From 6ab9cbd4412c5d0fd1f62823379e546df8958ed1 Mon Sep 17 00:00:00 2001 From: Mariano Date: Wed, 6 May 2026 12:14:50 +0100 Subject: [PATCH 01/18] fix(treatment-plan): cap linked-work lists and treatment plan body height Long Tasks/Controls lists or AI-generated treatment plans were stretching the right (Linked Work) and middle (Treatment plan) columns past the Strategy column, leaving the row visually unbalanced and forcing the whole page to scroll just to see the bottom controls. - LinkedWork: each list (Tasks, Controls) now caps at max-h-80 with internal overflow-y-auto. The progress bar / counts stay pinned. - DescriptionEditor: markdown preview and the auto-growing textarea share a TEXTAREA_MAX_PX (480) cap. Past the cap, internal scroll takes over instead of pushing the row down. Net effect: the three columns stay roughly aligned regardless of how many tasks/controls are linked or how long the AI's plan runs. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../treatment-plan/DescriptionEditor.tsx | 22 +++++++++++++++---- .../risks/treatment-plan/LinkedWork.tsx | 8 +++++-- 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/apps/app/src/components/risks/treatment-plan/DescriptionEditor.tsx b/apps/app/src/components/risks/treatment-plan/DescriptionEditor.tsx index 6c23fd7db6..d3a95757e1 100644 --- a/apps/app/src/components/risks/treatment-plan/DescriptionEditor.tsx +++ b/apps/app/src/components/risks/treatment-plan/DescriptionEditor.tsx @@ -34,6 +34,14 @@ const TERMINAL_FAILURE_STATUSES = new Set([ 'TIMED_OUT', ]); +/** + * Cap (in px) for both the markdown preview and the auto-growing textarea. + * Past this height, the body scrolls internally so the Treatment plan column + * stays roughly aligned with the Strategy and Linked Work columns instead + * of pushing the whole row downward when AI emits a long plan. + */ +const TEXTAREA_MAX_PX = 480; + function regenStatusCopy(status: string | undefined): { headline: string; sub: string } { if (!status || status === 'WAITING_FOR_DEPLOY') { return { @@ -102,14 +110,17 @@ export function DescriptionEditor({ if (value.trim().length === 0) setMode('edit'); }, [value, mode, saving]); - // Auto-grow the textarea to fit content. Run on draft change AND on mode - // change (so switching from preview to edit sizes correctly on first paint). + // Auto-grow the textarea to fit content, but cap at TEXTAREA_MAX_PX so a + // long draft doesn't stretch the Treatment plan column past the Strategy + // / Linked Work columns. Internal scroll kicks in past the cap. useLayoutEffect(() => { if (mode !== 'edit') return; const el = textareaRef.current; if (!el) return; el.style.height = 'auto'; - el.style.height = `${Math.max(el.scrollHeight, 200)}px`; + const next = Math.max(Math.min(el.scrollHeight, TEXTAREA_MAX_PX), 200); + el.style.height = `${next}px`; + el.style.overflowY = el.scrollHeight > TEXTAREA_MAX_PX ? 'auto' : 'hidden'; }, [draft, mode]); const isDirty = draft.trim() !== (value ?? '').trim(); @@ -139,7 +150,10 @@ export function DescriptionEditor({ return (
{mode === 'preview' && hasValue ? ( -
+
) : ( diff --git a/apps/app/src/components/risks/treatment-plan/LinkedWork.tsx b/apps/app/src/components/risks/treatment-plan/LinkedWork.tsx index 29ed127162..7060a11d77 100644 --- a/apps/app/src/components/risks/treatment-plan/LinkedWork.tsx +++ b/apps/app/src/components/risks/treatment-plan/LinkedWork.tsx @@ -109,7 +109,10 @@ export function LinkedWork({ orgId, tasks, onUnlinkTask }: LinkedWorkProps) { No tasks linked. Link tasks from the Tasks tab to track mitigation progress.

) : ( -
    + // Cap the height so a long linked-task list doesn't stretch the + // Linked Work column past the Strategy / Treatment plan columns. + // Internal scroll keeps the visible list compact. +
      {tasks.map((t, i) => { const taskDone = isTaskDone(t.status); const isUnlinking = unlinking === t.id; @@ -170,7 +173,8 @@ export function LinkedWork({ orgId, tasks, onUnlinkTask }: LinkedWorkProps) { No controls linked (derived from tasks).

      ) : ( -
        + // Same height cap as the Tasks list above. +
          {controls.map((c, i) => (
        • Date: Wed, 6 May 2026 12:36:39 +0100 Subject: [PATCH 02/18] fix(treatment-plan): paginate linked tasks and controls (4 per page) + seed fix MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit LinkedWork - Each list (Tasks, Controls) now paginates at 4 items per page with prev/next + "X–Y of N" controls. Replaces the prior height cap + internal scroll. Long linked sets stay visually compact and the Linked Work column no longer pushes past the Strategy / Treatment plan columns regardless of list size. - Pagination state resets defensively when the underlying list shrinks past the current page (e.g. after an unlink). Seed fix (FrameworkEditorControlTemplate.json) - `documentTypes: null` → `documentTypes: []` for all 204 rows. The schema requires a non-nullable `EvidenceFormType[]` (default `[]`) but the export was writing nulls, which Prisma rejects on upsert. - Mapped enum values from kebab-case (`"infrastructure-inventory"`) to the TS-side snake_case (`"infrastructure_inventory"`). Prisma's client expects the enum identifier, not the `@map`'d DB string. Together these unblock `bun run db:seed` from a clean DB. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../risks/treatment-plan/LinkedWork.tsx | 223 ++- .../FrameworkEditorControlTemplate.json | 1568 +++++++++++++++-- 2 files changed, 1616 insertions(+), 175 deletions(-) diff --git a/apps/app/src/components/risks/treatment-plan/LinkedWork.tsx b/apps/app/src/components/risks/treatment-plan/LinkedWork.tsx index 7060a11d77..e99f859747 100644 --- a/apps/app/src/components/risks/treatment-plan/LinkedWork.tsx +++ b/apps/app/src/components/risks/treatment-plan/LinkedWork.tsx @@ -2,9 +2,20 @@ import { cn } from '@/lib/utils'; import { TaskStatus } from '@db'; -import { Checkmark, Close, TrashCan } from '@trycompai/design-system/icons'; +import { + Checkmark, + ChevronLeft, + ChevronRight, + Close, + TrashCan, +} from '@trycompai/design-system/icons'; import Link from 'next/link'; -import { useState } from 'react'; +import { useEffect, useState } from 'react'; + +// Show 4 items per page in each list (Tasks + Controls). Long lists used +// to stretch the column past the Strategy / Treatment-plan columns and +// force the page to scroll just to see the bottom controls. +const PAGE_SIZE = 4; interface LinkedTask { id: string; @@ -51,6 +62,52 @@ function deriveControls(tasks: LinkedTask[]): DerivedControl[] { })); } +function Pagination({ + page, + pageCount, + onPageChange, + total, +}: { + page: number; + pageCount: number; + onPageChange: (next: number) => void; + total: number; +}) { + if (pageCount <= 1) return null; + const start = (page - 1) * PAGE_SIZE + 1; + const end = Math.min(page * PAGE_SIZE, total); + return ( +
          + + {start}–{end} of {total} + +
          + + + {page} / {pageCount} + + +
          +
          + ); +} + function StatusIcon({ done }: { done: boolean }) { if (done) { return ( @@ -87,6 +144,28 @@ export function LinkedWork({ orgId, tasks, onUnlinkTask }: LinkedWorkProps) { } }; + // Per-list pagination (Tasks + Controls). Reset to page 1 when the + // underlying list shrinks past the current page (e.g. after an unlink + // that drops the last task on the visible page). + const [taskPage, setTaskPage] = useState(1); + const [controlPage, setControlPage] = useState(1); + const taskPageCount = Math.max(1, Math.ceil(tasks.length / PAGE_SIZE)); + const controlPageCount = Math.max(1, Math.ceil(controls.length / PAGE_SIZE)); + useEffect(() => { + if (taskPage > taskPageCount) setTaskPage(taskPageCount); + }, [taskPage, taskPageCount]); + useEffect(() => { + if (controlPage > controlPageCount) setControlPage(controlPageCount); + }, [controlPage, controlPageCount]); + const visibleTasks = tasks.slice( + (taskPage - 1) * PAGE_SIZE, + (taskPage - 1) * PAGE_SIZE + PAGE_SIZE, + ); + const visibleControls = controls.slice( + (controlPage - 1) * PAGE_SIZE, + (controlPage - 1) * PAGE_SIZE + PAGE_SIZE, + ); + return (
          {/* Tasks group */} @@ -109,51 +188,56 @@ export function LinkedWork({ orgId, tasks, onUnlinkTask }: LinkedWorkProps) { No tasks linked. Link tasks from the Tasks tab to track mitigation progress.

          ) : ( - // Cap the height so a long linked-task list doesn't stretch the - // Linked Work column past the Strategy / Treatment plan columns. - // Internal scroll keeps the visible list compact. -
            - {tasks.map((t, i) => { - const taskDone = isTaskDone(t.status); - const isUnlinking = unlinking === t.id; - return ( -
          • 0 && 'border-t border-border', - )} - > - +
              + {visibleTasks.map((t, i) => { + const taskDone = isTaskDone(t.status); + const isUnlinking = unlinking === t.id; + return ( +
            • 0 && 'border-t border-border', )} > - - {t.title} - - {onUnlinkTask && ( - - )} -
              • - ); - })} -
            + + {t.title} + + {onUnlinkTask && ( + + )} +
            • + ); + })} +
          + + )}
          @@ -173,30 +257,37 @@ export function LinkedWork({ orgId, tasks, onUnlinkTask }: LinkedWorkProps) { No controls linked (derived from tasks).

          ) : ( - // Same height cap as the Tasks list above. -
            - {controls.map((c, i) => ( -
          • 0 && 'border-t border-border')} - > - +
              + {visibleControls.map((c, i) => ( +
            • 0 && 'border-t border-border')} > - - {c.name} - -
              • - ))} -
            + + + {c.name} + +
            • + ))} +
          + + )}
diff --git a/packages/db/prisma/seed/primitives/FrameworkEditorControlTemplate.json b/packages/db/prisma/seed/primitives/FrameworkEditorControlTemplate.json index 725d7e3524..0e881f1fad 100644 --- a/packages/db/prisma/seed/primitives/FrameworkEditorControlTemplate.json +++ b/packages/db/prisma/seed/primitives/FrameworkEditorControlTemplate.json @@ -4,349 +4,1699 @@ "name": "Secure Data Transfer", "description": "Protect Information in Transit", "createdAt": "2025-06-04 16:09:44.637", - "updatedAt": "2025-06-04 19:41:05.066" + "updatedAt": "2025-06-04 19:41:05.066", + "documentTypes": [] }, { "id": "frk_ct_684071e280c4e0f777b957f7", "name": "Data Privacy", "description": "Protect Privacy and Personal Data (PII)", "createdAt": "2025-06-04 16:18:42.339", - "updatedAt": "2025-06-04 19:41:05.908" + "updatedAt": "2025-06-04 19:41:05.908", + "documentTypes": [] }, { "id": "frk_ct_684073617d0706858cceb8c7", "name": "Asset Return", "description": "Ensure Return of Assets Upon Termination", "createdAt": "2025-06-04 16:25:04.708", - "updatedAt": "2025-06-04 19:41:06.360" + "updatedAt": "2025-06-04 19:41:06.360", + "documentTypes": [] }, { "id": "frk_ct_68407429371f33886d8ab80d", "name": "Encryption Key Management", "description": "Implement Cryptographic Key Lifecycle Management", "createdAt": "2025-06-04 16:28:25.083", - "updatedAt": "2025-06-04 19:41:06.998" + "updatedAt": "2025-06-04 19:41:06.998", + "documentTypes": [] }, { "id": "frk_ct_6840705b6dcee0506dabacfb", "name": "Regulatory Compliance", "description": "Identify and Comply with Legal and Contractual Requirements", "createdAt": "2025-06-04 16:12:11.272", - "updatedAt": "2025-06-04 19:41:05.205" + "updatedAt": "2025-06-04 19:41:05.205", + "documentTypes": [] }, { "id": "frk_ct_6840738800f98fa3c0f3a3ae", "name": "Configuration & Patch Management", "description": "Harden baselines; patch swiftly", "createdAt": "2025-06-04 16:25:43.882", - "updatedAt": "2025-06-04 19:41:06.507" + "updatedAt": "2025-06-04 19:41:06.507", + "documentTypes": [] }, { "id": "frk_ct_684072e06f4a49ee669076cc", "name": "Endpoint Protection", "description": "Protect Systems Against Malware", "createdAt": "2025-06-04 16:22:56.279", - "updatedAt": "2025-06-09 02:50:51.955" + "updatedAt": "2025-06-09 02:50:51.955", + "documentTypes": [] }, { "id": "frk_ct_684070831cc83c4ab4c2c4d8", "name": "Security Logging", "description": "Enable Logging of Security Events", "createdAt": "2025-06-04 16:12:50.757", - "updatedAt": "2025-06-04 19:41:05.344" + "updatedAt": "2025-06-04 19:41:05.344", + "documentTypes": [] }, { "id": "frk_ct_6840731ae0b857152b35ca8f", "name": "Remote-Work Security", "description": "Implement Secure Remote Working Practices", "createdAt": "2025-06-04 16:23:54.000", - "updatedAt": "2025-06-04 19:41:06.238" + "updatedAt": "2025-06-04 19:41:06.238", + "documentTypes": [] }, { "id": "frk_ct_684073ba24475a83ba048022", "name": "Segregation of duties", "description": "Implement Segregation of Duties", "createdAt": "2025-06-04 16:26:33.778", - "updatedAt": "2025-06-04 19:41:06.631" + "updatedAt": "2025-06-04 19:41:06.631", + "documentTypes": [] }, { "id": "frk_ct_684073d541bfb8b8b777e529", "name": "Threat intelligence", "description": "Implement a Threat Intelligence Program", "createdAt": "2025-06-04 16:27:01.369", - "updatedAt": "2025-06-04 19:41:06.752" + "updatedAt": "2025-06-04 19:41:06.752", + "documentTypes": [] }, { "id": "frk_ct_68407c9513000617776104c7", "name": "Acceptable Use", "description": "Establish an Acceptable Use Policy for Information and Assets", "createdAt": "2025-06-04 17:04:20.799", - "updatedAt": "2025-06-04 19:41:07.258" - }, - { - "id": "frk_ct_6849ba93636ff0155eb89158", - "name": "Utility Tool monitoring", - "description": "Audits the execution of privileged program", - "createdAt": "2025-06-11 17:19:15.284", - "updatedAt": "2025-06-11 17:19:15.284" - }, - { - "id": "frk_ct_683f4a410cf5bf6d40bf3583", - "name": "Access Rights", - "description": "Manage User Access Rights Lifecycle", - "createdAt": "2025-06-03 19:17:20.504", - "updatedAt": "2025-06-04 19:41:03.426" + "updatedAt": "2025-06-04 19:41:07.258", + "documentTypes": [] }, { "id": "frk_ct_683f4ae4acbd63d0e558a6f5", "name": "Credential Management", "description": "Protect Authentication Information", "createdAt": "2025-06-03 19:20:04.055", - "updatedAt": "2025-06-04 19:41:03.601" + "updatedAt": "2025-06-04 19:41:03.601", + "documentTypes": [] }, { "id": "frk_ct_683f4b7614d209f8b6ffd477", "name": "Resource Capacity Management", "description": "Perform Capacity Management for Resources", "createdAt": "2025-06-03 19:22:30.199", - "updatedAt": "2025-06-04 19:41:03.729" + "updatedAt": "2025-06-04 19:41:03.729", + "documentTypes": [] }, { "id": "frk_ct_683f4c30e2d3f1117fa58e13", "name": "Change management", "description": "Apply Change Management for Information Systems", "createdAt": "2025-06-03 19:25:36.373", - "updatedAt": "2025-06-04 19:41:03.850" + "updatedAt": "2025-06-04 19:41:03.850", + "documentTypes": [] }, { "id": "frk_ct_683f4c9db20e7cf4a303af1f", "name": "Compliance Register", "description": "Maintain compliance register exceptions", "createdAt": "2025-06-03 19:27:24.623", - "updatedAt": "2025-06-04 19:41:03.972" - }, - { - "id": "frk_ct_683f4dd564057a97ae323c9f", - "name": "Disaster Recovery Planning", - "description": "Test DR; meet RTO/RPO", - "createdAt": "2025-06-03 19:32:37.325", - "updatedAt": "2025-06-04 19:41:04.410" + "updatedAt": "2025-06-04 19:41:03.972", + "documentTypes": [] }, { "id": "frk_ct_683f4ef6c6a5481a377be413", "name": "Standard Operating Procedures (SOPs)", "description": "Document Operational Procedures", "createdAt": "2025-06-03 19:37:26.001", - "updatedAt": "2025-06-04 19:41:04.534" + "updatedAt": "2025-06-04 19:41:04.534", + "documentTypes": [] }, { "id": "frk_ct_683f4f59dea367ca96145e14", "name": "Independent ISMS Review", "description": "Conduct Independent Review of the ISMS", "createdAt": "2025-06-03 19:39:04.628", - "updatedAt": "2025-06-04 19:41:04.669" + "updatedAt": "2025-06-04 19:41:04.669", + "documentTypes": [] }, { "id": "frk_ct_683f50556124040dc15d62cb", "name": "Continuity-Time Security", "description": "Maintain Security During Disruptions", "createdAt": "2025-06-03 19:43:16.530", - "updatedAt": "2025-06-04 19:41:04.806" + "updatedAt": "2025-06-04 19:41:04.806", + "documentTypes": [] }, { "id": "frk_ct_683f50aae46f5e4e096e6bb3", "name": "Secure SDLC Integration", "description": "Integrate Information Security into Project Management", "createdAt": "2025-06-03 19:44:41.732", - "updatedAt": "2025-06-04 19:41:04.941" + "updatedAt": "2025-06-04 19:41:04.941", + "documentTypes": [] }, { "id": "frk_ct_684070c1f0091d850df02e59", "name": "Mobile Security", "description": "Enforce MDM on mobile", "createdAt": "2025-06-04 16:13:52.979", - "updatedAt": "2025-06-04 19:41:05.484" + "updatedAt": "2025-06-04 19:41:05.484", + "documentTypes": [] }, { "id": "frk_ct_68407122565b1968676d93db", "name": "Physical Access Control", "description": "Control Physical Entry to Facilities", "createdAt": "2025-06-04 16:15:29.760", - "updatedAt": "2025-06-04 19:41:05.759" + "updatedAt": "2025-06-04 19:41:05.759", + "documentTypes": [] }, { "id": "frk_ct_68407406644c56d42eac3295", "name": "Endpoint Security", "description": "Secure User Endpoint Devices", "createdAt": "2025-06-04 16:27:49.808", - "updatedAt": "2025-06-04 19:41:06.874" - }, - { - "id": "frk_ct_683f4d7360a876b972aba39a", - "name": "Vulnerability Management", - "description": "Manage both software and code vulnerabilities", - "createdAt": "2025-06-03 19:30:59.173", - "updatedAt": "2025-06-09 03:19:38.679" - }, - { - "id": "frk_ct_683f3ecd42e62fde624c59c1", - "name": "Policy Compliance", - "description": "Ensure Compliance with Security Policies and Standards", - "createdAt": "2025-06-03 18:28:29.154", - "updatedAt": "2025-06-04 19:41:01.555" + "updatedAt": "2025-06-04 19:41:06.874", + "documentTypes": [] }, { "id": "frk_ct_683f4036b541126388e2989a", "name": "Security Governance Roles", "description": "Define Security Roles and Responsibilities", "createdAt": "2025-06-03 18:34:29.668", - "updatedAt": "2025-06-04 19:41:01.679" - }, - { - "id": "frk_ct_683f41e775f4ca03d8f6bae2", - "name": "Management Security Accountability", - "description": "Ensure Management Addresses Security Responsibilities", - "createdAt": "2025-06-03 18:41:43.467", - "updatedAt": "2025-06-04 19:41:01.801" - }, - { - "id": "frk_ct_683f42c71eea99f22f9df060", - "name": "Asset Inventory", - "description": "Maintain an Inventory of Information Assets", - "createdAt": "2025-06-03 18:45:27.396", - "updatedAt": "2025-06-04 19:41:01.922" + "updatedAt": "2025-06-04 19:41:01.679", + "documentTypes": [] }, { "id": "frk_ct_683f43a65de3b6044e63220f", "name": "Personnel Security", "description": "Screen onboard offboard securely", "createdAt": "2025-06-03 18:49:09.819", - "updatedAt": "2025-06-04 19:41:02.105" + "updatedAt": "2025-06-04 19:41:02.105", + "documentTypes": [] }, { "id": "frk_ct_683f4457b14856e700c8c25b", "name": "Disciplinary process", "description": "Establish a Disciplinary Process for Security Violations", "createdAt": "2025-06-03 18:52:06.698", - "updatedAt": "2025-06-04 19:41:02.231" + "updatedAt": "2025-06-04 19:41:02.231", + "documentTypes": [] }, { "id": "frk_ct_683f44c8074680be528353c1", "name": "Data Retention & Destruction", "description": "Follow retention; securely dispose", "createdAt": "2025-06-03 18:54:00.325", - "updatedAt": "2025-06-04 19:41:02.378" + "updatedAt": "2025-06-04 19:41:02.378", + "documentTypes": [] }, { "id": "frk_ct_683f45c5058c486f3fa5b7bc", "name": "Regulatory Liaison", "description": "Maintain Contact with Authorities", "createdAt": "2025-06-03 18:58:13.372", - "updatedAt": "2025-06-04 19:41:02.510" + "updatedAt": "2025-06-04 19:41:02.510", + "documentTypes": [] }, { "id": "frk_ct_683f464bec8bea67de7b9c31", "name": "Information Classification", "description": "Classify Information by Sensitivity", "createdAt": "2025-06-03 19:00:26.503", - "updatedAt": "2025-06-04 19:41:02.645" + "updatedAt": "2025-06-04 19:41:02.645", + "documentTypes": [] }, { "id": "frk_ct_683f46f3f181af3f93773c1d", "name": "Security Monitoring & Detection", "description": "Central SIEM with alerting", "createdAt": "2025-06-03 19:03:14.483", - "updatedAt": "2025-06-04 19:41:02.777" + "updatedAt": "2025-06-04 19:41:02.777", + "documentTypes": [] }, { "id": "frk_ct_683f47cc2faa426603d6bee8", "name": "Security Incident Management", "description": "Establish an Incident Management Policy and Procedures", "createdAt": "2025-06-03 19:06:52.138", - "updatedAt": "2025-06-04 19:41:03.035" - }, - { - "id": "frk_ct_683f484fc7b5506ab97c26af", - "name": "Risk Management", - "description": "Maintain a Risk Management Program", - "createdAt": "2025-06-03 19:09:02.849", - "updatedAt": "2025-06-04 19:41:03.156" + "updatedAt": "2025-06-04 19:41:03.035", + "documentTypes": [] }, { "id": "frk_ct_683f48ee9534e1e0a088e922", "name": "Supplier Security", "description": "Ensure Security in Supplier Relationships", "createdAt": "2025-06-03 19:11:41.449", - "updatedAt": "2025-06-04 19:41:03.278" + "updatedAt": "2025-06-04 19:41:03.278", + "documentTypes": [] }, { "id": "frk_ct_6849c343d7fbe4e71446ce78", "name": "Data Masking", "description": "Hide sensitive fields", "createdAt": "2025-06-11 17:56:19.307", - "updatedAt": "2025-06-11 17:56:19.307" - }, - { - "id": "frk_ct_68b59a16b172e5c360e57536", - "name": "GDPR", - "description": "GDPR Controls", - "createdAt": "2025-09-01 13:05:26.037", - "updatedAt": "2025-09-01 13:05:26.037" + "updatedAt": "2025-06-11 17:56:19.307", + "documentTypes": [] }, { "id": "frk_ct_68b59e50eeb9f92ce425327c", "name": "ISO", "description": "ISO Controls", "createdAt": "2025-09-01 13:23:28.289", - "updatedAt": "2025-09-01 13:23:28.289" + "updatedAt": "2025-09-01 13:23:28.289", + "documentTypes": [] }, { "id": "frk_ct_68c1eb1c5f317f452216e2d7", "name": "PCI", "description": "PCI Controls", "createdAt": "2025-09-10 21:18:19.912", - "updatedAt": "2025-09-10 21:18:19.912" + "updatedAt": "2025-09-10 21:18:19.912", + "documentTypes": [] }, { "id": "frk_ct_68cc25ac90e3fe79c1beb98d", "name": "ISO 42001", "description": "Additional ISO 42001 Controls", "createdAt": "2025-09-18 15:30:51.512", - "updatedAt": "2025-09-18 15:30:51.512" + "updatedAt": "2025-09-18 15:30:51.512", + "documentTypes": [] }, { "id": "frk_ct_68e1364141d03b5e6d70e728", "name": "NEN 7510", "description": "NEN 7510 Controls", "createdAt": "2025-10-04 14:59:12.925", - "updatedAt": "2025-10-04 14:59:12.925" + "updatedAt": "2025-10-04 14:59:12.925", + "documentTypes": [] }, { "id": "frk_ct_68e8079750107bcc63fc79d9", "name": "Encrypted Data at Rest", "description": "The organization encrypts all production databases containing customer data at rest", "createdAt": "2025-10-09 19:05:59.357", - "updatedAt": "2025-10-09 19:05:59.357" + "updatedAt": "2025-10-09 19:05:59.357", + "documentTypes": [] }, { "id": "frk_ct_68e80a11f225cb2253e31fa0", "name": "Organization Structure & Reporting Lines", "description": "Management establishes, with board oversight, structures, reporting lines, authorities, and responsibilities", "createdAt": "2025-10-09 19:16:33.433", - "updatedAt": "2025-10-09 19:16:33.433" + "updatedAt": "2025-10-09 19:16:33.433", + "documentTypes": [] }, { - "id": "frk_ct_684070f0b4f6c2036306e23c", - "name": "Network Security", - "description": "Enforce segmentation and firewalls", - "createdAt": "2025-06-04 16:14:40.321", - "updatedAt": "2025-11-19 11:44:13.157" + "id": "frk_ct_6849ba93636ff0155eb89158", + "name": "Utility Tool monitoring", + "description": "Audits the execution of privileged program", + "createdAt": "2025-06-11 17:19:15.284", + "updatedAt": "2026-04-20 15:33:55.351", + "documentTypes": [ + "infrastructure_inventory" + ] }, { "id": "frk_ct_691e53f4024ab9cc096bbc70", "name": "ISO 9001", "description": "ISO 9001 Controls", "createdAt": "2025-11-19 23:34:11.538", - "updatedAt": "2025-11-19 23:34:11.538" + "updatedAt": "2025-11-19 23:34:11.538", + "documentTypes": [] + }, + { + "id": "frk_ct_69becde6133891181f5fbfe1", + "name": "Fridge kept between 2-5", + "description": "Keep fridge between 2and 5degrees", + "createdAt": "2026-03-21 16:57:10.184", + "updatedAt": "2026-03-21 17:05:13.971", + "documentTypes": [ + "board_meeting" + ] + }, + { + "id": "frk_ct_69bed10053f2dfa2421b5e4e", + "name": "New Control", + "description": "Bla", + "createdAt": "2026-03-21 17:10:24.047", + "updatedAt": "2026-03-21 17:10:24.047", + "documentTypes": [] + }, + { + "id": "frk_ct_69dd33a6d12ae294a95e9ac1", + "name": "PCI DSS scope & cardholder data environment (CDE)", + "description": "Defines and maintains the PCI DSS scope, CDE boundary, and inventory of in-scope components; records periodic scope confirmation and significant-change reviews.", + "createdAt": "2026-04-13 18:19:18.314", + "updatedAt": "2026-04-13 18:19:18.314", + "documentTypes": [] + }, + { + "id": "frk_ct_69dd33a6c094ddd8a7268013", + "name": "PCI DSS program management", + "description": "Governs the overall PCI DSS compliance program: executive ownership, SP-specific duties, customer attestations, and coordination of PCI-driven reviews and testing cadences.", + "createdAt": "2026-04-13 18:19:18.460", + "updatedAt": "2026-04-13 18:19:18.460", + "documentTypes": [] + }, + { + "id": "frk_ct_683f4a410cf5bf6d40bf3583", + "name": "Access Rights", + "description": "Manage User Access Rights Lifecycle", + "createdAt": "2025-06-03 19:17:20.504", + "updatedAt": "2026-04-13 22:30:52.353", + "documentTypes": [ + "access_request" + ] + }, + { + "id": "frk_ct_684070f0b4f6c2036306e23c", + "name": "Network Security", + "description": "Enforce segmentation and firewalls", + "createdAt": "2025-06-04 16:14:40.321", + "updatedAt": "2026-04-20 15:33:55.130", + "documentTypes": [ + "network_diagram" + ] + }, + { + "id": "frk_ct_683f42c71eea99f22f9df060", + "name": "Asset Inventory", + "description": "Maintain an Inventory of Information Assets", + "createdAt": "2025-06-03 18:45:27.396", + "updatedAt": "2026-04-20 15:33:55.801", + "documentTypes": [ + "infrastructure_inventory" + ] + }, + { + "id": "frk_ct_683f4dd564057a97ae323c9f", + "name": "Disaster Recovery Planning", + "description": "Test DR; meet RTO/RPO", + "createdAt": "2025-06-03 19:32:37.325", + "updatedAt": "2026-04-20 17:55:13.005", + "documentTypes": [ + "board_meeting", + "tabletop_exercise" + ] + }, + { + "id": "frk_ct_683f41e775f4ca03d8f6bae2", + "name": "Management Security Accountability", + "description": "Ensure Management Addresses Security Responsibilities", + "createdAt": "2025-06-03 18:41:43.467", + "updatedAt": "2026-04-27 17:12:09.307", + "documentTypes": [ + "rbac_matrix" + ] + }, + { + "id": "frk_ct_683f3ecd42e62fde624c59c1", + "name": "Policy Compliance", + "description": "Ensure Compliance with Security Policies and Standards", + "createdAt": "2025-06-03 18:28:29.154", + "updatedAt": "2026-04-27 17:12:14.631", + "documentTypes": [ + "rbac_matrix" + ] + }, + { + "id": "frk_ct_683f484fc7b5506ab97c26af", + "name": "Risk Management", + "description": "Maintain a Risk Management Program", + "createdAt": "2025-06-03 19:09:02.849", + "updatedAt": "2026-04-27 17:12:22.641", + "documentTypes": [ + "rbac_matrix" + ] + }, + { + "id": "frk_ct_69dd33a73264cb77236367ba", + "name": "E-commerce & payment page integrity", + "description": "Protects online payment pages from unauthorized scripts and content changes: authorized script lists, integrity/subresource controls, and monitoring for skimming-related tampering.", + "createdAt": "2026-04-13 18:19:18.749", + "updatedAt": "2026-04-13 18:19:18.749", + "documentTypes": [] + }, + { + "id": "frk_ct_69dd3265dadac07cd88ae96c", + "name": "Payment terminals & POI", + "description": "Addresses card-present capture devices: inventory (make/model/serial/location), tamper checks, staff awareness, and substitution controls—not general building access alone.", + "createdAt": "2026-04-13 18:13:56.945", + "updatedAt": "2026-04-13 18:19:18.854", + "documentTypes": [] + }, + { + "id": "frk_ct_69dd33a74b6fd1d459c4af20", + "name": "ASV & PCI assessment interfaces", + "description": "Runs the PCI external scanning channel (ASV), tracks passing scans and disputes, and interfaces with assessors (e.g. QSA) separately from day-to-day internal vulnerability scanning.", + "createdAt": "2026-04-13 18:19:18.620", + "updatedAt": "2026-04-13 22:28:31.756", + "documentTypes": [ + "penetration_test" + ] + }, + { + "id": "frk_ct_69e639b8c95150ea34dc07bf", + "name": "Physical & Environmental Security", + "description": "Defines and maintains physical perimeters, entry controls, environmental threat protections, cabling security, and secure siting of equipment.", + "createdAt": "2026-04-20 14:35:36.406", + "updatedAt": "2026-04-20 14:35:36.406", + "documentTypes": [] + }, + { + "id": "frk_ct_69e639b9bf66b5a6ffb17d27", + "name": "Supplier & Third-Party Security", + "description": "Manages supplier due diligence, contract clauses, ongoing monitoring, and supply-chain risk for ICT services.", + "createdAt": "2026-04-20 14:35:36.585", + "updatedAt": "2026-04-20 14:35:36.585", + "documentTypes": [] + }, + { + "id": "frk_ct_69e639b9d5ced482c12ae932", + "name": "Business Continuity & ICT Readiness", + "description": "Extends DR to include BIA, continuity strategy, tabletop/real exercises, and ICT readiness commitments per service tier.", + "createdAt": "2026-04-20 14:35:36.850", + "updatedAt": "2026-04-20 14:35:36.850", + "documentTypes": [] + }, + { + "id": "frk_ct_69e639b9148c96a37c8936fc", + "name": "Legal, Regulatory & IP Compliance", + "description": "Maintains an obligations register for applicable laws, regulations, contracts, and IP; tracks assurance for PII handling.", + "createdAt": "2026-04-20 14:35:37.106", + "updatedAt": "2026-04-20 15:31:42.642", + "documentTypes": [ + "board_meeting", + "meeting" + ] + }, + { + "id": "frk_ct_69e639b90a3bf8c1443cbf5b", + "name": "Risk Management", + "description": "Formal risk identification, assessment, treatment, and monitoring process, including risk register and treatment plans.", + "createdAt": "2026-04-20 14:35:36.757", + "updatedAt": "2026-04-20 15:33:55.473", + "documentTypes": [ + "tabletop_exercise" + ] + }, + { + "id": "frk_ct_69e639b96ad6c5e729676acb", + "name": "Internal Audit & Management Review", + "description": "Plans and executes internal ISMS audits, tracks findings, and facilitates periodic management review of ISMS effectiveness.", + "createdAt": "2026-04-20 14:35:36.934", + "updatedAt": "2026-04-20 15:33:55.598", + "documentTypes": [ + "tabletop_exercise", + "infrastructure_inventory", + "rbac_matrix", + "access_request" + ] + }, + { + "id": "frk_ct_683f4d7360a876b972aba39a", + "name": "Vulnerability Management", + "description": "Manage both software and code vulnerabilities", + "createdAt": "2025-06-03 19:30:59.173", + "updatedAt": "2026-04-20 15:33:55.918", + "documentTypes": [ + "penetration_test" + ] + }, + { + "id": "frk_ct_69e65ef9c20933590d85cc31", + "name": "Physical & Environmental Security", + "description": "Defines and maintains physical perimeters, entry controls, environmental threat protections, cabling security, and secure siting of equipment.", + "createdAt": "2026-04-20 17:14:33.358", + "updatedAt": "2026-04-20 17:14:33.358", + "documentTypes": [] + }, + { + "id": "frk_ct_69e669af7fd9ef27754dc041", + "name": "Encrypted Data at Rest", + "description": "The organization encrypts all production databases containing customer data at rest", + "createdAt": "2026-04-20 18:00:14.801", + "updatedAt": "2026-04-20 18:00:14.801", + "documentTypes": [] + }, + { + "id": "frk_ct_69e6766bd8ca18f572d4c34f", + "name": "Scope & Governance", + "description": "Defines the scope and boundaries of the Information Security Management System (ISMS), including internal and external context, interested parties, and the organizational roles, responsibilities, and authorities that lead information security. Establishes top-management commitment and the governance structure that keeps the ISMS aligned with the business.", + "createdAt": "2026-04-20 18:54:35.207", + "updatedAt": "2026-04-20 18:54:35.207", + "documentTypes": [] + }, + { + "id": "frk_ct_69e6766b7c6c7a214eea9c3c", + "name": "Statement of Applicability (SoA)", + "description": "Produces and maintains the ISO 27001 Statement of Applicability: the authoritative list of every Annex A control showing whether it is included or excluded from the ISMS, the justification for each decision, and the current implementation status. Updated whenever risk treatment decisions change.", + "createdAt": "2026-04-20 18:54:35.277", + "updatedAt": "2026-04-20 18:54:35.277", + "documentTypes": [] + }, + { + "id": "frk_ct_69e6766b4fd2b466bf7686cf", + "name": "Performance Monitoring & Measurement", + "description": "Measures how well the ISMS is achieving its intended outcomes by defining security metrics and KPIs (e.g. control coverage, incident MTTD/MTTR, training completion, audit findings aging), collecting results on a defined cadence, and reporting them to management. Evaluates compliance with legal, regulatory, and contractual requirements over time.", + "createdAt": "2026-04-20 18:54:35.339", + "updatedAt": "2026-04-20 18:54:35.339", + "documentTypes": [] + }, + { + "id": "frk_ct_69e6766bd483954a1f0b8445", + "name": "Continual Improvement & Corrective Action", + "description": "Captures nonconformities identified through audits, incidents, management reviews, or day-to-day operations, performs root-cause analysis, and drives corrective and preventive actions to completion. Feeds lessons learned back into policies, controls, and the risk register so the ISMS improves over time.", + "createdAt": "2026-04-20 18:54:35.391", + "updatedAt": "2026-04-20 18:54:35.391", + "documentTypes": [] + }, + { + "id": "frk_ct_69e676cf185023edccc55755", + "name": "Scope & Governance", + "description": "Defines the scope and boundaries of the Information Security Management System (ISMS), including internal and external context, interested parties, and the organizational roles, responsibilities, and authorities that lead information security. Establishes top-management commitment and the governance structure that keeps the ISMS aligned with the business.", + "createdAt": "2026-04-20 18:56:15.151", + "updatedAt": "2026-04-20 18:56:15.151", + "documentTypes": [] + }, + { + "id": "frk_ct_69e6789971bc8d38d8df1c7c", + "name": " Accountability and governance", + "description": "", + "createdAt": "2026-04-20 19:03:53.126", + "updatedAt": "2026-04-20 19:03:53.126", + "documentTypes": [] + }, + { + "id": "frk_ct_69e678bab215222879333e90", + "name": " Accountability and governance", + "description": "", + "createdAt": "2026-04-20 19:04:25.931", + "updatedAt": "2026-04-20 19:04:25.931", + "documentTypes": [] + }, + { + "id": "frk_ct_69e678c48b22e4ca14c99684", + "name": " Accountability and governance", + "description": " Accountability and governance", + "createdAt": "2026-04-20 19:04:36.248", + "updatedAt": "2026-04-20 19:04:36.248", + "documentTypes": [] + }, + { + "id": "frk_ct_69e69e7b48867208ff473273", + "name": " Privacy rights", + "description": "", + "createdAt": "2026-04-20 21:45:30.896", + "updatedAt": "2026-04-20 21:45:30.896", + "documentTypes": [] + }, + { + "id": "frk_ct_69e914db8cd2039367ccbf0f", + "name": "ASV Scanning", + "description": "Engage a PCI SSC Approved Scanning Vendor (ASV) to perform external vulnerability scans at least quarterly and after any significant change, and remediate findings to meet ASV passing criteria.", + "createdAt": "2026-04-22 18:35:07.366", + "updatedAt": "2026-04-22 18:35:07.366", + "documentTypes": [] + }, + { + "id": "frk_ct_69e918e7f403f696c2577de1", + "name": "Lawful Basis Register", + "description": "Document and maintain a register of the lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests) relied on for each processing activity, including the assessment supporting the chosen basis.", + "createdAt": "2026-04-22 18:52:22.734", + "updatedAt": "2026-04-22 18:52:22.734", + "documentTypes": [] + }, + { + "id": "frk_ct_69e918e7f7739946f5034799", + "name": "Privacy Notice", + "description": "Publish a clear, concise, and accessible privacy notice that describes processing activities, lawful bases, data subject rights, recipients, retention, international transfers, and contact details for the controller and DPO. Review and update on material changes.", + "createdAt": "2026-04-22 18:52:23.184", + "updatedAt": "2026-04-22 18:52:23.184", + "documentTypes": [] + }, + { + "id": "frk_ct_69e918e805776785f8f80a14", + "name": "Privacy by Design and by Default", + "description": "Embed data protection principles into the design of systems and processes. Require privacy review at product inception and at every change that affects personal data processing, and default all settings to the most privacy-protective option.", + "createdAt": "2026-04-22 18:52:23.661", + "updatedAt": "2026-04-22 18:52:23.661", + "documentTypes": [] + }, + { + "id": "frk_ct_69e639b958a20954c4afa186", + "name": "Human Resources Security", + "description": "Owns pre-employment screening, confidentiality agreements, awareness training curriculum, and disciplinary handling for security violations.", + "createdAt": "2026-04-20 14:35:36.677", + "updatedAt": "2026-04-30 21:36:55.261", + "documentTypes": [ + "employee_performance_evaluation" + ] + }, + { + "id": "frk_ct_69e918e8cc289b978f31a12a", + "name": "Data Minimization, Encryption, and Pseudonymization", + "description": "Limit personal data collected to what is necessary for the processing purpose. Encrypt personal data in transit and at rest, and pseudonymize or anonymize personal data wherever feasible.", + "createdAt": "2026-04-22 18:52:24.037", + "updatedAt": "2026-04-22 18:52:24.037", + "documentTypes": [] + }, + { + "id": "frk_ct_69e918e94e68c0fb15ee98d0", + "name": "Personal Data Breach Response Procedure", + "description": "Maintain and test an incident response procedure that detects, assesses, and documents personal data breaches, notifies the relevant supervisory authority within 72 hours, and notifies affected data subjects when the breach is likely to result in high risk to their rights and freedoms.", + "createdAt": "2026-04-22 18:52:25.287", + "updatedAt": "2026-04-22 18:52:25.287", + "documentTypes": [] + }, + { + "id": "frk_ct_69e918e8c57e2f6756c995ca", + "name": "Information Security Policy and Awareness Training", + "description": "Maintain an internal information security policy covering access control, acceptable use, and personal data handling. Deliver data protection awareness training to personnel at onboarding and at least annually.", + "createdAt": "2026-04-22 18:52:24.472", + "updatedAt": "2026-04-22 18:52:24.472", + "documentTypes": [] + }, + { + "id": "frk_ct_69e918ea7bd6df3b3cdd2ddc", + "name": "GDPR Accountability Roles and Representatives", + "description": "Designate an owner accountable for GDPR compliance. Where required, appoint a Data Protection Officer and, for controllers or processors established outside the EU, appoint an EU representative. Maintain documented responsibilities and contact details.", + "createdAt": "2026-04-22 18:52:25.760", + "updatedAt": "2026-04-22 18:52:25.760", + "documentTypes": [] + }, + { + "id": "frk_ct_69e918eaa930d07ea41dd0d0", + "name": "Data Processing Agreements with Third Parties", + "description": "Execute a written Data Processing Agreement with every processor that handles personal data on behalf of the organization, including the subject matter, duration, purpose, type of personal data, obligations of the processor, sub-processor rules, and data return or deletion at end of service.", + "createdAt": "2026-04-22 18:52:26.128", + "updatedAt": "2026-04-22 18:52:26.128", + "documentTypes": [] + }, + { + "id": "frk_ct_69e918eb724c553d2e5749ea", + "name": "Data Subject Rights Request Workflow", + "description": "Provide a documented, accessible workflow for data subjects to exercise their rights of access, rectification, erasure, restriction, portability, and objection. Verify identity, respond within one month (extendable by two months where justified), and log each request and its outcome.", + "createdAt": "2026-04-22 18:52:26.576", + "updatedAt": "2026-04-22 18:52:26.576", + "documentTypes": [] + }, + { + "id": "frk_ct_69e918eb8f6e80605d3fa3e5", + "name": "Automated Decision-Making Safeguards", + "description": "Identify processing activities involving solely automated decision-making (including profiling) with legal or similarly significant effects. Provide data subjects with meaningful information about the logic, the right to human intervention, to express their point of view, and to contest the decision.", + "createdAt": "2026-04-22 18:52:26.922", + "updatedAt": "2026-04-22 18:52:26.922", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dac2ff1cd0bfe0c8614", + "name": "AI Organizational Context", + "description": "Determine and maintain a record of external and internal issues relevant to the organization's purpose that affect its ability to achieve the intended outcomes of the AI management system (AIMS), including the role of the organization (e.g. AI provider, developer, deployer, user, subject).", + "createdAt": "2026-04-23 21:22:52.179", + "updatedAt": "2026-04-23 21:22:52.179", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dad9910710084d184a2", + "name": "AI Interested Parties", + "description": "Identify interested parties relevant to the AIMS, their needs and expectations, and determine which of those requirements will be addressed through the AI management system.", + "createdAt": "2026-04-23 21:22:53.084", + "updatedAt": "2026-04-23 21:22:53.084", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8daea335821ba4148123", + "name": "AIMS Scope Definition", + "description": "Define and document the boundaries and applicability of the AI management system, considering external/internal issues, interested-party requirements, organizational activities, and the role of the organization in the AI lifecycle.", + "createdAt": "2026-04-23 21:22:53.937", + "updatedAt": "2026-04-23 21:22:53.937", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8daf133ebd28ca732b9d", + "name": "AI Management System Establishment", + "description": "Establish, implement, maintain and continually improve an AI management system, including the processes needed and their interactions, in accordance with ISO/IEC 42001.", + "createdAt": "2026-04-23 21:22:54.821", + "updatedAt": "2026-04-23 21:22:54.821", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8db0b7f88f1ce0079240", + "name": "AI Leadership Commitment", + "description": "Top management demonstrates leadership and commitment to the AIMS by ensuring AI policy and objectives are established, AIMS requirements are integrated into business processes, resources are available, and the effectiveness of the AIMS is communicated.", + "createdAt": "2026-04-23 21:22:55.746", + "updatedAt": "2026-04-23 21:22:55.746", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8db16a12eecb3f3a5ecb", + "name": "AI Policy", + "description": "Establish, approve, communicate, and make available a documented AI policy that is appropriate to the organization's purpose, provides a framework for AI objectives, and includes commitments to satisfy applicable requirements and continually improve the AIMS.", + "createdAt": "2026-04-23 21:22:56.581", + "updatedAt": "2026-04-23 21:22:56.581", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8db2c7ed1af765c5981d", + "name": "AI Policy Alignment with Other Organizational Policies", + "description": "Ensure the AI policy is aligned with and complements related organizational policies (e.g. information security, privacy, quality, risk management, ethics) and that conflicts are identified and resolved.", + "createdAt": "2026-04-23 21:22:57.841", + "updatedAt": "2026-04-23 21:22:57.841", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8db3571415b8485b6976", + "name": "AI Policy Review", + "description": "Review the AI policy at planned intervals and when significant changes occur to ensure its continuing suitability, adequacy and effectiveness, and update it as required.", + "createdAt": "2026-04-23 21:22:58.691", + "updatedAt": "2026-04-23 21:22:58.691", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8db4a22bb4f0e4c649e1", + "name": "AI Organizational Roles, Responsibilities and Authorities", + "description": "Assign, document and communicate responsibilities and authorities for roles relevant to the AIMS, ensuring accountability for AI policy conformance, AIMS performance reporting, and AI system outcomes.", + "createdAt": "2026-04-23 21:22:59.530", + "updatedAt": "2026-04-23 21:22:59.530", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8db5182a7a6a4ad28ce1", + "name": "AI Concern Reporting", + "description": "Establish and operate a mechanism enabling personnel and external parties to report concerns about the organization's AI systems (including ethical, legal, safety and societal concerns) without fear of reprisal, with defined triage and response procedures.", + "createdAt": "2026-04-23 21:23:00.996", + "updatedAt": "2026-04-23 21:23:00.996", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8db62ab22968f85f85f6", + "name": "AI Risk and Opportunity Actions", + "description": "Determine risks and opportunities that need to be addressed to give assurance the AIMS can achieve its intended outcomes, prevent undesired effects, and drive improvement; plan actions to address them and integrate them into AIMS processes.", + "createdAt": "2026-04-23 21:23:01.768", + "updatedAt": "2026-04-23 21:23:01.768", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8db77c8dd4b36c9ac007", + "name": "AI Risk Assessment", + "description": "Establish and maintain an AI risk assessment process (criteria, identification, analysis, evaluation) specific to AI systems, and retain documented information of its results. Perform AI risk assessments at planned intervals and when significant changes occur.", + "createdAt": "2026-04-23 21:23:02.585", + "updatedAt": "2026-04-23 21:23:02.585", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8db865093703fdf71fc7", + "name": "AI Risk Treatment", + "description": "Define and implement an AI risk treatment process to select treatment options, determine controls, produce a Statement of Applicability, and formulate an AI risk treatment plan. Implement the treatment plan and retain documented information of the results.", + "createdAt": "2026-04-23 21:23:03.753", + "updatedAt": "2026-04-23 21:23:03.753", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8db92daf193f6aba0348", + "name": "AI System Impact Assessment Process", + "description": "Establish and maintain a documented process to assess the potential consequences for individuals, groups and society of the development, provision or use of AI systems, covering intended and reasonably foreseeable misuse scenarios.", + "createdAt": "2026-04-23 21:23:05.149", + "updatedAt": "2026-04-23 21:23:05.149", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dbbf19cd6ba156e97bd", + "name": "AI System Impact Assessment Documentation", + "description": "Document the results of each AI system impact assessment and retain the records in accordance with the documented information requirements of the AIMS; make results available to relevant interested parties as appropriate.", + "createdAt": "2026-04-23 21:23:07.233", + "updatedAt": "2026-04-23 21:23:07.233", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dbccf28e8a000ba1934", + "name": "Assessing AI System Impact on Individuals and Groups", + "description": "Assess potential impacts of AI systems on individuals and groups of individuals, including fairness, discrimination, human rights, health, safety and wellbeing, and incorporate results into design, deployment and operational decisions.", + "createdAt": "2026-04-23 21:23:08.072", + "updatedAt": "2026-04-23 21:23:08.072", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dd6097d1766ac51e294", + "name": "AI Data Provenance", + "description": "Record and maintain the provenance of data used in AI systems (source, transformations, lineage, handling history) to support reproducibility, accountability and impact assessment.", + "createdAt": "2026-04-23 21:23:34.319", + "updatedAt": "2026-04-23 21:23:34.319", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dbdbd2ce5e539a326fa", + "name": "Assessing Societal Impacts of AI