331 – Guarantee legal compliance

Summary

The system must comply with the legal requirements of the jurisdiction to which it is subject.

Description

If a system complies with legal requirements becomes responsible and lawful in its operation. It protects the organization from legal consequences, builds trust with users and stakeholders, and aligns the systems with regulatory expectations. Non-compliance with legal requirements can lead to serious consequences, including fines, penalties, legal actions, and reputational damage.

Supported In

Advanced: True

References

• GDPR-R45. Fulfillment of legal obligations
• FCRA-605-H_2. Regulations
• GLBA-501_A. Privacy obligation policy
• MISRAC-1_1. All code shall conform to legal compliance
• NYDFS-500_3. Cybersecurity policy
• PDPA-3_12. Policies and practices
• PDPO-5_19. Compliance with data access request
• PDPO-S1_5. Information to be generally available
• CMMC-AC_L2-3_1_3. Control CUI flow
• HITRUST-01_a. Access control policy
• HITRUST-02_d. Management responsibilities
• HITRUST-04_a. Information security policy document
• HITRUST-06_a. Identification of applicable legislation
• HITRUST-06_b. Intellectual property rights
• HITRUST-06_f. Regulation of cryptographic controls
• HITRUST-06_g. Compliance with security policies and standards
• HITRUST-09_i. System acceptance
• HITRUST-13_g. Purpose legitimacy
• FEDRAMP-SA-1. System and services acquisition policy and procedures
• FEDRAMP-SC-1. System and communications protection policy and procedures
• ISO27002-5_34. Privacy and protection of Personal Identifiable Information (PII)
• LGPD-7_II. Requirements for the Processing of Personal Data
• LGPD-7_VI. Requirements for the Processing of Personal Data
• LGPD-26. Rules
• LGPD-51. Good Practice and Governance
• WASSEC-8_4_1. Compliance report
• OSSTMM3-9_1_1. Wireless security (posture review) - Policy
• PTES-7_2_1. Post exploitation - Rules of engagement (protect the client)
• OWASPRISKS-P5. Non-transparent policies, terms and conditions
• MVSP-1_6. Business controls - Compliance
• NIST800115-6_6. Legal considerations
• SIGLITE-SL_23. Is there an information security policy that has been approved by management and an owner to maintain and review the policy?
• SIG-B_1. Security policy
• SIG-B_1_1. Security policy
• SIG-L_1. Compliance
• ASVS-1_1_1. Secure Software Development Lifecycle
• ISO27001-5_34. Privacy and protection of Personal Identifiable Information (PII)

Weaknesses

• 118 – Regulation infringement

Last updated

2024/01/18