[Organization chart, recovered from the flattened figure: Chairman; Board of Directors (BOD); CEO; VP (Internal Audit), CIO, VP (Purchase), VP (Sales & Marketing), VP (Production), VP (Quality Control), VP (Design & Dev.), VP (Logistics); Managers for Internal Audit, Finance, Accounts, IT, Purchase, Store, Logistics, HR/Adm., Regional, Production, Quality Control, Design & Dev.; Manager (Branch); Shift In-charge; Assistants, Supervisor, Lab Assistants, Inspector; Laborers]
10.2 Department policies and procedures. | The department has documented its own policies and procedures. They are well understood by department staff. | Department policies and procedures do not exist.
11 – Control Procedures
11.1 Senior management (Company) reviews. | Senior management monitors the department's performance against objectives and budget. | Senior management does not monitor department performance.
EDM03.02 Direct risk management. | Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite.
EDM03.03 Monitor risk management. | Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation.
NA Compliant P
1) Definition of Body Corporate | Sec 43A | Is the organization a 'body corporate' as defined in the IT (Amendment) Act, 2008 (ITAA 2008)?
Definition | Body Corporate means any company and includes a firm, sole proprietorship, or other association of individuals engaged in commercial or professional activities.
2) Organization's Role Clarification | Is the Organization aware of the privacy role it performs based on its functions, activities & business?
Role 2: Data Processor | Provides services to its clients (organizations) under a lawful contract, having an indirect relationship with the end customers (providers of information), as per the instructions from the data controller; e.g. business process outsourcing service providers.
Role 3: Data Controller | Provides employment or other related services / benefits to its employees and / or enables employees to perform their duties.
3) Sensitive Personal Data or Information (SPDI) | Sec 43A | Does the organization deal (collect, process, store, transfer, access) with the following categories of "sensitive personal data or information" (SPDI) as defined under sec 43A of the ITAA, 2008? Has it identified such functions, operations and activities that deal with SPDI?
Definition of SPDI | Rule 3 (u/s | i. Password (capable of providing information or access to the SPDI listed below)
ii. Financial information such as bank account or credit card or debit card or other payment instrument details
vii. Any of the details relating to the above categories, or information received under the above categories of SPDI by the organization for
Exceptions | Any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information.
e) Does it state?
iv. Disclosure policy and practices of the organization (refer question number 11)
v. Reasonable security practices and procedures adopted by the organization for securing SPDI
For organizations that act as data processors [refer Q 2 above], questions 5 to 11 (Rules 5 & 6 of Sections 43A in ITAA, 2008) are not applicable
5) Collection Limitation | Rule 5 2(a) | Does the organization follow any due diligence to ensure SPDI is collected for a lawful purpose which is associated with the function or activity of the organization?
Due Diligence | Rule 5 2(b) | Does the organization follow any due diligence to ensure that only the SPDI which is necessary for the above purpose is collected?
Informing the Providers of Information | Rule 5(3) | When directly collecting SPDI from the provider of information, does the organization take reasonable steps to ensure that the provider of information has knowledge about:
i. the fact that the SPDI is being collected
ii. the purpose for which SPDI is collected
iii. the intended recipients of SPDI