Policy, Procedure, and Audit Status
opsAI LLC - Compliance Documentation
This site consolidates all documents related to the opsAI LLC Compliance Program.
Control Tracking
| Satisfied Controls | Total Controls |
|---|---|
| 159 | 278 |
Narratives provide an overview of the organization and the compliance environment.
| Name | Acronym | Document |
|---|---|---|
| Control Environment Narrative | CEN | opsAI-CEN.pdf |
| Organizational Narrative | ON | opsAI-ON.pdf |
| Products and Services Narrative | PSN | opsAI-PSN.pdf |
| Security Architecture Narrative | SEN | opsAI-SEN.pdf |
| System Architecture Narrative | SAN | opsAI-SAN.pdf |
Policies govern the behavior of opsAI LLC employees and contractors.
| Name | Acronym | Document |
|---|---|---|
| Access Onboarding and Termination Policy | AOTP | opsAI-AOTP.pdf |
| Application Security Policy | ASP | opsAI-ASP.pdf |
| Availability Policy | AP | opsAI-AP.pdf |
| System Change Policy | SCP | opsAI-SCP.pdf |
| Data Classification Policy | DCP | opsAI-DCP.pdf |
| Code of Conduct Policy | COCP | opsAI-COCP.pdf |
| Confidentiality Policy | CP | opsAI-CP.pdf |
| Business Continuity Policy | BCP | opsAI-BCP.pdf |
| Cyber Risk Assessment Policy | CRP | opsAI-CRP.pdf |
| Datacenter Policy | DP | opsAI-DP.pdf |
| Software Development Lifecycle Policy | SDLCP | opsAI-SDLCP.pdf |
| Disaster Recovery Policy | DRP | opsAI-DRP.pdf |
| Encryption Policy | EP | opsAI-EP.pdf |
| Security Incident Response Policy | SIRP | opsAI-SIRP.pdf |
| Information Security Policy | ISP | opsAI-ISP.pdf |
| Log Management Policy | LMP | opsAI-LMP.pdf |
| Removable Media and Cloud Storage Policy | MCP | opsAI-MCP.pdf |
| Office Security Policy | OSP | opsAI-OSP.pdf |
| Password Policy | PWP | opsAI-PWP.pdf |
| Policy Training Policy | PTP | opsAI-PTP.pdf |
| Privacy Management Policy | PMP | opsAI-PMP.pdf |
| Processing Integrity Policy | PIP | opsAI-PIP.pdf |
| Remote Access Policy | REAP | opsAI-REAP.pdf |
| Data Retention Policy | RP | opsAI-RP.pdf |
| Risk Assessment Policy | RIAP | opsAI-RIAP.pdf |
| Vendor Management Policy | VMP | opsAI-VMP.pdf |
| Workstation Policy | WP | opsAI-WP.pdf |
Procedures prescribe specific steps that are taken in response to key events.
| Name | ID | Schedule (cron format) | GitHub Issue |
|---|---|---|---|
| Offboard User | offboard | On demand | No ticket |
| Onboard New User | onboard | On demand | |
| Apply OS patches | patch | 0 0 0 15 * * | No ticket |
| Collect Workstation Details | workstation | 0 0 0 15 4 * | No ticket |
Standards specify the controls satisfied by the compliance program.
| Control Key | Name | Description | Satisfied? | Satisfied By |
|---|---|---|---|---|
| 01.a | Access Control Policy | Access control policies and procedures shall be established, documented, and reviewed based on a risk assessment | Yes | opsAI-PSN.pdf, opsAI-SEN.pdf, opsAI-SAN.pdf, opsAI-AOTP.pdf, opsAI-REAP.pdf |
| 01.b | Access Control Review | Access rights shall be reviewed at regular intervals to ensure appropriateness | Yes | opsAI-PSN.pdf, opsAI-SEN.pdf, opsAI-SAN.pdf, opsAI-AOTP.pdf, opsAI-REAP.pdf |
| 01.c | User Access Management | Formal user registration and de-registration procedures shall be implemented to enable assignment of access rights | Yes | opsAI-PWP.pdf |
| 01.d | User Identification and Authentication | All users shall be provided with a unique identifier (user ID) for their personal use only | Yes | opsAI-DCP.pdf, opsAI-CP.pdf |
| 01.e | Password Management System | A password management system shall be implemented that enforces strong passwords | No | |
| 01.f | Privilege Management | Allocation and use of privileges shall be restricted and controlled | No | |
| 01.g | Unsuccessful Login Attempts | Access to information systems shall be controlled by a secure log-on procedure | No | |
| 01.h | Access Control to Application Systems | Access to application systems and functions shall be restricted in accordance with the access control policy | No | |
| 02.a | Mobile Device Policy | A mobile device policy shall be established and implemented | No | |
| 02.b | Mobile Device Controls | Mobile devices shall be managed in accordance with the mobile device policy | No | |
| 03.a | Network Security Policy | Network security policies and procedures shall be established and implemented | Yes | opsAI-VMP.pdf |
| 03.b | Network Controls | Networks shall be managed and controlled to protect information in systems and applications | Yes | opsAI-CEN.pdf, opsAI-ON.pdf, opsAI-CRP.pdf, opsAI-ISP.pdf, opsAI-RIAP.pdf |
| 03.c | Network Segregation | Networks shall be segregated where appropriate | No | |
| 04.a | Malware Protection Policy | Malware protection policies and procedures shall be established and implemented | No | |
| 04.b | Malware Protection Controls | Detection, prevention, and recovery controls to protect against malware shall be implemented | No | |
| 05.a | Information Backup Policy | Backup policies and procedures shall be established and implemented | Yes | opsAI-PSN.pdf, opsAI-SAN.pdf |
| 05.b | Information Backup | Backup copies of information and software shall be taken and tested regularly in accordance with the backup policy | Yes | opsAI-PSN.pdf, opsAI-SAN.pdf |
| 06.a | Event Logging Policy | Event logging policies and procedures shall be established and implemented | Yes | opsAI-PSN.pdf, opsAI-SAN.pdf |
| 06.b | Event Logging | Event logs recording user activities, exceptions, faults, and information security events shall be produced, kept, and regularly reviewed | Yes | opsAI-PSN.pdf, opsAI-SAN.pdf |
| 06.c | Clock Synchronization | The clocks of all relevant information processing systems within an organization or security domain shall be synchronized | No | |
| 07.a | Vulnerability Management Policy | Vulnerability management policies and procedures shall be established and implemented | No | |
| 07.b | Vulnerability Management | Technical vulnerability management shall be implemented in an effective, systematic, and repeatable way | No | |
