Example ISO 27001 27002 Policy Standard Mapping [PDF]


v2022.1

Policy Name

ISO 27002:2022 Cybersecurity Data Protection Program Crosswalk Mapping

Standard #

Asset Management

ISO 27001 v2013

ISO 27002 v2013

ISO 27002 v2022

AICPA TSC 2017 (SOC 2)

CIS CSC v8.0

COBIT 2019

EDM01.02 APO01.09 APO04.01 APO13.01 APO13.02

Security & Privacy Governance Program

4.3 4.4 5.1 6.1.1

GOV-02

Steering Committee

4.3 6.2 7.4 9.3 10.2

GOV-03

Publishing Security & Privacy Documentation

4.3 5.2 7.5.1 7.5.2 7.5.3

5.1.1

5.1 5.37

CC5.3

APO01.09

GOV-04

Periodic Review & Update of Security & Privacy Program

6.1.1 7.4

5.1.2

5.1 5.37

CC5.3

EDM01.01 EDM01.03 EDM05.01 APO02.02 APO13.03

GOV-05

Assigned Security & Privacy Responsibilities

5.3

5.2

CC1.1 CC1.3

APO01.05

GOV-06

Measures of Performance

9.1

CC1.2 CC1.5 CC2.2

EDM01.03 EDM05.01 EDM05.03 APO02.02 MEA01.04

GOV-07

Contacts With Authorities

6.1.3

5.5

GOV-08

Contacts With Groups & Associations

6.1.4

5.6

GOV-09

Defining Business Context & Mission

GOV-01

Security & Privacy Governance

Standard Name

5.1.1

5.1 5.4 5.37

CC1.2

A&A-01 AIS-01 BCR-01 CCC-01 CEK-01 DCS-01 A&A-01 AIS-01 BCR-01 CCC-01 CEK-01 DCS-01

SO1

ISO 27018 v2014

ISO 27701 v2019 5.3.1 5.3.2 5.3.3 5.4 5.4.1 5.4.1.1

MPA Content Security Program v4.07 MS-1.0 MS-1.1 MS-1.2 MS-1.3

NIAC Insurance Data Security Model Law (MDL-668) Sec 4A Sec 4B Sec 4E(1) Sec 4G

NIST Privacy Framework v1.0

GV.PO-P1 GV.PO-P6

NIST 800-53 rev4

PM-1

NIST 800-53 rev5

NIST 800-218 v1.1

NIST CSF v1.1

OWASP Top 10 v2017

PCIDSS v3.2

US FACTA

US FAR 52.204-21

US FDA 21 CFR Part 11

12.1 12.1.1

PM-1

GRC-06 STA-04

Principle 16 Principle 19 Principle 20

AIS-03 SEF-05 TVM-09 TVM-10

SO11 S12 S13 S14 S15

11.2.6

1 1.3 2.1 2.2

5.30 5.31 7.9

BAI09.01 BAI09.02 BAI09.03 BAI09.04 BAI09.05

Stakeholder Identification & Involvement

AST-04

Asset Inventories

8.1.1

5.9

1 1.1 2.1 2.2 2.4 6.6

BAI09.01

AST-05

Software Licensing Restrictions

18.1.2

5.32 6.2

2.2

BAI09.05

4.2

PM-1

PM-1

Sec 4D(2) Sec 4G

GV.MT-P2

PM-1

PM-1

MS-1.0 MS-1.1 MS-1.2 MS-1.3 MS-3.0

Sec 4C(1)

ID.IM-P2 GV.PO-P3 CM.PO-P2

PL-9 PM-2 PM-6

PL-9 PM-2 PM-6 PM-29

MS-1.2 MS-1.3

Sec 4D(2) Sec 4E(1)

GV.MT-P4 PR.PO-P5 PR.PO-P6

PM-6

PM-6

MS-5.2

Sec 4D(4)

IR-6

IR-6

Sec 4D(4)