Systems", + "description": "Assess potential societal impacts of AI systems (including economic, environmental, cultural and democratic impacts) and consider mitigations in the design, deployment and operation of the system.", + "createdAt": "2026-04-23 21:23:08.850", + "updatedAt": "2026-04-23 21:23:08.850", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dbe99f14797e50f9685", + "name": "AI Objectives and Planning", + "description": "Establish measurable AI objectives at relevant functions and levels, consistent with the AI policy. Plan how they will be achieved: what will be done, what resources, who is responsible, when completed, and how results evaluated.", + "createdAt": "2026-04-23 21:23:09.905", + "updatedAt": "2026-04-23 21:23:09.905", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dbfb341d9b1021c8897", + "name": "AI Change Planning", + "description": "Plan changes to the AIMS in a controlled manner, considering purpose, potential consequences, integrity, resources and allocation of responsibilities, before changes are implemented.", + "createdAt": "2026-04-23 21:23:10.790", + "updatedAt": "2026-04-23 21:23:10.790", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dc048654718cfb1d12c", + "name": "AI Resources", + "description": "Determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the AIMS, including people, infrastructure, data, computing, tooling and budget.", + "createdAt": "2026-04-23 21:23:11.621", + "updatedAt": "2026-04-23 21:23:11.621", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dc1f55bd5e338716f16", + "name": "AI Resource Documentation", + "description": "Document the resources used for AI systems (data, tooling, system/computing resources, human resources) including their intended use, owner, sensitivity and lifecycle, and maintain the documentation up to date.", + "createdAt": "2026-04-23 21:23:12.671", + "updatedAt": "2026-04-23 21:23:12.671", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dc2e0fd4e97481baafd", + "name": "AI Data Resources", + "description": "Identify, inventory and manage data resources used for AI systems (training, validation, testing, operational inputs), including ownership, classification, access, retention and intended use.", + "createdAt": "2026-04-23 21:23:13.659", + "updatedAt": "2026-04-23 21:23:13.659", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dc3a37b3f833dc7d6f3", + "name": "AI Tooling Resources", + "description": "Identify and manage tooling resources used across the AI lifecycle (frameworks, libraries, model registries, MLOps platforms), including versioning, approved-use policy and security review.", + "createdAt": "2026-04-23 21:23:14.591", + "updatedAt": "2026-04-23 21:23:14.591", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dc4c401188497d417c2", + "name": "AI System and Computing Resources", + "description": "Identify and manage system and computing resources supporting AI systems (compute, storage, networking, accelerators), including capacity planning, environmental isolation and secure configuration.", + "createdAt": "2026-04-23 21:23:15.623", + "updatedAt": "2026-04-23 21:23:15.623", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dc5682f9f3146944252", + "name": "AI Human Resources", + "description": "Document the human resources and competencies needed to develop, deploy, operate, maintain and oversee AI systems, including role profiles, training expectations and human oversight responsibilities.", + "createdAt": "2026-04-23 21:23:16.571", + "updatedAt": "2026-04-23 21:23:16.571", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dc6f10b53075c3beacb", + "name": "AI Competence", + "description": "Determine competence required for AI-related roles, ensure personnel are competent on the basis of appropriate education, training or experience, take actions to close competence gaps, and retain evidence of competence.", + "createdAt": "2026-04-23 21:23:17.543", + "updatedAt": "2026-04-23 21:23:17.543", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dc667172a41022fcf27", + "name": "AI Awareness", + "description": "Ensure persons doing work under the organization's control are aware of the AI policy, their contribution to AIMS effectiveness, implications of non-conformance, and the potential impacts of AI systems they develop, deploy or use.", + "createdAt": "2026-04-23 21:23:18.443", + "updatedAt": "2026-04-23 21:23:18.443", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dc718a407d992cda795", + "name": "AI Communication", + "description": "Determine internal and external communications relevant to the AIMS, including what, when, with whom, how and by whom communications take place, covering AI system behavior, incidents, and stakeholder information.", + "createdAt": "2026-04-23 21:23:19.450", + "updatedAt": "2026-04-23 21:23:19.450", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dc8ec4ced8e76b114c0", + "name": "AIMS Documented Information", + "description": "Establish and control the documented information required by ISO/IEC 42001 and determined by the organization as necessary for AIMS effectiveness, including creation, update, identification, review, approval, access and retention.", + "createdAt": "2026-04-23 21:23:20.391", + "updatedAt": "2026-04-23 21:23:20.391", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dcaa9b51a2b1e5f2abd", + "name": "AI Operational Planning and Control", + "description": "Plan, implement and control the processes needed to meet AIMS requirements and to implement the actions determined in Clause 6, including criteria, documented information and control of changes and outsourced processes.", + "createdAt": "2026-04-23 21:23:22.151", + "updatedAt": "2026-04-23 21:23:22.151", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dcb210958cb72f499f2", + "name": "Responsible AI Development Objectives", + "description": "Establish objectives for the responsible development of AI systems (e.g. fairness, reliability, safety, security, privacy, transparency, explainability, accountability, environmental impact) and ensure development activities are directed to meet them.", + "createdAt": "2026-04-23 21:23:23.066", + "updatedAt": "2026-04-23 21:23:23.066", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dccd7c01c6d2503448b", + "name": "Trustworthy AI Design and Development Processes", + "description": "Define and apply processes for the trustworthy design and development of AI systems that translate the organization's responsible-development objectives into concrete design, engineering and review activities.", + "createdAt": "2026-04-23 21:23:24.060", + "updatedAt": "2026-04-23 21:23:24.060", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dcd4cffcf9dd949ca02", + "name": "AI System Requirements and Specification", + "description": "Define, document and approve requirements and specifications for AI systems, including intended purpose, performance, safety, security, privacy, fairness, transparency, human oversight and applicable regulatory requirements.", + "createdAt": "2026-04-23 21:23:24.936", + "updatedAt": "2026-04-23 21:23:24.936", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dcef8ff3c2ed55ea14a", + "name": "AI System Design and Development Documentation", + "description": "Document the design and development of AI systems (data, architecture, training procedures, parameters, evaluation, known limitations) sufficient to enable assessment, reproduction and ongoing oversight.", + "createdAt": "2026-04-23 21:23:25.908", + "updatedAt": "2026-04-23 21:23:25.908", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dcfcba021703a55bf97", + "name": "AI System Verification and Validation", + "description": "Define and apply verification and validation measures for AI systems (functional testing, performance, robustness, fairness, safety, security, privacy) and criteria for acceptance before deployment and after significant changes.", + "createdAt": "2026-04-23 21:23:26.814", + "updatedAt": "2026-04-23 21:23:26.814", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dd0de2f746bb95acd4b", + "name": "AI System Deployment", + "description": "Control the deployment of AI systems, including release criteria, staged rollout, approvals, rollback procedures, and readiness of operational and monitoring controls before go-live.", + "createdAt": "2026-04-23 21:23:27.765", + "updatedAt": "2026-04-23 21:23:27.765", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dd148f84ea6656bce7d", + "name": "AI System Operation and Monitoring", + "description": "Operate and monitor AI systems in production for performance, drift, reliability, safety, security and ethical outcomes; define metrics, thresholds, alerting and response procedures.", + "createdAt": "2026-04-23 21:23:28.747", + "updatedAt": "2026-04-23 21:23:28.747", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dd28d9b23fd806840e7", + "name": "AI System Technical Documentation", + "description": "Produce and maintain technical documentation for each AI system (intended use, capabilities, limitations, training/evaluation data, risk information) appropriate to support interested parties and regulators.", + "createdAt": "2026-04-23 21:23:29.776", + "updatedAt": "2026-04-23 21:23:29.776", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dd38d7945cd54758b49", + "name": "AI System Event Logging", + "description": "Record event logs generated by AI systems (inputs, outputs, decisions, user interactions, system events) with sufficient integrity, retention and access control to support monitoring, incident response and accountability.", + "createdAt": "2026-04-23 21:23:30.669", + "updatedAt": "2026-04-23 21:23:30.669", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dd44d3b368f85df728c", + "name": "Data for AI Development and Enhancement", + "description": "Define requirements and controls for data used to develop and enhance AI systems, including suitability for purpose, representativeness, access, versioning and change management.", + "createdAt": "2026-04-23 21:23:31.574", + "updatedAt": "2026-04-23 21:23:31.574", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dd5a750b30e2eb69d18", + "name": "AI Data Acquisition", + "description": "Define and apply controls for acquiring data used in AI systems, including lawful basis, contractual rights, licensing, ethical sourcing, consent where required, and documentation of acquisition criteria.", + "createdAt": "2026-04-23 21:23:32.528", + "updatedAt": "2026-04-23 21:23:32.528", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dd54053dfd453b9dc4a", + "name": "AI Data Quality", + "description": "Define and maintain data-quality requirements for AI systems (accuracy, completeness, consistency, timeliness, relevance, bias), and perform periodic data-quality assessments with remediation.", + "createdAt": "2026-04-23 21:23:33.454", + "updatedAt": "2026-04-23 21:23:33.454", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dd7f551ad7a56706b46", + "name": "AI Data Preparation", + "description": "Document and control data preparation activities (cleaning, labeling, annotation, transformation, augmentation, splitting) including rationale, tooling, reviewers and acceptance criteria.", + "createdAt": "2026-04-23 21:23:35.182", + "updatedAt": "2026-04-23 21:23:35.182", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dd8aa91ceac379fa2c3", + "name": "AI System Documentation and Information for Users", + "description": "Provide users of AI systems with the information needed to use the system appropriately, including intended purpose, capabilities, limitations, data requirements, human-oversight responsibilities and known risks.", + "createdAt": "2026-04-23 21:23:36.161", + "updatedAt": "2026-04-23 21:23:36.161", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dd9462f30b929260abf", + "name": "AI External Reporting", + "description": "Define and operate processes for external reporting relating to AI systems (regulators, customers, the public) including triggering conditions, content, approval and distribution channels.", + "createdAt": "2026-04-23 21:23:36.996", + "updatedAt": "2026-04-23 21:23:36.996", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dda97d0010af0cf826d", + "name": "AI Incident Communication", + "description": "Define and operate a process for communicating AI system incidents to affected interested parties (internal stakeholders, users, subjects, suppliers, authorities) in a timely and appropriate manner.", + "createdAt": "2026-04-23 21:23:37.843", + "updatedAt": "2026-04-23 21:23:37.843", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8ddbb737f1f09bbcd82e", + "name": "Information for Interested Parties", + "description": "Determine and provide relevant information about AI systems to interested parties (including data subjects and affected communities) commensurate with their role and the potential impact of the system.", + "createdAt": "2026-04-23 21:23:38.808", + "updatedAt": "2026-04-23 21:23:38.808", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8ddce361e7f7eb0fc2b9", + "name": "Responsible AI Use Processes", + "description": "Establish processes for the responsible use of AI systems within the organization, including acceptable-use guidance, human-oversight requirements, escalation paths and periodic review.", + "createdAt": "2026-04-23 21:23:39.820", + "updatedAt": "2026-04-23 21:23:39.820", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dddda00d3522c538085", + "name": "Responsible AI Use Objectives", + "description": "Define and communicate objectives for the responsible use of AI systems (e.g. accountability, transparency, human oversight, harm prevention) and measure progress against them.", + "createdAt": "2026-04-23 21:23:40.793", + "updatedAt": "2026-04-23 21:23:40.793", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8dde7453dbed221162e8", + "name": "Intended Use of AI System", + "description": "Determine, document and communicate the intended use of each AI system and the conditions of such use; take measures to prevent and respond to reasonably foreseeable misuse.", + "createdAt": "2026-04-23 21:23:41.657", + "updatedAt": "2026-04-23 21:23:41.657", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8ddf8ba2e517ab4a366d", + "name": "AI Third-Party Responsibility Allocation", + "description": "Identify and document roles and responsibilities among the organization, suppliers, partners and customers across the AI lifecycle, including obligations relating to impact assessment, monitoring and incident handling.", + "createdAt": "2026-04-23 21:23:42.517", + "updatedAt": "2026-04-23 21:23:42.517", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8ddf2226651c7382d81c", + "name": "AI Suppliers", + "description": "Define and apply criteria and controls for AI-related suppliers (model, data, tooling, service providers), including due diligence, contractual obligations, monitoring and offboarding.", + "createdAt": "2026-04-23 21:23:43.415", + "updatedAt": "2026-04-23 21:23:43.415", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8de02be9da8bf00ad0aa", + "name": "AI Customers", + "description": "Provide customers with the information and mechanisms needed for the responsible use of AI systems, including intended use, limitations, required human oversight, and channels for feedback and incident reporting.", + "createdAt": "2026-04-23 21:23:44.268", + "updatedAt": "2026-04-23 21:23:44.268", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8de1bd41309fdbe08e20", + "name": "AI Performance Monitoring, Measurement, Analysis and Evaluation", + "description": "Determine what needs monitoring and measurement for the AIMS and for individual AI systems, methods, when performed, when analyzed/evaluated, and retain evidence of the results.", + "createdAt": "2026-04-23 21:23:45.072", + "updatedAt": "2026-04-23 21:23:45.072", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8de2d97d1f09cc61b896", + "name": "AI Internal Audit", + "description": "Plan, establish, implement and maintain an internal audit program for the AIMS, including frequency, methods, responsibilities, criteria and scope; conduct audits, report results and retain evidence.", + "createdAt": "2026-04-23 21:23:45.909", + "updatedAt": "2026-04-23 21:23:45.909", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8de302274112e7ccc264", + "name": "AI Management Review", + "description": "Top management reviews the AIMS at planned intervals, considering the required inputs (status of actions, changes, performance, risks, opportunities, improvement), and produces outputs on decisions and improvements.", + "createdAt": "2026-04-23 21:23:47.180", + "updatedAt": "2026-04-23 21:23:47.180", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8de5cc73e611573e6db4", + "name": "AI Continual Improvement", + "description": "Continually improve the suitability, adequacy and effectiveness of the AIMS, including the AI policy, objectives, risk treatments and controls, based on audit results, monitoring, review and lessons learned.", + "createdAt": "2026-04-23 21:23:48.839", + "updatedAt": "2026-04-23 21:23:48.839", + "documentTypes": [] + }, + { + "id": "frk_ct_69ea8de6018b6b80d862c906", + "name": "AI Nonconformity and Corrective Action", + "description": "When a nonconformity occurs (including from an AI incident), react, evaluate the need for action to eliminate the cause, implement corrective actions, review effectiveness and update the AIMS as needed.", + "createdAt": "2026-04-23 21:23:49.838", + "updatedAt": "2026-04-23 21:23:49.838", + "documentTypes": [] + }, + { + "id": "frk_ct_69e918e9be6da6eba7d0ea4e", + "name": "Data Protection Impact Assessment Process", + "description": "Maintain a documented DPIA methodology with criteria for when an assessment is required (e.g., high-risk processing, new technologies, systematic monitoring). Retain DPIA records and consult the supervisory authority when residual risk remains high.", + "createdAt": "2026-04-22 18:52:24.847", + "updatedAt": "2026-04-23 23:20:37.875", + "documentTypes": [ + "risk_committee_meeting", + "tabletop_exercise" + ] + }, + { + "id": "frk_ct_69e918e6d72a45b4f933a112", + "name": "Data Inventory and Mapping", + "description": "Maintain a documented inventory of personal data processed by the organization, including data categories, sources, purposes, legal basis, recipients, retention periods, and who has access to each data set. Review at least annually and on material changes to processing activities.", + "createdAt": "2026-04-22 18:52:22.361", + "updatedAt": "2026-04-23 23:22:07.864", + "documentTypes": [ + "access_request", + "rbac_matrix" + ] + }, + { + "id": "frk_ct_69eb876ea13506b36fd63a3e", + "name": "HIPAA Security Program Governance", + "description": "Establish and maintain the organization's HIPAA security program, including general security standards, security official designation, policy documentation, and retention requirements.", + "createdAt": "2026-04-24 15:08:29.644", + "updatedAt": "2026-04-24 15:08:29.644", + "documentTypes": [] + }, + { + "id": "frk_ct_69eb876ec7f4fc346ff10b12", + "name": "Risk Analysis & Management", + "description": "Conduct risk analysis, implement risk management measures sufficient to reduce risks to a reasonable level, and periodically evaluate security controls.", + "createdAt": "2026-04-24 15:08:30.167", + "updatedAt": "2026-04-24 15:08:30.167", + "documentTypes": [] + }, + { + "id": "frk_ct_69eb876f6362393759ecd351", + "name": "Workforce Security & Sanctions", + "description": "Authorize, supervise, and manage workforce access to ePHI including clearance procedures, termination, and sanctions for non-compliance.", + "createdAt": "2026-04-24 15:08:30.533", + "updatedAt": "2026-04-24 15:08:30.533", + "documentTypes": [] + }, + { + "id": "frk_ct_69eb876f3270ed0b11233ece", + "name": "Security Awareness & Training", + "description": "Implement a security awareness and training program including periodic security reminders, protection from malicious software, login monitoring, and password management.", + "createdAt": "2026-04-24 15:08:31.066", + "updatedAt": "2026-04-24 15:08:31.066", + "documentTypes": [] + }, + { + "id": "frk_ct_69eb87703649e5234a56d529", + "name": "Business Associate Management", + "description": "Establish and maintain written agreements (BAAs) with business associates and subcontractors that create, receive, maintain, or transmit ePHI, ensuring satisfactory assurances of compliance.", + "createdAt": "2026-04-24 15:08:31.949", + "updatedAt": "2026-04-24 15:08:31.949", + "documentTypes": [] + }, + { + "id": "frk_ct_69eb877091d96bcaeae40219", + "name": "Physical Facility Security", + "description": "Implement policies and procedures to limit physical access to electronic information systems and the facilities in which they are housed, including contingency operations, facility security plans, access controls, and maintenance records.", + "createdAt": "2026-04-24 15:08:32.455", + "updatedAt": "2026-04-24 15:08:32.455", + "documentTypes": [] + }, + { + "id": "frk_ct_69eb87717ae82d509fb927ed", + "name": "Device & Media Controls", + "description": "Implement policies and procedures governing the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, including disposal, re-use, accountability, and data backup.", + "createdAt": "2026-04-24 15:08:32.904", + "updatedAt": "2026-04-24 15:08:32.904", + "documentTypes": [] + }, + { + "id": "frk_ct_69eb87701093fde54e1169dc", + "name": "Contingency Plan Operations", + "description": "Establish and test procedures for responding to emergencies or failures that damage systems containing ePHI, including emergency mode operation, testing, and criticality analysis.", + "createdAt": "2026-04-24 15:08:31.504", + "updatedAt": "2026-04-24 15:18:01.227", + "documentTypes": [ + "tabletop_exercise" + ] + }, + { + "id": "frk_ct_69efd5a32e52c113f97254db", + "name": "CCPA-Compliant Privacy Policy", + "description": "Maintain and publish a privacy policy that discloses categories of personal information collected, sources, business or commercial purposes, categories of recipients, consumer rights under CCPA/CPRA, the methods to exercise those rights, and contact information for privacy inquiries. Review and update at least every 12 months.", + "createdAt": "2026-04-27 21:31:15.380", + "updatedAt": "2026-04-27 21:31:15.380", + "documentTypes": [] + }, + { + "id": "frk_ct_69efd5aac8f24094878ff701", + "name": "Right to Opt-Out of Sale or Sharing", + "description": "Establish a process to honor consumer opt-out requests for the sale or sharing of personal information, including support for the Global Privacy Control (GPC) browser signal.", + "createdAt": "2026-04-27 21:31:22.134", + "updatedAt": "2026-04-27 21:31:22.134", + "documentTypes": [] + }, + { + "id": "frk_ct_69efd5ad9dcc82739178f525", + "name": "Right to Non-Discrimination", + "description": "Prohibit discrimination against consumers who exercise their CCPA/CPRA rights, including denial of goods/services, charging different prices, or providing a different level of quality, except where the difference is reasonably related to the value provided by the consumer's data.", + "createdAt": "2026-04-27 21:31:24.810", + "updatedAt": "2026-04-27 21:31:24.810", + "documentTypes": [] + }, + { + "id": "frk_ct_69efd5a87004249e7b6e62af", + "name": "Right to Delete Process", + "description": "Establish a process to receive, verify, and fulfill consumer requests to delete personal information, including communicating deletion requests to service providers and contractors. Document any statutory exceptions relied on for retention.", + "createdAt": "2026-04-27 21:31:19.952", + "updatedAt": "2026-04-27 21:57:22.639", + "documentTypes": [] + }, + { + "id": "frk_ct_69efd5a6e66d4c6c92fdd3df", + "name": "Right to Know Process", + "description": "Establish a process for receiving and responding to consumer requests for the categories and specific pieces of personal information collected, sources, business purposes, and third parties with whom information is shared. Respond within 45 days, with one 45-day extension as permitted.", + "createdAt": "2026-04-27 21:31:17.813", + "updatedAt": "2026-04-27 21:57:21.470", + "documentTypes": [] + }, + { + "id": "frk_ct_69efd5b1e6f19c87845f5939", + "name": "Right to Correct Process", + "description": "Establish a process for consumers to request correction of inaccurate personal information, verifying the request and using commercially reasonable efforts to correct the data and notify service providers as required by the CPRA.", + "createdAt": "2026-04-27 21:31:28.990", + "updatedAt": "2026-04-27 21:31:28.990", + "documentTypes": [] + }, + { + "id": "frk_ct_69efd5b3cdfebf7ee46a5cf7", + "name": "Right to Limit Use of Sensitive Personal Information", + "description": "Provide consumers a clear method (e.g., \"Limit the Use of My Sensitive Personal Information\" link) to restrict the use and disclosure of sensitive personal information to purposes permitted by the CPRA.", + "createdAt": "2026-04-27 21:31:30.657", + "updatedAt": "2026-04-27 21:31:30.657", + "documentTypes": [] + }, + { + "id": "frk_ct_69efd5c84ccf6f3f5bbe29bd", + "name": "CCPA Privacy Training Program", + "description": "Provide annual training to all employees handling personal information or consumer rights requests on CCPA/CPRA requirements, internal procedures for processing requests, and how to direct consumers to exercise their rights.", + "createdAt": "2026-04-27 21:31:51.784", + "updatedAt": "2026-04-27 21:31:51.784", + "documentTypes": [] + }, + { + "id": "frk_ct_69efd5cb8d9092bd71665722", + "name": "Service Provider and Contractor Agreements", + "description": "Maintain written contracts with all service providers, contractors, and third parties processing personal information that include CCPA/CPRA-required terms: limited business purpose, prohibition on selling/sharing, cooperation with consumer rights requests, and confidentiality obligations.", + "createdAt": "2026-04-27 21:31:55.110", + "updatedAt": "2026-04-27 21:31:55.110", + "documentTypes": [] + }, + { + "id": "frk_ct_69efd5cd34220c6db57b2710", + "name": "Consumer Request Records Retention", + "description": "Maintain records of all consumer requests received under the CCPA/CPRA and the business's responses for at least 24 months, including the date of receipt, nature of the request, manner in which it was responded to, and the date of response.", + "createdAt": "2026-04-27 21:31:56.814", + "updatedAt": "2026-04-27 21:31:56.814", + "documentTypes": [] + }, + { + "id": "frk_ct_69efd5ce50b1ede13c3848f2", + "name": "\"Do Not Sell or Share My Personal Information\" Link", + "description": "Provide a clear and conspicuous \"Do Not Sell or Share My Personal Information\" link on the homepage and any page collecting personal information that allows consumers to opt out of the sale or sharing of their personal information without requiring account creation.", + "createdAt": "2026-04-27 21:31:58.305", + "updatedAt": "2026-04-27 21:31:58.305", + "documentTypes": [] + }, + { + "id": "frk_ct_69efd5d1c0499ab2c136b759", + "name": "Minor Consent Management", + "description": "Before selling or sharing personal information of consumers known to be under 16, obtain affirmative opt-in consent. For consumers under 13, obtain verifiable parental consent in compliance with COPPA and CCPA/CPRA.", + "createdAt": "2026-04-27 21:32:00.557", + "updatedAt": "2026-04-27 21:32:00.557", + "documentTypes": [] + }, + { + "id": "frk_ct_69efd5e12d61c6019d213f60", + "name": "Notice at Collection", + "description": "Provide a CCPA-compliant Notice at Collection at or before the point of collection, listing the categories of personal information and sensitive personal information collected, the purposes of use, retention periods, and whether the information is sold or shared.", + "createdAt": "2026-04-27 21:32:17.049", + "updatedAt": "2026-04-27 21:32:17.049", + "documentTypes": [] + }, + { + "id": "frk_ct_69efd5e71ad52c5ab2ec069e", + "name": "Notice of Financial Incentive", + "description": "If the business offers a financial incentive or price/service difference in exchange for personal information, publish a Notice of Financial Incentive that explains the material terms, the method to opt in and withdraw, and a good-faith estimate of the value of the consumer's data.", + "createdAt": "2026-04-27 21:32:22.978", + "updatedAt": "2026-04-27 21:32:22.978", + "documentTypes": [] + }, + { + "id": "frk_ct_69efd5ee3eb484fc081cd20a", + "name": "Prominent Privacy Policy Display", + "description": "Display a clear, conspicuous link to the privacy policy on the website homepage footer and within mobile applications, ensuring it is accessible from every page that collects personal information.", + "createdAt": "2026-04-27 21:32:29.896", + "updatedAt": "2026-04-27 21:32:29.896", + "documentTypes": [] + }, + { + "id": "frk_ct_69efd5e906d5418ee6b5dc6a", + "name": "Data Breach Notification Process", + "description": "Maintain a documented breach response and notification process that meets California's data breach notification requirements (Cal. Civ. Code § 1798.82) for unauthorized acquisition of personal information, including timely consumer notification and any required Attorney General notification.", + "createdAt": "2026-04-27 21:32:24.934", + "updatedAt": "2026-04-27 21:49:53.331", + "documentTypes": [ + "tabletop_exercise" + ] + }, + { + "id": "frk_ct_69efd5d2b0758b1e1c1b6d87", + "name": "Periodic CCPA Compliance Audit", + "description": "Conduct documented audits of CCPA/CPRA compliance at least annually, covering disclosures, request handling, training, vendor contracts, and security controls. Track regulatory changes and update compliance measures accordingly.", + "createdAt": "2026-04-27 21:32:02.371", + "updatedAt": "2026-04-27 21:49:57.931", + "documentTypes": [ + "risk_committee_meeting", + "meeting" + ] + }, + { + "id": "frk_ct_69efd5c9acbf83b0a500050e", + "name": "Reasonable Security Safeguards for Personal Information", + "description": "Implement and maintain reasonable technical and organizational security safeguards (e.g., access controls, encryption in transit and at rest, logging, vulnerability management) appropriate to the nature of the personal information processed, in order to protect against unauthorized access, destruction, use, modification, or disclosure.", + "createdAt": "2026-04-27 21:31:53.365", + "updatedAt": "2026-04-27 21:49:55.673", + "documentTypes": [ + "penetration_test", + "rbac_matrix" + ] + }, + { + "id": "frk_ct_69efd5c63e9c6fc1f8bec055", + "name": "Consumer Identity Verification Procedure", + "description": "Implement reasonable, risk-based identity verification procedures for consumer rights requests, matching the level of verification to the sensitivity of the data involved. Prevent fraudulent or unauthorized access to personal information.", + "createdAt": "2026-04-27 21:31:49.977", + "updatedAt": "2026-04-27 21:57:25.018", + "documentTypes": [] + }, + { + "id": "frk_ct_69efd5a163fc3dcd87372ccc", + "name": "Personal Information Inventory and Data Flow Mapping", + "description": "Maintain an up-to-date inventory of all categories of personal information the business collects, stores, processes, sells, or shares. Classify data by sensitivity, identify sources and recipients, and map data flows across systems and third parties.", + "createdAt": "2026-04-27 21:31:13.217", + "updatedAt": "2026-04-27 21:49:59.459", + "documentTypes": [ + "infrastructure_inventory" + ] + }, + { + "id": "frk_ct_69f3d976c53fd192b48e6236", + "name": "Privacy Officer Designation", + "description": "Formally designate one or more individuals accountable for the organization's PIPEDA compliance, document the role and responsibilities, and publish the privacy officer's name and contact details so they can be made known on request.", + "createdAt": "2026-04-30 22:36:38.301", + "updatedAt": "2026-04-30 22:36:38.301", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d9793720eec4d4945150", + "name": "Third-Party Data Processing Agreements", + "description": "Use written contracts or other binding means to ensure third parties processing personal information on the organization's behalf provide a comparable level of privacy protection. Verify implementation through due diligence and periodic review.", + "createdAt": "2026-04-30 22:36:41.204", + "updatedAt": "2026-04-30 22:36:41.204", + "documentTypes": [] + }, + { + "id": "frk_ct_69efd5e395082fabf04e53b7", + "name": "Authorized Agent Process", + "description": "Establish a process to accept, verify, and respond to consumer rights requests submitted by an authorized agent on the consumer's behalf, including written authorization or power-of-attorney verification as permitted by the CCPA/CPRA.", + "createdAt": "2026-04-27 21:32:18.953", + "updatedAt": "2026-04-27 21:57:23.968", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d9781dacd8da2864fd17", + "name": "Privacy Awareness and Training Program", + "description": "Deliver mandatory privacy training to all staff who handle personal information, covering the organization's privacy policies, the 10 Fair Information Principles, and individual responsibilities. Track completion and refresh annually.", + "createdAt": "2026-04-30 22:36:40.156", + "updatedAt": "2026-04-30 22:36:40.156", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d97a7b80d8564339ffc5", + "name": "Documentation of Collection Purposes", + "description": "Maintain a written record of every purpose for which personal information is collected, including the specific data elements involved and the legal/business basis. Update the record whenever purposes change or are added.", + "createdAt": "2026-04-30 22:36:42.181", + "updatedAt": "2026-04-30 23:49:15.788", + "documentTypes": [ + "infrastructure_inventory" + ] + }, + { + "id": "frk_ct_69f3d97b66301a97f6b8e4a3", + "name": "Notification of Purposes at Collection", + "description": "Communicate the purposes for collecting personal information to individuals at or before the time of collection, in plain language, through standardized written notices and trained verbal scripts. Re-notify before any new use or disclosure.", + "createdAt": "2026-04-30 22:36:43.064", + "updatedAt": "2026-04-30 22:36:43.064", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d97c03fd8213c05dbbde", + "name": "Consent Management Procedure", + "description": "Define and operate a procedure for obtaining and recording knowledge and consent for the collection, use, and disclosure of personal information. Match the form of consent (express vs. implied) to the sensitivity of the information and the reasonable expectations of the individual.", + "createdAt": "2026-04-30 22:36:44.103", + "updatedAt": "2026-04-30 22:36:44.103", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d97d7c0f6c1d629e8fbf", + "name": "Consent Withdrawal Mechanism", + "description": "Provide individuals with a clear, accessible way to withdraw consent at any time, subject to legal or contractual restrictions, and inform them of the consequences. Honor withdrawal requests within a defined timeframe and update downstream systems accordingly.", + "createdAt": "2026-04-30 22:36:45.325", + "updatedAt": "2026-04-30 22:36:45.325", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d97fab711de81e99e786", + "name": "Express Consent for Sensitive Information", + "description": "Require express, opt-in consent before collecting, using, or disclosing sensitive personal information (e.g. medical, financial, biometric, genetic, racial/ethnic origin, political opinions, religious beliefs, sex life or sexual orientation).", + "createdAt": "2026-04-30 22:36:46.705", + "updatedAt": "2026-04-30 22:36:46.705", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d9808d78f354f8f804b4", + "name": "Data Minimization Standard", + "description": "Restrict the type and amount of personal information collected to what is strictly necessary for the identified purposes. Document mandatory vs. optional fields on every collection point and review collection forms periodically to remove unnecessary fields.", + "createdAt": "2026-04-30 22:36:47.690", + "updatedAt": "2026-04-30 22:36:47.690", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d981cefe4efa0efe0847", + "name": "Fair and Lawful Collection Procedure", + "description": "Collect personal information only by fair and lawful means, never through deception about purposes or consent. Apply heightened controls to high-risk identifiers (e.g. Social Insurance Number) so they are collected only where legally required.", + "createdAt": "2026-04-30 22:36:48.716", + "updatedAt": "2026-04-30 22:36:48.716", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d98163541c15c34554c0", + "name": "Use and Disclosure Limitation", + "description": "Use and disclose personal information only for the purposes for which it was collected, except with fresh consent or as required by law. Document any new use or disclosure together with its legal basis or consent record before processing begins.", + "createdAt": "2026-04-30 22:36:49.496", + "updatedAt": "2026-04-30 22:36:49.496", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d982f21bf2e86c1ef98d", + "name": "Data Retention Schedule", + "description": "Maintain a documented retention schedule with minimum and maximum retention periods for each category of personal information, aligned to the original collection purpose. Retain information used in decisions about an individual long enough for them to access it.", + "createdAt": "2026-04-30 22:36:50.318", + "updatedAt": "2026-04-30 22:36:50.318", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d983dce2e00263034481", + "name": "Secure Data Disposal and Anonymization", + "description": "Destroy, erase, or irreversibly anonymize personal information once it is no longer needed, using methods that prevent unauthorized recovery. Maintain disposal records and apply equivalent controls to information held by contractors.", + "createdAt": "2026-04-30 22:36:51.145", + "updatedAt": "2026-04-30 22:36:51.145", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d9846258471679ba5a28", + "name": "Data Accuracy Policy", + "description": "Establish a policy that defines accuracy, completeness, and currency requirements for each category of personal information based on its use, including the source of the information, the dates of collection and update, and the procedure for individuals to challenge accuracy.", + "createdAt": "2026-04-30 22:36:52.016", + "updatedAt": "2026-04-30 22:36:52.016", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d9854a029af0a24299a3", + "name": "Periodic Accuracy Review and Audit", + "description": "Conduct periodic reviews or audits of personal information used on an ongoing basis to confirm it remains accurate, complete, and up-to-date for its identified purposes, and propagate amendments to third parties that received the original data.", + "createdAt": "2026-04-30 22:36:52.923", + "updatedAt": "2026-04-30 22:36:52.923", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d9864551468e007fc4d8", + "name": "Information Security Policy", + "description": "Maintain an information security policy that defines security objectives, roles, and minimum control requirements for personal information across all formats and locations, with safeguards calibrated to the sensitivity of the data.", + "createdAt": "2026-04-30 22:36:53.909", + "updatedAt": "2026-04-30 22:36:53.909", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d987482f9da8d882e592", + "name": "Physical Safeguards", + "description": "Apply physical security measures to areas where personal information is stored or processed, including locked cabinets, restricted-access offices, secured premises, alarms, and clean-desk practices for paper records.", + "createdAt": "2026-04-30 22:36:54.736", + "updatedAt": "2026-04-30 22:36:54.736", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d98a95c7623e660bf33d", + "name": "Public Privacy Policy Publication", + "description": "Publish a privacy policy that is readily available and written in plain language, covering the privacy officer's contact details, how to access personal information, what categories of information are held and their general use, and any disclosures to related organizations.", + "createdAt": "2026-04-30 22:36:58.165", + "updatedAt": "2026-04-30 22:36:58.165", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d98b12951c79a1a1cf36", + "name": "Privacy Information Materials", + "description": "Develop and distribute supplementary privacy materials (brochures, web notices, in-product disclosures) so that individuals who do not use one specific channel can still obtain information about the organization's policies and practices, including any tracking technologies used online.", + "createdAt": "2026-04-30 22:36:59.041", + "updatedAt": "2026-04-30 22:36:59.041", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d98c52d9000ac36cc791", + "name": "Individual Access Request Procedure", + "description": "Operate a documented procedure for receiving written access requests, helping individuals prepare them, retrieving the requested information, and responding within 30 days at minimal or no cost. Provide an account of how the information has been or will be used and the third parties to which it has been disclosed.", + "createdAt": "2026-04-30 22:36:59.904", + "updatedAt": "2026-04-30 22:36:59.904", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d98d61c5a3ef65a23e20", + "name": "Identity Verification for Access Requests", + "description": "Verify the identity of individuals submitting access requests using a method proportionate to the sensitivity of the data, requesting only the minimum information necessary to authenticate the requester.", + "createdAt": "2026-04-30 22:37:00.849", + "updatedAt": "2026-04-30 22:37:00.849", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d98e0758e358b1f71b49", + "name": "Information Amendment and Refusal Procedure", + "description": "Allow individuals to challenge the accuracy and completeness of their personal information; amend records when the challenge is substantiated and propagate the amendment to third parties. When refusing access, respond in writing with reasons, applicable PIPEDA exceptions, and recourse — and retain the information long enough for the individual to exhaust recourse.", + "createdAt": "2026-04-30 22:37:01.777", + "updatedAt": "2026-04-30 22:37:01.777", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d98f897fe2984e8163e5", + "name": "Privacy Complaint Procedure", + "description": "Provide an easily accessible, simple-to-use procedure for individuals to challenge the organization's compliance with PIPEDA. Publicize how to complain, acknowledge complaints promptly, and inform complainants of avenues of recourse including the Office of the Privacy Commissioner of Canada.", + "createdAt": "2026-04-30 22:37:02.629", + "updatedAt": "2026-04-30 22:37:02.629", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d98fd53148ecfa29efa0", + "name": "Complaint Investigation and Remediation", + "description": "Investigate every privacy complaint without delay, assigned to a competent and impartial reviewer. Where the complaint is justified, take corrective action — including amending policies, practices, or affected records — notify the complainant of the outcome, and record findings to drive systemic improvements.", + "createdAt": "2026-04-30 22:37:03.483", + "updatedAt": "2026-04-30 22:37:03.483", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d977f853eaee5ff05fe7", + "name": "Privacy Policies and Procedures Framework", + "description": "Maintain a documented privacy management framework that addresses each of the 10 Fair Information Principles, defines roles for privacy governance, and is reviewed and updated on a regular cadence.", + "createdAt": "2026-04-30 22:36:39.241", + "updatedAt": "2026-04-30 23:49:15.194", + "documentTypes": [ + "risk_committee_meeting", + "meeting" + ] + }, + { + "id": "frk_ct_69f3d988421e37ecdc514fc0", + "name": "Technical Safeguards", + "description": "Implement technical safeguards proportionate to data sensitivity — including identification, authentication, role-based access controls, encryption at rest and in transit, secure transmission channels, firewalls, audit logging, and timely patching.", + "createdAt": "2026-04-30 22:36:55.517", + "updatedAt": "2026-04-30 23:49:18.673", + "documentTypes": [ + "rbac_matrix", + "penetration_test", + "network_diagram", + "infrastructure_inventory" + ] + }, + { + "id": "frk_ct_69f3d9891d140c7d3b7d542c", + "name": "Information Security Breach Response", + "description": "Maintain a breach response procedure covering detection, containment, root-cause investigation, individual notification (where required), reporting to the Office of the Privacy Commissioner of Canada, and post-incident remediation.", + "createdAt": "2026-04-30 22:36:57.260", + "updatedAt": "2026-04-30 23:49:20.790", + "documentTypes": [ + "tabletop_exercise" + ] + }, + { + "id": "frk_ct_69f897d2abcbb2cff15807ac", + "name": "Data Encryption", + "description": "Implement data encryption both at rest and in transit for all PHI", + "createdAt": "2026-05-04 12:57:53.896", + "updatedAt": "2026-05-04 12:57:53.896", + "documentTypes": [] + }, + { + "id": "frk_ct_69f3d98847a47dc8f9eacae4", + "name": "Administrative Safeguards", + "description": "Apply administrative safeguards including need-to-know access authorization, security clearances proportionate to sensitivity, confidentiality agreements, ongoing employee awareness, monitoring and audits, and formal procedures for telework and working outside the office.", + "createdAt": "2026-04-30 22:36:56.336", + "updatedAt": "2026-04-30 23:49:20.160", + "documentTypes": [ + "employee_performance_evaluation", + "rbac_matrix" + ] } -] \ No newline at end of file +] From 8c72e20eb299aa112e215826b19e9459daa43e70 Mon Sep 17 00:00:00 2001 From: Mariano Date: Wed, 6 May 2026 12:38:06 +0100 Subject: [PATCH 03/18] chore(seed): refresh framework editor templates + finding templates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the seed JSON exports to the latest snapshot. Touches: - FindingTemplate: regenerated with current cuid-style ids and the current title/content set the audit team is using. - FrameworkEditorFramework / PolicyTemplate / Requirement / TaskTemplate: refreshed primitives to match the live framework editor state. - Three Control↔(Task|Policy|Requirement) join files: refreshed to match the new template ids. bun.lock: dedup of @jridgewell/trace-mapping pulled in by `bun install`. Co-Authored-By: Claude Opus 4.7 (1M context) --- bun.lock | 28 +- .../seed/primitives/FindingTemplate.json | 156 +- .../primitives/FrameworkEditorFramework.json | 108 +- .../FrameworkEditorPolicyTemplate.json | 432 +- .../FrameworkEditorRequirement.json | 5054 ++++++++++++++--- .../FrameworkEditorTaskTemplate.json | 844 ++- ...mplateToFrameworkEditorPolicyTemplate.json | 334 +- ...lTemplateToFrameworkEditorRequirement.json | 4336 +++++++++++++- ...TemplateToFrameworkEditorTaskTemplate.json | 968 +++- 9 files changed, 10934 insertions(+), 1326 deletions(-) diff --git a/bun.lock b/bun.lock index cbb2127cbc..a31aac1737 100644 --- a/bun.lock +++ b/bun.lock @@ -1649,7 +1649,7 @@ "@jridgewell/sourcemap-codec": ["@jridgewell/sourcemap-codec@1.5.5", "", {}, "sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og=="], - "@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.9", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.0.3", "@jridgewell/sourcemap-codec": "^1.4.10" } }, "sha512-3Belt6tdc8bPgAtbcmdtNJlirVoTmEb5e2gC94PnkwEW9jI6CAHUeoG85tjWP5WquqfavoMtMwiG4P926ZKKuQ=="], + "@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.31", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.1.0", "@jridgewell/sourcemap-codec": "^1.4.14" } }, "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw=="], "@jsonhero/path": ["@jsonhero/path@1.0.21", "", {}, "sha512-gVUDj/92acpVoJwsVJ/RuWOaHyG4oFzn898WNGQItLCTQ+hOaVlEaImhwE1WqOTf+l3dGOUkbSiVKlb3q1hd1Q=="], @@ -6727,8 +6727,6 @@ "@ai-sdk/xai/@ai-sdk/provider": ["@ai-sdk/provider@2.0.3", "", { "dependencies": { "json-schema": "^0.4.0" } }, "sha512-h88OPkavHTiN9tMn2l5awAznGB0lXzjcLhgR1/rvjB2zlLprsNxbM2tt6OJsHUxduLC3klq0/eqaSf6fX5XVww=="], - "@ampproject/remapping/@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.31", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.1.0", "@jridgewell/sourcemap-codec": "^1.4.14" } }, "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw=="], - "@angular-devkit/core/ajv": ["ajv@8.18.0", "", { "dependencies": { "fast-deep-equal": "^3.1.3", "fast-uri": "^3.0.1", "json-schema-traverse": "^1.0.0", "require-from-string": "^2.0.2" } }, "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A=="], "@angular-devkit/core/rxjs": ["rxjs@7.8.1", "", { "dependencies": { "tslib": "^2.1.0" } }, "sha512-AA3TVj+0A2iuIoQkWEK/tqFjBq2j+6PO6Y0zJcvzLAFhEFIO3HL0vls9hWLncZbAAbK0mar7oZ4V079I/qPMxg=="], @@ -6767,8 +6765,6 @@ "@babel/core/semver": ["semver@6.3.1", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA=="], - "@babel/generator/@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.31", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.1.0", "@jridgewell/sourcemap-codec": "^1.4.14" } }, "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw=="], - "@babel/helper-compilation-targets/lru-cache": ["lru-cache@5.1.1", "", { "dependencies": { "yallist": "^3.0.2" } }, "sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w=="], "@babel/helper-compilation-targets/semver": ["semver@6.3.1", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA=="], @@ -6807,6 +6803,8 @@ "@commitlint/types/chalk": ["chalk@5.6.2", "", {}, "sha512-7NzBL0rN6fMUW+f7A6Io4h40qQlG+xGmtMxfbnH/K7TAtt8JQWVQK+6g0UXKMeVJoyV5EkkNsErQ8pVD3bLHbA=="], + "@cspotcode/source-map-support/@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.9", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.0.3", "@jridgewell/sourcemap-codec": "^1.4.10" } }, "sha512-3Belt6tdc8bPgAtbcmdtNJlirVoTmEb5e2gC94PnkwEW9jI6CAHUeoG85tjWP5WquqfavoMtMwiG4P926ZKKuQ=="], + "@discordjs/rest/@discordjs/collection": ["@discordjs/collection@2.1.1", "", {}, "sha512-LiSusze9Tc7qF03sLCujF5iZp7K+vRNEDBZ86FT9aQAv3vxMLihUvKvpsCWiQ2DJq1tVckopKm1rxomgNUc9hg=="], "@discordjs/rest/@sapphire/snowflake": ["@sapphire/snowflake@3.5.5", "", {}, "sha512-xzvBr1Q1c4lCe7i6sRnrofxeO1QTP/LKQ6A6qy0iB4x5yfiSfARMEQEghojzTNALDTcv8En04qYNIco9/K9eZQ=="], @@ -6901,28 +6899,16 @@ "@jest/reporters/@bcoe/v8-coverage": ["@bcoe/v8-coverage@0.2.3", "", {}, "sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw=="], - "@jest/reporters/@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.31", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.1.0", "@jridgewell/sourcemap-codec": "^1.4.14" } }, "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw=="], - "@jest/reporters/glob": ["glob@10.5.0", "", { "dependencies": { "foreground-child": "^3.1.0", "jackspeak": "^3.1.2", "minimatch": "^9.0.4", "minipass": "^7.1.2", "package-json-from-dist": "^1.0.0", "path-scurry": "^1.11.1" }, "bin": { "glob": "dist/esm/bin.mjs" } }, "sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg=="], "@jest/reporters/jest-worker": ["jest-worker@30.3.0", "", { "dependencies": { "@types/node": "*", "@ungap/structured-clone": "^1.3.0", "jest-util": "30.3.0", "merge-stream": "^2.0.0", "supports-color": "^8.1.1" } }, "sha512-DrCKkaQwHexjRUFTmPzs7sHQe0TSj9nvDALKGdwmK5mW9v7j90BudWirKAJHt3QQ9Dhrg1F7DogPzhChppkJpQ=="], "@jest/reporters/slash": ["slash@3.0.0", "", {}, "sha512-g9Q1haeby36OSStwb4ntCGGGaKsaVSjQ68fBxoQcutl5fS1vuY18H3wSt3jFyFtrkx+Kz0V1G85A4MyAdDMi2Q=="], - "@jest/source-map/@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.31", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.1.0", "@jridgewell/sourcemap-codec": "^1.4.14" } }, "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw=="], - "@jest/test-sequencer/slash": ["slash@3.0.0", "", {}, "sha512-g9Q1haeby36OSStwb4ntCGGGaKsaVSjQ68fBxoQcutl5fS1vuY18H3wSt3jFyFtrkx+Kz0V1G85A4MyAdDMi2Q=="], - "@jest/transform/@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.31", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.1.0", "@jridgewell/sourcemap-codec": "^1.4.14" } }, "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw=="], - "@jest/transform/slash": ["slash@3.0.0", "", {}, "sha512-g9Q1haeby36OSStwb4ntCGGGaKsaVSjQ68fBxoQcutl5fS1vuY18H3wSt3jFyFtrkx+Kz0V1G85A4MyAdDMi2Q=="], - "@jridgewell/gen-mapping/@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.31", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.1.0", "@jridgewell/sourcemap-codec": "^1.4.14" } }, "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw=="], - - "@jridgewell/remapping/@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.31", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.1.0", "@jridgewell/sourcemap-codec": "^1.4.14" } }, "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw=="], - - "@jridgewell/source-map/@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.31", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.1.0", "@jridgewell/sourcemap-codec": "^1.4.14" } }, "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw=="], - "@langchain/core/ansi-styles": ["ansi-styles@5.2.0", "", {}, "sha512-Cxwpt2SfTzTtXcfOlzGEee8O+c+MmUgGrNiBcXnuWxuFJHe6a5Hz7qwhwe5OgaSYI0IJvkLqWX1ASG+cJOkEiA=="], "@langchain/core/p-retry": ["p-retry@4.6.2", "", { "dependencies": { "@types/retry": "0.12.0", "retry": "^0.13.1" } }, "sha512-312Id396EbJdvRONlngUx0NydfrIQ5lsYu0znKVUzVvArzEIt08V1qhtyESbGVd1FGX7UKtiFp5uwKZdM8wIuQ=="], @@ -7373,8 +7359,6 @@ "are-we-there-yet/readable-stream": ["readable-stream@2.3.8", "", { "dependencies": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } }, "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA=="], - "ast-v8-to-istanbul/@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.31", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.1.0", "@jridgewell/sourcemap-codec": "^1.4.14" } }, "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw=="], - "ast-v8-to-istanbul/js-tokens": ["js-tokens@10.0.0", "", {}, "sha512-lM/UBzQmfJRo9ABXbPWemivdCW8V2G8FHaHdypQaIy523snUjog0W71ayWXTjiR+ixeMyVHN2XcpnTd/liPg/Q=="], "babel-jest/slash": ["slash@3.0.0", "", {}, "sha512-g9Q1haeby36OSStwb4ntCGGGaKsaVSjQ68fBxoQcutl5fS1vuY18H3wSt3jFyFtrkx+Kz0V1G85A4MyAdDMi2Q=="], @@ -7669,8 +7653,6 @@ "istanbul-lib-report/supports-color": ["supports-color@7.2.0", "", { "dependencies": { "has-flag": "^4.0.0" } }, "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw=="], - "istanbul-lib-source-maps/@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.31", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.1.0", "@jridgewell/sourcemap-codec": "^1.4.14" } }, "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw=="], - "jest-changed-files/execa": ["execa@5.1.1", "", { "dependencies": { "cross-spawn": "^7.0.3", "get-stream": "^6.0.0", "human-signals": "^2.1.0", "is-stream": "^2.0.0", "merge-stream": "^2.0.0", "npm-run-path": "^4.0.1", "onetime": "^5.1.2", "signal-exit": "^3.0.3", "strip-final-newline": "^2.0.0" } }, "sha512-8uSpZZocAZRBAPIEINJj3Lo9HyGitllczc27Eh5YYojjMFMn8yHMDMaUHE2Jqfq05D/wucwI4JGURyXt1vchyg=="], "jest-changed-files/p-limit": ["p-limit@3.1.0", "", { "dependencies": { "yocto-queue": "^0.1.0" } }, "sha512-TYOanM3wGwNGsZN2cVTYPArw454xnXj5qmWF1bEoAc4+cU/ol7GVh7odevjp1FNHduHc3KZMcFduxU5Xc6uJRQ=="], @@ -8367,8 +8349,6 @@ "terser/commander": ["commander@2.20.3", "", {}, "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ=="], - "terser-webpack-plugin/@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.31", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.1.0", "@jridgewell/sourcemap-codec": "^1.4.14" } }, "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw=="], - "terser-webpack-plugin/schema-utils": ["schema-utils@4.3.3", "", { "dependencies": { "@types/json-schema": "^7.0.9", "ajv": "^8.9.0", "ajv-formats": "^2.1.1", "ajv-keywords": "^5.1.0" } }, "sha512-eflK8wEtyOE6+hsaRVPxvUKYCpRgzLqDTb8krvAsRIwOGlHoSgYLgBXoubGgLd2fT41/OUYdb48v4k4WWHQurA=="], "test-exclude/glob": ["glob@10.5.0", "", { "dependencies": { "foreground-child": "^3.1.0", "jackspeak": "^3.1.2", "minimatch": "^9.0.4", "minipass": "^7.1.2", "package-json-from-dist": "^1.0.0", "path-scurry": "^1.11.1" }, "bin": { "glob": "dist/esm/bin.mjs" } }, "sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg=="], @@ -8425,8 +8405,6 @@ "uploadthing/effect": ["effect@3.17.7", "", { "dependencies": { "@standard-schema/spec": "^1.0.0", "fast-check": "^3.23.1" } }, "sha512-dpt0ONUn3zzAuul6k4nC/coTTw27AL5nhkORXgTi6NfMPzqWYa1M05oKmOMTxpVSTKepqXVcW9vIwkuaaqx9zA=="], - "v8-to-istanbul/@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.31", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.1.0", "@jridgewell/sourcemap-codec": "^1.4.14" } }, "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw=="], - "verror/core-util-is": ["core-util-is@1.0.2", "", {}, "sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ=="], "vite/esbuild": ["esbuild@0.25.12", "", { "optionalDependencies": { "@esbuild/aix-ppc64": "0.25.12", "@esbuild/android-arm": "0.25.12", "@esbuild/android-arm64": "0.25.12", "@esbuild/android-x64": "0.25.12", "@esbuild/darwin-arm64": "0.25.12", "@esbuild/darwin-x64": "0.25.12", "@esbuild/freebsd-arm64": "0.25.12", "@esbuild/freebsd-x64": "0.25.12", "@esbuild/linux-arm": "0.25.12", "@esbuild/linux-arm64": "0.25.12", "@esbuild/linux-ia32": "0.25.12", "@esbuild/linux-loong64": "0.25.12", "@esbuild/linux-mips64el": "0.25.12", "@esbuild/linux-ppc64": "0.25.12", "@esbuild/linux-riscv64": "0.25.12", "@esbuild/linux-s390x": "0.25.12", "@esbuild/linux-x64": "0.25.12", "@esbuild/netbsd-arm64": "0.25.12", "@esbuild/netbsd-x64": "0.25.12", "@esbuild/openbsd-arm64": "0.25.12", "@esbuild/openbsd-x64": "0.25.12", "@esbuild/openharmony-arm64": "0.25.12", "@esbuild/sunos-x64": "0.25.12", "@esbuild/win32-arm64": "0.25.12", "@esbuild/win32-ia32": "0.25.12", "@esbuild/win32-x64": "0.25.12" }, "bin": { "esbuild": "bin/esbuild" } }, "sha512-bbPBYYrtZbkt6Os6FiTLCTFxvq4tt3JKall1vRwshA3fdVztsLAatFaZobhkBC8/BrPetoa0oksYoKXoG4ryJg=="], diff --git a/packages/db/prisma/seed/primitives/FindingTemplate.json b/packages/db/prisma/seed/primitives/FindingTemplate.json index cef1a14e63..d99ec2528d 100644 --- a/packages/db/prisma/seed/primitives/FindingTemplate.json +++ b/packages/db/prisma/seed/primitives/FindingTemplate.json @@ -1,83 +1,119 @@ [ { - "id": "fnd_t_evidence_issue_01", + "id": "fnd_t_69cd108ab21a08f93e582cba", "category": "evidence_issue", - "title": "Missing organization context", - "content": "The uploaded evidence does not clearly show the Organization Name or URL. Please provide a screenshot showing the context.", - "order": 1, - "createdAt": "2025-01-26 00:00:00.000", - "updatedAt": "2025-01-26 00:00:00.000" + "title": "Pull Requests Samples", + "content": "Please upload a sample of recently merged Pull Requests (5 examples). The evidence must clearly show: 1. The Author, 2. The Approver (must be different from the author), and 3. The Build/Test Status checks.", + "order": 0, + "createdAt": "2026-04-01 12:33:13.504", + "updatedAt": "2026-04-01 12:33:13.504" }, { - "id": "fnd_t_evidence_issue_02", + "id": "fnd_t_69d4f4c983e48b8f30dd2287", "category": "evidence_issue", - "title": "Evidence outside audit window", - "content": "The evidence date falls outside the currently active audit observation window. Please ensure evidence is relevant to the current period.", - "order": 2, - "createdAt": "2025-01-26 00:00:00.000", - "updatedAt": "2025-01-26 00:00:00.000" + "title": "Missing evidence – general", + "content": "The evidence provided does not currently demonstrate that this control requirement has been met. Please provide documentation, screenshots, records, or reports that show the control is implemented and operating.", + "order": 0, + "createdAt": "2026-04-07 12:12:56.833", + "updatedAt": "2026-04-07 12:12:56.833" }, { - "id": "fnd_t_evidence_issue_03", + "id": "fnd_t_69d4f4dab76e1864fa09c55a", "category": "evidence_issue", - "title": "Unreadable or corrupted file", - "content": "The auditor could not open or read the file due to low resolution or corruption. Please re-upload a clear copy.", - "order": 3, - "createdAt": "2025-01-26 00:00:00.000", - "updatedAt": "2025-01-26 00:00:00.000" + "title": "Evidence referenced but not included", + "content": "The submission references supporting documentation, but the referenced evidence is not included. Please upload the referenced materials for review.", + "order": 0, + "createdAt": "2026-04-07 12:13:14.348", + "updatedAt": "2026-04-07 12:13:14.348" }, { - "id": "fnd_t_further_evidence_01", - "category": "further_evidence", - "title": "Statement of intent - need proof of operation", - "content": "The attached document(s) is a statement of intent. This control requires Evidence of Operation (proof of action). Please upload specific logs, screenshots, system configs, or tickets that demonstrate this policy is currently being enforced.", - "order": 1, - "createdAt": "2025-01-26 00:00:00.000", - "updatedAt": "2025-01-26 00:00:00.000" + "id": "fnd_t_69d4f512d67eb0ae06f32d58", + "category": "evidence_issue", + "title": "Insufficient detail", + "content": "The current evidence does not provide enough detail to confirm the control design or operation. Please provide additional supporting information, such as expanded screenshots, system settings, further logs, or procedure details.", + "order": 0, + "createdAt": "2026-04-07 12:14:10.343", + "updatedAt": "2026-04-07 12:14:10.343" }, { - "id": "fnd_t_further_evidence_02", - "category": "further_evidence", - "title": "No evidence attached", - "content": "This task was marked as 'Done', but no file was attached. For an external audit, every completed task requires proof of execution. Please upload the specific evidence (screenshot, PDF, or export) and re-submit.", - "order": 2, - "createdAt": "2025-01-26 00:00:00.000", - "updatedAt": "2025-01-26 00:00:00.000" + "id": "fnd_t_69d4fb57f1f2214c213701fd", + "category": "evidence_issue", + "title": "Further evidence samples required", + "content": "The evidence provided is not currently sufficient to complete testing for this requirement. Please provide further evidence samples covering 5 samples or 10% of the organization’s headcount, whichever is greater. The samples should be representative of the relevant population for the period under review and include sufficient supporting documentation to allow assessment of control operation.", + "order": 0, + "createdAt": "2026-04-07 12:40:55.039", + "updatedAt": "2026-04-07 12:40:55.039" }, { - "id": "fnd_t_task_specific_01", - "category": "task_specific", - "title": "Pull Request samples required", - "content": "Please upload a sample of recently merged Pull Requests (5 examples). The evidence must clearly show: 1. The Author, 2. The Approver (must be different from the author), and 3. The Build/Test Status checks.", - "order": 1, - "createdAt": "2025-01-26 00:00:00.000", - "updatedAt": "2025-01-26 00:00:00.000" + "id": "fnd_t_69d4fb8390ce6bd186c87492", + "category": "evidence_issue", + "title": "One or more devices are failing", + "content": "The evidence provided indicates that one or more devices are currently in a failing or non-compliant state. Please review the affected devices and provide updated evidence.", + "order": 0, + "createdAt": "2026-04-07 12:41:38.763", + "updatedAt": "2026-04-07 12:41:38.763" }, { - "id": "fnd_t_task_specific_02", - "category": "task_specific", - "title": "Alert screenshot required", - "content": "Please upload a screenshot of an actual triggered alert (e.g., a notification from PagerDuty, Slack, or Email). The evidence must clearly show: 1. The Alert Name, 2. The Timestamp, and 3. The Severity Level.", - "order": 2, - "createdAt": "2025-01-26 00:00:00.000", - "updatedAt": "2025-01-26 00:00:00.000" + "id": "fnd_t_69d4fbae4fb6a512f01c618d", + "category": "evidence_issue", + "title": "One or more employees show incomplete training", + "content": "The evidence provided indicates that one or more employees have not completed the required training in full. ", + "order": 0, + "createdAt": "2026-04-07 12:42:21.501", + "updatedAt": "2026-04-07 12:42:21.501" }, { - "id": "fnd_t_task_specific_03", - "category": "task_specific", - "title": "System logs sample required", - "content": "Please provide a sample of System or Infrastructure Logs (e.g., AWS CloudWatch, Google Cloud Logging, Datadog). The sample must clearly show headers including: Timestamp, Event/Error Message, and Source/User.", - "order": 3, - "createdAt": "2025-01-26 00:00:00.000", - "updatedAt": "2025-01-26 00:00:00.000" + "id": "fnd_t_69d4fc1c1113cd6a2cac9f49", + "category": "evidence_issue", + "title": "Evidence unclear or illegible", + "content": "The submitted evidence is unclear and cannot be reliably assessed. Please provide a clearer version of the document or screenshot.", + "order": 0, + "createdAt": "2026-04-07 12:44:12.123", + "updatedAt": "2026-04-07 12:44:12.123" }, { - "id": "fnd_t_na_incorrect_01", - "category": "na_incorrect", - "title": "Control required for compliance", - "content": "This control is required for SOC 2 compliance, regardless of company size. However, the evidence can be scaled down to fit your stage. Please see the guidance documentation for acceptable lightweight evidence.", + "id": "fnd_t_69d4fc31b0b632da4020f804", + "category": "evidence_issue", + "title": "Evidence not current", + "content": "The evidence provided appears outdated and does not demonstrate current operation of the control. Please provide more recent evidence for the applicable review period.", + "order": 0, + "createdAt": "2026-04-07 12:44:32.547", + "updatedAt": "2026-04-07 12:44:32.547" + }, + { + "id": "fnd_t_69d4fd25ff4d03074ecaa0ee", + "category": "evidence_issue", + "title": "Backup restoration evidence required", + "content": "Backup restoration evidence is incomplete. A report has been provided, but supporting evidence such as a recording or screenshots of the restore test is also required.", + "order": 0, + "createdAt": "2026-04-07 12:48:36.879", + "updatedAt": "2026-04-07 12:48:36.879" + }, + { + "id": "fnd_t_69df9438c85454008e652d2b", + "category": "evidence_issue", + "title": "Logging evidence missing", + "content": "The evidence provided does not currently demonstrate logging for the relevant systems or activities. Please provide supporting evidence such as configuration screenshots, sample log output, or other records showing that logging is enabled and available for review.", + "order": 0, + "createdAt": "2026-04-15 13:35:51.809", + "updatedAt": "2026-04-15 13:35:51.809" + }, + { + "id": "fnd_t_69df94702fc4ed39f0d07bf2", + "category": "evidence_issue", + "title": "No evidence provided", + "content": "No evidence has been provided for this requirement. Please upload supporting evidence for review.", "order": 1, - "createdAt": "2025-01-26 00:00:00.000", - "updatedAt": "2025-01-26 00:00:00.000" + "createdAt": "2026-04-15 13:36:48.345", + "updatedAt": "2026-04-15 13:37:02.287" + }, + { + "id": "fnd_t_69df940c52b31c4abed9a9e0", + "category": "evidence_issue", + "title": "Alerts evidence missing", + "content": "The submission does not clearly demonstrate how security or operational alerts are generated, triaged, and resolved. Please provide monitoring workflow documentation or alert records.", + "order": 0, + "createdAt": "2026-04-15 13:35:07.725", + "updatedAt": "2026-04-15 13:37:46.984" } -] +] \ No newline at end of file diff --git a/packages/db/prisma/seed/primitives/FrameworkEditorFramework.json b/packages/db/prisma/seed/primitives/FrameworkEditorFramework.json index 0d624e4b5d..1158b7a0a1 100644 --- a/packages/db/prisma/seed/primitives/FrameworkEditorFramework.json +++ b/packages/db/prisma/seed/primitives/FrameworkEditorFramework.json @@ -26,24 +26,6 @@ "updatedAt": "2025-05-14 19:20:44.920", "visible": false }, - { - "id": "frk_683f3102f9ae801df35d47b4", - "name": "Test", - "description": "Test", - "version": "1.0.0", - "createdAt": "2025-06-03 17:29:37.982", - "updatedAt": "2025-06-03 17:30:09.651", - "visible": false - }, - { - "id": "frk_683f31582b71fc8d9253ad89", - "name": "Test2", - "description": "Test2", - "version": "1.0.0", - "createdAt": "2025-06-03 17:31:04.290", - "updatedAt": "2025-06-03 17:31:07.399", - "visible": false - }, { "id": "frk_681ebae2f29f0ab08eb802ec", "name": "SOC 2", @@ -53,15 +35,6 @@ "updatedAt": "2025-06-04 19:22:37.620", "visible": false }, - { - "id": "frk_683f377429b8408d1c85f9bd", - "name": "SOC 2", - "description": "SOC 2 Type I & II", - "version": "1", - "createdAt": "2025-06-03 17:57:07.496", - "updatedAt": "2025-06-04 21:53:53.548", - "visible": true - }, { "id": "frk_681ecc34e85064efdbb76993", "name": "ISO 27001", @@ -89,6 +62,24 @@ "updatedAt": "2025-09-01 16:51:38.334", "visible": true }, + { + "id": "frk_69d7e513446cc6e0376edf60", + "name": "SOC 2 Type 1", + "description": "SOC 2 Type 1 - Verify your security controls for a point-in-time", + "version": "1.0.0", + "createdAt": "2026-04-09 17:42:42.625", + "updatedAt": "2026-04-09 17:42:42.625", + "visible": false + }, + { + "id": "frk_683f377429b8408d1c85f9bd", + "name": "SOC 2", + "description": "SOC 2 Type I & II", + "version": "1", + "createdAt": "2025-06-03 17:57:07.496", + "updatedAt": "2026-04-09 20:08:16.014", + "visible": true + }, { "id": "frk_681ef4bb8eeb2b60d2d9d187", "name": "PCI v0", @@ -125,6 +116,15 @@ "updatedAt": "2025-09-22 11:10:57.835", "visible": false }, + { + "id": "frk_69dcfb280b550e7ee231f312", + "name": "PCI DSS Level 1", + "description": "Level 1 On-Site Assessment (ROC)", + "version": "1.0.0", + "createdAt": "2026-04-13 14:18:15.949", + "updatedAt": "2026-04-13 21:12:52.530", + "visible": true + }, { "id": "frk_68e135d0212b3b6cd39ceb94", "name": "NEN 7510", @@ -134,6 +134,33 @@ "updatedAt": "2025-10-07 20:22:47.176", "visible": true }, + { + "id": "frk_69efd433584ba436ae00d413", + "name": "CCPA", + "description": "California Consumer Privacy Act", + "version": "1.0.0", + "createdAt": "2026-04-27 21:25:07.381", + "updatedAt": "2026-04-28 14:21:21.191", + "visible": true + }, + { + "id": "frk_69e9187a649152cdc715f1ad", + "name": "GDPR (Test)", + "description": "Test framework derived from the gdpr.eu checklist. Not for production compliance use.", + "version": "1.0.0", + "createdAt": "2026-04-22 18:50:33.852", + "updatedAt": "2026-04-22 20:20:30.197", + "visible": false + }, + { + "id": "frk_69eb9ca15a99e0ad3107b033", + "name": "Cloud Cybersecurity Controls", + "description": "National Cybersecurity Authority ", + "version": "1.0.0", + "createdAt": "2026-04-24 16:38:57.256", + "updatedAt": "2026-04-24 16:39:18.628", + "visible": false + }, { "id": "frk_6924c5bf34ae90945076508e", "name": "NIST 800-53", @@ -151,5 +178,32 @@ "createdAt": "2025-11-19 20:30:44.681", "updatedAt": "2025-11-24 21:22:25.364", "visible": true + }, + { + "id": "frk_69bd4011a22723c759ca8e46", + "name": "PCI Level 1", + "description": "PCI Level 1 On-Site Assessment ", + "version": "1.0.0", + "createdAt": "2026-03-20 12:39:44.973", + "updatedAt": "2026-03-20 12:39:44.973", + "visible": false + }, + { + "id": "frk_69bd93a9a68c82ba0998008d", + "name": "SOC 2 v2", + "description": "March 2026", + "version": "1.0.0", + "createdAt": "2026-03-20 18:36:24.991", + "updatedAt": "2026-03-20 18:36:24.991", + "visible": false + }, + { + "id": "frk_69f3d7821751ec330608f200", + "name": "PIPEDA", + "description": "Personal Information Protection and Electronic Documents Act ", + "version": "1.0.0", + "createdAt": "2026-04-30 22:28:17.577", + "updatedAt": "2026-05-01 00:14:14.759", + "visible": false } ] \ No newline at end of file diff --git a/packages/db/prisma/seed/primitives/FrameworkEditorPolicyTemplate.json b/packages/db/prisma/seed/primitives/FrameworkEditorPolicyTemplate.json index e9a12f317e..02926456f3 100644 --- a/packages/db/prisma/seed/primitives/FrameworkEditorPolicyTemplate.json +++ b/packages/db/prisma/seed/primitives/FrameworkEditorPolicyTemplate.json @@ -5,39 +5,39 @@ "description": "Approves secure VPN or zero-trust methods, sets endpoint hardening and mobile controls, and logs and reviews remote sessions.", "frequency": "yearly", "department": "it", - "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Secure connectivity for off-site work while protecting {{DATA}} for {{COMPANY}} on personal and remote devices that access {{CRITICAL}} in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All remote network connections and any personally owned devices used for company activities. Applies to {{LOCATION}} staff and contractors using {{DEVICES}} to reach {{CRITICAL}} workloads.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Align to SOC 2 Security; extend to Confidentiality where applicable to data-in-transit and endpoint protection.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where ePHI is accessed or stored, apply Security Rule technical safeguards: access control, audit controls, integrity, and transmission security.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Approved Remote Access Methods", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use VPN or zero-trust proxy with MFA for administrative or data-sensitive access to {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "SSH only with key-based authentication; prohibit direct RDP/SSH from the public internet.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disable remote access on systems where it is not required.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Restrict remote access from outside {{GEO}} unless explicitly approved; use VPN while traveling.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Avoid split tunneling when accessing {{DATA}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enforce MFA on all remote admin access; restrict inbound management ports; manage changes to remote-access configs through change control.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Encrypt all remote sessions handling ePHI and avoid split tunneling when accessing ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Endpoint Security Requirements", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{DEVICES}} must run a supported OS, be fully patched, and have disk encryption enabled.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Install company-approved endpoint protection; auto-lock after 15 minutes idle.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Only managed {{DEVICES}} may access {{CRITICAL}} or store {{DATA}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Require device posture checks where supported before granting remote access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enforce device encryption and auto-lock for any endpoint that can access ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Mobile/BYOD Controls", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Register BYOD devices; enforce PIN/biometric, encryption, and remote-wipe capability.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Company email and data stored in a managed app or container where feasible.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remove company data and access immediately upon contract end or device loss.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Require enrollment prior to access; record enrollment and removal events.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Prohibit backups of ePHI to personal cloud accounts; ensure remote wipe of ePHI when access is terminated.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Monitoring & Session Management", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log VPN and privileged remote sessions; retain logs for at least 90 days in {{GEO}} storage.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Auto-disconnect inactive VPN sessions after 12 hours or shorter if supported.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review remote-access logs monthly for anomalies, including access from outside {{GEO}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Alert on excessive authentication failures and unusual geolocation; sample log reviews monthly.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain audit logs for ePHI access via remote sessions and retain per policy.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly sample confirms 100% of remote devices meet patch/encryption policy; VPN logs reviewed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For teams over {{EMPLOYEES}} employees, expand the quarterly sample size and include a check of access to {{CRITICAL}} by {{DEVICES}}.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Temporary allowance for an unsupported device requires management approval and a remediation timeline. Note any added risk to {{DATA}} and compensating controls before granting access.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Non-compliant devices are blocked from the network until remediated; repeat violations are escalated to HR/management.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Evaluate new secure-access technologies and refine BYOD requirements annually, considering {{INDUSTRY}} needs and changes to {{GEO}}.", "type": "text"}]}], + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Secure connectivity for off-site work while protecting {{DATA}} for {{COMPANY}} on personal and remote devices that access {{CRITICAL}} in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All remote network connections and any personally owned devices used for company activities. Applies to {{LOCATION}} staff and contractors using {{DEVICES}} to reach {{CRITICAL}} workloads.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Align to SOC 2 Security; extend to Confidentiality where applicable to data-in-transit and endpoint protection.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where ePHI is accessed or stored, apply Security Rule technical safeguards: access control, audit controls, integrity, and transmission security.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Apply remote-access controls to any session that can reach personal information held by {{COMPANY}}, in accordance with Principle 7 of PIPEDA Schedule 1.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Approved Remote Access Methods", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use VPN or zero-trust proxy with MFA for administrative or data-sensitive access to {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "SSH only with key-based authentication; prohibit direct RDP/SSH from the public internet.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disable remote access on systems where it is not required.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Restrict remote access from outside {{GEO}} unless explicitly approved; use VPN while traveling.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Avoid split tunneling when accessing {{DATA}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enforce MFA on all remote admin access; restrict inbound management ports; manage changes to remote-access configs through change control.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Encrypt all remote sessions handling ePHI and avoid split tunneling when accessing ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Encrypt all remote sessions handling personal information; restrict remote access to managed {{DEVICES}} where the volume or sensitivity warrants it.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Endpoint Security Requirements", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{DEVICES}} must run a supported OS, be fully patched, and have disk encryption enabled.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Install company-approved endpoint protection; auto-lock after 15 minutes idle.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Only managed {{DEVICES}} may access {{CRITICAL}} or store {{DATA}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Require device posture checks where supported before granting remote access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enforce device encryption and auto-lock for any endpoint that can access ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Enforce device encryption and auto-lock for endpoints that can access personal information; verify posture before granting access.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Mobile/BYOD Controls", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Register BYOD devices; enforce PIN/biometric, encryption, and remote-wipe capability.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Company email and data stored in a managed app or container where feasible.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remove company data and access immediately upon contract end or device loss.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Require enrollment prior to access; record enrollment and removal events.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Prohibit backups of ePHI to personal cloud accounts; ensure remote wipe of ePHI when access is terminated.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Prohibit backups of personal information to personal cloud accounts; ensure remote wipe of personal information on the {{LOCATION}} workforce's devices when access is terminated.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Monitoring & Session Management", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log VPN and privileged remote sessions; retain logs for at least 90 days in {{GEO}} storage.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Auto-disconnect inactive VPN sessions after 12 hours or shorter if supported.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review remote-access logs monthly for anomalies, including access from outside {{GEO}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Alert on excessive authentication failures and unusual geolocation; sample log reviews monthly.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain audit logs for ePHI access via remote sessions and retain per policy.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Maintain audit logs for remote access to personal information for at least 24 months; alert on anomalous geolocation when accessing sensitive personal information.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly sample confirms 100% of remote devices meet patch/encryption policy; VPN logs reviewed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For teams over {{EMPLOYEES}} employees, expand the quarterly sample size and include a check of access to {{CRITICAL}} by {{DEVICES}}.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Temporary allowance for an unsupported device requires management approval and a remediation timeline. Note any added risk to {{DATA}} and compensating controls before granting access.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Non-compliant devices are blocked from the network until remediated; repeat violations are escalated to HR/management.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Evaluate new secure-access technologies and refine BYOD requirements annually, considering {{INDUSTRY}} needs and changes to {{GEO}}.", "type": "text"}]}]}, "createdAt": "2025-06-27 07:04:11.567", - "updatedAt": "2025-08-19 18:23:48.629" + "updatedAt": "2026-04-30 23:21:57.740" }, { - "id": "frk_pt_685e453cad89de25e5aebf4a", - "name": "Acceptable Use & Workstation Security", - "description": "Sets responsible use rules, enforces endpoint encryption, patching, auto-lock, and restricts personal storage of company data.", + "id": "frk_pt_685e3f7b4ebcb27b60c51434", + "name": "Information Security & Privacy Governance", + "description": "Assigns clear ownership and management accountability for security and privacy, keeps policies current, and measures compliance through regular reviews.", "frequency": "yearly", - "department": "it", - "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define responsible use of company systems and secure configuration of endpoints.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All users and devices accessing company networks or data.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Acceptable Use Rules", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use company assets for authorized business activities; limited personal use allowed if it doesn’t create risk.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prohibit illegal, harassing, or copyright-infringing activities.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Workstation Configuration & Updates", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enable full-disk encryption, host firewall, and automatic OS patches.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Auto-lock after 10 minutes idle and require password/PIN to resume.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Internet, Email & Messaging", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Users must not forward company data to personal email.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use approved messaging tools for business discussions.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Removable Media & Printing", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Collect printed sensitive docs immediately; shred when done.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Personal Devices & Local Storage", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "BYOD must meet endpoint-security requirements (PIN, encryption, patching) and register with IT.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store company data only in approved, encrypted containers or apps.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly workstation audit checks encryption, lock settings, and patch status.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Temporary deviation (e.g., lab testing) requires documented approval and time limit.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Policy breaches result in access suspension until remediation; severe cases escalate to HR.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update rules with new collaboration tools and emerging endpoint threats.", "type": "text"}]}], - "createdAt": "2025-06-27 07:16:12.366", - "updatedAt": "2025-08-19 18:24:37.446" + "department": "admin", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define clear ownership for security and privacy at {{COMPANY}} and ensure decisions are documented.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if nen7510}}", "type": "text"}, {"type": "hardBreak"}, {"text": "This policy also establishes the framework for. information security in accordance with ", "type": "text"}, {"text": "NEN 7510 - Information Security in Healthcare", "type": "text", "marks": [{"type": "bold"}]}, {"text": ", ensuring the confidentiality, integrity, and availability (CIA) of health and personal information processed by {{COMPANY}}", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All personnel, contractors, information systems, SaaS/IaaS services hosted in {{CRITICAL}}, and company-managed {{DEVICES}}. Applies to the {{LOCATION}} workforce.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain governance to identify applicable requirements, assign ownership, and retain artifacts for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where ePHI is involved, document responsibilities under the Security Rule and retain related documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Designate a Privacy Officer accountable for PIPEDA Schedule 1 compliance and document their authority across all personal information held by {{COMPANY}}, including data transferred to processors operating outside Canada.{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if nen7510}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where health or patient information (personal data within the meaning of the GDPR/AVG) is processed, document responsibilities, ensure secure handling, and maintain records of processing in accordance with Dutch healthcare regulations.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Security Governance Roles", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Designate a Security & Privacy Owner (SPO) and a documented backup. Ensure coverage across {{LOCATION}} time zones.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record names in the Comp AI platform.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Re-confirm role assignments at least annually and after role changes.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Document the SPO’s scope, authority, and reporting line; keep a dated record of annual role reconfirmation.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Name a Security Official responsible for developing and implementing policies (164.308(a)(2)).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Publish the Privacy Officer's name and contact details and confirm them on request. The Privacy Officer is the named point of contact for the Office of the Privacy Commissioner of Canada (OPC).{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if nen7510}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Assign accountability for implementing and maintaining NEN 7510 controls, including risk management, access security, training, and compliance with Dutch legal obligations.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Management Accountability", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "SPO presents a concise security status during scheduled management reviews.", "type": "text"}, {"type": "hardBreak"}, {"text": "For teams over {{EMPLOYEES}} employees, hold reviews at least quarterly.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Senior management signs an annual statement acknowledging ultimate responsibility for security and privacy.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Allocate at least one measurable security improvement task per sprint or work cycle, prioritized to protect {{DATA}} in {{CRITICAL}} and stored in {{GEO}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record management reviews, decisions, and assigned actions with due dates in Comp AI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure management oversight of Security Rule activities and document sanctions, if applied, per policy.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Review compliance with each of the 10 Fair Information Principles at least annually; record decisions, corrective actions, and assigned owners in the privacy programme record.{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if nen7510}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Conduct annual management reviews that address the outcomes of risk assessments, incidents, and improvement actions required by NEN 7510. Risk registers, relevant metrics, and mitigation decisions must be recorded and tracked to completion.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Management", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store all policies in Comp AI; the SPO verifies access and link integrity annually. Note storage and retention locations in {{GEO}} where applicable.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain version control with change logs.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Merge or retire overlapping policies to keep each document brief.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track effective dates and owners; preserve prior versions for audit sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain policy documents and revisions for 6 years (164.316(b)(2)(i)).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Maintain governance over policies that address each of the 10 Fair Information Principles; retain prior versions for at least 24 months to support access requests and OPC inquiries.{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if nen7510}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure all NEN 7519-relevant documents (policies, risk assessments, incident records, and management reviews) are retained for the defined retention period and remain traceable for internal and external audits.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Security Awareness", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "New personnel read this policy set and electronically acknowledge before receiving system access to {{CRITICAL}} from {{DEVICES}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Distribute security awareness training annually, tailored to {{INDUSTRY}} risks and the handling of {{DATA}}; record completion for the {{LOCATION}} workforce.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track completion status and follow up on overdue training within defined timelines.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Provide Security Rule awareness and periodic updates for workforce with ePHI access (164.308(a)(5)).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Include the 10 Fair Information Principles, the Privacy Officer's role, and the access-request and complaint procedures in the awareness curriculum for staff who handle personal information.{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if nen7510}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Deliver role-based awareness and training covering information security in healthcare, including protection of patient data, secure system use, and staff responsibilities under NEN 7510. Reassess training needs annually and after significant changes in technology or regulation.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Annual check that policies exist, the SPO and backup are documented, annual sign-off is filed, and the awareness log is current for the {{EMPLOYEES}} workforce.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if nen7510}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain compliance with the ", "type": "text"}, {"text": "General Data Protection Regulation (GDPR/AVG)", "type": "text", "marks": [{"type": "bold"}]}, {"text": ", the ", "type": "text"}, {"text": "Dutch Medical Treatment Contracts Act (WGBO)", "type": "text", "marks": [{"type": "bold"}]}, {"text": ", and the ", "type": "text"}, {"text": "NEN 7510 suite", "type": "text", "marks": [{"type": "bold"}]}, {"text": ", including ", "type": "text"}, {"text": "NEN7512", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (secure data transmission) and ", "type": "text"}, {"text": "NEN 7513", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (logging and audit trail requirements).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document deviations in a “Security-Decisions” log with reason and expiry, including any residual risk to {{DATA}} and compensating controls in {{CRITICAL}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Missing logs or overdue actions are corrected within two weeks or escalated at the next management review.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Audit and incident lessons feed into the next scheduled policy refresh. Update roles and training focus when {{GEO}} or {{INDUSTRY}} obligations change.", "type": "text"}]}]}, + "createdAt": "2025-06-27 06:51:38.574", + "updatedAt": "2026-04-30 23:21:41.599" }, { - "id": "frk_pt_685e46557bc14fbddea6468a", - "name": "Information Sharing & Transfer", - "description": "Restricts data transfers to approved encrypted channels, enforces NDAs and minimisation, records international safeguards, and audits transfer logs.", + "id": "frk_pt_685e405054f7c35d89ccccf2", + "name": "Policy Management & Exception Handling", + "description": "Inventories every policy, enforces version control and annual reviews, and documents, time-boxes, and sunsets any approved exceptions.", "frequency": "yearly", - "department": "it", - "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure data moves securely between systems, parties, and jurisdictions, preserving confidentiality and integrity.