| 08.a | Cryptographic Controls Policy | Cryptographic controls policies and procedures shall be established and implemented | Yes | opsAI-PSN.pdf, opsAI-SEN.pdf, opsAI-SAN.pdf, opsAI-DP.pdf, opsAI-OSP.pdf |
| 08.b | Cryptographic Key Management | Cryptographic keys shall be managed through their whole lifecycle | No | |
| 08.c | Encryption | Encryption shall be used to protect the confidentiality of sensitive information | No | |
| 09.a | Secure Disposal or Re-use of Equipment | Equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use | Yes | opsAI-SEN.pdf, opsAI-MCP.pdf |
| 09.b | Removal of Assets | Equipment, information, or software shall not be taken off-site without prior authorization | Yes | opsAI-WP.pdf |
| 10.a | Information Exchange Policies and Procedures | Policies and procedures shall be established and implemented for the exchange of information | Yes | opsAI-PSN.pdf, opsAI-PIP.pdf |
| 10.b | Electronic Messaging | Information involved in electronic messaging shall be appropriately protected | No | |
| 10.c | Business Information Systems | Policies and procedures shall be developed and implemented for the protection of information involved in business information systems | Yes | opsAI-SCP.pdf |
| 11.a | Secure Development Policy | Secure development policies and procedures shall be established and implemented | Yes | opsAI-CEN.pdf, opsAI-PSN.pdf, opsAI-SEN.pdf, opsAI-SAN.pdf, opsAI-SIRP.pdf |
| 11.b | Secure System Engineering Principles | Secure system engineering principles shall be applied to the development of information systems | No | |
| 11.c | Secure Development Environment | Secure development environments shall be established and appropriately protected | No | |
| 11.d | System Security Testing | System security testing shall be carried out during development | No | |
| 12.a | Supplier Relationships Policy | Policies and procedures shall be established and implemented to manage supplier relationships | Yes | opsAI-AP.pdf, opsAI-BCP.pdf, opsAI-DRP.pdf |
| 12.b | Supplier Service Delivery Management | Agreements with suppliers shall include requirements to address the information security risks associated with supplier service delivery | Yes | opsAI-DRP.pdf |
| 12.c | Monitoring and Review of Supplier Services | Supplier services, systems, and products shall be regularly monitored and reviewed | No | |
| 13.a | Information Security Incident Management Policy | Information security incident management policies and procedures shall be established and implemented | No | |
| 13.b | Reporting Information Security Events | Information security events shall be reported through appropriate management channels as quickly as possible | No | |
| 13.c | Response to Information Security Incidents | Information security incidents shall be responded to in accordance with documented procedures | No | |
| 14.a | Business Continuity Management Policy | Business continuity management policies and procedures shall be established and implemented | No | |
| 14.b | Business Continuity and Risk Assessment | Business continuity plans shall be developed and implemented to maintain or restore operations | No | |
| 14.c | Business Continuity Planning | Business continuity plans shall be tested and updated regularly | No | |
| 15.a | Compliance with Legal and Contractual Requirements | All relevant legislative, statutory, regulatory, and contractual requirements shall be identified and documented | No | |
| 15.b | Intellectual Property Rights | Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory, and contractual requirements related to intellectual property rights | No | |
| 15.c | Protection of Records | Records shall be protected from loss, destruction, falsification, unauthorized access, and unauthorized release | No | |
| 15.d | Privacy and Protection of Personally Identifiable Information | Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation, regulation, and contractual clauses | No | |
| 15.e | Regulation of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation, and regulations | No | |
| 16.a | Information Security Policy | Information security policies shall be established, published, and reviewed at planned intervals | No | |
| 16.b | Review of Information Security Policy | The information security policy shall be reviewed at planned intervals or if significant changes occur | No | |
| 164.308.a.1 | Security Management Process | Implement policies and procedures to prevent, detect, contain, and correct security violations | No | |
| 164.308.a.2 | Assigned Security Responsibility | Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity | No | |
| 164.308.a.3 | Workforce Security | Implement policies and procedures to ensure that all members of the workforce have appropriate access to electronic protected health information (ePHI), as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to ePHI | Yes | opsAI-PSN.pdf, opsAI-SEN.pdf, opsAI-AOTP.pdf |
| 164.308.a.4 | Information Access Management | Implement policies and procedures for authorizing access to ePHI that are consistent with the applicable requirements of subpart E of this part | No | |
| 164.308.a.5 | Security Awareness and Training | Implement a security awareness and training program for all members of the workforce (including management) | No | |
| 164.308.a.6 | Security Incident Procedures | Implement policies and procedures to address security incidents | No | |
| 164.308.a.7 | Contingency Plan | Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI | No | |
| 164.308.a.8 | Evaluation | Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of ePHI, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart | No | |
| 164.308.b.1 | Business Associate Contracts and Other Arrangements | A covered entity, in accordance with § 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information | Yes | opsAI-VMP.pdf |
