To achieve Privacy+ certified status, companies must establish and have a third-party audit of internal controls designed to meet a specific set of control objectives designed to preserve information privacy. The control objectives have been established by PRISM International and must be met by all Privacy+ participants.
Each Privacy+ participating company will have a unique set of internal controls supporting the control objectives. The requirement of the internal controls is that, in the judgment of the participant’s auditor, they are sufficient to support the control objectives. To assist participants in understanding the types of internal controls required to support the control objectives, PRISM International provides the following sample internal controls in support of each control objective. These are examples; participants may replace or add individual internal controls based on their own internal risk assessment of their specific operations.
The control objectives are as follows (bullet points are sample internal controls):
Control Objective 1—Organization and Management Control
Controls provide reasonable assurance that management provides oversight, segregates duties, and guides employee behavior through a formal program.
- The organization has an updated organizational chart.
- The organization has a formal, written employee handbook.
- The organization has formal, written job descriptions.
Control Objective 2—Information Security Policy
Controls provide reasonable assurance that management has implemented an information security program that governs the implementation of security practices.
- The organization has a formal, written information security policy.
- The information security policy appoints a manager or individual responsible for overseeing the program.
- The information security policy identifies the laws or regulations that the organization is required to follow.
- The information security policy specifies operational procedures for physical access to and the handling of customer information stored physically or electronically at the organization’s site.
- The information security policy specifies the process for incident response that complies with Payment Card Industry Data Security Standard (PCI DSS) requirement 12.9.
- The information security policy fully addresses PCI Requirements 9 and 12.
- The information security policy specifies the methods for employee training to be conducted at least annually.
- The information security policy specifies disciplinary procedures for employees found in violation of the policy.
Control Objective 3—Risk Assessment
Controls provide reasonable assurance that management has implemented a risk-assessment function to identify new risks or changes to the environment that would necessitate the modification of controls.
- The organization has a formal, written risk-assessment plan.
- The organization conducts a risk assessment at least annually, resulting in documented threats and mitigation plans.
Control Objective 4—Human Resources Controls
Controls provide reasonable assurance that employees and contractors understand their security responsibilities and are suitable for the roles for which they are considered.
- The organization performs background checks on potential employees, including criminal, credit, pre-employment, and reference checks.
- Each employee and contractor signs a confidentiality agreement.
- The organization has documented hiring and termination procedures to provide or remove access to customer information.
Control Objective 5—Vendor Management
Controls provide reasonable assurance that third parties understand their security responsibilities and are capable of following the organization’s security requirements.
- The organization has a formal selection process to evaluate third-party capabilities and service delivery.
- Each vendor signs a confidentiality agreement.
- The organization contractually communicates security responsibilities to each vendor.
Control Objective 6—Physical Access Controls
Controls provide reasonable assurance that unauthorized access to secure areas in the corporate administrative and records storage sites is prevented.
- All access points to the facility are locked or have an electronic access mechanism.
- The facility is equipped with a burglar alarm and monitored 24/7.
- All entry points are monitored at all times.
- All visitors provide valid identification and sign a written log to gain entry.
- All visitors wear a badge that clearly designates them as a visitor.
- All visitors are escorted at all times by an authorized employee unless preauthorized as a known visitor, such as common vendors.
- Unattended vehicles containing client information are locked.
- Entry to client record sites is logged, either manually or electronically.
- Strict control over the internal or external distribution of any kind of media is maintained, including the following:
- Classify the media so the sensitivity of the data can be determined.
- Send the media by secured courier or other delivery method that can be accurately tracked.
Control Objective 7—Environmental Controls
Controls provide reasonable assurance that negative impact from environmental factors is effectively mitigated.
- The facility is equipped with a fire suppression system.
- The facility is equipped with a fire detection system and monitored 24/7.
- Critical operation servers, including those containing client-owned information, are equipped with battery backup systems.
- Critical operation servers are properly cooled if contained within an enclosed computer room.
Control Objective 8—Logical Access Controls
Controls provide reasonable assurance that logical access mechanisms are in place to appropriately restrict access to applications, data, network resources, and operating systems.
- Each user account is authorized according to business needs. All privileges are assigned based on job classification and function.
- There is a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.
- Employee passwords must be changed during designated intervals, not to exceed 90 days.
- Systems are configured to enforce strong password construction (at least 7 characters, alpha and numeric characters, requiring at least one special character), if the current software supports this function.
- Clients complete a predetermined authorization process prior to receiving credentials to records management tools.
Control Objective 9—Network Security
Controls provide reasonable assurance that best practices have been implemented to restrict unauthorized access to internal network resources.
- A firewall is installed at each Internet connection and between any wireless networks.
- External vulnerability scans are performed at least quarterly or after any significant change in the network to validate and identify vulnerabilities in the configuration.
- Antivirus and antimalware utilities are installed on every system commonly affected by malicious code, with automatic updates configured.
- Patch management is performed at least quarterly and within 30 days for critical releases.
Control Objective 10—Electronic Access to Client Information
Controls provide reasonable assurance that best practices have been implemented to protect client information that is stored or transmitted via electronic means.
- Websites or browser-based utilities use secure sockets layer encryption when accessing client information.