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All electronic and physical transfers of organisational or customer information.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Approved Transfer Methods", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use TLS-protected channels (HTTPS, SFTP, VPN) or end-to-end encrypted messaging.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Encrypt physical media; use tracked courier services.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "External Sharing & NDAs", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Confirm recipient identity and need-to-know.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Execute NDA or contract before sharing Confidential or Restricted data.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Share via least-privilege, time-bound links; disable after purpose met.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Data Minimisation & Redaction", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Share only necessary data fields; mask or anonymise where feasible.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remove test or debug data from production extracts.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "International Transfers & Safeguards", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For personal data leaving its origin region, apply recognised safeguards (e.g., Standard Contractual Clauses).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain record of transfer bases in privacy processing log.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Logging & Audit Trail", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log outbound transfers of Restricted data: date, sender, recipient, content summary, method.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain logs for at least one year.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly sample of transfer logs shows 100 % encrypted channels and valid agreements.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "One-off unencrypted transfer allowed only for low-sensitivity data with management approval.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Unauthorised or insecure transfers raise incident response; notify affected parties if required.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Add automated redaction and secure-send tools; update safeguards with legal changes.", "type": "text"}]}], - "createdAt": "2025-06-27 07:20:53.290", - "updatedAt": "2025-08-19 18:24:50.023" + "department": "admin", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure all governance, security, and privacy policies are current, traceable, and that any deviations are formally approved, time-boxed, and documented for {{COMPANY}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All organizational policies and standards, all personnel, and all systems governed by those documents. Applies to the {{LOCATION}} workforce and systems hosted in {{CRITICAL}}; store records in {{GEO}} where residency applies.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain policy ownership, version history, review notes, and exception records for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain Security Rule policies and any related exceptions for 6 years; ensure exceptions do not weaken safeguards for ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Retain privacy policy versions, exceptions, and review evidence for at least 24 months; ensure exceptions do not weaken safeguards required to protect personal information under PIPEDA.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Inventory & Ownership", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a master list of active policies, each with a named owner.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store the inventory in a shared repository accessible to all personnel, hosted in {{CRITICAL}} and retained per {{GEO}} requirements.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Include effective date and next review date in the inventory; map each policy to relevant controls where applicable.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Identify HIPAA-relevant policies in the inventory and link to BAAs or procedures that reference them.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Identify privacy-relevant policies in the inventory and map each to the 10 Fair Information Principles they support.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Version Control & Distribution", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Keep policies under version control with commit history in Comp AI.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include a version number and last-review date in each document.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Notify personnel of major updates within five business days.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Preserve prior versions and change logs for auditor sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain historical versions and acknowledgements for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Where a policy update changes how personal information is collected, used, disclosed, or retained, update the public privacy notice within 30 days and propagate changes to affected processors.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scheduled Review Cycle", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Owners review their policies at least once every 12 months and record “Reviewed – no change” or revisions in the change log.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Time reviews to precede planned audits.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record reviewer and date; align timing with audit windows.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Confirm HIPAA-related policies reflect current safeguards and regulatory updates.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Confirm that each privacy policy reflects current OPC guidance and that retention, access, and complaint procedures remain accurate.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exception Request Process", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any employee may request an exception by submitting: scope, justification, risk, compensating controls, and proposed expiry.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The policy owner and senior management jointly approve or reject within ten business days; assess residual risk to {{DATA}} and impacts to systems in {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Link exceptions to the Risk Register and relevant controls; ensure expiries are time-boxed.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Assess impact on ePHI; exceptions must not bypass minimum necessary, access controls, or transmission security.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Assess any exception's impact on personal information; exceptions cannot bypass consent, access-request, breach-notification, or retention obligations under PIPEDA.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exception Register & Sunset", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record all approved exceptions in an Exception Register with owner and expiry date; host in {{CRITICAL}} and retain per {{GEO}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review the register monthly; close or renew any item reaching expiry.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track renewals and closures; keep evidence of monthly reviews.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Document HIPAA-related exceptions and closures; retain for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Document privacy-related exceptions and their closure; retain for at least 24 months.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Inventory exists; ≥ 90% of policies show review within 12 months; no exceptions past expiry. For teams over {{EMPLOYEES}} employees, expand monthly sampling of exceptions.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Handled via the “Exception Request Process” and logged in the Exception Register, including residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Missing reviews or unmanaged exceptions are escalated to senior management and corrected within 30 days.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Incorporate audit findings and user feedback at the next scheduled review; update inventory fields or workflows when {{CRITICAL}} or {{GEO}} obligations change.", "type": "text"}]}]}, + "createdAt": "2025-06-27 06:55:11.688", + "updatedAt": "2026-04-30 23:21:42.717" }, { - "id": "frk_pt_685e40d46e7b1123022bf3e8", - "name": "Data Classification & Handling", - "description": "Uses a four-tier classification scheme to label data and prescribes access, encryption, sharing, and disposal rules for each level.", + "id": "frk_pt_685e410082a807a0274b4531", + "name": "Privacy & Data-Subject Rights", + "description": "Ensures personal data is processed on a lawful basis, keeps users informed, and fulfils data-subject requests within required timelines.", "frequency": "yearly", - "department": "it", - "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Protect information proportionately by assigning sensitivity levels and prescribing handling requirements for {{COMPANY}}. Emphasis on {{DATA}} processed in {{CRITICAL}} and stored or retained in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All data created, received, processed, or stored by the organisation, regardless of medium or location. Applies to the {{LOCATION}} workforce and any {{DEVICES}} that access {{CRITICAL}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain a documented scheme; ensure labelling, storage, access, transmission, and disposal practices align to Security and Confidentiality criteria; retain artefacts for the Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where ePHI is involved, apply the Minimum Necessary standard and Security Rule safeguards for access control, audit controls, integrity, transmission security, and device/media handling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Classification Scheme", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Adopt four levels: Public, Internal, Confidential, Restricted.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define examples and default level (Internal) in a quick-reference guide, reflecting {{INDUSTRY}} data types and {{DATA}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure classification drives access control, encryption, monitoring, and retention requirements across {{CRITICAL}} and backups in {{GEO}}.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Treat ePHI as Restricted unless formally de-identified per policy.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Labelling & Identification", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Label documents and data stores at creation using headers, metadata tags, or clear folder names.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use automated tagging where supported; otherwise manual labels are required for Confidential and Restricted data.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Keep labels consistent across repositories and automate propagation where feasible in {{CRITICAL}}.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Mark repositories containing ePHI; prevent removal of labels during export.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Access & Storage Controls", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Grant access on a least-privilege basis aligned to classification level.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Encrypt Confidential and Restricted data at rest in {{CRITICAL}} and in backups stored in {{GEO}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log administrative access to Restricted data.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Review access rights on a defined cadence and protect encryption keys.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enable audit logging for ePHI access; restrict admin access and review regularly.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Transmission & Sharing Rules", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use encrypted channels (for example TLS, SFTP) for Confidential or Restricted data.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prohibit public-cloud file links without access control when data is above Internal.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "External sharing of Restricted data requires management approval and an NDA or contract.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Disable insecure protocols and enforce MFA for privileged transfers.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Encrypt ePHI in transit and use Business Associate Agreements where applicable.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Retention & Disposal Alignment", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Apply retention periods from the Data Retention Policy to each classification, considering {{GEO}} obligations.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Destroy media holding Confidential or Restricted data using secure wipe or certified shredding.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure destruction is logged and, where used, certificates of destruction are filed.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Follow Device and Media Controls for ePHI and maintain documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly sample confirms correct labels, encryption, and access rights; ≥ 95% accuracy target. Scale the sample size proportionally for teams over {{EMPLOYEES}} employees.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Must document risk and compensating controls; senior management approval required. Note any residual risk to {{DATA}} and how it is mitigated in {{CRITICAL}} or through {{DEVICES}} controls.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Mislabelled or mishandled data triggers incident response and mandatory refresher training.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update examples and tooling as new {{INDUSTRY}} data types or regulations emerge, including changes affecting {{GEO}}.", "type": "text"}]}], - "createdAt": "2025-06-27 06:57:24.052", - "updatedAt": "2025-08-19 18:25:02.649" + "department": "gov", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure personal data ({{DATA}}) is processed lawfully and transparently at {{COMPANY}}, and that individuals can exercise their privacy rights across services running in {{CRITICAL}} and jurisdictions in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All personal data relating to customers, end-users, employees, contractors, or any identifiable individuals. Applies to the {{LOCATION}} workforce, systems hosted in {{CRITICAL}}, and managed {{DEVICES}} that process {{DATA}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Align practices with Security and Confidentiality criteria; retain artefacts (records of processing, notices, DSR logs) for the full Type 2 period plus 12 months; treat relevant vendors as subservice organisations where appropriate.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where ePHI is involved, apply the HIPAA Privacy Rule (uses/disclosures, minimum necessary, Notice of Privacy Practices) and individual rights (access, amendment, accounting, restrictions, confidential communications). Retain required HIPAA documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Cover individuals' rights under PIPEDA: access (Principle 9), correction (Principle 6), and challenging compliance (Principle 10). Respond to written access requests within 30 days at minimal or no cost.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Lawful Basis & Data Minimisation", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Identify and record a lawful basis (for example contract, consent, legitimate interest) for each processing activity.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Collect only data necessary for the stated purpose; review forms and APIs annually to remove unused fields, reflecting {{INDUSTRY}} practices and any {{GEO}} limits.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure lawful-basis records link to data classification, retention period, and controls.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Apply minimum necessary; for uses/disclosures beyond TPO, obtain written authorisation or rely on another permitted basis; validate BAA coverage for Business Associates.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Identify the documented purpose under PIPEDA Principle 2 for each processing activity; align consent and use with the privacy notice.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Transparency & Privacy Notice", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain an up-to-date public Privacy Notice describing categories of {{DATA}}, purposes, sharing, retention, rights, and international transfers (including outside {{GEO}}).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update the notice within 30 days of any significant change in processing.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Keep dated copies of prior notices and evidence of publication.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where applicable, maintain and furnish a Notice of Privacy Practices and update it upon material changes.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Maintain the PIPEDA Privacy Notice and update it within 30 days of any material change to collection, use, disclosure, or retention practices.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Data-Subject Request (DSR) Workflow", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide a visible channel (for example a privacy email or web form) for access, correction, deletion, or portability requests.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify requester identity and respond within applicable legal timelines in {{GEO}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log each request, decision, and completion date in a DSR log; restrict access.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Protect the DSR log, restrict access, and retain for auditor sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Process HIPAA individual-rights requests (access, amendment, accounting, restrictions, confidential communications) within HIPAA timelines; document decisions.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Process PIPEDA access requests within 30 days; provide an account of use and disclosure; identify third-party recipients as specifically as possible. Where access is refused, cite the specific Section 9 exception in writing and inform the individual of the right to complain to the OPC.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Consent & Preference Management", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Obtain explicit consent where required; store timestamp and method.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Offer easy withdrawal via self-service or support request; propagate changes across systems in {{CRITICAL}} within five business days.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Propagate preference changes across integrated systems; retain consent and revocation records.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track and honour authorisations and revocations for uses/disclosures requiring authorisation; record agreed restrictions and confidential communication requests.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Honor consent withdrawal and propagate the change across {{CRITICAL}} and {{SOFTWARE}} within five business days; inform the individual of any consequences of withdrawal.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Record Keeping & Audit Trail", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a processing-activity record covering data categories, purposes, lawful bases, recipients, transfers, and safeguards (including residency in {{GEO}}).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain DSR logs and consent records for at least three years (or longer where required).", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Preserve change history for the processing record and DSR log.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain an accounting of disclosures (where required) and retain HIPAA-related records for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Retain access requests, decisions, and amendment evidence for at least 24 months to support OPC inquiries.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly review confirms the processing record is current, the Privacy Notice is updated as needed, and DSRs are closed on time. For teams over {{EMPLOYEES}} employees, expand sampling and include random checks of transfers in/out of {{GEO}} and processing in {{CRITICAL}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any deviation (for example extended DSR deadline) is documented with justification and regulatory allowance, including any residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Missed deadlines or undocumented processing triggers incident response and notification to leadership; corrective action required.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Integrate feedback from users, audits, {{INDUSTRY}} updates, and regulatory changes affecting {{GEO}} into processes and the Privacy Notice.", "type": "text"}]}]}, + "createdAt": "2025-06-27 06:58:08.164", + "updatedAt": "2026-04-30 23:21:59.459" }, { "id": "frk_pt_685e42a3bbd08ad14de297f0", @@ -49,16 +49,6 @@ "createdAt": "2025-06-27 07:05:06.707", "updatedAt": "2025-08-19 18:25:14.107" }, - { - "id": "frk_pt_685e45c938ad29ad775a2344", - "name": "Background Screening & On/Off-boarding", - "description": "Screens new hires, provisions least-privilege access, disables accounts and recovers assets at exit, and archives records securely.", - "frequency": "yearly", - "department": "hr", - "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify workforce integrity for {{COMPANY}}, grant the right access to {{CRITICAL}} and {{DATA}} at start, and promptly revoke it at end of engagement.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All employees, contractors, interns, and temporary staff. Applies to the {{LOCATION}} workforce, including remote personnel using {{DEVICES}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain records of screenings, provisioning, and deprovisioning to support auditor sampling during the Type 2 period.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where ePHI is involved, implement Workforce Security, Workforce Clearance, and Termination Procedures, and retain Security Rule documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Pre-Employment Background Screening", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct identity verification and right-to-work checks for all hires.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Perform criminal or reference checks proportional to role sensitivity, prioritizing roles with access to {{CRITICAL}} or {{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Complete screening before system access is granted; document outcomes.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record screening scope and completion date in the personnel file.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Apply workforce clearance procedures for roles with ePHI access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Onboarding Provisioning", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Manager submits an access request ticket listing required systems and role.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Create individual accounts only; no shared credentials.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide security training and policy acknowledgement within the first week, before granting access to {{CRITICAL}} or {{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Only managed {{DEVICES}} may be used to access {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Grant access based on least privilege and role; record approvals in the ticketing system.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Require Security Rule awareness for any role that accesses ePHI prior to granting such access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Off-boarding & Exit Procedures", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "HR or manager notifies IT of termination date at least 24 hours in advance.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disable accounts and remove access to {{CRITICAL}} by close of last working day; revoke remote access on {{DEVICES}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Collect badges and credentials; schedule exit interview to remind departing staff of confidentiality obligations related to {{DATA}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Capture disablement timestamps and confirm removal from all groups and SSO apps.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Apply termination procedures for ePHI access, including revoking authentication credentials and remote access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Access Reconciliation & Asset Return", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Recover all company-owned {{DEVICES}}; verify data wipe before reuse.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Compare recovered asset list against inventory; investigate discrepancies.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remove access from identity provider groups and cloud services within 24 hours.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Reconcile identity provider groups and tokens; document completion in the off-boarding checklist.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure devices that held ePHI are wiped or sanitized per policy before reassignment.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Record Retention", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store screening results and off-boarding checklists in a secure HR system for seven years or legal minimum; where residency applies, store records in {{GEO}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain provisioning and deprovisioning evidence for at least the audit period plus the organization’s standard buffer.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain HIPAA-related workforce documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Monthly audit confirms 100% of terminated accounts are disabled and all assets are returned. For teams over {{EMPLOYEES}} employees, expand the sample size and include checks of {{CRITICAL}} access removal.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any skipped screening step requires executive approval and a documented risk note in the personnel file, including any residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Missing background checks or lagging account disablement is escalated to HR and Security for remediation within five business days.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review screening vendors, checklist effectiveness, and timing metrics annually, considering {{INDUSTRY}} requirements and any changes to {{GEO}}.", "type": "text"}]}], - "createdAt": "2025-06-27 07:18:33.152", - "updatedAt": "2025-08-19 18:25:31.916" - }, { "id": "frk_pt_685e3fc75bd72cd0745dc5d1", "name": "Risk Management", @@ -79,6 +69,16 @@ "createdAt": "2025-06-27 07:08:04.684", "updatedAt": "2025-08-19 18:26:03.456" }, + { + "id": "frk_pt_685e462046667f75a50a2c3e", + "name": "Vendor & Third-Party Risk", + "description": "Inventories vendors, tiers them by data impact, conducts due diligence, embeds security clauses in contracts, and monitors attestations and incidents.", + "frequency": "yearly", + "department": "it", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Manage risks from suppliers that access {{COMPANY}} data or impact operations.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All SaaS, cloud, consulting, and data-processing vendors.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "State that the policy aligns to SOC 2 Trust Services Criteria, at minimum Security (Common Criteria). Name any optional criteria in scope (Availability, Confidentiality, Processing Integrity, Privacy).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Clarify that the policy covers vendors and any vendors that act as “subservice organizations” to your system as defined in SOC 2. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Use written contracts to ensure third parties processing personal information on behalf of {{COMPANY}} provide a comparable level of privacy protection. Maintain accountability for personal information transferred to vendors regardless of where they operate in {{GEO}}.{{/if}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "State that the policy applies to all vendors that create, receive, maintain, or transmit PHI, including subcontractors of Business Associates. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "State that the policy applies to all vendors (processors) that process personal data of EU/EEA data subjects on behalf of {{COMPANY}}, including subprocessors and the designated EU Representative (if applicable). ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if nen7510}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Third parties that process or host {{DATA}} for {{COMPANY}} must demonstrate equivalent security controls, preferably NEN 7510 or ISO 27001 certification. Establish data processing agreements and periodically review supplier compliance.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Vendor Inventory & Tiering", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain central list of active vendors with owner and contact.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Tier vendors by risk", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Critical = Business cannot run without it", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "High = handles customer or Restricted data", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Medium = internal tools", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Low = no data access", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Flag which vendors are subservice organizations in your SOC 2 report and record whether you use the carve-out or inclusive method for each.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Link each vendor entry to the service commitments and system requirements they support in your SOC 2 system description). ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Tag vendors that process personal information; record whether the data leaves Canada and the safeguards applied to those cross-border transfers.{{/if}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Classify each vendor’s HIPAA role: Business Associate, Subcontractor BA, or neither.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track whether PHI is stored, processed, or transmitted, where it resides, and whether data are de-identified or a limited data set. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a list of all vendors that process personal data, including:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Vendor name", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Type of personal data processed", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Lawful basis for processing", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Whether vendor acts as processor, subprocessor, or EU Representative", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Location of processing (EU/EEA or third country with transfer mechanism)", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track Data Processing Agreements (DPAs) with:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Date signed", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Date of last review", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Next review due", "type": "text"}]}]}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Security Due Diligence", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Critical/High-risk: obtain SOC 2/ISO 27001 report or complete security questionnaire before contract.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Medium-risk: basic questionnaire or public security statement review.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record findings and approval decision.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prefer SOC 2 Type 2. Record report type, period covered, criteria in scope, auditor opinion, exceptions, relevant subservice organizations, and whether carve-out or inclusive.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Obtain a bridge (gap) letter when the SOC 2 period does not cover the present date. Note that a bridge letter is a management assertion, not auditor-attested.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Extract the vendor’s Complementary User Entity Controls (CUECs). Map each CUEC to your internal controls and keep evidence that you operate them.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "If no SOC 2 is available, collect alternate assurance (for example ISO 27001 certificate with SoA, pen test summary, security questionnaire) and record a risk-based acceptance with compensating controls and a timeline to obtain SOC 2. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}} ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Confirm the vendor can support {{COMPANY}}'s obligations: access-request fulfilment within 30 days, breach notification, and compliance with the 10 Fair Information Principles.{{/if}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Add a HIPAA checklist for Critical and High vendors that handle PHI:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Evidence of a HIPAA Security Rule risk analysis and risk management plan.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Administrative safeguards: workforce training, sanction policy, access authorization, termination, contingency planning and backups, periodic evaluations.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Physical safeguards: facility access controls, device and media controls, secure disposal.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Technical safeguards: unique IDs, access controls, audit controls, integrity controls, transmission security, authentication.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Logging: the vendor must maintain and retain system activity logs for ePHI and provide extracts on request.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Data minimization: confirm “minimum necessary” access design and role-based access . ", "type": "text"}]}]}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For Critical and High vendors that process personal data:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify GDPR-compliant DPA is signed before processing begins.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Confirm vendor provides appropriate technical and organizational measures (TOMs).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assess cross-border data transfers and ensure valid transfer mechanism (e.g., SCCs, adequacy decision).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record evidence of review and approval.", "type": "text"}]}]}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Contractual Safeguards", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include confidentiality, breach-notification, right-to-audit, and data-return clauses.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For personal-data processors, execute a data-processing agreement.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require vendors in Critical or High tiers to provide a current SOC 2 Type 2 report annually and a bridge letter for any period not covered.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include obligations to notify you of material control changes, new subprocessors, or security incidents, and to cooperate with your incident investigations. Tie this to your service commitments and system requirements.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Preserve right-to-audit or, at minimum, right to obtain independent assurance (SOC report or equivalent) and remediation evidence for noted exceptions. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}} ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Require contractual commitments to: limit processing to documented purposes, return or securely destroy personal information on termination, notify {{COMPANY}} of any privacy breach without undue delay, and submit to {{COMPANY}}'s direction on access requests.{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The BAA must at minimum require the BA to:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use and disclose PHI only as permitted by the BAA and HIPAA; apply minimum necessary.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Implement the HIPAA Security Rule safeguards and ensure subcontractors sign equivalent BAAs.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Report any security incident or breach without unreasonable delay and set an internal time box (for example, within 5 calendar days) with content requirements for the notice.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Make PHI available to support individual rights: access within 30 days, amendment, and accounting of disclosures within 60 days; incorporate amendments as directed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Make internal practices, books, and records relating to PHI available to HHS upon request.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Return or destroy PHI at termination and stop all uses; if infeasible, extend protections and limit uses.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Permit termination for material breach of the BAA.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prohibit sale of PHI and marketing uses without proper authorization, and prohibit re-identification of de-identified data unless expressly permitted. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The DPA must at minimum require the processor to:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Process personal data only on documented instructions from {{COMPANY}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Implement appropriate technical and organizational measures (TOMs).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure confidentiality and train personnel.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Obtain prior written authorization for subprocessors and flow down equivalent obligations.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assist {{COMPANY}} in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction, objection).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assist with security, breach notification, and DPIAs.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Return or securely delete personal data at contract termination.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Make available all information necessary to demonstrate compliance and allow audits.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Notify {{COMPANY}} without undue delay of any personal data breach.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Ongoing Monitoring", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review Critical/High-risk vendors’ attestations or questionnaires annually.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track security-breach news; initiate assessment if incident reported.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Cadence: Critical reviewed at least semiannually; High at least annually. Re-review after any material change, incident, ownership or hosting change, scope change to Restricted data, or SLA breach.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track remediation of exceptions noted in the vendor’s SOC 2 and verify you operate their CUECs each period.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "When using the carve-out method, monitor the vendor’s subservice organizations where they could affect your commitments. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Re-confirm annually that processors continue to provide comparable privacy protection; track any changes to data location or sub-processor lists.{{/if}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require BA to notify you without unreasonable delay (internal target within 5 days) and include the incident description, PHI types, number of affected individuals, timeframes, mitigation, and corrective actions. You will handle regulatory filings and individual notices per HIPAA timelines.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review BAAs annually and after material changes.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Re-obtain evidence of HIPAA risk analysis updates, contingency plan tests, and access review results.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Monitor vendor breach disclosures and OCR settlements affecting the vendor. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review DPAs for all processors at least annually. Maintain a review log with:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Vendor name", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Date DPA signed", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Date of last review", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Next review due", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Monitor vendor breach disclosures, regulatory actions, and changes in subprocessors or transfer mechanisms. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Off-boarding & Data Return", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "On contract end, ensure vendor deletes or returns data; obtain written confirmation.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remove integrations and access tokens within 48 h.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require certificate of destruction or written deletion confirmation and link it to the off-boarding ticket. Verify all accounts, API keys, and OAuth tokens are revoked, and keep timestamps as evidence. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}On termination, obtain certified return or secure destruction of personal information held by the vendor, and update the Personal Information Register.{{/if}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require certificate of destruction for all media containing PHI or confirm secure return. Capture timelines and format. Retrieve or request final audit logs that may be needed for accounting of disclosures.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Confirm termination of all BA subcontractors that handled your PHI. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require certificate of destruction or confirmation of secure deletion of all personal data, unless retention is required by law. Capture timelines and format. Confirm termination of all subprocessors handling {{COMPANY}}’s personal data. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 1, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100 % High-risk vendors have up-to-date due-diligence evidence; inventory reconciled quarterly.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of Critical and High vendors have a current SOC 2 Type 2 review or approved alternate assurance with a time-bound plan, plus bridge letters covering any gaps.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of CUECs from Critical and High vendors are mapped and evidenced as operated.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of subservice organizations show method recorded (carve-out or inclusive) and monitoring documented.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Evidence is retained for at least the full SOC 2 Type 2 period and 12 months beyond. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA and Subcontractor BA vendors have an executed BAA before PHI exchange.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA vendors have a current HIPAA risk analysis and risk management plan on file.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA vendors provide breach reporting within the internal time box.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA vendors documented with PHI data map and minimum-necessary justification. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of vendors processing personal data have a signed GDPR-compliant DPA on file.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of DPAs are reviewed at least annually and logged with next review date.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of cross-border transfers have a documented lawful transfer mechanism.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of vendors provide breach reporting without undue delay. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Urgent onboarding without full diligence allowed only with executive sign-off and action plan.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Allow emergency onboarding only with Security approval, a short-term risk acceptance, compensating controls, and a plan to obtain SOC 2 or equivalent assurance within a defined time box. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Missing evidence or expired contracts flagged to procurement and Security for immediate action.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Streamline questionnaire, add automation, and refine tiering criteria annually.", "type": "text"}]}]}, + "createdAt": "2025-06-27 07:19:59.742", + "updatedAt": "2026-04-30 23:21:44.840" + }, { "id": "frk_pt_685e42c38c3267d391674ce3", "name": "Change & Release Management", @@ -89,16 +89,6 @@ "createdAt": "2025-06-27 07:05:38.952", "updatedAt": "2025-08-19 18:26:37.094" }, - { - "id": "frk_pt_685e405054f7c35d89ccccf2", - "name": "Policy Management & Exception Handling", - "description": "Inventories every policy, enforces version control and annual reviews, and documents, time-boxes, and sunsets any approved exceptions.", - "frequency": "yearly", - "department": "admin", - "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure all governance, security, and privacy policies are current, traceable, and that any deviations are formally approved, time-boxed, and documented for {{COMPANY}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All organizational policies and standards, all personnel, and all systems governed by those documents. Applies to the {{LOCATION}} workforce and systems hosted in {{CRITICAL}}; store records in {{GEO}} where residency applies.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain policy ownership, version history, review notes, and exception records for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain Security Rule policies and any related exceptions for 6 years; ensure exceptions do not weaken safeguards for ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Inventory & Ownership", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a master list of active policies, each with a named owner.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store the inventory in a shared repository accessible to all personnel, hosted in {{CRITICAL}} and retained per {{GEO}} requirements.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Include effective date and next review date in the inventory; map each policy to relevant controls where applicable.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Identify HIPAA-relevant policies in the inventory and link to BAAs or procedures that reference them.