PM-15

PM-15

MS-1.0 MS-1.1 MS-1.2 MS-1.3

6.2.1.2

MS-1.0 MS-1.1 MS-1.2 MS-1.3

5.1 5.3

9.1

6.3.1.4

4.1 4.2 4.2.1 4.2.2

DCS-05

ID.IM-P5 ID.BE-P1 ID.BE-P2 GV.RM-P3 DS-11.6 DS-11.6.1 DS-11.6.2 PS-12.0 PS-13.0 PS-14.0

SO15

US FERPA

US FFIEC

US FINRA

S-P (17 CFR §248.30)

§ 1232h

US GLBA

US HIPAA

6801(b)(1)

164.306 164.306(a) 164.306(b) 164.306(c) 164.306(d) 164.306(e)

HIPAA - HICP Small Practice

10.S.A

HIPAA - HICP Medium Practice

8.M.A

HIPAA - HICP Large Practice

8.M.A 10.M.A

US - CA CCPA

1798.81.5(b)

US - MA 201 CMR 17.00

17.03(1) 17.04 17.03(2)(b)(2)

US - NY DFS 23 NYCRR500

US - OR 646A

US-TX Cybersecurity Act

SCF #

PR.DS-P3

ID.GV-1

12.1 12.1.1

§ 11.10 § 11.10(j)

§ 1232h

D1.G.SP.B.4

S-P (17 CFR §248.30)

6801(b)(1)

§ 1232h

PO.2 PO.2.1 PO.2.2 PO.2.3

ID.AM-6

12.5 12.5.1 12.5.2 12.5.3 12.5.4 12.5.5

D1.R.St.B.1 D1.TC.Cu.B.1

Safeguards Rule

164.306 164.308 164.308(a)(1)(i) 164.312 164.316 164.316(a) 164.306(e) 164.316(b) 164.316(b)(1) 164.316(b)(1)(i) 164.316(b)(1)(ii) 164.316(b)(2)(iii)

164.308(a)(2)

D2.IS.Is.B.1 D2.IS.Is.E.2

PR.IP-8

4.S.A 10.S.A

4.M.B

10.S.A

5.S.B 10.S.A

5.M.B 8.M.A

10.S.A

5.1.2 6.1

4.M.B 10.M.A

1798.81.5(b)

10.M.A

1798.81.5(b)

5.M.B 8.M.A 10.M.A

1798.81.5(b)

10.M.A

500.02

Sec 10

GOV-01

Mechanisms exist to establish, maintain and disseminate cybersecurity and privacy policies, standards and procedures.

500.03

500.04

Sec 10

GOV-02

Sec 10

GOV-03

Mechanisms exist to review the cybersecurity and privacy program, including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

622(2)(d)(A)(i)

Sec 9

GOV-04

Mechanisms exist to assign a qualified individual with the mission and resources to centrally manage, coordinate, develop, implement and maintain an enterprise-wide cybersecurity and privacy program.

622(2)(d)(A)(vi) 622(2)(d)(B)(iii)

Sec 10 Sec 11

GOV-05

Mechanisms exist to develop, report and monitor cybersecurity and privacy program measures of performance.

Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.

8.M.A 8.M.C

8.M.A 8.M.C 7.L.A 8.L.B

Sec 5 Sec 11

GOV-06

8.M.A 8.M.C

8.M.A 8.M.C 9.L.D

Sec 5 Sec 11

GOV-07

5.S.A

5.M.A

5.M.A 2.L.A

AST-01

Mechanisms exist to identify and assess the security of technology assets that support more than one critical business function.

ID.IM-P8

AST-01.1

5.9

EDM05.01 EDM05.02 EDM05.03 DSS06.02

ID.IM-P2 ID.IM-P8

AST-01.2

SO15

6.5 6.5.1 6.5.1.1

ID.IM-P1

MS-8.0 DS-6.12 DS-12.0 DS-12.1

ID.IM-P1 ID.IM-P4 ID.IM-P5 ID.IM-P8

PS-12.0 PS-21.3

ID.IM-P2

SA-4(12)

6.15.1.2

APO01.06

Accountability Information

5.9

EDM05.01 EDM05.02 EDM05.03 APO01.06

AST-09

Provenance

5.21

AST-10

Network Diagrams & Data Flow Diagrams (DFDs)

