
TPM-04 Privacy Risk Assessment

>Control Description

Organization reviews the privacy practices of service providers who access, collect, process, transfer, or store personal information on Organization's behalf upon initial procurement and renewal; non-compliance is tracked through remediation.

Theme

Process

Type

Corrective

Policy/Standard

Vendor Information Security Policy

>Implementation Guidance

1. Ensure that a process is defined and documented to review the privacy practices of service providers who access, collect, process, transfer, or store personal information on Organization's behalf.
2. Ensure that the reviews are conducted at the time of initial procurement and at renewal.
3. Ensure that any non-compliances are tracked to remediation.

>Testing Procedure

1. Inspect and validate that a process is defined and documented to review the privacy practices of service providers who access, collect, process, transfer, or store personal information on Organization's behalf.
2. Validate for a sample vendor that the reviews are conducted at the time of initial procurement and at renewal.
3. Validate for a sample non-compliance event that it was tracked to remediation.

>Audit Artifacts

E-TPM-07
E-TPM-08
E-TPM-09