| 164.310.a.1 | Facility Access Controls | Implement policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed | Yes | opsAI-PSN.pdf, opsAI-SEN.pdf, opsAI-SAN.pdf, opsAI-DP.pdf, opsAI-OSP.pdf |
| 164.310.a.2 | Workstation Use | Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI | Yes | opsAI-PSN.pdf, opsAI-SEN.pdf, opsAI-SAN.pdf, opsAI-DP.pdf, opsAI-OSP.pdf |
| 164.310.a.3 | Workstation Security | Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users | No | |
| 164.310.a.4 | Device and Media Controls | Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility | No | |
| 164.310.b | Media Controls | Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored | No | |
| 164.310.c | Accountability | Maintain a record of the movements of hardware and electronic media and any person responsible therefore | Yes | opsAI-WP.pdf |
| 164.310.d | Data Backup and Storage | Create a retrievable, exact copy of ePHI, when needed, before movement of equipment | No | |
| 164.312.a.1 | Access Control | Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4) | Yes | opsAI-PSN.pdf, opsAI-SEN.pdf, opsAI-SAN.pdf, opsAI-AOTP.pdf |
| 164.312.a.2 | Unique User Identification | Assign a unique name and/or number for identifying and tracking user identity | No | |
| 164.312.a.3 | Emergency Access Procedure | Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency | No | |
| 164.312.a.4 | Automatic Logoff | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity | No | |
| 164.312.a.5 | Encryption and Decryption | Implement a mechanism to encrypt and decrypt ePHI | No | |
| 164.312.b | Audit Controls | Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI | Yes | opsAI-PSN.pdf, opsAI-SEN.pdf, opsAI-SAN.pdf, opsAI-LMP.pdf |
| 164.312.c.1 | Integrity | Implement policies and procedures to protect ePHI from improper alteration or destruction | Yes | opsAI-PSN.pdf, opsAI-SEN.pdf, opsAI-SAN.pdf, opsAI-CP.pdf |
| 164.312.c.2 | Mechanism to Authenticate ePHI | Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner | No | |
| 164.312.d | Person or Entity Authentication | Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed | No | |
| 164.312.e.1 | Transmission Security | Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network | No | |
| 164.312.e.2 | Integrity Controls | Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of | No | |
| 164.312.e.3 | Encryption | Implement a mechanism to encrypt ePHI whenever deemed appropriate | No | |
| 17.a | Organization of Information Security | A management framework shall be established to initiate and control the implementation and operation of information security | No | |
| 17.b | Segregation of Duties | Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets | No | |
| 17.c | Contact with Authorities | Appropriate contacts with relevant authorities shall be maintained | No | |
| 17.d | Contact with Special Interest Groups | Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained | No | |
| 1798.100.a | Right to know what personal information is collected | A business that collects a consumer's personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used | Yes | opsAI-PSN.pdf, opsAI-PMP.pdf |
| 1798.100.b | Right to know what personal information is sold or disclosed | A business that collects a consumer's personal information shall inform consumers as to whether the information is sold or disclosed for a business purpose | Yes | opsAI-PMP.pdf |
| 1798.105.a | Right to deletion | A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer | Yes | opsAI-PSN.pdf, opsAI-PMP.pdf, opsAI-RP.pdf |
| 1798.110.a | Right to know specific pieces of personal information collected | A consumer shall have the right to request that a business disclose to the consumer the specific pieces of personal information the business has collected | Yes | opsAI-PSN.pdf, opsAI-PMP.pdf |
| 1798.115.a | Right to know categories of personal information sold or disclosed | A consumer shall have the right to request that a business disclose to the consumer the categories of personal information that the business collected about the consumer, the categories of sources from which the personal information is collected, and the business or commercial purpose for collecting or selling personal information | Yes | opsAI-PSN.pdf, opsAI-PMP.pdf |
| 1798.120.a | Right to opt-out of sale of personal information | A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information | Yes | opsAI-PMP.pdf |
| 1798.125.a | Right to non-discrimination | A business shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under this title | Yes | opsAI-PMP.pdf |
| 1798.130.a | Methods for submitting requests | A business shall, in a form that is reasonably accessible to consumers, provide two or more designated methods for submitting requests for information required to be disclosed | Yes | opsAI-PSN.pdf, opsAI-PMP.pdf |
| 1798.135.a | Opt-out link or button | A business that sells consumers' personal information to third parties shall provide a clear and conspicuous link on the business's Internet homepage, titled "Do Not Sell My Personal Information" | No | |
| 1798.140.c | Definition of personal information | Personal information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household | Yes | opsAI-PMP.pdf |
| 1798.140.o | Definition of sale | Sale means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration | Yes | opsAI-PMP.pdf |
| 1798.150.a | Private right of action for data breaches | Any consumer whose nonencrypted and nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices | Yes | opsAI-SIRP.pdf |
| 1798.155.a | Regulations | The Attorney General may adopt regulations to further the purposes of this title | No | |
| 1798.185.a | Implementation and regulations | On or before July 1, 2020, the Attorney General shall solicit broad public participation and adopt regulations to further the purposes of this title | No | |