5.9

AST-11

Security of Assets & Media

11.2.6

7.9

6.8.2.6

DS-6.6

AST-12

Unattended End-User Equipment

11.2.6 11.2.8

7.9 8.1

6.8.2.8

DS-6.6

AST-13

Kiosks & Point of Sale (PoS) Devices

11.2.8

8.1

AST-14

Tamper Detection

11.2.6

7.9

AST-15

Secure Disposal, Destruction or Re-Use of Equipment

11.2.7

7.14 8.10

AST-16

Return of Assets

8.1.4

5.11

CC2.1

3.8 12.4

6.5.1.2

ID.AM-1 ID.AM-2 ID.AM-4

D1.G.IT.B.1 D4.RM.Dd.B.2 D4.C.Co.B.3

1.1.2 2.4

CM-8 PM-5

SC-18(2)

SC-18(2)

AST-02.7

CM-13

AST-02.8

164.310(d)(2)(iii)

5.S.A

5.M.A 9.M.D

5.M.A 9.M.D 2.L.E

CM-8 PM-5

AST-02

Mechanisms exist to perform inventories of technology assets that:
▪ Accurately reflects the current systems, applications and services in use;
▪ Is at the level of granularity deemed necessary for tracking and reporting;
▪ Includes organization-defined information deemed necessary to achieve effective property accountability; and
▪ Is available for review and audit by designated organizational personnel.

Mechanisms exist to protect Intellectual Property (IP) rights with software licensing restrictions.

Mechanisms exist to create and maintain a map of technology assets where sensitive data is stored, transmitted or processed.

Mechanisms exist to assign asset ownership responsibilities to a department, team or individual to establish a common understanding of requirements for asset protection.

ID.IM-P2

DSP-05 IVS-08

Mechanisms exist to identify and involve pertinent stakeholders of critical systems, applications and services to support the ongoing secure management of those assets.

DS-6.11 PS-12.0 PS-12.3 PS-13.0 PS-8.3 PS-8.4

5.9

Mechanisms exist to establish contact with selected groups and associations within the cybersecurity & privacy communities to:
▪ Facilitate ongoing cybersecurity and privacy education and training for organizational personnel;
▪ Maintain currency with recommended cybersecurity and privacy practices, techniques and technologies; and

Mechanisms exist to define the context of its business model and document the mission of the organization.

Mechanisms exist to facilitate an IT Asset Management (ITAM) program to implement and manage asset management controls.

1798.81.5(b)

APO09.01 APO09.02 BAI09.01 BAI09.02

DCS-05 DSP-03 STA-07 UEM-04

Mechanisms exist to coordinate cybersecurity, privacy and business alignment through a steering committee or advisory board, comprising key cybersecurity, privacy and business executives, which meets formally and on a regular basis.

GOV-08

12.3.3 12.3.4 12.3.7

PM-5

17.03(2)(a)

17.03(2)(j)

ID.BE-1 ID.BE-2

PM-5

17.03(1) 17.04 17.03(2)(b)(2)

Secure Controls Framework (SCF) Control Description

Mechanisms exist to facilitate the implementation of cybersecurity and privacy governance controls.

5.9 5.30

5.9

8.1.2

GV.PO-P1 GV.PO-P6 GV.MT-P3 GV.MT-P4 GV.MT-P5 GV.MT-P6

6.2 6.2.1 6.2.1.1

5.2.1 5.2.2

SO1

EDM05.01 EDM05.02 EDM05.03 APO01.01 APO01.02 APO01.03

4.1 4.2

AST-03

AST-08

5.2 5.2.1 5.2.2

GRC-05 GRC-07

GRC-08

Asset-Service Dependencies

Assigning Ownership of Assets

ISO 22301 v2019

6.3.1.3

AST-02

AST-07

ENISA v2.0

CC2.3

Asset Governance

Data Action Mapping

Principle 2

CSA CCM v4

GOV-01.1

AST-01

AST-06

COSO v2017

3/10/2022

MS-8.0 DS-6.12

ID.IM-P1

CM-8(4)

PL-2 SA-5(1) SA-5(2) SA-5(3) SA-5(4)

2.5

AST-03

CM-8(4)

AST-03.1

SR-4 SR-4(1) SR-4(2)

AST-03.2

PL-2 SA-4(1) SA-4(2)

Mechanisms exist to include capturing the name, position and/or role of individuals responsible/accountable for administering assets as part of the technology asset inventory process.

