{"id":130,"date":"2022-04-12T03:06:36","date_gmt":"2022-04-12T03:06:36","guid":{"rendered":"http:\/\/tcm.gov.to\/?page_id=130"},"modified":"2022-04-29T02:01:07","modified_gmt":"2022-04-29T02:01:07","slug":"compliance","status":"publish","type":"page","link":"https:\/\/tcm.gov.to\/?page_id=130","title":{"rendered":"Compliance"},"content":{"rendered":"<div id=\"themify_builder_content-130\" data-postid=\"130\" class=\"themify_builder_content themify_builder_content-130 themify_builder\">\n    \t<!-- module_row -->\n\t<div  class=\"themify_builder_row module_row clearfix module_row_0 themify_builder_130_row module_row_130-0 tb_mo42926\">\n\t    \t    <div class=\"row_inner col_align_top\" >\n\t\t\t<div  class=\"module_column tb-column col3-1 first tb_130_column module_column_0 module_column_130-0-0 tb_457f926\" style=\"width: 19%\">\n\t    \t    \t        <div class=\"tb-column-inner\">\n\t\t    <!-- module text -->\n<div  class=\"module module-text tb_p124457    \">\n            <div  class=\"tb_text_wrap\">\n    <h4 class=\"u-text u-text-body-color u-text-1\"><b>13 Compliance<\/b><\/h4>    <\/div>\n<\/div>\n<!-- \/module text -->\n\t        <\/div>\n\t    \t<\/div>\n\t\t<div  class=\"module_column tb-column col3-1 middle tb_130_column module_column_1 module_column_130-0-1 tb_z3mn926\" style=\"width: 19.6%\">\n\t    \t    \t        <div class=\"tb-column-inner\">\n\t\t    <!-- module text -->\n<div  class=\"module module-text tb_k9j6745    \">\n            <div  class=\"tb_text_wrap\">\n    <h4 class=\"u-text u-text-body-color u-text-2\"><b>13.1 Compliance with legal and contractual requirements<\/b><\/h4>\n<p class=\"u-text u-text-3\">Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security 
requirements.<\/p>\n<h4 class=\"u-text u-text-body-color u-text-1\"><b>13.2\u00a0<\/b><b>Compliance with security policies and standards<\/b><\/h4>    <\/div>\n<\/div>\n<!-- \/module text -->\n\t        <\/div>\n\t    \t<\/div>\n\t\t<div  class=\"module_column tb-column col3-1 last tb_130_column module_column_2 module_column_130-0-2 tb_jgmk926\" style=\"width: 55%\">\n\t    \t    \t        <div class=\"tb-column-inner\">\n\t\t    <!-- module text -->\n<div  class=\"module module-text tb_2r3p819    \">\n            <div  class=\"tb_text_wrap\">\n    <section id=\"sec-118b\" class=\"u-clearfix u-section-1\">\n<div class=\"u-clearfix u-sheet u-valign-middle u-sheet-1\">\n<div class=\"u-clearfix u-expanded-width u-gutter-0 u-layout-wrap u-layout-wrap-1\">\n<div class=\"u-layout\">\n<div class=\"u-layout-row\">\n<div class=\"u-container-style u-layout-cell u-right-cell u-size-38 u-layout-cell-3\">\n<div class=\"u-container-layout u-container-layout-3\">\n<h4 class=\"u-text u-text-black u-text-4\"><b>13.1.1 Identification of applicable legislation and contractual requirements<\/b><\/h4>\n<p><strong><em><span class=\"u-text-palette-1-base\">All relevant legislative, statutory, regulatory and contractual requirements 
and how the organization meets these requirements should be identified, documented and kept up to date.<\/span><\/em><\/strong><\/p>\n<ul class=\"u-text u-text-black u-text-5\">\n<li>For the organization and, if applicable, for information systems, define and document the specific controls and individual responsibilities to meet requirements from applicable legislation and contracts.<\/li>\n<\/ul>\n<h4 class=\"u-text u-text-6\"><b>13.1.2 Intellectual property rights<\/b><\/h4>\n<p><strong><em><span class=\"u-text-palette-1-base\">Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.