| 18.a | Identification of Risks Related to External Parties | The risks to the organization's information and information systems from business processes involving external parties shall be identified and appropriate controls implemented | No | |
| 18.b | Addressing Security When Dealing with Customers | All identified security requirements shall be addressed before giving customers access to the organization's information or assets | No | |
| 18.c | Addressing Security in Third Party Agreements | Agreements with third parties shall address security requirements | No | |
| 19.a | Human Resources Security Policy | Human resources security policies and procedures shall be established and implemented | No | |
| 19.b | Screening | Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations, and ethics | No | |
| 19.c | Terms and Conditions of Employment | Terms and conditions of employment shall reflect the organization's information security policy | No | |
| 19.d | Management Responsibilities | Management shall require employees, contractors, and third-party users to apply information security in accordance with the established policies and procedures | No | |
| 19.e | Information Security Awareness, Education, and Training | All employees of the organization and, where relevant, contractors and third-party users shall receive appropriate awareness education and training | No | |
| 19.f | Disciplinary Process | A formal disciplinary process shall be established for employees who have committed a security breach | No | |
| A.5.1.1 | Policies for information security | A set of policies for information security shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel, and reviewed at planned intervals or if significant changes occur | Yes | opsAI-CEN.pdf, opsAI-ON.pdf, opsAI-COCP.pdf, opsAI-ISP.pdf, opsAI-PTP.pdf |
| A.5.1.2 | Review of the policies for information security | The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness | Yes | opsAI-CEN.pdf, opsAI-ISP.pdf |
| A.5.10.1 | Acceptable use of information and other associated assets | Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented | Yes | opsAI-RP.pdf |
| A.5.11.1 | Return of assets | Personnel and other interested parties shall return all of the organization's assets in their possession upon change or termination of their employment, contract or agreement | No | |
| A.5.12.1 | Classification of information | Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and any other relevant requirements | Yes | opsAI-DCP.pdf, opsAI-CP.pdf |
| A.5.13.1 | Labelling of information | An appropriate set of procedures for labelling information shall be developed and implemented in accordance with the information classification scheme adopted by the organization | Yes | opsAI-DCP.pdf, opsAI-CP.pdf |
| A.5.14.1 | Information transfer | Information transfer rules, procedures, or agreements shall be established for all types of transfer facilities within the organization and between the organization and external parties | No | |
| A.5.15.1 | Access control | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements | Yes | opsAI-PSN.pdf, opsAI-SEN.pdf, opsAI-AOTP.pdf, opsAI-REAP.pdf |
| A.5.16.1 | Identity management | The full life cycle of identities shall be managed | Yes | opsAI-PSN.pdf, opsAI-SEN.pdf, opsAI-AOTP.pdf, opsAI-REAP.pdf |
| A.5.17.1 | Authentication information | Authentication information shall be issued, managed, verified, revoked and audited in a secure manner | Yes | opsAI-AOTP.pdf, opsAI-PWP.pdf, opsAI-REAP.pdf |
| A.5.18.1 | Access rights | Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on access control | Yes | opsAI-PSN.pdf, opsAI-SEN.pdf, opsAI-AOTP.pdf |
| A.5.19.1 | Information security in supplier relationships | Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier's products and services | Yes | opsAI-VMP.pdf |
| A.5.2.1 | Information security roles and responsibilities | Information security roles and responsibilities shall be defined and allocated | Yes | opsAI-ON.pdf |
| A.5.20.1 | Addressing information security within supplier agreements | Relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for the organization's information | Yes | opsAI-VMP.pdf |
| A.5.21.1 | Managing information security in the ICT supply chain | Processes and procedures shall be defined and implemented to manage information security risks associated with the ICT products and services supply chain | Yes | opsAI-VMP.pdf |
| A.5.22.1 | Monitoring, review and change management of supplier services | The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery | Yes | opsAI-VMP.pdf |
| A.5.23.1 | Information security for use of cloud services | Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization's information security risk management approach | No | |
| A.5.24.1 | Information security event management | Information security events shall be identified and communicated | Yes | opsAI-SIRP.pdf |
| A.5.25.1 | Assessment and decision on information security events | Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents | Yes | opsAI-SIRP.pdf |
| A.5.26.1 | Response to information security incidents | Information security incidents shall be responded to in accordance with the documented procedures | Yes | opsAI-SIRP.pdf |
| A.5.27.1 | Learning from information security incidents | Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents | No | |
| A.5.28.1 | Collection of evidence | The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of information that can serve as evidence | No | |
| A.5.29.1 | Information security during disruption | The organization shall plan how to maintain information security at an appropriate level during disruption | No | |
| A.5.3.1 | Segregation of duties | Conflicting duties and conflicting areas of responsibility shall be segregated | No | |
| A.5.30.1 | ICT readiness for business continuity | ICT readiness shall be established, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements | No | |
