SOC 2 Type 1

A SOC 2 Type 1 report, developed by the American Institute of Certified Public Accountants (AICPA), assesses a service organization's internal controls and systems related to security, availability, processing integrity, confidentiality, and privacy, focusing on both the design and operating effectiveness of those controls over a period of time, typically 6-12 months.

Controls:

Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.

  • Logical Access - SC.1

    Protection of information assets from unauthorized physical and logical access.

  • Security Awareness - SC.2

    Cultivating a security-conscious culture through training and awareness programs.

  • System Operations - SC.3

    Managing and monitoring IT infrastructure to ensure its security and availability.

  • Data Security - SC.4

    Implementing measures to protect data throughout its lifecycle.

  • Physical Security - SC.5

    Protecting the physical environment and access to IT assets.

  • Risk Assessment - SC.6

    Identifying and analyzing potential security risks to the organization's information assets.

  • Monitoring Activities - SC.7

    Ongoing monitoring of systems and logs to detect security incidents and anomalies.

  • Incident Response - SC.8

    Establishing and maintaining an incident response plan to effectively manage security incidents.

  • Vulnerability Management - SC.9

    Implementing procedures to identify, assess, and remediate security vulnerabilities in a timely manner.

  • Network Security - SC.10

    Protecting the network infrastructure from unauthorized access and malicious activity.

Availability: Information and systems are available for operation and use to meet the entity’s objectives.

  • Infrastructure Availability - AV.1

    Ensuring the reliability and uptime of the underlying IT infrastructure.

  • Backup and Recovery - AV.2

    Maintaining backups of critical data and having the ability to restore systems in case of an outage.

  • Disaster Recovery - AV.3

    Having a plan in place to recover IT systems and business operations after a significant disruption.

  • Performance Monitoring - AV.4

    Continuously monitoring system performance and capacity to ensure optimal availability.

  • Failover and Redundancy - AV.5

    Implementing redundant systems and automated failover capabilities for critical components.

  • Business Continuity Planning - AV.6

    Developing and maintaining a comprehensive business continuity plan to address various potential disruptions.

Processing integrity: System processing is complete, accurate, timely, and authorized to meet the entity’s objectives.

  • Data Input Controls - PI.1

    Ensuring the accuracy and completeness of data entered into the system.

  • Processing Controls - PI.2

    Ensuring that data is processed correctly and as intended.

  • Output Controls - PI.3

    Ensuring the accuracy and completeness of information produced by the system.

  • Error Handling - PI.4

    Implementing procedures to identify, log, and resolve processing errors.

  • Data Retention and Disposal - PI.5

    Establishing and enforcing policies for the retention and secure disposal of data.

  • Data Validation - PI.6

    Implementing automated and manual data validation procedures to ensure data accuracy.

  • Reconciliation - PI.7

    Performing regular reconciliations of data and system outputs to ensure accuracy and completeness.

Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.

  • Identification of Confidential Information - CO.1

    Defining and classifying information that requires confidentiality protection.

  • Protection of Confidential Information - CO.2

    Implementing controls to safeguard confidential information throughout its lifecycle.

  • Access Control to Confidential Information - CO.3

    Restricting access to confidential information to authorized personnel based on the principle of least privilege.

  • Confidentiality Agreements - CO.4

    Using confidentiality or non-disclosure agreements with personnel and third parties who have access to confidential information.

Privacy: Personal information collected, used, retained, and disclosed is protected to meet the entity’s objectives.

  • Notice - PR.1

    Providing data subjects with notice about the collection, use, retention, and disclosure of their personal information.

  • Choice and Consent - PR.2

    Providing data subjects with choices and obtaining their consent regarding the collection, use, and disclosure of their personal information, where applicable.

  • Collection Limitation - PR.3

    Limiting the collection of personal information to that which is relevant and necessary to accomplish the purposes identified in the notice.

  • Use, Retention, and Disposal - PR.4

    Limiting the use of personal information to the purposes identified in the notice and retaining it only for as long as necessary to fulfill those purposes.

  • Access - PR.5

    Providing data subjects with access to their personal information for review and update.

  • Disclosure to Third Parties - PR.6

    Controlling the disclosure of personal information to third parties.

  • Security - PR.7

    Implementing security safeguards to protect personal information against unauthorized access, use, and disclosure.

  • Quality - PR.8

    Maintaining accurate and complete personal information.

  • Monitoring and Enforcement - PR.9

    Monitoring compliance with its privacy policies and procedures and having procedures to address privacy-related inquiries and complaints.

  • Accountability - PR.10

    Assigning responsibility and establishing procedures for addressing inquiries, complaints, and disputes related to its privacy practices.

  • Awareness and Training - PR.11

    Providing personnel with training on its privacy policies and procedures.

  • Data Integrity - PR.12

    Maintaining the integrity of personal information and taking reasonable steps to ensure it is accurate, complete, and current.