1. Management: The entity defines, documents, communicates and assigns accountability for its privacy policies and procedures.
1.1 Policies and Communications1.1.0 Privacy Policies
1.1.1 Communication to Internal Personnel
1.1.2 Responsibility and Accountability for Policies
1.2 Procedures and Controls
1.2.1 Review and Approval
1.2.2 Consistency of Privacy Policies and Procedures With Laws and Regulations
1.2.3 Personal Information Identification and Classification
1.2.4 Risk Assessment
1.2.5 Consistency of Commitments With Privacy Policies and Procedures
1.2.6 Infrastructure and Systems Management
1.2.7 Privacy Incident and Breach Management
1.2.8 Supporting Resources
1.2.9 Qualifications of Internal Personnel
1.2.10 Privacy Awareness and Training
1.2.11 Changes in Regulatory and Business Requirements
2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.
2.1 Policies and Communications1.1.0 Privacy Policies
1.1.1 Communication to Individuals
2.2 Procedures and Controls
2.2.1 Provision of Notice
2.2.2 Entities and Activities Covered
2.2.3 Clear and Conspicuous
A link to a detailed table of these criteria along with illustrative controls and procedures (and additional information) is available on our website at www.socauditing.com
End of Part 3
- Mark Gleason
www.socauditing.com
No comments:
Post a Comment