| A.5.31.1 | Legal, statutory, regulatory and contractual requirements | Legal, statutory, regulatory and contractual requirements relevant to information security and the organization's approach to meet these requirements shall be identified, documented and kept up to date | No | |
| A.5.32.1 | Intellectual property rights | The organization shall implement appropriate procedures to protect intellectual property rights | No | |
| A.5.33.1 | Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legal, statutory, regulatory, contractual and business requirements | No | |
| A.5.34.1 | Privacy and protection of PII | Privacy and protection of personally identifiable information (PII) shall be ensured as required in applicable laws and regulations and contractual requirements | No | |
| A.5.35.1 | Independent review of information security | The organization's approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals or when significant changes occur | No | |
| A.5.36.1 | Compliance with policies, rules and standards for information security | Compliance with the organization's information security policy, topic-specific policies, rules and standards shall be regularly reviewed | No | |
| A.5.37.1 | Documented operating procedures | Operating procedures for information security and secure system configuration shall be documented, maintained and applied to all relevant systems | No | |
| A.5.4.1 | Management responsibilities | Management shall require all personnel to apply information security in accordance with the established information security policy | Yes | opsAI-ON.pdf, opsAI-COCP.pdf |
| A.5.5.1 | Contact with authorities | Appropriate contacts with relevant authorities shall be maintained | No | |
| A.5.6.1 | Contact with special interest groups | Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained | No | |
| A.5.7.1 | Threat intelligence | Information relating to information security threats shall be collected and analyzed to produce threat intelligence | No | |
| A.5.8.1 | Information security in project management | Information security shall be integrated into project management | No | |
| A.5.9.1 | Inventory of information and other associated assets | An inventory of information and other associated assets, including owners, shall be established, maintained and disposed of | No | |
| A.6.1.1 | Screening | Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed and the perceived risks | Yes | opsAI-ON.pdf, opsAI-CRP.pdf, opsAI-RIAP.pdf |
| A.6.1.2 | Terms and conditions of employment | The employment contractual agreements shall state the organization's and the employee's responsibilities for information security | Yes | opsAI-ON.pdf, opsAI-CRP.pdf, opsAI-RIAP.pdf |
| A.6.2.1 | Information security awareness, education and training | Information security awareness, education and training shall be provided to all personnel in relation to the organization's information security topic-specific policy on an ongoing basis | Yes | opsAI-ON.pdf, opsAI-CRP.pdf, opsAI-RIAP.pdf |
| A.6.2.2 | Information security awareness, education and training | Personnel in information security roles shall be competent to fulfil their responsibilities | Yes | opsAI-CRP.pdf, opsAI-RIAP.pdf |
| A.6.3.1 | Disciplinary process | A formal and communicated disciplinary process shall be established to take action against personnel who have committed an information security breach | No | |
| A.7.1.1 | Physical security perimeters | Physical security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities | Yes | opsAI-PSN.pdf, opsAI-SEN.pdf, opsAI-DP.pdf, opsAI-OSP.pdf |
| A.7.1.2 | Physical entry controls | Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access | Yes | opsAI-PSN.pdf, opsAI-SEN.pdf, opsAI-DP.pdf, opsAI-OSP.pdf |
| A.7.1.3 | Securing offices, rooms and facilities | Offices, rooms and facilities containing sensitive or critical activities shall be physically secured | No | |
| A.7.2.1 | Physical security monitoring | Premises and facilities containing sensitive or critical information and information processing facilities shall be continuously monitored by authorized personnel | Yes | opsAI-PTP.pdf |
| A.7.3.1 | Protecting against physical and environmental threats | Protection against physical and environmental threats to information and information processing facilities shall be designed and applied | No | |
| A.7.4.1 | Physical security monitoring | Information processing facilities shall be located to reduce the risks from physical and environmental threats and hazards, and unauthorized access | Yes | opsAI-AP.pdf, opsAI-BCP.pdf, opsAI-DRP.pdf |
| A.8.1.1 | User endpoint devices | Information stored on, processed by or accessible via user endpoint devices shall be protected | Yes | opsAI-PSN.pdf, opsAI-SEN.pdf, opsAI-SAN.pdf, opsAI-SCP.pdf, opsAI-PIP.pdf |
| A.8.10.1 | Information deletion | Information stored in information systems, devices or in any other storage media shall be deleted when no longer required | No | |
| A.8.11.1 | Data masking | Data masking shall be used in accordance with the organization's topic-specific policy on access control and the business requirements, taking into account the applicable legislation and regulations | | |
|
No | |
| A.8.12.1 |
Data leakage prevention
Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information
|
No | |
| A.8.13.1 |
Information backup
Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the organization's topic-specific policy on backup
|
Yes | opsAI-SAN.pdf opsAI-AP.pdf opsAI-BCP.pdf opsAI-DRP.pdf |
| A.8.14.1 |
Redundancy of information processing facilities
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements
|
Yes | opsAI-SAN.pdf |
| A.8.15.1 |
Logging
Event logs recording user activities, exceptions, faults and information security events shall be produced, kept, regularly reviewed and protected
|
Yes | opsAI-PSN.pdf opsAI-SEN.pdf opsAI-SAN.pdf |
| A.8.16.1 |
Monitoring activities
