Information Security Policy Development for Compliance
L.2 Target systems are scanned for vulnerabilities and identified vulnerabilities are remediated.
P.1 An inventory of all target privacy data, defined by data subject category, its ownership, and its flow, is maintained and updated annually with all required information in the privacy inventory/flow. It has been approved and reviewed within the last 12 months and contains a revision history.
third parties have been developed, are maintained, include the
privacy principles developed by the OECD or the generally
accepted privacy principles developed by the AICPA/CICA,
have been approved and reviewed within the last 12 months,
and contain a revision history.
P.3 An individual has been assigned as accountable for the privacy program at service providers and third parties. Accountability includes creation, review, enforcement, and a change responsibility is documented as part of the organization chart and roles and responsibilities for the privacy program. Key procedures have been written for due diligence, review and compliance, enforcement and monitoring, and change management.
P.4 Privacy agreements detail privacy and protection requirements between the service provider and its third parties that have access to target privacy data.
P.5 A record is maintained of all required notifications, registrations, permits, approvals, adequacy mechanisms, and reviews/approvals from any mandated entities (such as employee-related
P.6 Privacy procedures, which include the key relevant domains of privacy, are enforced and maintained.
P.7 Privacy awareness training occurs at least annually and during on-boarding of new employees, addressing a broad set of privacy topics with comprehension testing included. Attendance reports for service provider employees and third-party