Digital Security Program (DSP)
| Control | Description | Status |
|---|---|---|
| Statutory, Regulatory & Contractual Compliance | Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls. | |
| Non-Compliance Oversight | Mechanisms exist to document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions. | |
| Compliance Scope | Mechanisms exist to document and validate the scope of cybersecurity & data privacy controls that are determined to meet statutory, regulatory and/or contractual compliance obligations. | |
| Ability To Demonstrate Conformity | Mechanisms exist to ensure the organization is able to demonstrate conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations. | |
| Cybersecurity & Data Protection Controls Oversight | Mechanisms exist to provide a cybersecurity & data protection controls oversight function that reports to the organization's executive leadership. | |
| Internal Audit Function | Mechanisms exist to implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of the organization's technology and information governance processes. | |
| Periodic Audits | Mechanisms exist to conduct periodic audits of cybersecurity & data protection controls to evaluate conformity with the organization's documented policies, standards and procedures. | |
| Cybersecurity & Data Protection Assessments | Mechanisms exist to regularly review processes and documented procedures to ensure conformity with the organization's cybersecurity & data protection policies, standards and other applicable requirements. | |
| Independent Assessors | Mechanisms exist to utilize independent assessors to evaluate cybersecurity & data protection controls at planned intervals or when the system, service or project undergoes significant changes. | |
| Functional Review Of Cybersecurity & Data Protection Controls | Mechanisms exist to regularly review technology assets for adherence to the organization's cybersecurity & data protection policies and standards. | |
| Audit Activities | Mechanisms exist to thoughtfully plan audits by including input from operational risk and compliance partners to minimize the impact of audit-related activities on business operations. | |
| Legal Assessment of Investigative Inquiries | Mechanisms exist to determine whether a government agency has an applicable and valid legal basis to request data from the organization and what further steps need to be taken, if necessary. | |
| Investigation Access Restrictions | Mechanisms exist to support official investigations by provisioning government investigators with "least privileges" and "least functionality" to ensure that government investigators only have access to the data and systems needed to perform the investigation. | |