Has your organization established a formal process to track and manage legal and regulatory requirements for protecting personal information?
Explanation
Tracking legal obligations for personal data is the focus here: reviewers want a formal process to identify, monitor, and comply with the privacy laws and regulations that apply to your operations. Examples include HIPAA for healthcare data, GDPR for EU residents' data, CCPA for California consumers, and industry-specific requirements that govern how personal information must be protected.
Evidence could include a documented compliance management process, a regulatory tracking matrix showing applicable laws and their requirements, meeting minutes from compliance reviews, or reports from a governance/compliance tool that monitors regulatory changes and tracks implementation status of required controls.
Implementation Example
Determine a process to track and manage legal and regulatory requirements regarding protection of individuals' information (e.g., Health Insurance Portability and Accountability Act, California Consumer Privacy Act, General Data Protection Regulation)
ID: GV.OC-03.004
Context
- Function: GV: GOVERN
- Category: GV.OC: Organizational Context
- Sub-Category: Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed
Related questions
- Has the organization formally documented and shared its mission statement to provide a basis for identifying risks that may impede that mission?
- Has your organization identified and documented all internal stakeholders and their specific cybersecurity expectations?
- Has your organization formally identified and documented all external stakeholders and their cybersecurity expectations?
- Has your organization implemented a formal process to track and manage cybersecurity requirements in contracts with suppliers, customers, and partners?
- Has your organization documented how its cybersecurity strategy addresses applicable legal, regulatory, and contractual requirements?
- Has your organization established and documented criteria for determining the criticality of capabilities and services from both internal and external stakeholder perspectives?