<\/span><\/em><\/strong><\/p>\n<ul class=\"u-text u-text-7\">\n<li>Intellectual property rights include software or document copyright, design rights, trademarks, patents and source code licences. Copyright infringement can lead to legal action, which may involve fines and criminal proceedings.\u00a0<\/li>\n<li>To protect any material that may be considered intellectual property:<br \/>a) maintain appropriate asset registers and identify all assets with requirements to protect intellectual property rights;<br \/>b) acquire software only through known and reputable sources, to ensure that copyright is not violated;<br \/>c) comply with terms and conditions for software and information obtained from public networks;<br \/>d) maintain proof and evidence of ownership of licences, master disks, manuals, etc.;<br \/>e) implement controls to ensure that any maximum number of users permitted within the licence is not exceeded;<br \/>f) carry out reviews to verify that only authorized software and licensed products are installed;<br \/>g) maintain awareness of policies to protect intellectual property rights and take disciplinary action against personnel breaching them;<br \/>h) do not copy, in full or in part, books, reports or other documents, other than as permitted by 
copyright law.<\/li>\n<\/ul>\n<h4 class=\"u-text u-text-8\"><b>13.1.3 Protection of records<\/b><\/h4>\n<p><strong><em><span class=\"u-text-palette-1-base\">Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.<\/span><\/em><\/strong><\/p>\n<ul class=\"u-text u-text-9\">\n<li>Securely retain records that are needed to meet statutory, regulatory or contractual requirements, as well as to support essential business activities. First, categorize these records into record types, e.g. accounting records, database records, transaction logs, audit logs and operational procedures, each with details of allowable storage media, e.g. paper, microfiche, magnetic, optical.<\/li>\n<li>Establish a retention schedule identifying records and the period of time for which they should be retained. National law or regulation may set the time period and data content for information retention.<\/li>\n<li>Safeguard against loss of records due to future technology change and be aware of the possibility of deterioration of media used for storage of records. Where electronic storage media are chosen, establish procedures to ensure the ability to access data (both media and format readability) throughout the retention period. 
Storage and handling procedures should be implemented in accordance with the manufacturer\u2019s recommendations.<\/li>\n<li>Cryptographic keys and programs associated with encrypted archives or digital signatures should also be kept for as long as the records are retained, so that the records can still be decrypted.<\/li>\n<li>The system chosen for storage should permit appropriate destruction of records after that period if they are not needed by the organization.<\/li>\n<\/ul>\n<h4 class=\"u-text u-text-10\"><b>13.1.4 Privacy and protection of personally identifiable information<\/b><\/h4>\n<p><strong><em><span class=\"u-text-palette-1-base\">Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable.<\/span><\/em><\/strong><\/p>\n<ul class=\"u-text u-text-11\">\n<li>Introduce controls and impose duties on those collecting, processing and disseminating personally identifiable information (generally information on living individuals who can be identified from that information). Data privacy is about the appropriate use and management of data, not just encryption. 