Mechanisms exist to track the origin, development, ownership, location and changes to systems, system components and associated data.

ID.AM-3

1.1.2 1.1.3

D4.C.Co.B.4 D4.C.Co.Int.1

4.L.B 8.L.D

AST-04

Mechanisms exist to maintain network architecture diagrams that:
▪ Contain sufficient detail to assess the security of the network's architecture;
▪ Reflect the current architecture of the network environment; and
▪ Document all sensitive data flows.

Mechanisms exist to maintain strict control over the internal or external distribution of any kind of sensitive/regulated media.

9.6 9.6.1 9.6.2 9.6.3

AST-05

Mechanisms exist to implement enhanced protection measures for unattended systems to protect against tampering and unauthorized access.

AST-06

Mechanisms exist to appropriately protect devices that capture sensitive/regulated data via direct physical interaction from tampering and substitution.

9.9 9.9.1 9.9.2 9.9.3

AST-07

PS-11.5 PS-20.1 PS-20.2 PS-21.2 DS-6.6.1

CC6.5

3.5

DSP-02

6.8.2.7 7.4.8

HRS-05

6.5.1.4

Sec 4D(2)

SA-19(3)

SR-12

9.8 9.8.1 9.8.2

52.204-21(b)(1)(vii)

164.310(d)(2)(i) 164.310(d)(2)(ii)

5.S.C

5.M.D

5.M.D 5.L.A 9.L.C

AST-08

Mechanisms exist to inspect mobile devices for evidence of tampering upon return from geographic regions of concern or other known hostile environments that could lead to device compromise.

AST-09

Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.

Mechanisms exist to ensure that employees and third-party users return all organizational assets in their possession upon termination of employment, contract or agreement.

AST-10

**Copyrighted Material** - It is prohibited to disclose this document to third-parties without an executed Non-Disclosure Agreement (NDA) to protect this Intellectual Property (IP).


AST-17

Removal of Assets

11.2.5

7.10

6.8.2.5

AST-18

Use of Personal Devices

AST-19

Tamper Protection

11.2.6

7.9

BCD-01

Business Continuity Management System (BCMS)

17.1.1 17.1.2

5.29 5.30

BCD-02

Business Continuity & Disaster Recovery Coordinate with Related Plans

5.29 5.30

BCD-03

Coordinate With External Service Providers

5.29 5.30

BCD-04

Contingency Plan Testing & Exercises

17.1.3

5.29 5.30

CC7.5 A1.3

BCD-05

Alternate Storage Site

17.2.1

8.14

A1.2

BCD-06

Alternate Processing Site

17.2.1

8.14

A1.2

BCD-07

Data Backups

12.3.1

8.13

CC7.5 A1.2

11.2

BCD-08

Testing for Reliability & Integrity

12.3.1

8.13

CC7.5 A1.2

11.3 11.5

BCD-09

Separate Storage for Critical Information

12.3.1

8.13

A1.2

BCD-10

Cryptographic Protection

12.3.1

8.13

A1.2

BCD-11

Redundant Secondary System

17.2.1

8.14

CAP-01

Capacity & Performance Management

12.1.3

8.6

A1.1

CAP-02

Capacity Planning

12.1.3

8.6

A1.1

CHG-01

Change Management Program

12.1.2

8.19 8.32

CC3.4 CC8.1

CHG-02

Configuration Change Control

12.1.2 14.2.2

8.19 8.32

CHG-03

Test, Validate & Document Changes

14.2.3

8.19 8.32

CLD-01

Cloud Services

5.23

IPY-01 IPY-04 IVS-06 IVS-07 IVS-08 STA-05

CLD-02

Cloud Security Architecture

5.23

CLD-03

Application & Program Interface (API) Security

CLD-04

PS-17.0 PS-17.1 PS-17.3


D1.G.IT.E.3 D1.G.IT.E.2

PR.DS-3

164.310(d)(1) 164.310(d)(2)

5.S.C

5.M.D

Mechanisms exist to authorize, control and track technology assets entering and exiting organizational facilities.