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Version Control & Distribution", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Keep policies under version control with commit history in {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include a version number and last-review date in each document.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Notify personnel of major updates within five business days.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Preserve prior versions and change logs for auditor sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain historical versions and acknowledgements for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scheduled Review Cycle", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Owners review their policies at least once every 12 months and record “Reviewed – no change” or revisions in the change log.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Time reviews to precede planned audits.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record reviewer and date; align timing with audit windows.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Confirm HIPAA-related policies reflect current safeguards and regulatory updates.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exception Request Process", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any employee may request an exception by submitting: scope, justification, risk, compensating controls, and proposed expiry.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The policy owner and senior management jointly approve or reject within ten business days; assess residual risk to {{DATA}} and impacts to systems in {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Link exceptions to the Risk Register and relevant controls; ensure expiries are time-boxed.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Assess impact on ePHI; exceptions must not bypass minimum necessary, access controls, or transmission security.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exception Register & Sunset", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record all approved exceptions in an Exception Register with owner and expiry date; host in {{CRITICAL}} and retain per {{GEO}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review the register monthly; close or renew any item reaching expiry.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track renewals and closures; keep evidence of monthly reviews.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Document HIPAA-related exceptions and closures; retain for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Inventory exists; ≥ 90% of policies show review within 12 months; no exceptions past expiry. For teams over {{EMPLOYEES}} employees, expand monthly sampling of exceptions.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Handled via the “Exception Request Process” and logged in the Exception Register, including residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Missing reviews or unmanaged exceptions are escalated to senior management and corrected within 30 days.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Incorporate audit findings and user feedback at the next scheduled review; update inventory fields or workflows when {{CRITICAL}} or {{GEO}} obligations change.", "type": "text"}]}], - "createdAt": "2025-06-27 06:55:11.688", - "updatedAt": "2025-08-19 18:26:51.406" - }, { "id": "frk_pt_685e4319a5bb1d2d411975e6", "name": "Secure Software Development Lifecycle ", @@ -110,24 +100,14 @@ "updatedAt": "2025-08-19 18:27:08.892" }, { - "id": "frk_pt_685e45f736049f188c3439b4", - "name": "Sanctions & Disciplinary", - "description": "Applies a progressive, documented disciplinary framework for security or privacy violations, ensuring fair process and consistent sanctions.", - "frequency": "yearly", - "department": "hr", - "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Outline fair, consistent consequences for security or privacy violations at {{COMPANY}} while safeguarding access to {{CRITICAL}} and {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All workforce members, regardless of role or contract type. Applies to the {{LOCATION}} workforce, including personnel using {{DEVICES}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain a documented sanctions process, apply it consistently, and retain records for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain and enforce a sanctions policy for workforce members who fail to comply with security or privacy policies; retain related documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Disciplinary Framework", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Apply progressive discipline: coaching → written warning → suspension → termination, unless severity dictates immediate action.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Align severity with impact. Data breach, harassment, or unlawful acts may bypass lower steps.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Consider intent, prior history, and potential risk to customers or the organisation.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Demonstrate consistent application across similar cases; link outcomes to policy and code of conduct.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Reference the HIPAA sanctions policy for violations involving ePHI or Privacy Rule requirements.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Investigation & Due Process", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "HR and Security jointly investigate alleged violations; gather logs, interviews, and evidence (including access/log records from {{CRITICAL}} and managed {{DEVICES}}).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Preserve evidence integrity and confidentiality; limit access to need-to-know.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Offer the accused an opportunity to provide explanation before decision.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record investigation steps, decision rationale, and approvals for auditor sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Engage Privacy and Security Officers when ePHI or HIPAA rights may be affected; avoid retaliation against good-faith reporters.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Sanction Levels", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Minor: verbal coaching and retraining.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Moderate: written warning plus remedial actions.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Major: suspension, revocation of access to {{CRITICAL}}, removal of privileges to handle {{DATA}}, potential termination and legal referral.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Map remedial actions to control improvements or additional training.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Apply role-appropriate retraining where HIPAA requirements were breached.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Documentation & Appeals", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "File investigation report and final action in the personnel record; restrict access and store in {{GEO}} where residency applies.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide an appeal channel to senior leadership within five business days of sanction notice.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain final decision, appeal outcome, and corrective actions with dates.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain sanction documentation and related HIPAA records for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "HR Integration & Awareness", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "HR maintains a sanctions log for trend analysis.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Incorporate a concise sanctions policy summary in annual awareness training, with examples relevant to {{INDUSTRY}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Review trends quarterly and feed lessons into training and process updates.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Highlight examples tied to ePHI mishandling and required safeguards.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly review of the sanctions log confirms consistency and closure of corrective actions. For teams over {{EMPLOYEES}} employees, expand sampling and include checks that access to {{CRITICAL}}/{{DATA}} was revoked when required.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Executive leadership may vary sanctions only with documented rationale, including residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Failure to follow this process prompts an HR-led review and policy refresher; corrective actions are assigned and tracked to closure.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Adjust the framework based on case analytics, audit findings, and legal or regulatory changes, including {{INDUSTRY}} developments and obligations affecting {{GEO}}.", "type": "text"}]}], - "createdAt": "2025-06-27 07:19:19.425", - "updatedAt": "2025-08-19 18:27:27.779" - }, - { - "id": "frk_pt_685e410082a807a0274b4531", - "name": "Privacy & Data-Subject Rights", - "description": "Ensures personal data is processed on a lawful basis, keeps users informed, and fulfils data-subject requests within required timelines.", + "id": "frk_pt_685e46557bc14fbddea6468a", + "name": "Information Sharing & Transfer", + "description": "Restricts data transfers to approved encrypted channels, enforces NDAs and minimisation, records international safeguards, and audits transfer logs.", "frequency": "yearly", - "department": "gov", - "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure personal data ({{DATA}}) is processed lawfully and transparently at {{COMPANY}}, and that individuals can exercise their privacy rights across services running in {{CRITICAL}} and jurisdictions in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All personal data relating to customers, end-users, employees, contractors, or any identifiable individuals. Applies to the {{LOCATION}} workforce, systems hosted in {{CRITICAL}}, and managed {{DEVICES}} that process {{DATA}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Align practices with Security and Confidentiality criteria; retain artefacts (records of processing, notices, DSR logs) for the full Type 2 period plus 12 months; treat relevant vendors as subservice organisations where appropriate.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where ePHI is involved, apply the HIPAA Privacy Rule (uses/disclosures, minimum necessary, Notice of Privacy Practices) and individual rights (access, amendment, accounting, restrictions, confidential communications). Retain required HIPAA documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Lawful Basis & Data Minimisation", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Identify and record a lawful basis (for example contract, consent, legitimate interest) for each processing activity.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Collect only data necessary for the stated purpose; review forms and APIs annually to remove unused fields, reflecting {{INDUSTRY}} practices and any {{GEO}} limits.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure lawful-basis records link to data classification, retention period, and controls.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Apply minimum necessary; for uses/disclosures beyond TPO, obtain written authorisation or rely on another permitted basis; validate BAA coverage for Business Associates.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Transparency & Privacy Notice", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain an up-to-date public Privacy Notice describing categories of {{DATA}}, purposes, sharing, retention, rights, and international transfers (including outside {{GEO}}).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update the notice within 30 days of any significant change in processing.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Keep dated copies of prior notices and evidence of publication.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where applicable, maintain and furnish a Notice of Privacy Practices and update it upon material changes.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Data-Subject Request (DSR) Workflow", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide a visible channel (for example a privacy email or web form) for access, correction, deletion, or portability requests.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify requester identity and respond within applicable legal timelines in {{GEO}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log each request, decision, and completion date in a DSR log; restrict access.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Protect the DSR log, restrict access, and retain for auditor sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Process HIPAA individual-rights requests (access, amendment, accounting, restrictions, confidential communications) within HIPAA timelines; document decisions.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Consent & Preference Management", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Obtain explicit consent where required; store timestamp and method.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Offer easy withdrawal via self-service or support request; propagate changes across systems in {{CRITICAL}} within five business days.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Propagate preference changes across integrated systems; retain consent and revocation records.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track and honour authorisations and revocations for uses/disclosures requiring authorisation; record agreed restrictions and confidential communication requests.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Record Keeping & Audit Trail", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a processing-activity record covering data categories, purposes, lawful bases, recipients, transfers, and safeguards (including residency in {{GEO}}).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain DSR logs and consent records for at least three years (or longer where required).", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Preserve change history for the processing record and DSR log.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain an accounting of disclosures (where required) and retain HIPAA-related records for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly review confirms the processing record is current, the Privacy Notice is updated as needed, and DSRs are closed on time. For teams over {{EMPLOYEES}} employees, expand sampling and include random checks of transfers in/out of {{GEO}} and processing in {{CRITICAL}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any deviation (for example extended DSR deadline) is documented with justification and regulatory allowance, including any residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Missed deadlines or undocumented processing triggers incident response and notification to leadership; corrective action required.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Integrate feedback from users, audits, {{INDUSTRY}} updates, and regulatory changes affecting {{GEO}} into processes and the Privacy Notice.", "type": "text"}]}], - "createdAt": "2025-06-27 06:58:08.164", - "updatedAt": "2025-08-19 18:27:41.229" + "department": "it", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": "​", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure data moves securely between systems, parties, and jurisdictions, preserving confidentiality and integrity.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": "​", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All electronic and physical transfers of organisational or customer information.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Cover the use and disclosure of personal information to third parties; ensure each disclosure is consistent with the purpose for which the information was collected, or is supported by fresh consent or a Section 7 PIPEDA exception.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Approved Transfer Methods", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use TLS-protected channels (HTTPS, SFTP, VPN) or end-to-end encrypted messaging.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Encrypt physical media; use tracked courier services.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Encrypt personal information in transit and document each disclosure (recipient, purpose, basis) in the Personal Information Register.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "External Sharing & NDAs", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Confirm recipient identity and need-to-know.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Execute NDA or contract before sharing Confidential or Restricted data.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Share via least-privilege, time-bound links; disable after purpose met.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}For disclosures to processors, require written processing agreements that maintain comparable privacy protection per Principle 1 (Accountability).{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Data Minimisation & Redaction", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Share only necessary data fields; mask or anonymise where feasible.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remove test or debug data from production extracts.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Disclose only the personal information necessary for the recipient's documented purpose; redact or aggregate where the recipient does not need identifiable data.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "International Transfers & Safeguards", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For personal data leaving its origin region, apply recognised safeguards (e.g., Standard Contractual Clauses).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain record of transfer bases in privacy processing log.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Document any transfer of personal information outside Canada in the privacy notice and the Personal Information Register, including the country of destination and the safeguards applied; remain accountable under PIPEDA regardless of where processing occurs.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Logging & Audit Trail", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log outbound transfers of Restricted data: date, sender, recipient, content summary, method.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain logs for at least one year.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Retain disclosure records for at least 24 months to support access requests under PIPEDA Section 8 (the right to know to whom personal information has been disclosed).{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": "​", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly sample of transfer logs shows 100 % encrypted channels and valid agreements.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "One-off unencrypted transfer allowed only for low-sensitivity data with management approval.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Unauthorised or insecure transfers raise incident response; notify affected parties if required.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": "​", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Add automated redaction and secure-send tools; update safeguards with legal changes.", "type": "text"}]}]}, + "createdAt": "2025-06-27 07:20:53.290", + "updatedAt": "2026-04-30 23:24:29.015" }, { "id": "frk_pt_685e4010bde64520b9abaf1d", @@ -140,74 +120,64 @@ "updatedAt": "2025-09-01 18:25:55.923" }, { - "id": "frk_pt_685e462046667f75a50a2c3e", - "name": "Vendor & Third-Party Risk", - "description": "Inventories vendors, tiers them by data impact, conducts due diligence, embeds security clauses in contracts, and monitors attestations and incidents.", + "id": "frk_pt_685e453cad89de25e5aebf4a", + "name": "Acceptable Use & Workstation Security", + "description": "Sets responsible use rules, enforces endpoint encryption, patching, auto-lock, and restricts personal storage of company data.", "frequency": "yearly", "department": "it", - "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Manage risks from suppliers that access {{COMPANY}} data or impact operations.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All SaaS, cloud, consulting, and data-processing vendors.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "State that the policy aligns to SOC 2 Trust Services Criteria, at minimum Security (Common Criteria). Name any optional criteria in scope (Availability, Confidentiality, Processing Integrity, Privacy).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Clarify that the policy covers vendors and any vendors that act as “subservice organizations” to your system as defined in SOC 2. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "State that the policy applies to all vendors that create, receive, maintain, or transmit PHI, including subcontractors of Business Associates. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "State that the policy applies to all vendors (processors) that process personal data of EU/EEA data subjects on behalf of {{COMPANY}}, including subprocessors and the designated EU Representative (if applicable). ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if nen7510}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Third parties that process or host {{DATA}} for {{COMPANY}} must demonstrate equivalent security controls, preferably NEN 7510 or ISO 27001 certification. Establish data processing agreements and periodically review supplier compliance.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Vendor Inventory & Tiering", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain central list of active vendors with owner and contact.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Tier vendors by risk", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Critical = Business cannot run without it", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "High = handles customer or Restricted data", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Medium = internal tools", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Low = no data access", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Flag which vendors are subservice organizations in your SOC 2 report and record whether you use the carve-out or inclusive method for each.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Link each vendor entry to the service commitments and system requirements they support in your SOC 2 system description). ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Classify each vendor’s HIPAA role: Business Associate, Subcontractor BA, or neither.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track whether PHI is stored, processed, or transmitted, where it resides, and whether data are de-identified or a limited data set. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a list of all vendors that process personal data, including:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Vendor name", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Type of personal data processed", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Lawful basis for processing", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Whether vendor acts as processor, subprocessor, or EU Representative", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Location of processing (EU/EEA or third country with transfer mechanism)", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track Data Processing Agreements (DPAs) with:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Date signed", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Date of last review", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Next review due", "type": "text"}]}]}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Security Due Diligence", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Critical/High-risk: obtain SOC 2/ISO 27001 report or complete security questionnaire before contract.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Medium-risk: basic questionnaire or public security statement review.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record findings and approval decision.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prefer SOC 2 Type 2. Record report type, period covered, criteria in scope, auditor opinion, exceptions, relevant subservice organizations, and whether carve-out or inclusive.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Obtain a bridge (gap) letter when the SOC 2 period does not cover the present date. Note that a bridge letter is a management assertion, not auditor-attested.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Extract the vendor’s Complementary User Entity Controls (CUECs). Map each CUEC to your internal controls and keep evidence that you operate them.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "If no SOC 2 is available, collect alternate assurance (for example ISO 27001 certificate with SoA, pen test summary, security questionnaire) and record a risk-based acceptance with compensating controls and a timeline to obtain SOC 2. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}} ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Add a HIPAA checklist for Critical and High vendors that handle PHI:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Evidence of a HIPAA Security Rule risk analysis and risk management plan.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Administrative safeguards: workforce training, sanction policy, access authorization, termination, contingency planning and backups, periodic evaluations.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Physical safeguards: facility access controls, device and media controls, secure disposal.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Technical safeguards: unique IDs, access controls, audit controls, integrity controls, transmission security, authentication.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Logging: the vendor must maintain and retain system activity logs for ePHI and provide extracts on request.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Data minimization: confirm “minimum necessary” access design and role-based access . ", "type": "text"}]}]}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For Critical and High vendors that process personal data:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify GDPR-compliant DPA is signed before processing begins.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Confirm vendor provides appropriate technical and organizational measures (TOMs).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assess cross-border data transfers and ensure valid transfer mechanism (e.g., SCCs, adequacy decision).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record evidence of review and approval.", "type": "text"}]}]}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Contractual Safeguards", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include confidentiality, breach-notification, right-to-audit, and data-return clauses.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For personal-data processors, execute a data-processing agreement.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require vendors in Critical or High tiers to provide a current SOC 2 Type 2 report annually and a bridge letter for any period not covered.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include obligations to notify you of material control changes, new subprocessors, or security incidents, and to cooperate with your incident investigations. Tie this to your service commitments and system requirements.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Preserve right-to-audit or, at minimum, right to obtain independent assurance (SOC report or equivalent) and remediation evidence for noted exceptions. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}} ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The BAA must at minimum require the BA to:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use and disclose PHI only as permitted by the BAA and HIPAA; apply minimum necessary.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Implement the HIPAA Security Rule safeguards and ensure subcontractors sign equivalent BAAs.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Report any security incident or breach without unreasonable delay and set an internal time box (for example, within 5 calendar days) with content requirements for the notice.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Make PHI available to support individual rights: access within 30 days, amendment, and accounting of disclosures within 60 days; incorporate amendments as directed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Make internal practices, books, and records relating to PHI available to HHS upon request.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Return or destroy PHI at termination and stop all uses; if infeasible, extend protections and limit uses.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Permit termination for material breach of the BAA.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prohibit sale of PHI and marketing uses without proper authorization, and prohibit re-identification of de-identified data unless expressly permitted. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The DPA must at minimum require the processor to:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Process personal data only on documented instructions from {{COMPANY}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Implement appropriate technical and organizational measures (TOMs).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure confidentiality and train personnel.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Obtain prior written authorization for subprocessors and flow down equivalent obligations.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assist {{COMPANY}} in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction, objection).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assist with security, breach notification, and DPIAs.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Return or securely delete personal data at contract termination.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Make available all information necessary to demonstrate compliance and allow audits.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Notify {{COMPANY}} without undue delay of any personal data breach.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Ongoing Monitoring", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review Critical/High-risk vendors’ attestations or questionnaires annually.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track security-breach news; initiate assessment if incident reported.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Cadence: Critical reviewed at least semiannually; High at least annually. Re-review after any material change, incident, ownership or hosting change, scope change to Restricted data, or SLA breach.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track remediation of exceptions noted in the vendor’s SOC 2 and verify you operate their CUECs each period.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "When using the carve-out method, monitor the vendor’s subservice organizations where they could affect your commitments. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require BA to notify you without unreasonable delay (internal target within 5 days) and include the incident description, PHI types, number of affected individuals, timeframes, mitigation, and corrective actions. You will handle regulatory filings and individual notices per HIPAA timelines.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review BAAs annually and after material changes.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Re-obtain evidence of HIPAA risk analysis updates, contingency plan tests, and access review results.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Monitor vendor breach disclosures and OCR settlements affecting the vendor. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review DPAs for all processors at least annually. Maintain a review log with:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Vendor name", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Date DPA signed", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Date of last review", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Next review due", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Monitor vendor breach disclosures, regulatory actions, and changes in subprocessors or transfer mechanisms. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Off-boarding & Data Return", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "On contract end, ensure vendor deletes or returns data; obtain written confirmation.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remove integrations and access tokens within 48 h.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require certificate of destruction or written deletion confirmation and link it to the off-boarding ticket. Verify all accounts, API keys, and OAuth tokens are revoked, and keep timestamps as evidence. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require certificate of destruction for all media containing PHI or confirm secure return. Capture timelines and format. Retrieve or request final audit logs that may be needed for accounting of disclosures.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Confirm termination of all BA subcontractors that handled your PHI. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require certificate of destruction or confirmation of secure deletion of all personal data, unless retention is required by law. Capture timelines and format. Confirm termination of all subprocessors handling {{COMPANY}}’s personal data. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 1, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100 % High-risk vendors have up-to-date due-diligence evidence; inventory reconciled quarterly.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of Critical and High vendors have a current SOC 2 Type 2 review or approved alternate assurance with a time-bound plan, plus bridge letters covering any gaps.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of CUECs from Critical and High vendors are mapped and evidenced as operated.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of subservice organizations show method recorded (carve-out or inclusive) and monitoring documented.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Evidence is retained for at least the full SOC 2 Type 2 period and 12 months beyond. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA and Subcontractor BA vendors have an executed BAA before PHI exchange.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA vendors have a current HIPAA risk analysis and risk management plan on file.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA vendors provide breach reporting within the internal time box.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA vendors documented with PHI data map and minimum-necessary justification. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of vendors processing personal data have a signed GDPR-compliant DPA on file.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of DPAs are reviewed at least annually and logged with next review date.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of cross-border transfers have a documented lawful transfer mechanism.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of vendors provide breach reporting without undue delay. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Urgent onboarding without full diligence allowed only with executive sign-off and action plan.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Allow emergency onboarding only with Security approval, a short-term risk acceptance, compensating controls, and a plan to obtain SOC 2 or equivalent assurance within a defined time box. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Missing evidence or expired contracts flagged to procurement and Security for immediate action.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Streamline questionnaire, add automation, and refine tiering criteria annually.", "type": "text"}]}], - "createdAt": "2025-06-27 07:19:59.742", - "updatedAt": "2025-10-05 01:57:26.869" - }, - { - "id": "frk_pt_685e3f7b4ebcb27b60c51434", - "name": "Information Security & Privacy Governance", - "description": "Assigns clear ownership and management accountability for security and privacy, keeps policies current, and measures compliance through regular reviews.", - "frequency": "yearly", - "department": "admin", - "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define clear ownership for security and privacy at {{COMPANY}} and ensure decisions are documented.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if nen7510}}", "type": "text"}, {"type": "hardBreak"}, {"text": "This policy also establishes the framework for. information security in accordance with ", "type": "text"}, {"text": "NEN 7510 - Information Security in Healthcare", "type": "text", "marks": [{"type": "bold"}]}, {"text": ", ensuring the confidentiality, integrity, and availability (CIA) of health and personal information processed by {{COMPANY}}", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All personnel, contractors, information systems, SaaS/IaaS services hosted in {{CRITICAL}}, and company-managed {{DEVICES}}. Applies to the {{LOCATION}} workforce.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain governance to identify applicable requirements, assign ownership, and retain artifacts for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where ePHI is involved, document responsibilities under the Security Rule and retain related documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if nen7510}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where health or patient information (personal data within the meaning of the GDPR/AVG) is processed, document responsibilities, ensure secure handling, and maintain records of processing in accordance with Dutch healthcare regulations.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Security Governance Roles", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Designate a Security & Privacy Owner (SPO) and a documented backup. Ensure coverage across {{LOCATION}} time zones.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record names in the Comp AI platform.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Re-confirm role assignments at least annually and after role changes.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Document the SPO’s scope, authority, and reporting line; keep a dated record of annual role reconfirmation.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Name a Security Official responsible for developing and implementing policies (164.308(a)(2)).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if nen7510}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Assign accountability for implementing and maintaining NEN 7510 controls, including risk management, access security, training, and compliance with Dutch legal obligations.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Management Accountability", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "SPO presents a concise security status during scheduled management reviews.", "type": "text"}, {"type": "hardBreak"}, {"text": "For teams over {{EMPLOYEES}} employees, hold reviews at least quarterly.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Senior management signs an annual statement acknowledging ultimate responsibility for security and privacy.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Allocate at least one measurable security improvement task per sprint or work cycle, prioritized to protect {{DATA}} in {{CRITICAL}} and stored in {{GEO}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record management reviews, decisions, and assigned actions with due dates in Comp AI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure management oversight of Security Rule activities and document sanctions, if applied, per policy.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if nen7510}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Conduct annual management reviews that address the outcomes of risk assessments, incidents, and improvement actions required by NEN 7510. Risk registers, relevant metrics, and mitigation decisions must be recorded and tracked to completion.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Management", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store all policies in Comp AI; the SPO verifies access and link integrity annually. Note storage and retention locations in {{GEO}} where applicable.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain version control with change logs.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Merge or retire overlapping policies to keep each document brief.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track effective dates and owners; preserve prior versions for audit sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain policy documents and revisions for 6 years (164.316(b)(2)(i)).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if nen7510}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure all NEN 7519-relevant documents (policies, risk assessments, incident records, and management reviews) are retained for the defined retention period and remain traceable for internal and external audits.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Security Awareness", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "New personnel read this policy set and electronically acknowledge before receiving system access to {{CRITICAL}} from {{DEVICES}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Distribute security awareness training annually, tailored to {{INDUSTRY}} risks and the handling of {{DATA}}; record completion for the {{LOCATION}} workforce.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track completion status and follow up on overdue training within defined timelines.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Provide Security Rule awareness and periodic updates for workforce with ePHI access (164.308(a)(5)).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if nen7510}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Deliver role-based awareness and training covering information security in healthcare, including protection of patient data, secure system use, and staff responsibilities under NEN 7510. Reassess training needs annually and after significant changes in technology or regulation.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Annual check that policies exist, the SPO and backup are documented, annual sign-off is filed, and the awareness log is current for the {{EMPLOYEES}} workforce.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if nen7510}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain compliance with the ", "type": "text"}, {"text": "General Data Protection Regulation (GDPR/AVG)", "type": "text", "marks": [{"type": "bold"}]}, {"text": ", the ", "type": "text"}, {"text": "Dutch Medical Treatment Contracts Act (WGBO)", "type": "text", "marks": [{"type": "bold"}]}, {"text": ", and the ", "type": "text"}, {"text": "NEN 7510 suite", "type": "text", "marks": [{"type": "bold"}]}, {"text": ", including ", "type": "text"}, {"text": "NEN7512", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (secure data transmission) and ", "type": "text"}, {"text": "NEN 7513", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (logging and audit trail requirements).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document deviations in a “Security-Decisions” log with reason and expiry, including any residual risk to {{DATA}} and compensating controls in {{CRITICAL}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Missing logs or overdue actions are corrected within two weeks or escalated at the next management review.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Audit and incident lessons feed into the next scheduled policy refresh. Update roles and training focus when {{GEO}} or {{INDUSTRY}} obligations change.", "type": "text"}]}], - "createdAt": "2025-06-27 06:51:38.574", - "updatedAt": "2025-10-05 01:48:08.435" + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": "​", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define responsible use of company systems and secure configuration of endpoints.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": "​", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All users and devices accessing company networks or data.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Cover the handling of personal information on workstations and removable media; require staff to follow {{COMPANY}}'s privacy policies when accessing or processing personal information.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Acceptable Use Rules", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use company assets for authorized business activities; limited personal use allowed if it doesn’t create risk.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prohibit illegal, harassing, or copyright-infringing activities.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Prohibit collection, use, or disclosure of personal information for purposes not documented in the Personal Information Register; report any incident involving personal information to the Privacy Officer.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Workstation Configuration & Updates", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enable full-disk encryption, host firewall, and automatic OS patches.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Auto-lock after 10 minutes idle and require password/PIN to resume.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Encrypt all workstations that may hold personal information; auto-lock after a brief period of inactivity.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Internet, Email & Messaging", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Users must not forward company data to personal email.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use approved messaging tools for business discussions.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Encrypt outbound communications containing personal information; verify the recipient before sending sensitive personal information.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Removable Media & Printing", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Collect printed sensitive docs immediately; shred when done.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Restrict storage of personal information on removable media; require encryption and secure destruction. Retrieve printed personal information promptly to avoid unauthorized disclosure.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Personal Devices & Local Storage", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "BYOD must meet endpoint-security requirements (PIN, encryption, patching) and register with IT.