  EU GDPR: Art 6.1, Art 26.1, Art 26.2, Art 26.3, Art 28.1, Art 28.2, Art 28.3, Art 28.4, Art 28.5, Art 28.6, Art 28.9, Art 28.10, Art 29, Art 44, Art 45.1, Art 45.2, Art 46.1, Art 46.2, Art 46.3, Art 47.1, Art 47.2, Art 48, Art 49.1, Art 49.2, Art 49.6
OPS-01 - Security Operations: Operations Security
  Control description: Mechanisms exist to facilitate the implementation of operational security controls.
  Methods to comply: Standardized Operating Procedures (SOP); ITIL v4; COBIT 5
  Target audience: Management
  Mappings: ISO 27002 v2013 12.1.1; NIST 800-53 rev4 SC-38; NIST 800-160 3.4.12
  EU GDPR: Art 32.1, Art 32.2
SAT-01 - Security Awareness & Training: Security & Privacy-Minded Workforce
  Control description: Mechanisms exist to facilitate the implementation of security workforce development and awareness controls.
  Target audience: All Users
  Mappings: ISO 27002 v2013 7.2.2; NIST 800-53 rev4 AT-1, PM-13; NIST 800-171 rev 1 NFO; NIST CSF PR.AT-1, PR.AT-3, PR.AT-4
  EU GDPR: Art 32.1, Art 32.2, Art 32.4
TDA-01 - Technology Development & Acquisition: Technology Development & Acquisition
  Control description: Mechanisms exist to facilitate the implementation of tailored development and acquisition strategies, contract tools and procurement methods to meet unique business needs.
  Target audience: All Users
  Mappings: NIST 800-160 3.1, 3.1.1, 3.1.2
  EU GDPR: Art 32.1, Art 32.2
TPM-01 - Third-Party Management: Third-Party Management
  Control description: Mechanisms exist to facilitate the implementation of third-party management controls.
  Methods to comply: Procurement program; Contract reviews
  Target audience: All Users
  Mappings: AICPA SOC 2 (2017) C1.5; ISO 27002 v2013 15.1.1; NIST 800-53 rev4 SA-4; NIST 800-171 rev 1 NFO; NIST CSF ID.SC-1
  EU GDPR: Art 28.1, Art 28.2, Art 28.3, Art 28.4, Art 28.5, Art 28.6, Art 28.9, Art 28.10, Art 32.1, Art 32.2
TPM-03 - Third-Party Management: Supply Chain Protection
  Control description: Mechanisms exist to evaluate security risks associated with the services and product supply chain.
  Methods to comply: Data Protection Impact Assessment (DPIA)
  Target audience: All Users
  Mappings: ISO 27002 v2013 15.1.3; NIST 800-53 rev4 SA-12; NIST CSF ID.SC-4
  EU GDPR: Art 28.1, Art 28.2, Art 28.3, Art 28.4, Art 28.5, Art 28.6, Art 28.9, Art 28.10
TPM-04.4 - Third-Party Management: Third-Party Processing, Storage and Service Locations
  Control description: Mechanisms exist to restrict the location of information processing/storage based on business requirements.
  Target audience: Management
  Mappings: NIST 800-53 rev4 SA-9(5)
  EU GDPR: Art 6.1, Art 6.4, Art 26.1, Art 26.2, Art 26.3, Art 28.1, Art 28.2, Art 28.3, Art 28.4, Art 28.5, Art 28.6, Art 28.9, Art 28.10, Art 29, Art 44, Art 45.1, Art 45.2, Art 46.1, Art 46.2, Art 46.3, Art 47.1, Art 47.2, Art 48, Art 49.1, Art 49.2, Art 49.6
www.securecontrolsframework.com 9 of 10
EU GDPR Compliance Criteria (EGCC) 4/24/2018
TPM-05 - Third-Party Management: Third-Party Contract Requirements
  Control description: Mechanisms exist to identify, regularly review and document third-party confidentiality, Non-Disclosure Agreements (NDAs) and other contracts that reflect the organization's needs to protect systems and data.
  Methods to comply: Non-Disclosure Agreements (NDAs)
  Target audience: All Users
  Mappings: AICPA SOC 2 (2017) C1.4; ISO 27002 v2013 13.2.4, 15.1.2; NIST 800-53 rev4 SA-9(3); NIST CSF ID.SC-3
  EU GDPR: Art 28.1, Art 28.2, Art 28.3, Art 28.4, Art 28.5, Art 28.6, Art 28.9, Art 28.10, Art 29
THR-01 - Threat Management: Threat Awareness Program
  Control description: Mechanisms exist to implement a threat awareness program that includes a cross-organization information-sharing capability.
  Target audience: Management
  Mappings: AICPA SOC 2 (2017) CC3.1; NIST 800-53 rev4 PM-16; NIST CSF ID.BE-2
  EU GDPR: Art 32.1, Art 32.2
VPM-01 - Vulnerability & Patch Management: Vulnerability & Patch Management Program (VPMP)
  Control description: Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls.
  Methods to comply: Vulnerability & Patch Management Program (ComplianceForge)
  Target audience: All Users
  Mappings: AICPA SOC 2 (2017) CC6.1; ISO 27002 v2013 12.6.1; NIST 800-53 rev4 SI-2, SI-3(2); NIST CSF ID.RA-1, PR.IP-12
  EU GDPR: Art 32.1, Art 32.2
VPM-04.2 - Vulnerability & Patch Management: Flaw Remediation with Personally Identifiable Information (PII)
  Control description: Mechanisms exist to identify and correct flaws related to the collection, usage, processing or dissemination of Personal Information (PI).
  Target audience: Management
  Mappings: NIST 800-53 rev4 SI-2(7)
  EU GDPR: Art 5.1
WEB-01 - Web Security: Web Security
  Control description: Mechanisms exist to facilitate the implementation of an enterprise-wide web management policy, as well as associated standards, controls and procedures.
  Target audience: Technical
  Mappings: ISO 27002 v2013 13.1.3
  EU GDPR: Art 32.1, Art 32.2
WEB-02 - Web Security: Use of Demilitarized Zones (DMZ)
  Control description: Mechanisms exist to utilize a Demilitarized Zone (DMZ) to restrict inbound traffic to authorized devices on certain services, protocols and ports.
  Target audience: Technical
  Mappings: ISO 27002 v2013 13.1.3
  EU GDPR: Art 32.1, Art 32.2
www.securecontrolsframework.com 10 of 10