Information Security Policy Development for Compliance
L.2 Target systems are scanned for vulnerabilities and identified vulnerabilities are remediated.
P. Management of Privacy Program
P.1 An inventory of all target privacy data, defined by data subject category, its ownership, and its flow, is maintained and updated annually with all required information in the privacy inventory/flow. It has been approved and reviewed within the last 12 months and contains a revision history.
P.2 Privacy policy and privacy notices of service provider and
third parties have been developed, are maintained, include the
privacy principles developed by the OECD or the generally
accepted privacy principles developed by the AICPA/CICA,
have been approved and reviewed within the last 12 months,
and contain a revision history.
P.3 An individual has been assigned as accountable for the privacy program at service providers and third parties. Accountability includes creation, review, enforcement, and a change management process for the privacy policy and program. This responsibility is documented as part of the organization chart and roles and responsibilities for the privacy program. Key procedures have been written for due diligence, review and compliance, enforcement and monitoring, and change management.
P.4 Privacy agreements detail privacy and protection requirements between the service provider and its third parties that have access to target privacy data.
P.5 A record is maintained of all required notifications, registrations, permits, approvals, adequacy mechanisms, and reviews/approvals from any mandated entities (such as employee-related bodies, councils, or unions) of the privacy policy.
P.6 Privacy procedures, which include the key relevant domains
of privacy, are enforced and maintained.
P.7 Privacy awareness training occurs at least annually and during on-boarding of new employees, addressing a broad set of privacy topics with comprehension testing included. Attendance reports for service provider employees and third-party employees are maintained.
R116
R099 R517
R520
R455
R469
