Protect the confidentiality integrity and availability of collected data.

• DS.1 - Data Encryption at Rest

  Encrypt collected data when stored on systems and devices.

• DS.2 - Data Encryption in Transit

  Encrypt collected data when transmitted over networks.

• DS.3 - Secure Data Storage

  Store collected data in secure environments with appropriate physical and logical controls.

• DS.4 - Data Backup and Recovery

  Implement regular data backup processes and have a recovery plan in place.

• DS.5 - Data Sanitization for Disposal

  Implement procedures for securely sanitizing or destroying data storage media before disposal or reuse.

Ensure compliance with privacy regulations and obtain proper consent.

• PC.1 - Privacy Policy

  Develop and maintain a clear and comprehensive privacy policy for data collection.

• PC.2 - Consent Mechanisms

  Implement mechanisms to obtain explicit consent for data collection and processing where required.

• PC.3 - Data Minimization

  Collect only the data that is necessary for the specified purpose.

• PC.4 - Data Subject Rights

  Establish processes to address data subject rights requests (e.g. access rectification erasure).

Secure the infrastructure and systems used for electronic data collection.

• SS.1 - Secure Configuration

  Configure all systems and devices used for data collection securely.

• SS.2 - Vulnerability Management

  Implement a process for identifying assessing and remediating security vulnerabilities in EDC systems.

• SS.3 - Network Security

  Implement network security measures to protect the data collection infrastructure.

• SS.4 - Malware Protection

  Deploy and maintain anti-malware solutions on all systems involved in data collection.

• SS.5 - Security Baselines

  Establish and maintain security baselines for all EDC systems and components.

Maintain the accuracy and reliability of the collected data.

• DQI.1 - Data Validation

  Implement data validation checks at the point of collection to ensure accuracy.

• DQI.2 - Data Integrity Controls

  Implement controls to prevent unauthorized modification or deletion of collected data.

• DQI.3 - Data Reconciliation

  Implement processes for reconciling collected data with source systems or records.

Manage who can access the data collection systems and the collected data.

• ACA.1 - Role-Based Access Control

  Implement role-based access control to limit access based on job responsibilities.

• ACA.2 - Strong Authentication

  Enforce strong authentication mechanisms for accessing data collection systems.

• ACA.3 - Principle of Least Privilege

  Grant users only the minimum level of access necessary to perform their job functions.

Establish policies for how long data is kept and how it is securely disposed of.

• DRD.1 - Data Retention Policy

  Define data retention periods based on legal regulatory and business requirements.

• DRD.2 - Secure Disposal Procedures

  Implement secure methods for disposing of data when it is no longer needed.

Track activities and changes within the data collection systems.

• AL.1 - Audit Logging

  Enable comprehensive audit logging for all relevant activities within the EDC systems.

• AL.2 - Log Monitoring and Analysis

  Regularly monitor and analyze audit logs for suspicious activity or policy violations.

• AL.3 - Time Synchronization

  Ensure accurate time synchronization across all EDC systems.

Have a plan to address any security or privacy incidents related to data collection.

• IR.1 - Incident Response Plan

  Develop and maintain a written incident response plan for data collection incidents.

• IR.2 - Incident Reporting Procedures

  Establish procedures for reporting security and privacy incidents related to data collection.

• IR.3 - Data Breach Notification

  Establish procedures for notifying affected individuals and regulatory authorities in the event of a data breach.

Educate users on secure data collection practices.

• UTA.1 - Security Awareness Training

  Conduct regular security awareness training for all users involved in data collection.

• UTA.2 - Role-Specific Training

  Provide role-specific training on data collection procedures and security requirements.

• UTA.3 - Phishing Awareness Training

  Provide specific training on identifying and avoiding phishing attacks.

Ensure the security and compliance of third-party vendors involved in EDC.

• VM.1 - Vendor Due Diligence

  Conduct due diligence on vendors before engaging them for EDC activities.

• VM.2 - Vendor Agreements

  Include security and privacy requirements in contracts with EDC vendors.

• VM.3 - Vendor Monitoring

  Implement ongoing monitoring of vendor security and compliance.

Protect the physical infrastructure used for electronic data collection.

• PS.1 - Physical Access Controls

  Implement physical access controls to restrict unauthorized entry to facilities housing EDC systems.

• PS.2 - Environmental Controls

  Maintain appropriate environmental controls (temperature humidity) in facilities housing EDC systems.