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store company data only in approved, encrypted containers or apps.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Prohibit local storage of personal information on personal devices unless approved and managed under the BYOD policy; require remote-wipe capability.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": "​", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly workstation audit checks encryption, lock settings, and patch status.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": "​", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Temporary deviation (e.g., lab testing) requires documented approval and time limit.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Policy breaches result in access suspension until remediation; severe cases escalate to HR.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": "​", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update rules with new collaboration tools and emerging endpoint threats.", "type": "text"}]}]}, + "createdAt": "2025-06-27 07:16:12.366", + "updatedAt": "2026-05-01 00:00:07.272" }, { - "id": "frk_pt_685e458a49e1eff0af54e3d2", - "name": "Security & Privacy Awareness Training", - "description": "Delivers onboarding and annual refresher training, role-based modules, simulated phishing, and tracks completion metrics.", + "id": "frk_pt_685e45c938ad29ad775a2344", + "name": "Background Screening & On/Off-boarding", + "description": "Screens new hires, provisions least-privilege access, disables accounts and recovers assets at exit, and archives records securely.", "frequency": "yearly", - "department": "it", - "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Equip personnel at {{COMPANY}} to recognize and respond to security and privacy risks, with emphasis on protecting {{DATA}} accessed via {{CRITICAL}} and handled on {{DEVICES}} across {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All employees, contractors, interns, and third-party staff with system access. Applies to the {{LOCATION}} workforce.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain training governance and artifacts to support auditor sampling for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Provide Security Rule awareness and periodic updates for workforce with ePHI access; retain related documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pci}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Provide Security training for New Hires and at least once every 12 months.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Training Curriculum", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Core topics: data classification, phishing, password/MFA, incident reporting, privacy basics related to {{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include scenarios relevant to {{INDUSTRY}} and usage of {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Include content aligned to in-scope Trust Services Criteria.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Cover minimum necessary, ePHI handling, and reporting obligations.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pci}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Training includes awareness of ", "type": "text"}, {"text": "threats and vulnerabilities that may impact the security of cardholder data (CHD) and sensitive authentication data (SAD)", "type": "text", "marks": [{"type": "bold"}]}, {"text": ". This includes, but is not limited to: phishing, spear-phishing, business email compromise, social engineering (phone, chat, in-person pretexting), malware delivery vectors, and insider threats.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Onboarding Training", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Complete baseline training within the first week of access.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Sign electronic acknowledgement; system access to {{CRITICAL}} or {{DATA}} is suspended until completed.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record completion date and acknowledgement in HR/LMS.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure workforce with ePHI access completes Security Rule training before ePHI access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pci}}", "type": "text"}, {"type": "hardBreak"}, {"text": "The awareness training program will be ", "type": "text"}, {"text": "reviewed at least annually", "type": "text", "marks": [{"type": "bold"}]}, {"text": " and updated as needed to address emerging threats, vulnerabilities, or changes in PCI DSS or {{INDUSTRY}} regulations. Updates will be logged, version-controlled, and communicated to employees using multiple channels (e.g., LMS, email, intranet).", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Ongoing & Role-Based Training", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide refresher micro-modules or lunch-and-learns at least annually.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Deliver specialised modules for engineers (secure coding), support (PII/{{DATA}} handling), and other roles as needed in {{LOCATION}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track overdue items and follow up within defined timelines.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Provide periodic updates relevant to systems processing ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pci}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Security reminders and education will be delivered via multiple communication methods such as classroom sessions, online training, email bulletins, posters, intranet content, and phishing simulation platforms. All personnel must ", "type": "text"}, {"text": "acknowledge at least once every 12 months", "type": "text", "marks": [{"type": "bold"}]}, {"text": " that they have read and understood {{COMPANY}}’s Information Security Policy and associated procedures. Electronic signatures or LMS acknowledgments are acceptable.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Phishing & Social-Engineering Exercises", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct simulated phishing tests quarterly.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Users who fall for a phish complete remedial training within five business days.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Report aggregate outcomes to management and incorporate lessons into content.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Emphasise verification of identity and secure communication when ePHI may be involved.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Training Records & Metrics", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track completion in an HR or LMS system; retain logs three years and store in {{GEO}} where residency applies.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Report completion rate and phishing-failure rate to management quarterly.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Preserve sampling evidence (rosters, timestamps, content versions).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain HIPAA-related training records for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "≥ 95% training completion before due date; phishing failure rate trending downward. For teams over {{EMPLOYEES}} employees, expand sampling and target coaching for repeat failures.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Short-term deferral allowed for leave of absence; complete training within two weeks of return.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Access restrictions or HR action for repeated failures or missed deadlines.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Revise curriculum based on incident trends, employee feedback, threat landscape changes, {{INDUSTRY}} developments, and {{GEO}} obligations.", "type": "text"}]}], - "createdAt": "2025-06-27 07:17:30.077", - "updatedAt": "2025-09-10 19:43:20.239" + "department": "hr", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify workforce integrity for {{COMPANY}}, grant the right access to {{CRITICAL}} and {{DATA}} at start, and promptly revoke it at end of engagement.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All employees, contractors, interns, and temporary staff. Applies to the {{LOCATION}} workforce, including remote personnel using {{DEVICES}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain records of screenings, provisioning, and deprovisioning to support auditor sampling during the Type 2 period.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where ePHI is involved, implement Workforce Security, Workforce Clearance, and Termination Procedures, and retain Security Rule documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Apply screening, onboarding, and off-boarding controls to staff who will have access to personal information; align role authorization to the purposes documented in the Personal Information Register.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Pre-Employment Background Screening", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct identity verification and right-to-work checks for all hires.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Perform criminal or reference checks proportional to role sensitivity, prioritizing roles with access to {{CRITICAL}} or {{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Complete screening before system access is granted; document outcomes.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record screening scope and completion date in the personnel file.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Apply workforce clearance procedures for roles with ePHI access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Apply screening commensurate with the sensitivity of the personal information the role will access; document the basis for screening decisions.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Onboarding Provisioning", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Manager submits an access request ticket listing required systems and role.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Create individual accounts only; no shared credentials.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide security training and policy acknowledgement within the first week, before granting access to {{CRITICAL}} or {{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Only managed {{DEVICES}} may be used to access {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Grant access based on least privilege and role; record approvals in the ticketing system.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Require Security Rule awareness for any role that accesses ePHI prior to granting such access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Require completion of privacy training (covering the 10 Fair Information Principles) before granting access to personal information.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Off-boarding & Exit Procedures", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "HR or manager notifies IT of termination date at least 24 hours in advance.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disable accounts and remove access to {{CRITICAL}} by close of last working day; revoke remote access on {{DEVICES}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Collect badges and credentials; schedule exit interview to remind departing staff of confidentiality obligations related to {{DATA}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Capture disablement timestamps and confirm removal from all groups and SSO apps.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Apply termination procedures for ePHI access, including revoking authentication credentials and remote access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Revoke access to personal information immediately on termination; recover any personal information held on personal or assigned devices.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Access Reconciliation & Asset Return", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Recover all company-owned {{DEVICES}}; verify data wipe before reuse.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Compare recovered asset list against inventory; investigate discrepancies.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remove access from identity provider groups and cloud services within 24 hours.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Reconcile identity provider groups and tokens; document completion in the off-boarding checklist.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure devices that held ePHI are wiped or sanitized per policy before reassignment.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Confirm sanitization of devices that may hold personal information before reassignment; document the chain of custody.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Record Retention", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store screening results and off-boarding checklists in a secure HR system for seven years or legal minimum; where residency applies, store records in {{GEO}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain provisioning and deprovisioning evidence for at least the audit period plus the organization’s standard buffer.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain HIPAA-related workforce documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Retain provisioning and deprovisioning records for personnel with personal information access for at least 24 months.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Monthly audit confirms 100% of terminated accounts are disabled and all assets are returned. For teams over {{EMPLOYEES}} employees, expand the sample size and include checks of {{CRITICAL}} access removal.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any skipped screening step requires executive approval and a documented risk note in the personnel file, including any residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Missing background checks or lagging account disablement is escalated to HR and Security for remediation within five business days.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review screening vendors, checklist effectiveness, and timing metrics annually, considering {{INDUSTRY}} requirements and any changes to {{GEO}}.", "type": "text"}]}]}, + "createdAt": "2025-06-27 07:18:33.152", + "updatedAt": "2026-04-30 23:21:55.975" }, { - "id": "frk_pt_685e4508d8c0d14ae873e644", - "name": "Physical Security & Environmental", - "description": "Controls facility and server-room access, manages visitors, safeguards against fire, flood, or climate risks, and audits logs and walk-throughs.", + "id": "frk_pt_685e45f736049f188c3439b4", + "name": "Sanctions & Disciplinary", + "description": "Applies a progressive, documented disciplinary framework for security or privacy violations, ensuring fair process and consistent sanctions.", "frequency": "yearly", - "department": "it", - "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Protect {{COMPANY}} personnel, equipment, and information from unauthorized physical access or environmental damage.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{LOCATION}} and any site hosting {{COMPANY}} assets.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Align to SOC 2 Trust Services Criteria in scope for the audit (Security at minimum; add Availability/Confidentiality if applicable). Treat building/data-centre operators as relevant subservice organizations. ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Applies where ePHI is created, received, maintained, or transmitted (including subcontractors of Business Associates). ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Facility Access Control", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All controlled doors use badges or keys; disable badges immediately at termination.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Segregate secure areas (for example, server/network closets) with locked doors; limit keys to authorized staff only.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Keep doors closed; prevent tailgating and prohibit propping doors open.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly review of badge/key lists to reconfirm access need.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain access-control records and document quarterly access reviews during the Type 2 period.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain facility access procedures for areas where ePHI may be present.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Visitor Management", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require sign-in, government-issued ID check, and a visible visitor badge.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Host escorts visitor at all times.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain visitor logs for at least 12 months.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Spot-check visitor logs against host approvals as part of periodic reviews.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Restrict visitor access to any area where ePHI may be visible or discussed.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Environmental Protections", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain HVAC within manufacturer-recommended temperature and humidity; continuous monitoring for server areas.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide smoke detection and automatic fire suppression for server rooms, or use fire-rated cabinets where suppression is unavailable.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide UPS for critical equipment and test at least annually.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Elevate equipment or install leak sensors in flood-prone areas.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain maintenance and test records (for example HVAC/UPS) to support Availability when in scope.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Link facility and environmental events with contingency and emergency-mode operations.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Equipment Protection & Disposal", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Lock server racks; use cable locks for laptops in shared/co-working spaces.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain asset inventory with physical location and owner.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Sanitize or destroy storage media prior to disposal or reuse using NIST SP 800-88 methods; record disposal event and, where applicable, obtain a certificate of destruction.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Satisfies Device and Media Controls: disposal, media reuse, accountability.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Physical Security Monitoring & Review", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review access-control and (where deployed) CCTV logs monthly for anomalies; investigate and record outcomes.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct an annual walk-through to verify door states, signage, camera coverage, alarms, leak sensors, and rack locks.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record incidents such as tailgating or propped-open doors and track corrective actions.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain review artifacts for at least the full Type 2 period plus 12 months.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain Security Rule documentation for 6 years.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Access controls in use at 100% of controlled doors; monthly log reviews completed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of visitors signed in, badged, and escorted; logs retained 12 months.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Annual environmental tests (for example UPS) and annual physical walk-through completed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of media disposal or reuse events recorded with NIST SP 800-88 method.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Temporary use of an unsecured space requires manager approval, an end date, and compensating controls (for example lockable cabinet).", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Tailgating, propped-open doors, missing visitor badges, or unlogged visitors are recorded as incidents; corrective action within one week.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enhance controls based on incident trends, audit findings, and facility changes; review this policy at least annually.", "type": "text"}]}], - "createdAt": "2025-06-27 07:15:20.007", - "updatedAt": "2025-08-19 18:23:15.448" + "department": "hr", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Outline fair, consistent consequences for security or privacy violations at {{COMPANY}} while safeguarding access to {{CRITICAL}} and {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All workforce members, regardless of role or contract type. Applies to the {{LOCATION}} workforce, including personnel using {{DEVICES}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain a documented sanctions process, apply it consistently, and retain records for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain and enforce a sanctions policy for workforce members who fail to comply with security or privacy policies; retain related documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Apply consistent sanctions to staff who breach {{COMPANY}}'s privacy policies or PIPEDA obligations; retain sanction records for at least 24 months.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Disciplinary Framework", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Apply progressive discipline: coaching → written warning → suspension → termination, unless severity dictates immediate action.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Align severity with impact. Data breach, harassment, or unlawful acts may bypass lower steps.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Consider intent, prior history, and potential risk to customers or the organisation.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Demonstrate consistent application across similar cases; link outcomes to policy and code of conduct.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Reference the HIPAA sanctions policy for violations involving ePHI or Privacy Rule requirements.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Reference {{COMPANY}}'s privacy policies and the 10 Fair Information Principles as the basis for sanctions related to personal information mishandling.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Investigation & Due Process", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "HR and Security jointly investigate alleged violations; gather logs, interviews, and evidence (including access/log records from {{CRITICAL}} and managed {{DEVICES}}).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Preserve evidence integrity and confidentiality; limit access to need-to-know.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Offer the accused an opportunity to provide explanation before decision.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record investigation steps, decision rationale, and approvals for auditor sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Engage Privacy and Security Officers when ePHI or HIPAA rights may be affected; avoid retaliation against good-faith reporters.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Engage the Privacy Officer when an investigation may involve personal information; avoid retaliation against good-faith reporters of privacy concerns.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Sanction Levels", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Minor: verbal coaching and retraining.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Moderate: written warning plus remedial actions.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Major: suspension, revocation of access to {{CRITICAL}}, removal of privileges to handle {{DATA}}, potential termination and legal referral.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Map remedial actions to control improvements or additional training.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Apply role-appropriate retraining where HIPAA requirements were breached.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Calibrate sanctions to the sensitivity of the personal information involved and the impact on individuals.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Documentation & Appeals", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "File investigation report and final action in the personnel record; restrict access and store in {{GEO}} where residency applies.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide an appeal channel to senior leadership within five business days of sanction notice.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain final decision, appeal outcome, and corrective actions with dates.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain sanction documentation and related HIPAA records for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Retain final decision, appeal outcome, and corrective actions for at least 24 months.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "HR Integration & Awareness", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "HR maintains a sanctions log for trend analysis.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Incorporate a concise sanctions policy summary in annual awareness training, with examples relevant to {{INDUSTRY}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Review trends quarterly and feed lessons into training and process updates.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Highlight examples tied to ePHI mishandling and required safeguards.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Include examples tied to personal information mishandling in awareness materials; refresh after every substantiated privacy complaint.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly review of the sanctions log confirms consistency and closure of corrective actions. For teams over {{EMPLOYEES}} employees, expand sampling and include checks that access to {{CRITICAL}}/{{DATA}} was revoked when required.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Executive leadership may vary sanctions only with documented rationale, including residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Failure to follow this process prompts an HR-led review and policy refresher; corrective actions are assigned and tracked to closure.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Adjust the framework based on case analytics, audit findings, and legal or regulatory changes, including {{INDUSTRY}} developments and obligations affecting {{GEO}}.", "type": "text"}]}]}, + "createdAt": "2025-06-27 07:19:19.425", + "updatedAt": "2026-04-30 23:21:56.836" }, { - "id": "frk_pt_685e4177d5da489e7c5e1b1b", - "name": "Encryption & Crypto Controls", - "description": "Mandates strong encryption for data in transit and at rest, governs key generation, storage, rotation, and audits for weak configurations.", + "id": "frk_pt_685e40d46e7b1123022bf3e8", + "name": "Data Classification & Handling", + "description": "Uses a four-tier classification scheme to label data and prescribes access, encryption, sharing, and disposal rules for each level.", "frequency": "yearly", "department": "it", - "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Protect the confidentiality and integrity of {{DATA}} at {{COMPANY}} with strong, well-managed cryptography across services in {{CRITICAL}} and jurisdictions in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All systems, applications, databases, backups, and communications handling sensitive or confidential {{DATA}}. Applies to the {{LOCATION}} workforce; only managed {{DEVICES}} may access keys or configure crypto on production systems in {{CRITICAL}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain encryption configuration baselines, certificate inventories, key inventories, rotation records, and access logs for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "For ePHI, apply Security Rule safeguards for transmission security, integrity, access control, and device/media handling. Retain related documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Encryption in Transit", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enforce TLS 1.2+ for web, APIs, email relay, and admin channels to and from {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disable weak ciphers and protocols; enable HSTS where supported.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prefer mutual TLS (mTLS) or equivalent for service-to-service traffic handling Restricted {{DATA}}; avoid split tunnelling when accessing sensitive {{DATA}} across {{GEO}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Document cipher suites and minimum protocol versions; monitor for downgrade or plaintext paths.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Encrypt ePHI in transit; avoid split tunnelling while accessing ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Encryption at Rest", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enable provider-level encryption for cloud storage, volumes, and managed databases in {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require full-disk encryption on {{DEVICES}} (including removable drives).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure encrypted backups and snapshots inherit key policies; record storage residency in {{GEO}} where applicable.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Protect encryption keys and configuration from unauthorised change; log key usage.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Encrypt ePHI at rest where feasible and document the decision and safeguards.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Key Generation & Storage", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Generate keys using approved crypto libraries or cloud KMS in {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store keys in a managed vault or KMS; never hard-code keys in source control.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Limit vault access to least-privilege service roles; enable detailed auditing and store logs per {{GEO}} requirements.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Keep key lifecycle records (creation, distribution, use, rotation, retirement) and alert on unusual access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Restrict and audit access to keys protecting ePHI repositories.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Key Rotation & Retirement", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Rotate platform and database master keys at least annually or upon suspected compromise.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Revoke and destroy retired keys; document rotation events, impacted assets, and validation that old keys cannot decrypt new data.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update dependent secrets and configurations as part of the rotation change.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record approvals and evidence of rotation; preserve artefacts for auditor sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure timely rotation for keys protecting ePHI and update risk analysis if a compromise is suspected.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Monthly scan verifies 100% TLS coverage and encryption-at-rest flags; vault audit shows no orphaned keys. For teams over {{EMPLOYEES}} employees, expand sampling to include random checks of services in {{CRITICAL}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any legacy system lacking encryption must be isolated and tracked with a mitigation plan, noting any {{GEO}} residency constraints and residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Plaintext storage or transmission of sensitive {{DATA}} triggers immediate incident response and remediation.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review algorithms and configurations annually; upgrade when industry guidance deprecates current standards, and reflect {{INDUSTRY}} or {{GEO}} changes where relevant.", "type": "text"}]}], - "createdAt": "2025-06-27 07:00:06.600", - "updatedAt": "2025-08-19 18:27:59.049" + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Protect information proportionately by assigning sensitivity levels and prescribing handling requirements for {{COMPANY}}. Emphasis on {{DATA}} processed in {{CRITICAL}} and stored or retained in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All data created, received, processed, or stored by the organisation, regardless of medium or location. Applies to the {{LOCATION}} workforce and any {{DEVICES}} that access {{CRITICAL}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain a documented scheme; ensure labelling, storage, access, transmission, and disposal practices align to Security and Confidentiality criteria; retain artefacts for the Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where ePHI is involved, apply the Minimum Necessary standard and Security Rule safeguards for access control, audit controls, integrity, transmission security, and device/media handling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Apply data classification to personal information categories in the Personal Information Register; ensure handling rules meet the safeguards required by Principle 7 of PIPEDA Schedule 1.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Classification Scheme", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Adopt four levels: Public, Internal, Confidential, Restricted.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define examples and default level (Internal) in a quick-reference guide, reflecting {{INDUSTRY}} data types and {{DATA}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure classification drives access control, encryption, monitoring, and retention requirements across {{CRITICAL}} and backups in {{GEO}}.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Treat ePHI as Restricted unless formally de-identified per policy.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Treat personal information as Confidential at minimum; classify sensitive personal information (health, financial, biometric, genetic, racial/ethnic origin, political opinions, religious beliefs, sex life or sexual orientation) as Restricted.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Labelling & Identification", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Label documents and data stores at creation using headers, metadata tags, or clear folder names.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use automated tagging where supported; otherwise manual labels are required for Confidential and Restricted data.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Keep labels consistent across repositories and automate propagation where feasible in {{CRITICAL}}.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Mark repositories containing ePHI; prevent removal of labels during export.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Mark repositories holding sensitive personal information; preserve labels through export and replication across {{CRITICAL}}.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Access & Storage Controls", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Grant access on a least-privilege basis aligned to classification level.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Encrypt Confidential and Restricted data at rest in {{CRITICAL}} and in backups stored in {{GEO}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log administrative access to Restricted data.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Review access rights on a defined cadence and protect encryption keys.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enable audit logging for ePHI access; restrict admin access and review regularly.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Limit access to personal information to staff who need it for the purposes documented in the Personal Information Register; record any cross-border storage in the register.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Transmission & Sharing Rules", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use encrypted channels (for example TLS, SFTP) for Confidential or Restricted data.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prohibit public-cloud file links without access control when data is above Internal.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "External sharing of Restricted data requires management approval and an NDA or contract.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Disable insecure protocols and enforce MFA for privileged transfers.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Encrypt ePHI in transit and use Business Associate Agreements where applicable.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Encrypt personal information in transit; document each disclosure to a third party in the Personal Information Register and confirm contractual coverage.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Retention & Disposal Alignment", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Apply retention periods from the Data Retention Policy to each classification, considering {{GEO}} obligations.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Destroy media holding Confidential or Restricted data using secure wipe or certified shredding.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure destruction is logged and, where used, certificates of destruction are filed.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Follow Device and Media Controls for ePHI and maintain documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Align retention to the documented purpose; destroy or anonymize personal information once the purpose is fulfilled, retaining disposal evidence for at least 24 months.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly sample confirms correct labels, encryption, and access rights; ≥ 95% accuracy target. Scale the sample size proportionally for teams over {{EMPLOYEES}} employees.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Must document risk and compensating controls; senior management approval required. Note any residual risk to {{DATA}} and how it is mitigated in {{CRITICAL}} or through {{DEVICES}} controls.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Mislabelled or mishandled data triggers incident response and mandatory refresher training.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update examples and tooling as new {{INDUSTRY}} data types or regulations emerge, including changes affecting {{GEO}}.", "type": "text"}]}]}, + "createdAt": "2025-06-27 06:57:24.052", + "updatedAt": "2026-05-01 00:01:07.724" }, { - "id": "frk_pt_685e414029124c24387beff0", - "name": "Retention & Secure Disposal", - "description": "Sets record-specific retention periods, runs periodic purge reviews, and requires cryptographic or physical destruction of outdated data.", + "id": "frk_pt_685e458a49e1eff0af54e3d2", + "name": "Security & Privacy Awareness Training", + "description": "Delivers onboarding and annual refresher training, role-based modules, simulated phishing, and tracks completion metrics.", "frequency": "yearly", "department": "it", - "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Keep {{DATA}} only as long as needed and dispose of it so it cannot be recovered by unauthorized parties at {{COMPANY}}, including data stored in {{CRITICAL}} and subject to {{GEO}} residency.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All electronic and physical records, backups, and media created or held by the organization. Applies to the {{LOCATION}} workforce, systems in {{CRITICAL}}, and managed {{DEVICES}} that store or cache {{DATA}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain the retention schedule, review records, and disposal logs for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "For ePHI, apply the HIPAA Security Rule Device and Media Controls and retain required documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Retention Schedule", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a table listing record types, retention period, owner, and primary storage (e.g., repository in {{CRITICAL}}) with {{GEO}} residency where applicable.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review the schedule at least annually and when new {{INDUSTRY}} data types arise.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure each record type references its storage location and protection requirements.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Map ePHI record types to required retention periods and safeguard expectations.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Periodic Data Review", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Owners run an automated or manual review at least quarterly to identify data beyond its retention period in {{CRITICAL}}, collaboration repositories, and on managed {{DEVICES}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Records flagged for deletion are queued for disposal within 30 days.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Log review dates and outcomes; track queued deletions to completion.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Verify reviews include systems and media that may contain ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Secure Disposal Methods", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Electronic data: use secure-wipe utilities or crypto-erasure by destroying keys; confirm for cloud stores in {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Physical media: use cross-cut shredding or a certified destruction vendor.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document each disposal event with date, data category, method, and location; store records in {{GEO}} where required.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Store certificates or logs of destruction where used and restrict access to disposal records.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Apply Device and Media Controls for ePHI, including sanitisation and accountability.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Backup & Archive Controls", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Apply the same retention timelines to backups and archives.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Encrypt backups; verify they age out on schedule or are re-encrypted when keys rotate; note backup residency in {{GEO}} and storage in {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Periodically test backup expiry and restoration; protect keys and access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure backup processes for ePHI maintain required safeguards during storage and restoration.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly check shows ≤ 5% of records past retention and disposal logs are complete. For teams over {{EMPLOYEES}} employees, expand sampling and include random checks across {{CRITICAL}} and managed {{DEVICES}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Legal hold or contract may override the schedule; document the reason and review date, including any impact on {{DATA}} residency in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Over-retained or improperly disposed records are escalated to senior management and remediated within 30 days.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update the schedule and tooling after audits, incidents, or regulatory change, reflecting {{INDUSTRY}} requirements and any updates to {{GEO}} obligations.", "type": "text"}]}], - "createdAt": "2025-06-27 06:59:11.886", - "updatedAt": "2025-08-19 18:28:10.629" + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Equip personnel at {{COMPANY}} to recognize and respond to security and privacy risks, with emphasis on protecting {{DATA}} accessed via {{CRITICAL}} and handled on {{DEVICES}} across {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All employees, contractors, interns, and third-party staff with system access. Applies to the {{LOCATION}} workforce.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain training governance and artifacts to support auditor sampling for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Provide Security Rule awareness and periodic updates for workforce with ePHI access; retain related documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pci}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Provide Security training for New Hires and at least once every 12 months.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Training Curriculum", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Core topics: data classification, phishing, password/MFA, incident reporting, privacy basics related to {{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include scenarios relevant to {{INDUSTRY}} and usage of {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Include content aligned to in-scope Trust Services Criteria.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Cover minimum necessary, ePHI handling, and reporting obligations.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pci}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Training includes awareness of ", "type": "text"}, {"text": "threats and vulnerabilities that may impact the security of cardholder data (CHD) and sensitive authentication data (SAD)", "type": "text", "marks": [{"type": "bold"}]}, {"text": ". This includes, but is not limited to: phishing, spear-phishing, business email compromise, social engineering (phone, chat, in-person pretexting), malware delivery vectors, and insider threats.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Onboarding Training", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Complete baseline training within the first week of access.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Sign electronic acknowledgement; system access to {{CRITICAL}} or {{DATA}} is suspended until completed.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record completion date and acknowledgement in HR/LMS.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure workforce with ePHI access completes Security Rule training before ePHI access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pci}}", "type": "text"}, {"type": "hardBreak"}, {"text": "The awareness training program will be ", "type": "text"}, {"text": "reviewed at least annually", "type": "text", "marks": [{"type": "bold"}]}, {"text": " and updated as needed to address emerging threats, vulnerabilities, or changes in PCI DSS or {{INDUSTRY}} regulations. Updates will be logged, version-controlled, and communicated to employees using multiple channels (e.g., LMS, email, intranet).", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Ongoing & Role-Based Training", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide refresher micro-modules or lunch-and-learns at least annually.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Deliver specialised modules for engineers (secure coding), support (PII/{{DATA}} handling), and other roles as needed in {{LOCATION}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track overdue items and follow up within defined timelines.