5.M.D 5.L.A

622(2)(d)(C)(ii)

AST-11

Mechanisms exist to restrict the possession and usage of personally-owned technology devices within organization-controlled facilities.

Business Continuity & Disaster Recovery

7.10

AST-12

CC7.5 CC9.1

11.0

DSS04.01 DSS04.02 DSS04.03 DSS04.04 DSS04.05 DSS04.06

Mechanisms exist to verify logical configuration settings and the physical integrity of critical technology assets throughout their lifecycle.

SA-18

SR-9 SR-9(1)

CP-1 CP-2 IR-4(3) PM-8 CP-10

CP-1 CP-2 IR-4(3) PM-8 CP-10

BCR-06

CP-2(1)

CP-2(1)

BCD-01.1

BCR-06

CP-2(7)

CP-2(7)

BCD-01.2

CP-4

CP-4

164.308(a)(7)(ii)(D)

BCD-04

6.14.1.3 6.14.2 6.14.2.1

CP-6

CP-6 PE-23

164.310(a)(2)(i)

BCD-08

6.14 6.14.1 6.14.1.1

CP-7

CP-7 PE-23

164.310(a)(2)(i)

BCD-09

PR.PO-P3

CP-9 SC-28(2)

CP-9 SC-28(2)

PR.IP-4

PR.DS-P6

CP-9(1)

CP-9(1)

PR.IP-4

CP-9(3)

CP-9(3)

BCD-11.2

CP-9(8)

BCD-11.4

CP-9(6)

CP-9(6)

BCD-11.7

PR.DS-P4

SC-5 SC-5(3)

SC-5 SC-5(3)

PR.DS-4

PR.DS-P4

SC-5 SC-5(2) CP-2(2)

SC-5 SC-5(2) CP-2(2)

PR.DS-4

PR.PO-P2

CM-3

CM-3

PR.PO-P2

CM-3

CM-3 SA-8(31)

CM-3(2) CM-5(2)

CM-3(2) CM-3(7) SA-8(31)

PS-21.2

BCR-01 BCR-03 BCR-04 BCR-05 BCR-07 BCR-09

SO19 SO20

4.3 4.3.1 4.3.2 4.4 5.1 5.2

6.14.1.2

MS-6.0

PR.PO-P7

AST-15

ID.BE-5 PR.IP-9 RC.RP-1

Mechanisms exist to facilitate the implementation of contingency planning controls to help ensure resilient assets and services.

164.308(a)(7)(ii)(B) 164.308(a)(7)(ii)(C) 164.310(b)

D5.IR.Pl.B.6

1798.81.5(b)

BCD-01

Mechanisms exist to coordinate contingency plan development with internal and external elements responsible for related plans.

Mechanisms exist to coordinate internal contingency plans with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.

BCR-06 BCR-10

DSS04.04

APO14.10 DSS04.07

SO22

8.5 8.6

6.9.3 6.9.3.1

BCR-08

BCR-06 BCR-08

Mechanisms exist to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization’s readiness to execute the plan.

6.14.1.3

PR.PO-P8

MS-6.2 DS-1.7 DS-3.10

Mechanisms exist to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.

Mechanisms exist to establish an alternate processing site that provides security measures equivalent to that of the primary site.

164.308(a)(7)(ii)(A) 164.310(d)(2)(iv)

4.M.D

4.M.D

BCD-11

Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

Mechanisms exist to routinely test backups to verify the reliability of the backup process, as well as the integrity and availability of the data.

SO22

DS-3.10

BCD-11.1

Mechanisms exist to store backup copies of critical software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the system being backed up.

Cryptographic mechanisms exist to prevent the unauthorized disclosure and/or modification of backup information.

11.3

DS-3.10

BCR-03 BCR-11

IVS-02

6.9.1.3

Change Management

CCC-01 CEK-06 CEK-06

SO14

6.9.1.2

DS-7.1 DS-15.10 MS-7.0

CC3.4 CC8.1

CCC-02 CCC-05 CEK-05

SO14

6.11.2.2

DS-15.10

CC3.4 CC8.1

CCC-02

Principle 15

Sec 4D(2)

6.11.2.3

Mechanisms exist to facilitate the implementation of capacity management controls to ensure optimal system performance to meet expected and anticipated future capacity requirements.