Data is no longer only inside the organization\u2019s perimeter; it is in the cloud, on portable end-user devices where users work from home, and is often shared with partners or online services that might have it anywhere in the world.\u00a0<\/li>\n<li>Develop the organization\u2019s data policy for the protection of personally identifiable information and, if applicable, appoint a person responsible, such as a privacy officer, who provides guidance to managers, users and service providers on their individual responsibilities and the specific procedures that should be followed.<\/li>\n<\/ul>\n<p class=\"u-text u-text-12\">Read more:<\/p>\n<ul class=\"u-text u-text-13\">\n<li><span class=\"u-text-palette-1-base\">NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII),\u00a0<a class=\"u-active-none u-border-none u-btn u-button-link u-button-style u-hover-none u-none u-text-palette-1-base u-btn-1\" href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/legacy\/sp\/nistspecialpublication800-122.pdf\">https:\/\/nvlpubs.nist.gov\/nistpubs\/legacy\/sp\/nistspecialpublication800-122.pdf<\/a><\/span><\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/section>\n<section id=\"sec-2ec6\" class=\"u-clearfix u-section-2\">\n<div class=\"u-clearfix u-sheet u-sheet-1\">\n<div class=\"u-clearfix u-expanded-width u-gutter-0 u-layout-wrap u-layout-wrap-1\">\n<div class=\"u-layout\">\n<div class=\"u-layout-row\">\n<div class=\"u-container-style u-layout-cell u-left-cell u-size-11 u-layout-cell-1\">\n<div class=\"u-container-layout u-container-layout-1\">\u00a0<\/div>\n<\/div>\n<div class=\"u-container-style u-layout-cell u-right-cell u-size-38 u-layout-cell-3\">\n<div class=\"u-container-layout u-container-layout-3\">\n<p><strong><em><span class=\"u-text-palette-1-base\">Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate 
security policies, standards and other security requirements.\u00a0<\/span><\/em><\/strong><\/p>\n<ul class=\"u-text u-text-3\">\n<li>The organization\u2019s management should introduce and use operational monitoring, automatic measurement and reporting tools to verify that the information security requirements defined in policies, standards and other applicable regulations are met.<\/li>\n<li>Technical compliance review involves the examination of systems to ensure that hardware and software controls have been correctly implemented. Use automated tools that generate technical reports for subsequent interpretation by a technical specialist. Alternatively, manual reviews (supported by appropriate software tools, if necessary) by competent, authorized persons could be performed.<\/li>\n<li>Penetration testing and vulnerability assessments provide a snapshot of a system in a specific state at a specific time. If penetration tests or vulnerability assessments are used, plan and document them properly, as such activities could lead to a compromise of the security of the system.<\/li>\n<li>The results of reviews and corrective actions should be recorded and maintained.<\/li>\n<li>Where the requirements are not met, the manager of the organization:<br \/>a) identifies the causes of the non-compliance;<br \/>b) evaluates the need for actions to achieve compliance;<br \/>c) implements appropriate corrective action;<br \/>d) initiates a review to verify the effectiveness of the corrective action and to identify any deficiencies or weaknesses.<\/li>\n<\/ul>\n<p class=\"u-text u-text-4\">Read more:<\/p>\n<ul class=\"u-text u-text-5\">\n<li><span class=\"u-text-palette-1-base\">NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment<\/span><\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/section>    <\/div>\n<\/div>\n<!-- \/module text -->\n\t        <\/div>\n\t    \t<\/div>\n\t\t    <\/div>\n\t    <!-- \/row_inner 
-->\n\t<\/div>\n\t<!-- \/module_row -->\n\t<\/div>\n\n\n","protected":false},"excerpt":{"rendered":"<p>13 Compliance 13.1 Compliance with legal and contractual requirements Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-130","page","type-page","status-publish","hentry","has-post-title","has-post-date","has-post-category","has-post-tag","has-post-comment","has-post-author",""],"_links":{"self":[{"href":"https:\/\/tcm.gov.to\/index.php?rest_route=\/wp\/v2\/pages\/130","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tcm.gov.to\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/tcm.gov.to\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/tcm.gov.to\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tcm.gov.to\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=130"}],"version-history":[{"count":6,"href":"https:\/\/tcm.gov.to\/index.php?rest_route=\/wp\/v2\/pages\/130\/revisions"}],"predecessor-version":[{"id":274,"href":"https:\/\/tcm.gov.to\/index.php?rest_route=\/wp\/v2\/pages\/130\/revisions\/274"}],"wp:attachment":[{"href":"https:\/\/tcm.gov.to\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=130"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}