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Provide periodic updates relevant to systems processing ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pci}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Security reminders and education will be delivered via multiple communication methods such as classroom sessions, online training, email bulletins, posters, intranet content, and phishing simulation platforms. All personnel must ", "type": "text"}, {"text": "acknowledge at least once every 12 months", "type": "text", "marks": [{"type": "bold"}]}, {"text": " that they have read and understood {{COMPANY}}’s Information Security Policy and associated procedures. Electronic signatures or LMS acknowledgments are acceptable.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Phishing & Social-Engineering Exercises", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct simulated phishing tests quarterly.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Users who fall for a phish complete remedial training within five business days.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Report aggregate outcomes to management and incorporate lessons into content.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Emphasise verification of identity and secure communication when ePHI may be involved.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Training Records & Metrics", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track completion in an HR or LMS system; retain logs three years and store in {{GEO}} where residency applies.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Report completion rate and phishing-failure rate to management quarterly.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Preserve sampling evidence (rosters, timestamps, content versions).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain HIPAA-related training records for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "≥ 95% training completion before due date; phishing failure rate trending downward. For teams over {{EMPLOYEES}} employees, expand sampling and target coaching for repeat failures.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Short-term deferral allowed for leave of absence; complete training within two weeks of return.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Access restrictions or HR action for repeated failures or missed deadlines.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Revise curriculum based on incident trends, employee feedback, threat landscape changes, {{INDUSTRY}} developments, and {{GEO}} obligations.", "type": "text"}]}], + "createdAt": "2025-06-27 07:17:30.077", + "updatedAt": "2025-09-10 19:43:20.239" }, { - "id": "frk_pt_685e42188e2df1c285cca159", - "name": "Access Control & Least Privilege", - "description": "Implements a Joiner-Mover-Leaver workflow, role-based access control, quarterly reviews, and strict approval for elevated privileges.", + "id": "frk_pt_685e42445c99797321ef051a", + "name": "Authentication & Password", + "description": "Defines robust password rules, enforces MFA on sensitive systems, secures credential storage, and locks or resets risky accounts.", "frequency": "yearly", "department": "it", - "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure users at {{COMPANY}} receive only the minimum access necessary and that access adjusts promptly with role changes, protecting {{DATA}} on workloads in {{CRITICAL}} and across {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All workforce accounts, service accounts, and system roles across SaaS, IaaS, and on-prem resources used by the {{LOCATION}} workforce. Only managed {{DEVICES}} may access production resources in {{CRITICAL}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Align to logical access controls (authentication, authorization, provisioning/deprovisioning) and retain artifacts for the Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Apply workforce security and information access management with unique IDs and authentication for systems handling ePHI (164.308(a)(3)-(4), 164.312(a), 164.312(d)).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Joiner-Mover-Leaver (JML) Process", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provision access via ticket with manager approval and defined role.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Modify privileges within 48 hours of role change.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disable or delete accounts by end of final workday; collect tokens/keys/badges and revoke access on {{DEVICES}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Tie SSO/IdP accounts to HR status; block sign-in on termination and immediately remove access to {{CRITICAL}}/{{DATA}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record approvals, timestamps, and completion in the ticket/IdP; no ad-hoc provisioning.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Remove ePHI access immediately on termination; document termination procedures.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Role-Based Access Control (RBAC)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define standard roles per system (e.g., Admin, Power User, Read-Only).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assign users to roles or groups; avoid direct entitlements.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain role definitions with least-privilege permissions and named owners.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Service accounts have an owner, documented purpose, restricted scopes, and no interactive login.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Review role definitions at least annually; protect high-risk permissions with MFA.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Limit ePHI access to the minimum necessary; segregate admin from clinical/support roles where applicable.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Privilege Elevation & Approval", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Temporary admin rights require documented business justification and auto-expire ≤ 24 hours.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Permanent admin assignments require senior-management approval.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use just-in-time elevation where available; log all elevated actions on systems in {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain elevation requests/approvals and session logs for sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure elevated sessions on ePHI systems use strong authentication and are auditable.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Periodic Access Review", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "System owners review user lists at least quarterly; remove stale or excessive rights.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Reconcile IdP groups, SaaS roles, and resource policies affecting {{CRITICAL}} and {{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document review date, reviewers, findings, and actions; store evidence in {{GEO}} where residency applies.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track findings to closure; verify orphaned accounts and excess privileges are remediated.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Include verification of ePHI repository access and logging of adjustments.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly review shows ≤ 2% orphaned accounts; all admin rights have an approval record. For teams over {{EMPLOYEES}} employees, expand sampling and include random checks of privileged access to {{CRITICAL}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Emergency access allowed for a maximum of 8 hours; log reason, scope, and approver, and close in the next review. Note any residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Unapproved elevated access or dormant accounts > 30 days are escalated to management and remediated within one week.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Incorporate review findings to refine role definitions and automate provisioning/deprovisioning, considering {{INDUSTRY}} needs and obligations in {{GEO}}.", "type": "text"}]}], - "createdAt": "2025-06-27 07:02:47.730", - "updatedAt": "2025-08-19 18:28:25.062" + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide strong, user-friendly authentication at {{COMPANY}} that resists brute-force and credential-stuffing attacks, protecting access to {{CRITICAL}} and {{DATA}} across {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All human and service accounts accessing organizational applications, {{DEVICES}}, and infrastructure. Applies to the {{LOCATION}} workforce; only managed {{DEVICES}} may administer identity systems or production auth settings in {{CRITICAL}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain authentication configurations and audit evidence for the full Type 2 period plus 12 months; treat relevant IdP and SaaS providers as subservice organizations.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "For systems handling ePHI, apply technical safeguards for access control, authentication, and transmission security and retain documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Require unique identification and authentication for any user accessing personal information; retain authentication evidence for at least 24 months.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Password Requirements", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Minimum 8 characters or a passphrase; prohibit commonly breached strings.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "No forced periodic rotation unless compromise is suspected.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Unique password per system; store passwords in an approved password manager.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Do not reuse passwords across work and personal accounts.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enforce length and reuse rules in IdP/directory policies and document settings.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Require unique user identification and person or entity authentication for ePHI systems.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Apply password requirements that meet or exceed industry baselines for systems holding personal information.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Multi-Factor Authentication (MFA)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enforce MFA for admin accounts, remote access, and any system holding Confidential or Restricted {{DATA}} or running in {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prefer authenticator apps or hardware tokens; SMS only as a fallback.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Apply step-up MFA for sensitive actions (e.g., policy changes, key access) where supported.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track MFA coverage for in-scope systems; remediate gaps promptly and retain evidence.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Use MFA for remote access to ePHI and for privileged accounts on ePHI systems.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Require MFA for remote access to systems holding personal information and for all privileged accounts.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Credential Storage & Transmission", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Hash user passwords with bcrypt or Argon2 using per-user salt (minimum cost factor 10 for bcrypt).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Transmit login data only over TLS; block plaintext logins to {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Never embed secrets in code repositories; store application secrets in an approved vault or KMS in {{CRITICAL}} with audit logs retained per {{GEO}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Version-control authentication settings and monitor for plaintext secrets.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Protect authentication credentials for ePHI systems and encrypt any credential exchange.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Protect credentials that grant access to personal information; treat credential compromise on such systems as a privacy incident.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Account Lockout & Recovery", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Lock accounts after 5 failed attempts within 15 minutes; auto-unlock after 30 minutes or by admin reset.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify user identity before password reset; issue time-limited reset links.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disable inactive accounts per the Access Control policy; remove stale sessions for {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Log lockouts, resets, and administrator actions; review anomalies monthly.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure authentication and reset processes preserve the confidentiality of ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Verify identity before resetting credentials on accounts with access to personal information; document the verification.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Service Accounts & Keys", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prohibit interactive login; use least-privilege scopes and short-lived credentials.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Rotate credentials at least annually and on suspected compromise; store only in vault/KMS.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log all programmatic auth to {{CRITICAL}} and review for anomalies.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain inventory, owners, and rotation evidence for sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Restrict and audit service credentials that can reach ePHI repositories.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Inventory service accounts that can reach personal information repositories; rotate credentials on a documented cadence.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Automated scans ensure MFA is enabled on 100% of target systems; random password audit shows compliance with length policy. For teams over {{EMPLOYEES}} employees, expand quarterly sampling across {{CRITICAL}} tiers.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Systems lacking MFA require documented risk acceptance and compensating controls (e.g., IP allowlist) with an expiry date; note any residual risk to {{DATA}} and {{GEO}} constraints.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Weak or reused passwords, plaintext secrets, or disabled MFA trigger immediate reset or access suspension and user retraining.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review emerging passwordless options and adopt stronger methods when widely supported, aligning with {{INDUSTRY}} practices and any obligations affecting {{GEO}}.", "type": "text"}]}]}, + "createdAt": "2025-06-27 07:03:31.937", + "updatedAt": "2026-04-30 23:21:53.162" }, { "id": "frk_pt_683d2cbc12b93dc5c8fe3a7d", @@ -230,14 +200,14 @@ "updatedAt": "2025-08-19 18:28:48.022" }, { - "id": "frk_pt_685e42445c99797321ef051a", - "name": "Authentication & Password", - "description": "Defines robust password rules, enforces MFA on sensitive systems, secures credential storage, and locks or resets risky accounts.", + "id": "frk_pt_685e43997555c7ab39983c21", + "name": "Logging, Monitoring & Audit", + "description": "Centralises and protects logs, sets real-time alerting for critical events, retains audit trails, and reviews metrics and samples monthly.", "frequency": "yearly", "department": "it", - "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide strong, user-friendly authentication at {{COMPANY}} that resists brute-force and credential-stuffing attacks, protecting access to {{CRITICAL}} and {{DATA}} across {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All human and service accounts accessing organizational applications, {{DEVICES}}, and infrastructure. Applies to the {{LOCATION}} workforce; only managed {{DEVICES}} may administer identity systems or production auth settings in {{CRITICAL}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain authentication configurations and audit evidence for the full Type 2 period plus 12 months; treat relevant IdP and SaaS providers as subservice organizations.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "For systems handling ePHI, apply technical safeguards for access control, authentication, and transmission security and retain documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Password Requirements", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Minimum 12 characters or a passphrase; prohibit commonly breached strings.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "No forced periodic rotation unless compromise is suspected.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Unique password per system; store passwords in an approved password manager.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Do not reuse passwords across work and personal accounts.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enforce length and reuse rules in IdP/directory policies and document settings.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Require unique user identification and person or entity authentication for ePHI systems.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Multi-Factor Authentication (MFA)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enforce MFA for admin accounts, remote access, and any system holding Confidential or Restricted {{DATA}} or running in {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prefer authenticator apps or hardware tokens; SMS only as a fallback.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Apply step-up MFA for sensitive actions (e.g., policy changes, key access) where supported.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track MFA coverage for in-scope systems; remediate gaps promptly and retain evidence.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Use MFA for remote access to ePHI and for privileged accounts on ePHI systems.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Credential Storage & Transmission", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Hash user passwords with bcrypt or Argon2 using per-user salt (minimum cost factor 10 for bcrypt).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Transmit login data only over TLS; block plaintext logins to {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Never embed secrets in code repositories; store application secrets in an approved vault or KMS in {{CRITICAL}} with audit logs retained per {{GEO}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Version-control authentication settings and monitor for plaintext secrets.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Protect authentication credentials for ePHI systems and encrypt any credential exchange.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Account Lockout & Recovery", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Lock accounts after 5 failed attempts within 15 minutes; auto-unlock after 30 minutes or by admin reset.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify user identity before password reset; issue time-limited reset links.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disable inactive accounts per the Access Control policy; remove stale sessions for {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Log lockouts, resets, and administrator actions; review anomalies monthly.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure authentication and reset processes preserve the confidentiality of ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Service Accounts & Keys", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prohibit interactive login; use least-privilege scopes and short-lived credentials.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Rotate credentials at least annually and on suspected compromise; store only in vault/KMS.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log all programmatic auth to {{CRITICAL}} and review for anomalies.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain inventory, owners, and rotation evidence for sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Restrict and audit service credentials that can reach ePHI repositories.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Automated scans ensure MFA is enabled on 100% of target systems; random password audit shows compliance with length policy. For teams over {{EMPLOYEES}} employees, expand quarterly sampling across {{CRITICAL}} tiers.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Systems lacking MFA require documented risk acceptance and compensating controls (e.g., IP allowlist) with an expiry date; note any residual risk to {{DATA}} and {{GEO}} constraints.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Weak or reused passwords, plaintext secrets, or disabled MFA trigger immediate reset or access suspension and user retraining.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review emerging passwordless options and adopt stronger methods when widely supported, aligning with {{INDUSTRY}} practices and any obligations affecting {{GEO}}.", "type": "text"}]}], - "createdAt": "2025-06-27 07:03:31.937", - "updatedAt": "2025-08-19 18:29:18.519" + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide trustworthy evidence for security, troubleshooting, and compliance at {{COMPANY}} by collecting and analysing relevant logs from {{CRITICAL}} systems and services that handle {{DATA}} across {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Application, system, network, authentication, and cloud-provider logs across all environments. Applies to the {{LOCATION}} workforce; only managed {{DEVICES}} may access central logging tools.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Operate centralised logging and alerting for in-scope systems and retain configurations, alerts, reports, and tickets for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enable audit controls for systems handling ePHI, protect log integrity and access, and retain required HIPAA documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Operate logging and monitoring for systems holding personal information; retain logs for at least 24 months to support access requests and breach investigations.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Log Collection & Centralisation", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Forward logs to a central, access-controlled SIEM or log service hosted in {{CRITICAL}}; archive per {{GEO}} residency where applicable.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include timestamp, user, event type, and source IP for security-relevant events.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Tag events with environment and application identifiers.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure all in-scope systems forward logs; keep forwarding and parser configurations under version control.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enable and retain audit logs on systems accessing ePHI; restrict who can view ePHI-related logs (managed {{DEVICES}} only).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Forward logs from systems holding personal information to a centralized, access-controlled repository; protect logs from tampering.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Log Retention & Protection", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain security logs at least 90 days online and 1 year in archive; store archives in {{GEO}} when required.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Restrict write access to the logging system; prohibit log tampering or deletion.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Protect archived logs with access controls and integrity checks.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Store archived logs in access-controlled repositories; preserve integrity for auditor sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain audit records for ePHI systems per policy and retain HIPAA Security Rule documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Retain access logs for systems holding personal information for at least 24 months; restrict log access to security and the Privacy Officer.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Real-Time Alerting", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Create alerts for key events: failed admin logins, privilege escalations, critical errors, and anomalous access to {{CRITICAL}}/{{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Send alerts to the on-call channel and maintain documented runbooks.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Define alert SLAs and escalation paths; track acknowledgement and resolution in tickets.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Alert on anomalous access patterns involving ePHI and unsuccessful logins on ePHI systems.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Alert on anomalous access to personal information (volume spikes, unusual hours, failed authentication patterns) and on attempts to disable logging.{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if nen7510}}", "type": "text"}, {"type": "hardBreak"}, {"text": "All personnel report security or privacy incidents immediately to the SPO. Maintain logs of user access to healthcare systems in accordance with NEN 7513. Conduct incident reviews and feed lessons learned into the continual improvement cycle.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Audit & Review", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review alert metrics and random log samples monthly; include sources tied to {{CRITICAL}} and {{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Produce a quarterly audit report summarizing anomalies and actions.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain review notes, reports, and remediation tickets for sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Document investigations and outcomes for events affecting ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Review high-risk personal information access events at least monthly; investigate confirmed anomalies under the breach response procedure.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Clock Synchronization", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Sync all servers and {{DEVICES}} to a trusted NTP source; alert on drift greater than 5 s.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}} ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record NTP configuration and drift monitoring in system baselines.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Maintain accurate timestamps on all systems holding personal information to support access-request timelines and breach forensics.{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure timestamps are accurate for ePHI audit trails.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Central platform receives ≥ 95% of target logs; alert queue triaged within SLA. For teams over {{EMPLOYEES}} employees, expand quarterly sampling across {{CRITICAL}} tiers.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Systems unable to forward logs must export daily and upload; document in the asset list, noting any {{GEO}} constraints.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Logging gaps greater than 24 h or unreviewed alerts are escalated to incident response.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Add new log sources and refine alert logic based on incident learnings, {{INDUSTRY}} risks, and any residency or transfer changes affecting {{GEO}}.", "type": "text"}]}]}, + "createdAt": "2025-06-27 07:09:12.690", + "updatedAt": "2026-04-30 23:21:54.083" }, { "id": "frk_pt_691e4baaef306f1e73d8596b", @@ -249,16 +219,6 @@ "createdAt": "2025-11-19 22:58:50.475", "updatedAt": "2025-11-24 23:02:34.550" }, - { - "id": "frk_pt_685e43e23b78127274355980", - "name": "Incident Response & Breach Notification", - "description": "Defines detection, triage, containment, communication, legal notification, and post-incident lessons with clear team roles.", - "frequency": "yearly", - "department": "it", - "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure security and privacy incidents are identified, contained, reported, and resolved quickly, and that required notifications are issued on time.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All information assets, personnel, third-party services, and physical locations.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain documented procedures, incident tickets, evidence, notifications, and post-incident reviews for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Implement Security Incident Procedures (164.308(a)(6)) and the Breach Notification Rule (45 CFR 164.400–414). Retain HIPAA documentation for 6 years; Business Associates notify Covered Entities without unreasonable delay and no later than 60 days of discovery.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Detection & Reporting", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Security tools forward real-time alerts to an incident channel.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Anyone discovering suspicious activity must report to security within one hour.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log every alert or report in the incident tracker with date/time.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure alerting integrates with on-call; track acknowledgement and response times in tickets.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Flag incidents involving ePHI and begin breach-risk assessment per policy.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Incident Response Team & Roles", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assign Incident Commander, Technical Lead, Communications Lead, and Scribe; publish roster with 24 × 7 contacts.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain runbooks for malware, data breach, DDoS, and cloud compromise scenarios.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Keep current on-call rosters and role handoffs in the ticket.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Engage Privacy/Security Officers for suspected ePHI incidents and coordinate with affected Business Associates.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Containment & Eradication", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Isolate affected systems within 30 minutes of confirmation.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Capture forensics where feasible; patch, clean, or rebuild before re-connect.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document actions and timestamps in the tracker.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Preserve logs and evidence; record containment start/stop and recovery steps.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Limit access to ePHI during containment; document safeguards applied.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Breach Notification & Communications", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Notify management immediately for incidents involving personal or regulated data.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Draft customer/regulator notices within applicable legal timeframes (for example, GDPR 72 hours to authorities; HIPAA notifications without unreasonable delay and no later than 60 days).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Route all external statements through Communications Lead and legal counsel.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Archive notifications, approvals, and distribution lists with the incident record.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Perform breach-risk assessment, determine reportability, and document notifications to individuals, HHS, and (if applicable) media.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Post-Incident Review & Lessons Learned", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct a root-cause post-mortem within 10 business days.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record corrective actions, owners, and due dates; track to closure.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Attach the post-incident review and remediation evidence to the ticket; verify control improvements.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Update risk analysis and any affected procedures that impact ePHI safeguards.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track mean time to detect (MTTD), mean time to contain (MTTC), and breach-notification deadlines; review quarterly.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Process deviations allowed only if required to protect life, safety, or critical systems; document afterward.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Unreported or mishandled incidents escalate to executive review and may trigger disciplinary action.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update runbooks and tooling after each post-mortem or external audit finding.", "type": "text"}]}], - "createdAt": "2025-06-27 07:10:25.721", - "updatedAt": "2025-08-19 18:29:33.133" - }, { "id": "frk_pt_691e4bbbdf8825258102dae6", "name": "Document Control Procedure", @@ -270,14 +230,34 @@ "updatedAt": "2025-11-24 23:05:42.576" }, { - "id": "frk_pt_685e43997555c7ab39983c21", - "name": "Logging, Monitoring & Audit", - "description": "Centralises and protects logs, sets real-time alerting for critical events, retains audit trails, and reviews metrics and samples monthly.", + "id": "frk_pt_685e43e23b78127274355980", + "name": "Incident Response & Breach Notification", + "description": "Defines detection, triage, containment, communication, legal notification, and post-incident lessons with clear team roles.", "frequency": "yearly", "department": "it", - "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide trustworthy evidence for security, troubleshooting, and compliance at {{COMPANY}} by collecting and analysing relevant logs from {{CRITICAL}} systems and services that handle {{DATA}} across {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Application, system, network, authentication, and cloud-provider logs across all environments. Applies to the {{LOCATION}} workforce; only managed {{DEVICES}} may access central logging tools.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Operate centralised logging and alerting for in-scope systems and retain configurations, alerts, reports, and tickets for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enable audit controls for systems handling ePHI, protect log integrity and access, and retain required HIPAA documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Log Collection & Centralisation", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Forward logs to a central, access-controlled SIEM or log service hosted in {{CRITICAL}}; archive per {{GEO}} residency where applicable.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include timestamp, user, event type, and source IP for security-relevant events.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Tag events with environment and application identifiers.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure all in-scope systems forward logs; keep forwarding and parser configurations under version control.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enable and retain audit logs on systems accessing ePHI; restrict who can view ePHI-related logs (managed {{DEVICES}} only).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Log Retention & Protection", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain security logs at least 90 days online and 1 year in archive; store archives in {{GEO}} when required.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Restrict write access to the logging system; prohibit log tampering or deletion.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Protect archived logs with access controls and integrity checks.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Store archived logs in access-controlled repositories; preserve integrity for auditor sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain audit records for ePHI systems per policy and retain HIPAA Security Rule documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Real-Time Alerting", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Create alerts for key events: failed admin logins, privilege escalations, critical errors, and anomalous access to {{CRITICAL}}/{{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Send alerts to the on-call channel and maintain documented runbooks.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Define alert SLAs and escalation paths; track acknowledgement and resolution in tickets.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Alert on anomalous access patterns involving ePHI and unsuccessful logins on ePHI systems.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if nen7510}}", "type": "text"}, {"type": "hardBreak"}, {"text": "All personnel report security or privacy incidents immediately to the SPO. Maintain logs of user access to healthcare systems in accordance with NEN 7513. Conduct incident reviews and feed lessons learned into the continual improvement cycle.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Audit & Review", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review alert metrics and random log samples monthly; include sources tied to {{CRITICAL}} and {{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Produce a quarterly audit report summarizing anomalies and actions.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain review notes, reports, and remediation tickets for sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Document investigations and outcomes for events affecting ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Clock Synchronization", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Sync all servers and {{DEVICES}} to a trusted NTP source; alert on drift greater than 5 s.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}} ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record NTP configuration and drift monitoring in system baselines.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure timestamps are accurate for ePHI audit trails.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Central platform receives ≥ 95% of target logs; alert queue triaged within SLA. For teams over {{EMPLOYEES}} employees, expand quarterly sampling across {{CRITICAL}} tiers.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Systems unable to forward logs must export daily and upload; document in the asset list, noting any {{GEO}} constraints.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Logging gaps greater than 24 h or unreviewed alerts are escalated to incident response.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Add new log sources and refine alert logic based on incident learnings, {{INDUSTRY}} risks, and any residency or transfer changes affecting {{GEO}}.", "type": "text"}]}], - "createdAt": "2025-06-27 07:09:12.690", - "updatedAt": "2025-10-05 01:55:26.246" + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure security and privacy incidents are identified, contained, reported, and resolved quickly, and that required notifications are issued on time.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All information assets, personnel, third-party services, and physical locations.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain documented procedures, incident tickets, evidence, notifications, and post-incident reviews for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Implement Security Incident Procedures (164.308(a)(6)) and the Breach Notification Rule (45 CFR 164.400–414). Retain HIPAA documentation for 6 years; Business Associates notify Covered Entities without unreasonable delay and no later than 60 days of discovery.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Apply this policy to any incident involving personal information held by {{COMPANY}}; meet PIPEDA breach-of-security-safeguards obligations including reporting to the OPC and notifying affected individuals where there is a real risk of significant harm (RROSH).{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Detection & Reporting", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Security tools forward real-time alerts to an incident channel.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Anyone discovering suspicious activity must report to security within one hour.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log every alert or report in the incident tracker with date/time.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure alerting integrates with on-call; track acknowledgement and response times in tickets.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Flag incidents involving ePHI and begin breach-risk assessment per policy.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Flag incidents involving personal information and begin a Real Risk of Significant Harm (RROSH) assessment per Section 10.1 of PIPEDA.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Incident Response Team & Roles", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assign Incident Commander, Technical Lead, Communications Lead, and Scribe; publish roster with 24 × 7 contacts.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain runbooks for malware, data breach, DDoS, and cloud compromise scenarios.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Keep current on-call rosters and role handoffs in the ticket.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Engage Privacy/Security Officers for suspected ePHI incidents and coordinate with affected Business Associates.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Engage the Privacy Officer at the start of any suspected privacy incident; coordinate with affected processors operating in {{CRITICAL}} or across {{GEO}}.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Containment & Eradication", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Isolate affected systems within 30 minutes of confirmation.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Capture forensics where feasible; patch, clean, or rebuild before re-connect.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document actions and timestamps in the tracker.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Preserve logs and evidence; record containment start/stop and recovery steps.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Limit access to ePHI during containment; document safeguards applied.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Limit access to affected personal information during containment and document the safeguards applied.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Breach Notification & Communications", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Notify management immediately for incidents involving personal or regulated data.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Draft customer/regulator notices within applicable legal timeframes (for example, GDPR 72 hours to authorities; HIPAA notifications without unreasonable delay and no later than 60 days).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Route all external statements through Communications Lead and legal counsel.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Archive notifications, approvals, and distribution lists with the incident record.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Perform breach-risk assessment, determine reportability, and document notifications to individuals, HHS, and (if applicable) media.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Where the RROSH threshold is met, notify the affected individuals as soon as feasible and report to the OPC in the prescribed form. Notify any organization or government institution that may be able to reduce the risk of harm. Maintain a breach record for at least 24 months in line with PIPEDA's record-keeping requirement.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Post-Incident Review & Lessons Learned", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct a root-cause post-mortem within 10 business days.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record corrective actions, owners, and due dates; track to closure.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Attach the post-incident review and remediation evidence to the ticket; verify control improvements.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Update risk analysis and any affected procedures that impact ePHI safeguards.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Update the Personal Information Register, privacy notice, and affected control documentation; report aggregate breach metrics to leadership annually.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track mean time to detect (MTTD), mean time to contain (MTTC), and breach-notification deadlines; review quarterly.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Process deviations allowed only if required to protect life, safety, or critical systems; document afterward.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Unreported or mishandled incidents escalate to executive review and may trigger disciplinary action.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update runbooks and tooling after each post-mortem or external audit finding.", "type": "text"}]}]}, + "createdAt": "2025-06-27 07:10:25.721", + "updatedAt": "2026-04-30 23:21:58.607" + }, + { + "id": "frk_pt_685e4177d5da489e7c5e1b1b", + "name": "Encryption & Crypto Controls", + "description": "Mandates strong encryption for data in transit and at rest, governs key generation, storage, rotation, and audits for weak configurations.", + "frequency": "yearly", + "department": "it", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Protect the confidentiality and integrity of {{DATA}} at {{COMPANY}} with strong, well-managed cryptography across services in {{CRITICAL}} and jurisdictions in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All systems, applications, databases, backups, and communications handling sensitive or confidential {{DATA}}. Applies to the {{LOCATION}} workforce; only managed {{DEVICES}} may access keys or configure crypto on production systems in {{CRITICAL}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain encryption configuration baselines, certificate inventories, key inventories, rotation records, and access logs for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "For ePHI, apply Security Rule safeguards for transmission security, integrity, access control, and device/media handling. Retain related documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Apply encryption commensurate with the sensitivity of personal information; document encryption decisions and any residual risk.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Encryption in Transit", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enforce TLS 1.2+ for web, APIs, email relay, and admin channels to and from {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disable weak ciphers and protocols; enable HSTS where supported.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prefer mutual TLS (mTLS) or equivalent for service-to-service traffic handling Restricted {{DATA}}; avoid split tunnelling when accessing sensitive {{DATA}} across {{GEO}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Document cipher suites and minimum protocol versions; monitor for downgrade or plaintext paths.