Networks, systems and applications shall be monitored for anomalous behavior and appropriate actions taken to evaluate potential information security incidents
|
Yes | opsAI-CEN.pdf opsAI-PSN.pdf opsAI-SEN.pdf opsAI-SAN.pdf opsAI-LMP.pdf |
| A.8.17.1 |
Clock synchronization
The clocks of all relevant information processing systems shall be synchronized to a single reference time source
|
No | |
| A.8.18.1 |
Use of privileged utility programs
The use of utility programs that may be capable of overriding system and application controls shall be restricted and tightly controlled
|
No | |
| A.8.19.1 |
Installation of software on operational systems
Software installed on operational systems shall be authorized and monitored
|
No | |
| A.8.2.1 |
Privileged access rights
The allocation and use of privileged access rights shall be restricted and managed
|
Yes | opsAI-PSN.pdf opsAI-SEN.pdf opsAI-SAN.pdf opsAI-SCP.pdf opsAI-PIP.pdf opsAI-WP.pdf |
| A.8.20.1 |
Network security
Networks and network devices shall be secured, managed and controlled to protect information in systems and applications
|
Yes | opsAI-SAN.pdf |
| A.8.21.1 |
Security of network services
Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored
|
No | |
| A.8.22.1 |
Segregation of networks
Groups of information services, users and information systems shall be segregated on networks
|
No | |
| A.8.23.1 |
Web filtering
Access to external websites shall be managed to reduce exposure to malicious content
|
No | |
| A.8.24.1 |
Use of cryptography
Cryptographic controls shall be used in accordance with relevant laws, regulations and standards
|
Yes | opsAI-PSN.pdf opsAI-SEN.pdf opsAI-SAN.pdf opsAI-EP.pdf |
| A.8.25.1 |
Secure development life cycle
Rules for the development of software and systems shall be established and applied
|
Yes | opsAI-PSN.pdf opsAI-SAN.pdf opsAI-ASP.pdf opsAI-SDLCP.pdf opsAI-PIP.pdf |
| A.8.26.1 |
Application security requirements
Information security requirements shall be identified, specified and approved when developing or acquiring applications
|
Yes | opsAI-PSN.pdf opsAI-SAN.pdf opsAI-ASP.pdf opsAI-SDLCP.pdf opsAI-PIP.pdf |
| A.8.27.1 |
Secure system architecture and engineering principles
Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities
|
Yes | opsAI-CEN.pdf opsAI-PSN.pdf opsAI-SEN.pdf opsAI-SAN.pdf |
| A.8.28.1 |
Secure coding
Secure coding principles shall be applied to software development
|
No | |
| A.8.29.1 |
Security testing in development and acceptance
Security testing shall be performed throughout the development life cycle
|
No | |
| A.8.3.1 |
Information access restriction
Access to information and other associated assets shall be restricted in accordance with the access control topic-specific policy
|
Yes | opsAI-MCP.pdf opsAI-WP.pdf |
| A.8.30.1 |
Outsourced development
The organization shall direct, monitor and review the activities related to outsourced system development
|
No | |
| A.8.31.1 |
Separation of development, test and production environments
Development, test and production environments shall be separated and protected
|
No | |
| A.8.32.1 |
Change management
Changes to information systems, applications, software and system components shall be subject to change management
|
No | |
| A.8.33.1 |
Test information
Test information shall be selected, protected and managed based on security requirements and business needs
|
No | |
| A.8.34.1 |
Protection of information systems during audit testing
Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management
|
No | |
| A.8.4.1 |
Access to source code
Read and write access to source code, development tools and software libraries shall be subject to strict change control and managed in accordance with the organization's topic-specific policy on access control
|
No | |
| A.8.5.1 |
Secure authentication
Secure authentication technologies and password management systems shall be implemented based on information access restrictions
|
No | |
| A.8.6.1 |
Capacity management
The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance to support the organization's objectives
|
No | |
| A.8.7.1 |
Protection against malware
Protection against malware shall be implemented and supported by appropriate user awareness
|
No | |
| A.8.8.1 |
Management of technical vulnerabilities
Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risks
|
No | |
| A.8.9.1 |
Configuration management
Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed
|
No | |
| A1.1 |
Capacity Planning
The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives
|
Yes | opsAI-AP.pdf |
| A1.2 |
Backup and Recovery
The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives
|
Yes | opsAI-DRP.pdf |
| A1.3 |
Recovery Testing
The entity tests recovery plan procedures supporting system recovery to meet its objectives
|
Yes | opsAI-DRP.pdf |
| Art.12.1 |
Transparent information
The controller shall take appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form
|
Yes | opsAI-PMP.pdf |
| Art.13.1 |
Information to be provided when personal data are collected from the data subject
Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with specified information
|
Yes | opsAI-PMP.pdf |
| Art.14.1 |
Information to be provided where personal data have not been obtained from the data subject
Where personal data have not been obtained from the data subject, the controller shall provide the data subject with specified information
|
Yes | opsAI-PMP.pdf |
| Art.15.1 |
Right of access by the data subject
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and access to the personal data
|
Yes | opsAI-PMP.pdf |
| Art.16.1 |
Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her
|
Yes | opsAI-PMP.pdf |
| Art.17.1 |
Right to erasure ('right to be forgotten')
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay
|
Yes | opsAI-PMP.pdf opsAI-RP.pdf |
| Art.18.1 |
Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where specified conditions apply
|
Yes | opsAI-PMP.pdf |
| Art.20.1 |
Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format
