SOC 2 Type 2

A SOC 2 Type 2 report, developed by the American Institute of Certified Public Accountants (AICPA), assesses a service organization's internal controls and systems related to security, availability, processing integrity, confidentiality, and privacy, focusing on both the design and operating effectiveness of those controls over a period of time, typically 6-12 months.

Controls:

Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives.

  • Logical Access - SC.1

    The entity implements logical access security software, infrastructure, and procedures to provide security over the entity's systems and information.

  • Security Awareness - SC.2

    The entity implements and monitors its security awareness program to ensure that personnel understand their security responsibilities.

  • System Monitoring - SC.3

    The entity monitors system components and activity to identify security events.

  • Change Management - SC.4

    The entity implements a change management process to authorize, test, approve, and implement changes to the entity's infrastructure, data, software, and procedures.

  • Risk Assessment - SC.5

    The entity performs periodic risk assessments to identify and analyze threats and vulnerabilities that could affect the security of the entity's systems and information.

  • Vulnerability Management - SC.6

    The entity implements procedures to identify and address security vulnerabilities in a timely manner.

  • Incident Response - SC.7

    The entity develops and maintains an incident response plan to manage and recover from security incidents.

  • Physical Security - SC.8

    The entity implements physical security controls to protect the entity's facilities and information assets from unauthorized physical access, theft, and damage.

  • Data Security and Encryption - SC.9

    The entity implements controls to protect data at rest and in transit through methods such as encryption and data loss prevention techniques.

  • Network Security - SC.10

    The entity implements network security controls to protect its network infrastructure from unauthorized access and malicious activity.

Information and systems are available for operation and use to meet the entity's objectives.

  • Infrastructure Availability - AV.1

    The entity maintains infrastructure resources to meet its availability objectives.

  • Backup and Recovery - AV.2

    The entity backs up information and tests its recoverability to meet its availability objectives.

  • Disaster Recovery - AV.3

    The entity develops and maintains a disaster recovery plan to ensure the entity's ability to recover from events that could significantly disrupt business operations.

  • System Performance Monitoring - AV.4

    The entity monitors system performance and capacity to ensure systems are available to meet processing demands.

  • Redundancy and Failover - AV.5

    The entity implements redundant systems and failover capabilities for critical infrastructure components.

  • Business Continuity Planning - AV.6

    The entity develops and maintains a comprehensive business continuity plan to address a wide range of potential disruptions.

System processing is complete, accurate, timely, and authorized to meet the entity's objectives.

  • Data Input Controls - PI.1

    The entity implements data input controls to ensure that information processed by the system is accurate, complete, and valid.

  • System Processing - PI.2

    The entity implements processing controls to ensure that transactions are processed completely, accurately, and in a timely manner.

  • Data Output - PI.3

    The entity implements data output controls to ensure that reports and other outputs are accurate, complete, and distributed to authorized personnel.

  • Error Handling - PI.4

    The entity implements procedures to identify, log, and resolve processing errors.

  • Data Retention and Disposal - PI.5

    The entity implements policies and procedures for the retention and disposal of data to meet regulatory and business requirements.

  • Data Validation at Input - PI.6

    The entity implements automated and manual data validation procedures at the point of data entry.

  • Reconciliation Procedures - PI.7

    The entity performs regular reconciliations of data and system outputs to ensure accuracy and completeness.

  • Authorization Controls - PI.8

    The entity implements authorization controls to ensure that only authorized personnel can initiate and process transactions.

  • Transaction Logging and Monitoring - PI.9

    The entity logs and monitors transactions to provide an audit trail for detecting and investigating processing errors or unauthorized activities.

  • Data Backup for Processing Integrity - PI.10

    The entity maintains backups of data necessary to ensure the completeness and accuracy of processing in the event of a system failure or data loss.

Information designated as confidential is protected to meet the entity's objectives.

  • Identification of Confidential Information - CO.1

    The entity identifies and classifies confidential information.

  • Protection of Confidential Information - CO.2

    The entity protects confidential information using appropriate controls.

  • Data Disposal - CO.3

    The entity securely disposes of confidential information when it is no longer needed.

  • Access to Confidential Information - CO.4

    The entity restricts access to confidential information to authorized personnel based on the principle of least privilege.

  • Confidentiality Agreements - CO.5

    The entity uses confidentiality or non-disclosure agreements with personnel and third parties who have access to confidential information.

Personal information collected, used, retained, and disclosed is protected to meet the entity's objectives.

  • Notice - PR.1

    The entity provides notice to data subjects about the collection, use, retention, and disclosure of their personal information.

  • Choice and Consent - PR.2

    The entity provides data subjects with choices and obtains their consent regarding the collection, use, and disclosure of their personal information, where applicable.

  • Collection Limitation - PR.3

    The entity limits the collection of personal information to that which is relevant and necessary to accomplish the purposes identified in the notice.

  • Use, Retention, and Disposal - PR.4

    The entity limits the use of personal information to the purposes identified in the notice and retains it only for as long as necessary to fulfill those purposes.

  • Access - PR.5

    The entity provides data subjects with access to their personal information for review and update.

  • Disclosure to Third Parties - PR.6

    The entity controls the disclosure of personal information to third parties.

  • Security - PR.7

    The entity implements security safeguards to protect personal information against unauthorized access, use, and disclosure.

  • Quality - PR.8

    The entity maintains accurate and complete personal information.

  • Monitoring and Enforcement - PR.9

    The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related inquiries and complaints.

  • Accountability - PR.10

    The entity assigns responsibility and establishes procedures for addressing inquiries, complaints, and disputes related to its privacy practices.

  • Awareness and Training - PR.11

    The entity provides personnel with training on its privacy policies and procedures.

  • Data Integrity - PR.12

    The entity maintains the integrity of personal information and takes reasonable steps to ensure it is accurate, complete, and current.

  • Enforcement and Redress - PR.13

    The entity has procedures for enforcing its privacy policies and addressing violations.

  • Security of Processing - PR.14

    The entity implements security measures to protect the confidentiality, integrity, and availability of personal information throughout processing.