D5.IR.Pl.B.5 D5.IR.Pl.B.6 D5.IR.Pl.E.3 D3.PC.Im.E.4

Capacity & Performance Planning

CAP-01

CAP-03

6.4 6.4.1 6.4.2 6.4.3 6.4.4 6.4.5

§ 11.10 § 11.10(k) § 11.10(k)(1) § 11.10(k)(2)

Mechanisms exist to conduct capacity planning so that necessary capacity for information processing, telecommunications and environmental support will exist during contingency operations.

Mechanisms exist to facilitate the implementation of change management controls.

§ 11.10 § 11.10(k) § 11.10(k)(1) § 11.10(k)(2)

PR.IP-3

Mechanisms exist to maintain a failover system, that is not collocated with the primary system, application and/or service, which can be activated with little-to-no loss of information or disruption to operations.

1798.81.5(b)

CHG-01

Mechanisms exist to govern the technical configuration change control processes.

D1.G.IT.B.4

CHG-02

Mechanisms exist to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment.

CHG-02.2

2.6 12.8.1

Mechanisms exist to facilitate the implementation of cloud management controls to ensure cloud instances are secure and in-line with industry practices.

52.204-21(b)(1)(iv)

4.L.A

1798.81.5(b)

CLD-01

IVS-06 IVS-07 IVS-08

52.204-21(b)(1)(iv)

4.L.A

CLD-02

8.26

IPY-01 IPY-02 IPY-03

52.204-21(b)(1)(iv)

4.L.A

CLD-04

Multi-Tenant Environments

5.23

IVS-06

52.204-21(b)(1)(iv)

4.L.A

CLD-06

CLD-05

Customer Responsibility Matrix (CRM)

5.23

CLD-06

Geolocation Requirements for Processing, Storage and Service Locations

5.23

CPL-01

Statutory, Regulatory & Contractual Compliance

Mechanisms exist to ensure the cloud security architecture supports the organization's technology strategy to securely design, configure and maintain cloud employments.

Mechanisms exist to ensure support for secure interoperability between components.

Cloud Security

18.1.1

5.31 8.34

DS-15.2

PO.2 PO.2.1 PO.2.2 PO.2.3 7.5 7.5.1 7.5.2 8.5.1 8.5.2

DSP-19 UEM-12 UEM-12

CC2.2 CC2.3

MEA02.01 MEA02.02 MEA03.01 MEA03.02 MEA03.03 MEA03.04

A&A-01 A&A-04 GRC-07 STA-06 STA-09 UEM-14

SO25

4.2.2

6.15 6.15.1 6.15.1.1

MS-4.0 MS-4.1 MS-4.2

Sec 4I Sec 6E(1) Sec 6E(2) Sec 6F Sec 7A Sec 7B

GV.PO-P5 GV.MT-P3

SA-9(5)

SA-9(5) SA-9(8)

PL-1 PM-8

PL-1 PM-8

CLD-06.1

Mechanisms exist to ensure multi-tenant owned or managed assets (physical and virtual) are designed and governed such that provider and customer (tenant) user access is appropriately segmented from other tenant users.

Mechanisms exist to document a Customer Responsibility Matrix (CRM) to delineate the assigned responsibilities for controls between the Cloud Service Provider (CSP) and its customers.

Mechanisms exist to control the location of cloud processing/storage based on business requirements that includes statutory, regulatory and contractual obligations.

52.204-21(b)(1)(iv)

ID.GV-3 PR.IP-5 DE.DP-2

12.1

52.204-21(b)(2) 52.204-21(c)

4.L.A

§ 11.10 § 11.10(a) § 11.10(b) § 11.10(c) § 11.10(d) § 11.10(e)

D1.G.Ov.E.2 D3.PC.Am.B.11


6801(b)(3)

164.302 164.318 164.318(a) 164.318(a)(1) 164.318(a)(2) 164.318(b)

CLD-09

Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.

1798.145

500.19

CPL-01