|
Yes | opsAI-PMP.pdf |
| Art.21.1 |
Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data
|
Yes | opsAI-PMP.pdf |
| Art.25.1 |
Data protection by design and by default
The controller shall implement appropriate technical and organisational measures designed to implement data-protection principles and to integrate the necessary safeguards into the processing
|
Yes | opsAI-PSN.pdf opsAI-PIP.pdf |
| Art.30.1 |
Records of processing activities
Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility
|
Yes | opsAI-PSN.pdf opsAI-SEN.pdf opsAI-SAN.pdf opsAI-PMP.pdf |
| Art.32.1 |
Security of processing
The controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
|
Yes | opsAI-PSN.pdf opsAI-SEN.pdf opsAI-SAN.pdf opsAI-PMP.pdf opsAI-PIP.pdf |
| Art.33.1 |
Notification of a personal data breach to the supervisory authority
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority
|
Yes | opsAI-PSN.pdf |
| Art.34.1 |
Communication of a personal data breach to the data subject
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay
|
Yes | opsAI-PSN.pdf |
| Art.35.1 |
Data protection impact assessment
Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations
|
No | |
| Art.37.1 |
Designation of the data protection officer
The controller and the processor shall designate a data protection officer in specified circumstances
|
No | |
| Art.44.1 |
General principle for transfers
Any transfer of personal data to a third country or an international organisation shall take place only if specified conditions are met
|
No | |
| Art.47.1 |
Binding corporate rules
The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63
|
No | |
| Art.5.1.a |
Lawfulness, fairness and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
|
Yes | opsAI-PMP.pdf |
| Art.5.1.b |
Purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
|
Yes | opsAI-PMP.pdf opsAI-PIP.pdf |
| Art.5.1.c |
Data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
|
Yes | opsAI-PMP.pdf opsAI-PIP.pdf |
| Art.5.1.d |
Accuracy
Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay
|
Yes | opsAI-PMP.pdf opsAI-PIP.pdf |
| Art.5.1.e |
Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
|
Yes | opsAI-PMP.pdf opsAI-RP.pdf |
| Art.5.1.f |
Integrity and confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
|
Yes | opsAI-PMP.pdf |
| Art.6.1 |
Lawfulness of processing
Processing shall be lawful only if and to the extent that at least one of the lawful bases for processing applies
|
Yes | opsAI-PMP.pdf |
| Art.7.1 |
Conditions for consent
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data
|
Yes | opsAI-PMP.pdf |
| Art.7.2 |
Consent withdrawal
The data subject shall have the right to withdraw his or her consent at any time
|
Yes | opsAI-PMP.pdf |
| Art.77.1 |
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority
|
No | |
| Art.82.1 |
Right to compensation and liability
Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered
|
No | |
| C1.1 |
Confidential Information Identification
The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality
|
Yes | opsAI-CP.pdf |
| C1.2 |
Confidential Information Disposal
The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.
|
Yes | opsAI-CP.pdf |
| CC1.1 |
Integrity and Ethics
The entity demonstrates a commitment to integrity and ethical values
|
Yes | opsAI-COCP.pdf |
| CC1.2 |
Board Independence
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
|
Yes | opsAI-ON.pdf opsAI-RP.pdf |
| CC1.3 |
Organizational Structure
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
|
Yes | opsAI-ON.pdf |
| CC1.4 |
Hiring, Training and Retention
The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
|
Yes | opsAI-ON.pdf |
| CC1.5 |
Individual Accountability
The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
|
Yes | opsAI-ON.pdf |
| CC2.1 |
Use of Information Systems
The entity obtains or generates and uses relevant, quality information to support the functioning of internal control
|
Yes | opsAI-CEN.pdf |
| CC2.2 |
Use of Communication Systems, Internal
The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
|
Yes | opsAI-CEN.pdf |
| CC2.3 |
Use of Communication Systems, External
The entity communicates with external parties regarding matters affecting the functioning of internal control
|
Yes | opsAI-CEN.pdf |
| CC3.1 |
Objectives
The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
|
Yes | opsAI-ON.pdf |
| CC3.2 |
Risk to Objectives
The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
|
Yes | opsAI-ON.pdf |
| CC3.3 |
Fraud Risk to Objectives
The entity considers the potential for fraud in assessing risks to the achievement of objectives
|
Yes | opsAI-ON.pdf |
| CC3.4 |
Impact of Changes
The entity identifies and assesses changes that could significantly impact the system of internal control
|
Yes | opsAI-SCP.pdf |
| CC4.1 |
Monitoring
The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
|
Yes | opsAI-CEN.pdf |
| CC4.2 |
Remediation
The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate
|
Yes | opsAI-CEN.pdf |
| CC5.1 |
Objective Risk Mitigation
The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
|
Yes | opsAI-CEN.pdf |
| CC5.2 |
Technology Controls
The entity also selects and develops general control activities over technology to support the achievement of objectives
|
Yes | opsAI-CEN.pdf |
| CC5.3 |
Established Policies
The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action
|
Yes | opsAI-CEN.pdf |
| CC6.1 |
Logical Access
The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives
|
Yes | opsAI-PSN.pdf opsAI-SEN.pdf opsAI-SAN.pdf opsAI-AOTP.pdf opsAI-REAP.pdf |
| CC6.2 |
User Access
Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized
|
Yes | opsAI-PSN.pdf opsAI-SEN.pdf opsAI-SAN.pdf opsAI-AOTP.pdf opsAI-ASP.pdf opsAI-REAP.pdf |
| CC6.3 |
Role-Based Access
The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives
|
Yes | opsAI-PSN.pdf opsAI-SEN.pdf opsAI-SAN.pdf opsAI-AOTP.pdf |
| CC6.4 |
Physical Access
The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives
|
Yes | opsAI-SAN.pdf opsAI-DP.pdf opsAI-OSP.pdf |
| CC6.5 |
Data Disposal
The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives
|
Yes | opsAI-SAN.pdf opsAI-RP.pdf |
| CC6.6 |
External Threats
The entity implements logical access security measures to protect against threats from sources outside its system boundaries
|
Yes | opsAI-PSN.pdf opsAI-SEN.pdf opsAI-SAN.pdf |
| CC6.7 |
Data Custody and Transmission
The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives
|
Yes | opsAI-PSN.pdf opsAI-SEN.pdf opsAI-SAN.pdf opsAI-MCP.pdf opsAI-REAP.pdf |
| CC6.8 |
Malware Detection
The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives
|
Yes | opsAI-SAN.pdf opsAI-WP.pdf |
| CC7.1 |
Vulnerability Detection
To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities
|
Yes | opsAI-PSN.pdf opsAI-SEN.pdf opsAI-SAN.pdf |
| CC7.2 |
Anomaly Detection
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events
|
Yes | opsAI-PSN.pdf opsAI-SEN.pdf opsAI-SAN.pdf opsAI-LMP.pdf |
| CC7.3 |
Security Incident Evaluation
The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures
|
Yes | opsAI-PSN.pdf opsAI-SEN.pdf opsAI-SAN.pdf opsAI-SIRP.pdf |
| CC7.4 |
Security Incident Response Plan
The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate
|
Yes | opsAI-PSN.pdf opsAI-SEN.pdf opsAI-SAN.pdf opsAI-SIRP.pdf |
| CC7.5 |
Security Incident Response Execution
The entity identifies, develops, and implements activities to recover from identified security incidents
|
Yes | opsAI-SIRP.pdf |
| CC8.1 |
Change Control
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives
|
Yes | opsAI-SCP.pdf opsAI-SDLCP.pdf |
| CC9.1 |
Disruption Risk Mitigation
The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions
|
Yes | opsAI-AP.pdf opsAI-BCP.pdf opsAI-CRP.pdf opsAI-RIAP.pdf |
| CC9.2 |
Vendor Risk Management
The entity assesses and manages risks associated with vendors and business partners
|
Yes | opsAI-VMP.pdf |
| P1.1 |
Privacy Notification
The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy
|
Yes | opsAI-PSN.pdf opsAI-PMP.pdf |
| P2.1 |
Privacy Consent and Choice
The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented
|
Yes | opsAI-PSN.pdf opsAI-PMP.pdf |
| P3.1 |
Personal Information Collection
Personal information is collected consistent with the entity’s objectives related to privacy
|
Yes | opsAI-PSN.pdf opsAI-PMP.pdf |
| P3.2 |
Explicit Consent
For information requiring explicit consent, the entity communicates the need for such consent, as well as the consequences of a failure to provide consent for the request for personal information, and obtains the consent prior to the collection of the information to meet the entity’s objectives related to privacy
|
Yes | opsAI-PMP.pdf |
| P4.1 |
Proper Use of Personal Information
The entity limits the use of personal information to the purposes identified in the entity’s objectives related to privacy
|
Yes | opsAI-PSN.pdf opsAI-PMP.pdf |
| P4.2 |
Personal Information Retention
The entity retains personal information consistent with the entity’s objectives related to privacy
|
Yes | opsAI-PMP.pdf opsAI-RP.pdf |
| P4.3 |
Personal Information Disposal
The entity securely disposes of personal information to meet the entity’s objectives related to privacy
|
Yes | opsAI-PMP.pdf |
| P5.1 |
Data Subject Access
The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy
|
Yes | opsAI-PSN.pdf opsAI-PMP.pdf |
| P5.2 |
Data Subject Amendment
The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity’s objectives related to privacy. If a request for correction is denied, data subjects are informed of the denial and reason for such denial to meet the entity’s objectives related to privacy
|
Yes | opsAI-PMP.pdf |
| P6.1 |
Consent for Third Party Disclosure
The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy
|
Yes | opsAI-PSN.pdf opsAI-PMP.pdf |
| P6.2 |
Authorized Disclosures
The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity’s objectives related to privacy
|
Yes | opsAI-PMP.pdf |
| P6.3 |
Unauthorized Disclosures
The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity’s objectives related to privacy
|
Yes | opsAI-PMP.pdf |
| P6.4 |
Appropriate Third Party Disclosure
The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary
|
Yes | opsAI-PMP.pdf |
| P6.5 |
Unauthorized Third Party Disclosure
The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity’s objectives related to privacy
|
Yes | opsAI-PMP.pdf |
| P6.6 |
Notification of Unauthorized Third Party Disclosure
The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy
|
Yes | opsAI-PMP.pdf |
| P6.7 |
Accounting of Personal Information
The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects’ personal information, upon the data subjects’ request, to meet the entity’s objectives related to privacy
|
Yes | opsAI-PMP.pdf |
| P7.1 |
Accuracy of Personal Information
The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity’s objectives related to privacy
|
Yes | opsAI-PSN.pdf opsAI-PMP.pdf |
| P8.1 |
Personal Information Dispute Resolution
The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner
|
Yes | opsAI-PSN.pdf opsAI-PMP.pdf |
| PI1.1 |
Processing Integrity Monitoring
The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service speci cations, to support the use of products and services
|
Yes | opsAI-PSN.pdf opsAI-PIP.pdf |
| PI1.2 |
Processing Integrity Accuracy
The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity’s objectives
|
Yes | opsAI-PSN.pdf opsAI-PIP.pdf |
| PI1.3 |
Processing Integrity Operations
The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives
|
Yes | opsAI-PSN.pdf opsAI-PIP.pdf |
| PI1.4 |
Processing Integrity Outputs
The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity’s objectives
|
Yes | opsAI-PSN.pdf opsAI-PIP.pdf |
| PI1.5 |
Processing Integrity Backups
The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity’s objectives
|
Yes | opsAI-PSN.pdf opsAI-PIP.pdf |