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Encrypt ePHI in transit; avoid split tunnelling while accessing ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Encrypt personal information in transit, including transfers to processors and across borders; document the controls protecting cross-border transfers.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Encryption at Rest", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enable provider-level encryption for cloud storage, volumes, and managed databases in {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require full-disk encryption on {{DEVICES}} (including removable drives).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure encrypted backups and snapshots inherit key policies; record storage residency in {{GEO}} where applicable.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Protect encryption keys and configuration from unauthorised change; log key usage.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Encrypt ePHI at rest where feasible and document the decision and safeguards.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Encrypt sensitive personal information at rest in {{CRITICAL}}; document compensating controls where encryption is not feasible.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Key Generation & Storage", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Generate keys using approved crypto libraries or cloud KMS in {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store keys in a managed vault or KMS; never hard-code keys in source control.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Limit vault access to least-privilege service roles; enable detailed auditing and store logs per {{GEO}} requirements.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Keep key lifecycle records (creation, distribution, use, rotation, retirement) and alert on unusual access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Restrict and audit access to keys protecting ePHI repositories.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Restrict and audit access to keys protecting personal information; revoke key access promptly on role change.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Key Rotation & Retirement", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Rotate platform and database master keys at least annually or upon suspected compromise.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Revoke and destroy retired keys; document rotation events, impacted assets, and validation that old keys cannot decrypt new data.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update dependent secrets and configurations as part of the rotation change.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record approvals and evidence of rotation; preserve artefacts for auditor sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure timely rotation for keys protecting ePHI and update risk analysis if a compromise is suspected.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Rotate keys protecting personal information on a documented schedule; treat compromise of a key protecting personal information as a privacy incident.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Monthly scan verifies 100% TLS coverage and encryption-at-rest flags; vault audit shows no orphaned keys. For teams over {{EMPLOYEES}} employees, expand sampling to include random checks of services in {{CRITICAL}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any legacy system lacking encryption must be isolated and tracked with a mitigation plan, noting any {{GEO}} residency constraints and residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Plaintext storage or transmission of sensitive {{DATA}} triggers immediate incident response and remediation.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review algorithms and configurations annually; upgrade when industry guidance deprecates current standards, and reflect {{INDUSTRY}} or {{GEO}} changes where relevant.", "type": "text"}]}]}, + "createdAt": "2025-06-27 07:00:06.600", + "updatedAt": "2026-04-30 23:24:59.718" + }, + { + "id": "frk_pt_68e3f39e77b0a823add09bf5", + "name": "Code of Business Conduct", + "description": "The Code of Business Conduct outlines the ethical standards and professional behaviors expected of all employees. It serves as a guide to ensure integrity, compliance, and responsibility in all business activities and interactions.", + "frequency": "yearly", + "department": "hr", + "content": [{"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Set clear expectations for ethical behavior, professionalism, and compliance across all {{COMPANY}} activities.", "type": "text"}, {"type": "hardBreak"}, {"text": "Protect trust with customers, partners, regulators, and one another while upholding {{INDUSTRY}} standards.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Applies to all {{COMPANY}} employees, contractors, and third parties operating on behalf of {{COMPANY}} in {{GEO}}.", "type": "text"}, {"type": "hardBreak"}, {"text": "Covers conduct, data protection, decision-making, and use of company systems and resources.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Our Principles", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Act with integrity", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Be honest, fair, and transparent in all interactions with customers, partners, regulators, and colleagues.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Protect trust", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Safeguard all customer PII, financial records, property data, credit-bureau information, and compliance documentation.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Customer first", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure that decisions improve the accuracy, speed, and fairness of lending and service outcomes—not just short-term performance.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Comply with the law", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Follow applicable financial-services, data-protection, anti-bribery, anti-money-laundering, competition, and employment laws.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "No retaliation", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Speaking up about ethical or compliance concerns is encouraged and protected from retaliation.", "type": "text"}]}]}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Professional Conduct", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Respect and inclusion", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Harassment, discrimination, or bullying of any kind is strictly prohibited—promote an inclusive and respectful workplace.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conflicts of interest", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disclose any outside employment, investments, family relationships, or gifts that could influence business decisions.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Fair dealing", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Never misrepresent {{COMPANY}} or competitors, or engage in unfair or deceptive business practices.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Communications and social media", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Only authorized representatives may speak publicly on behalf of {{COMPANY}}.", "type": "text"}, {"type": "hardBreak"}, {"text": "Never disclose confidential or customer information in public or social-media channels.", "type": "text"}]}]}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Data Protection & Security", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Access control", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use company-managed accounts with SSO and MFA.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Apply least-privilege access and review access quarterly.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Shared or generic accounts are prohibited.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Device security", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Devices must enable disk encryption, auto-lock, strong passcodes, and current OS/patches.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Install company MDM/endpoint protection when required.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store customer data only in approved, encrypted applications; never on local drives unless explicitly authorized and encrypted.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Data handling", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Collect only the minimum data required for business needs.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Classify and label sensitive data appropriately.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use anonymized or synthetic data for development and testing whenever possible.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Incident response", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Immediately report any suspected data loss, breach, or unauthorized access.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The Security Lead coordinates containment, notification, and post-incident review per regulatory requirements.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retention and deletion", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain data only as long as legally or contractually required.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Securely delete data when no longer needed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Respond promptly to data-subject requests (access, correction, deletion).", "type": "text"}]}]}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Reporting Concerns", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Raise ethical or conduct concerns with your manager or compliance contact.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Anonymous reporting options are available upon request.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "No retaliation will occur for good-faith reports or participation in investigations.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Enforcement", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Violations may result in access restrictions, disciplinary action (including termination), and, where required, reporting to regulatory authorities.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "This Code is reviewed at least annually; all updates will be communicated in writing.", "type": "text"}]}]}]}], + "createdAt": "2025-10-06 16:51:41.945", + "updatedAt": "2025-10-06 17:09:34.333" }, { "id": "frk_pt_68cc576eab0b1748940253fa", @@ -285,9 +265,9 @@ "description": "The AI Policy Control Framework establishes principles, roles, and processes to ensure the responsible development, use, and oversight of AI systems, aligning them with organizational policies, regulatory obligations, and ethical standards.", "frequency": "yearly", "department": "it", - "content": [{"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Purpose", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The purpose of this policy is to establish a consistent governance framework for the responsible development, deployment, and use of Artificial Intelligence (AI) systems. It ensures that AI is aligned with the organization’s strategic objectives, complies with applicable laws and standards, and upholds ethical principles such as fairness, accountability, transparency, and respect for individual and societal impacts.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "This policy applies to all employees, contractors, partners, and third parties who are involved in the design, acquisition, development, deployment, monitoring, or use of AI systems on behalf of the organization. It covers AI systems developed in-house, procured from vendors, or integrated into existing business processes, and extends across the entire AI system life cycle, from design and training data acquisition through deployment, monitoring, maintenance, and decommissioning.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "1. ", "type": "text"}, {"text": "AI Governance & Policy", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Policy", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (NEW – Covers A.2.2, A.2.3, A.2.4)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Documented overarching AI policy (objectives, principles, scope of AI use, governance framework).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Alignment with existing policies (security, privacy, compliance, risk).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Formal review cycle (annual + ad hoc).", "type": "text"}]}]}]}]}]}, {"type": "horizontalRule"}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "2. ", "type": "text"}, {"text": "AI Roles, Responsibility & Accountability", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Governance Roles & Committees", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (NEW – Covers A.3.2)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assign AI roles: AI Owner, AI Risk Officer, Model Developers, AI Ethics/Review Committee.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Clear accountability for AI lifecycle stages.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Concern Reporting & Whistleblowing", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (Extension of ", "type": "text"}, {"text": "Sanctions & Disciplinary", "type": "text", "marks": [{"type": "italic"}]}, {"text": " + ", "type": "text"}, {"text": "Awareness Training", "type": "text", "marks": [{"type": "italic"}]}, {"text": ")", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Safe channels for employees to report AI-related risks, ethical concerns, or unintended harms.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Part of training & awareness modules.", "type": "text"}]}]}]}]}]}, {"type": "horizontalRule"}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "3. ", "type": "text"}, {"text": "AI Resources & Competency", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Resource Management", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (NEW – Covers A.4.2–A.4.6)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document ", "type": "text"}, {"text": "data, tooling, compute, and human resources", "type": "text", "marks": [{"type": "bold"}]}, {"text": " relevant to AI.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain inventory of AI system dependencies/frameworks (TensorFlow, PyTorch, APIs).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define ", "type": "text"}, {"text": "competency requirements", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (skills/training) for AI staff.", "type": "text"}]}]}]}]}]}, {"type": "horizontalRule"}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "4. ", "type": "text"}, {"text": "AI Risk & Impact Assessments", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Risk & Impact Assessment Policy", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (NEW – Covers A.5.2–A.5.5)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Process for assessing individual, societal, and organizational impacts of AI systems.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain findings as part of enterprise ", "type": "text"}, {"text": "risk register", "type": "text", "marks": [{"type": "bold"}]}, {"text": ".", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Required for new AI systems, major updates, and periodic reviews.", "type": "text"}]}]}]}]}]}, {"type": "horizontalRule"}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "5. ", "type": "text"}, {"text": "AI Lifecycle Management", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Development & Design Policy", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (Expansion of ", "type": "text"}, {"text": "Secure SDLC", "type": "text", "marks": [{"type": "italic"}]}, {"text": ", ", "type": "text"}, {"text": "Change & Release Management", "type": "text", "marks": [{"type": "italic"}]}, {"text": ")", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define ", "type": "text"}, {"text": "responsible AI objectives", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (fairness, transparency, explainability, robustness).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Lifecycle processes: design → development → validation → deployment → monitoring → decommissioning.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verification & validation of AI models (bias, accuracy, robustness testing).", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Deployment & Operations", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (Expansion of ", "type": "text"}, {"text": "Logging, Monitoring & Audit", "type": "text", "marks": [{"type": "italic"}]}, {"text": " + ", "type": "text"}, {"text": "Incident Response", "type": "text", "marks": [{"type": "italic"}]}, {"text": ")", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Model performance monitoring, drift detection, bias monitoring.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Event logging for AI actions/decisions.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Rollback/retraining protocols.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI System Documentation", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (NEW – Covers A.6.2.7)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Documentation prepared for stakeholders: purpose, design, limitations, and risks.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Tailored for regulators, customers, users.", "type": "text"}]}]}]}]}]}, {"type": "horizontalRule"}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "6. ", "type": "text"}, {"text": "AI Data Governance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Data Governance Policy", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (NEW – Covers A.7.2–A.7.6)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Data requirements defined: quality, provenance, preparation, retention, lawful basis.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Dataset acquisition vetting (bias, representativeness, licensing).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Continuous validation of dataset integrity & relevance.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Links to ", "type": "text"}, {"text": "Data Classification & Handling", "type": "text", "marks": [{"type": "italic"}]}, {"text": " and ", "type": "text"}, {"text": "Privacy & Data Subject Rights", "type": "text", "marks": [{"type": "italic"}]}, {"text": ".", "type": "text"}]}]}]}]}]}, {"type": "horizontalRule"}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "7. ", "type": "text"}, {"text": "AI Transparency & Stakeholder Communications", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Transparency & Communications", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (NEW – Covers A.8.2–A.8.5)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "User-facing documentation: explanation of AI system purpose, limitations, intended use.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Stakeholder reporting: regulatory disclosures, public summaries, accountability dashboards.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI incident communication: tailored protocols for affected users & regulatory bodies.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Channels for external stakeholders to report adverse impacts.", "type": "text"}]}]}]}]}]}, {"type": "horizontalRule"}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "8. ", "type": "text"}, {"text": "Responsible Use of AI", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Responsible AI Use Policy", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (NEW – Covers A.9.2–A.9.4)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define acceptable vs prohibited AI uses (alignment with ethics principles).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Establish “intended use” framework tied to AI model documentation.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct user education on ethical/responsible AI use.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Embed into ", "type": "text"}, {"text": "Acceptable Use Policy (AUP)", "type": "text", "marks": [{"type": "italic"}]}, {"text": ".", "type": "text"}]}]}]}]}]}, {"type": "horizontalRule"}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "9. ", "type": "text"}, {"text": "Third-Party AI Governance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Vendor & Third-Party Risk", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (Expansion of ", "type": "text"}, {"text": "Vendor & Third-Party Risk", "type": "text", "marks": [{"type": "italic"}]}, {"text": ", ", "type": "text"}, {"text": "Third-Party Processor", "type": "text", "marks": [{"type": "italic"}]}, {"text": ")", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI-specific clauses in contracts (responsible AI dev/use, explainability, performance guarantees).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require supplier AI transparency (model cards/evaluation reports).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI accountability mapping: shared responsibilities between org ↔ vendor ↔ customer.", "type": "text"}]}]}]}]}]}], + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Purpose", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The purpose of this policy is to establish a consistent governance framework for the responsible development, deployment, and use of Artificial Intelligence (AI) systems. It ensures that AI is aligned with the organization’s strategic objectives, complies with applicable laws and standards, and upholds ethical principles such as fairness, accountability, transparency, and respect for individual and societal impacts.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "This policy applies to all employees, contractors, partners, and third parties who are involved in the design, acquisition, development, deployment, monitoring, or use of AI systems on behalf of the organization. It covers AI systems developed in-house, procured from vendors, or integrated into existing business processes, and extends across the entire AI system life cycle, from design and training data acquisition through deployment, monitoring, maintenance, and decommissioning.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "1. ", "type": "text"}, {"text": "AI Governance & Policy", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Policy", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (NEW – Covers A.2.2, A.2.3, A.2.4)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Documented overarching AI policy (objectives, principles, scope of AI use, governance framework).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Alignment with existing policies (security, privacy, compliance, risk).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Formal review cycle (annual + ad hoc).", "type": "text"}]}]}]}]}]}, {"type": "horizontalRule"}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "2. ", "type": "text"}, {"text": "AI Roles, Responsibility & Accountability", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Governance Roles & Committees", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (NEW – Covers A.3.2)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assign AI roles: AI Owner, AI Risk Officer, Model Developers, AI Ethics/Review Committee.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Clear accountability for AI lifecycle stages.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Concern Reporting & Whistleblowing", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (Extension of ", "type": "text"}, {"text": "Sanctions & Disciplinary", "type": "text", "marks": [{"type": "italic"}]}, {"text": " + ", "type": "text"}, {"text": "Awareness Training", "type": "text", "marks": [{"type": "italic"}]}, {"text": ")", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Safe channels for employees to report AI-related risks, ethical concerns, or unintended harms.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Part of training & awareness modules.", "type": "text"}]}]}]}]}]}, {"type": "horizontalRule"}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "3. ", "type": "text"}, {"text": "AI Resources & Competency", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Resource Management", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (NEW – Covers A.4.2–A.4.6)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document ", "type": "text"}, {"text": "data, tooling, compute, and human resources", "type": "text", "marks": [{"type": "bold"}]}, {"text": " relevant to AI.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain inventory of AI system dependencies/frameworks (TensorFlow, PyTorch, APIs).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define ", "type": "text"}, {"text": "competency requirements", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (skills/training) for AI staff.", "type": "text"}]}]}]}]}]}, {"type": "horizontalRule"}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "4. ", "type": "text"}, {"text": "AI Risk & Impact Assessments", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Risk & Impact Assessment Policy", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (NEW – Covers A.5.2–A.5.5)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Process for assessing individual, societal, and organizational impacts of AI systems.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain findings as part of enterprise ", "type": "text"}, {"text": "risk register", "type": "text", "marks": [{"type": "bold"}]}, {"text": ".", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Required for new AI systems, major updates, and periodic reviews.", "type": "text"}]}]}]}]}]}, {"type": "horizontalRule"}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "5. ", "type": "text"}, {"text": "AI Lifecycle Management", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Development & Design Policy", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (Expansion of ", "type": "text"}, {"text": "Secure SDLC", "type": "text", "marks": [{"type": "italic"}]}, {"text": ", ", "type": "text"}, {"text": "Change & Release Management", "type": "text", "marks": [{"type": "italic"}]}, {"text": ")", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define ", "type": "text"}, {"text": "responsible AI objectives", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (fairness, transparency, explainability, robustness).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Lifecycle processes: design → development → validation → deployment → monitoring → decommissioning.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verification & validation of AI models (bias, accuracy, robustness testing).", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Deployment & Operations", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (Expansion of ", "type": "text"}, {"text": "Logging, Monitoring & Audit", "type": "text", "marks": [{"type": "italic"}]}, {"text": " + ", "type": "text"}, {"text": "Incident Response", "type": "text", "marks": [{"type": "italic"}]}, {"text": ")", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Model performance monitoring, drift detection, bias monitoring.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Event logging for AI actions/decisions.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Rollback/retraining protocols.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI System Documentation", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (NEW – Covers A.6.2.7)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Documentation prepared for stakeholders: purpose, design, limitations, and risks.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Tailored for regulators, customers, users.", "type": "text"}]}]}]}]}]}, {"type": "horizontalRule"}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "6. ", "type": "text"}, {"text": "AI Data Governance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Data Governance Policy", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (NEW – Covers A.7.2–A.7.6)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Data requirements defined: quality, provenance, preparation, retention, lawful basis.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Dataset acquisition vetting (bias, representativeness, licensing).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Continuous validation of dataset integrity & relevance.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Links to ", "type": "text"}, {"text": "Data Classification & Handling", "type": "text", "marks": [{"type": "italic"}]}, {"text": " and ", "type": "text"}, {"text": "Privacy & Data Subject Rights", "type": "text", "marks": [{"type": "italic"}]}, {"text": ".", "type": "text"}]}]}]}]}]}, {"type": "horizontalRule"}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "7. ", "type": "text"}, {"text": "AI Transparency & Stakeholder Communications", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Transparency & Communications", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (NEW – Covers A.8.2–A.8.5)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "User-facing documentation: explanation of AI system purpose, limitations, intended use.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Stakeholder reporting: regulatory disclosures, public summaries, accountability dashboards.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI incident communication: tailored protocols for affected users & regulatory bodies.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Channels for external stakeholders to report adverse impacts.", "type": "text"}]}]}]}]}]}, {"type": "horizontalRule"}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "8. ", "type": "text"}, {"text": "Responsible Use of AI", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Responsible AI Use Policy", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (NEW – Covers A.9.2–A.9.4)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define acceptable vs prohibited AI uses (alignment with ethics principles).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Establish “intended use” framework tied to AI model documentation.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct user education on ethical/responsible AI use.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Embed into ", "type": "text"}, {"text": "Acceptable Use Policy (AUP)", "type": "text", "marks": [{"type": "italic"}]}, {"text": ".", "type": "text"}]}]}]}]}]}, {"type": "horizontalRule"}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "9. ", "type": "text"}, {"text": "Third-Party AI Governance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI Vendor & Third-Party Risk", "type": "text", "marks": [{"type": "bold"}]}, {"text": " (Expansion of ", "type": "text"}, {"text": "Vendor & Third-Party Risk", "type": "text", "marks": [{"type": "italic"}]}, {"text": ", ", "type": "text"}, {"text": "Third-Party Processor", "type": "text", "marks": [{"type": "italic"}]}, {"text": ")", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI-specific clauses in contracts (responsible AI dev/use, explainability, performance guarantees).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require supplier AI transparency (model cards/evaluation reports).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "AI accountability mapping: shared responsibilities between org ↔ vendor ↔ customer.", "type": "text"}]}]}]}]}]}]}, "createdAt": "2025-09-18 19:03:10.246", - "updatedAt": "2025-09-18 19:06:12.956" + "updatedAt": "2026-04-25 19:34:58.394" }, { "id": "frk_pt_68bb155d6b8eaafd14904188", @@ -295,19 +275,19 @@ "description": "Ensures all third-party vendors adhere to sign GDPR Data Processing Agreements", "frequency": "yearly", "department": "admin", - "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Manage risks from suppliers that access {{COMPANY}} data or impact operations.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All SaaS, cloud, consulting, and data-processing vendors.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "State that the policy aligns to SOC 2 Trust Services Criteria, at minimum Security (Common Criteria). Name any optional criteria in scope (Availability, Confidentiality, Processing Integrity, Privacy).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Clarify that the policy covers vendors and any vendors that act as “subservice organizations” to your system as defined in SOC 2. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "State that the policy applies to all vendors that create, receive, maintain, or transmit PHI, including subcontractors of Business Associates. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "State that the policy applies to all vendors (processors) that process personal data of EU/EEA data subjects on behalf of {{COMPANY}}, including subprocessors and the designated EU Representative (if applicable). ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Vendor Inventory & Tiering", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain central list of active vendors with owner and contact.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Tier vendors by risk", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Critical = Business cannot run without it", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "High = handles customer or Restricted data", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Medium = internal tools", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Low = no data access", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Flag which vendors are subservice organizations in your SOC 2 report and record whether you use the carve-out or inclusive method for each.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Link each vendor entry to the service commitments and system requirements they support in your SOC 2 system description). ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Classify each vendor’s HIPAA role: Business Associate, Subcontractor BA, or neither.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track whether PHI is stored, processed, or transmitted, where it resides, and whether data are de-identified or a limited data set. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a list of all vendors that process personal data, including:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Vendor name", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Type of personal data processed", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Lawful basis for processing", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Whether vendor acts as processor, subprocessor, or EU Representative", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Location of processing (EU/EEA or third country with transfer mechanism)", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track Data Processing Agreements (DPAs) with:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Date signed", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Date of last review", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Next review due", "type": "text"}]}]}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Security Due Diligence", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Critical/High-risk: obtain SOC 2/ISO 27001 report or complete security questionnaire before contract.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Medium-risk: basic questionnaire or public security statement review.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record findings and approval decision.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prefer SOC 2 Type 2. Record report type, period covered, criteria in scope, auditor opinion, exceptions, relevant subservice organizations, and whether carve-out or inclusive.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Obtain a bridge (gap) letter when the SOC 2 period does not cover the present date. Note that a bridge letter is a management assertion, not auditor-attested.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Extract the vendor’s Complementary User Entity Controls (CUECs). Map each CUEC to your internal controls and keep evidence that you operate them.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "If no SOC 2 is available, collect alternate assurance (for example ISO 27001 certificate with SoA, pen test summary, security questionnaire) and record a risk-based acceptance with compensating controls and a timeline to obtain SOC 2. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}} ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Add a HIPAA checklist for Critical and High vendors that handle PHI:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Evidence of a HIPAA Security Rule risk analysis and risk management plan.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Administrative safeguards: workforce training, sanction policy, access authorization, termination, contingency planning and backups, periodic evaluations.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Physical safeguards: facility access controls, device and media controls, secure disposal.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Technical safeguards: unique IDs, access controls, audit controls, integrity controls, transmission security, authentication.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Logging: the vendor must maintain and retain system activity logs for ePHI and provide extracts on request.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Data minimization: confirm “minimum necessary” access design and role-based access . ", "type": "text"}]}]}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For Critical and High vendors that process personal data:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify GDPR-compliant DPA is signed before processing begins.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Confirm vendor provides appropriate technical and organizational measures (TOMs).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assess cross-border data transfers and ensure valid transfer mechanism (e.g., SCCs, adequacy decision).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record evidence of review and approval.", "type": "text"}]}]}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Contractual Safeguards", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include confidentiality, breach-notification, right-to-audit, and data-return clauses.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For personal-data processors, execute a data-processing agreement.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require vendors in Critical or High tiers to provide a current SOC 2 Type 2 report annually and a bridge letter for any period not covered.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include obligations to notify you of material control changes, new subprocessors, or security incidents, and to cooperate with your incident investigations. Tie this to your service commitments and system requirements.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Preserve right-to-audit or, at minimum, right to obtain independent assurance (SOC report or equivalent) and remediation evidence for noted exceptions. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}} ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The BAA must at minimum require the BA to:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use and disclose PHI only as permitted by the BAA and HIPAA; apply minimum necessary.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Implement the HIPAA Security Rule safeguards and ensure subcontractors sign equivalent BAAs.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Report any security incident or breach without unreasonable delay and set an internal time box (for example, within 5 calendar days) with content requirements for the notice.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Make PHI available to support individual rights: access within 30 days, amendment, and accounting of disclosures within 60 days; incorporate amendments as directed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Make internal practices, books, and records relating to PHI available to HHS upon request.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Return or destroy PHI at termination and stop all uses; if infeasible, extend protections and limit uses.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Permit termination for material breach of the BAA.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prohibit sale of PHI and marketing uses without proper authorization, and prohibit re-identification of de-identified data unless expressly permitted. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The DPA must at minimum require the processor to:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Process personal data only on documented instructions from {{COMPANY}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Implement appropriate technical and organizational measures (TOMs).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure confidentiality and train personnel.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Obtain prior written authorization for subprocessors and flow down equivalent obligations.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assist {{COMPANY}} in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction, objection).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assist with security, breach notification, and DPIAs.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Return or securely delete personal data at contract termination.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Make available all information necessary to demonstrate compliance and allow audits.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Notify {{COMPANY}} without undue delay of any personal data breach.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Ongoing Monitoring", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review Critical/High-risk vendors’ attestations or questionnaires annually.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track security-breach news; initiate assessment if incident reported.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Cadence: Critical reviewed at least semiannually; High at least annually. Re-review after any material change, incident, ownership or hosting change, scope change to Restricted data, or SLA breach.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track remediation of exceptions noted in the vendor’s SOC 2 and verify you operate their CUECs each period.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "When using the carve-out method, monitor the vendor’s subservice organizations where they could affect your commitments. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require BA to notify you without unreasonable delay (internal target within 5 days) and include the incident description, PHI types, number of affected individuals, timeframes, mitigation, and corrective actions. You will handle regulatory filings and individual notices per HIPAA timelines.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review BAAs annually and after material changes.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Re-obtain evidence of HIPAA risk analysis updates, contingency plan tests, and access review results.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Monitor vendor breach disclosures and OCR settlements affecting the vendor. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review DPAs for all processors at least annually. Maintain a review log with:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Vendor name", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Date DPA signed", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Date of last review", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Next review due", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Monitor vendor breach disclosures, regulatory actions, and changes in subprocessors or transfer mechanisms. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Off-boarding & Data Return", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "On contract end, ensure vendor deletes or returns data; obtain written confirmation.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remove integrations and access tokens within 48 h.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require certificate of destruction or written deletion confirmation and link it to the off-boarding ticket. Verify all accounts, API keys, and OAuth tokens are revoked, and keep timestamps as evidence. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require certificate of destruction for all media containing PHI or confirm secure return. Capture timelines and format. Retrieve or request final audit logs that may be needed for accounting of disclosures.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Confirm termination of all BA subcontractors that handled your PHI. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require certificate of destruction or confirmation of secure deletion of all personal data, unless retention is required by law. Capture timelines and format. Confirm termination of all subprocessors handling {{COMPANY}}’s personal data. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 1, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100 % High-risk vendors have up-to-date due-diligence evidence; inventory reconciled quarterly.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of Critical and High vendors have a current SOC 2 Type 2 review or approved alternate assurance with a time-bound plan, plus bridge letters covering any gaps.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of CUECs from Critical and High vendors are mapped and evidenced as operated.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of subservice organizations show method recorded (carve-out or inclusive) and monitoring documented.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Evidence is retained for at least the full SOC 2 Type 2 period and 12 months beyond. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA and Subcontractor BA vendors have an executed BAA before PHI exchange.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA vendors have a current HIPAA risk analysis and risk management plan on file.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA vendors provide breach reporting within the internal time box.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA vendors documented with PHI data map and minimum-necessary justification. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of vendors processing personal data have a signed GDPR-compliant DPA on file.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of DPAs are reviewed at least annually and logged with next review date.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of cross-border transfers have a documented lawful transfer mechanism.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of vendors provide breach reporting without undue delay. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Urgent onboarding without full diligence allowed only with executive sign-off and action plan.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Allow emergency onboarding only with Security approval, a short-term risk acceptance, compensating controls, and a plan to obtain SOC 2 or equivalent assurance within a defined time box. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Missing evidence or expired contracts flagged to procurement and Security for immediate action.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Streamline questionnaire, add automation, and refine tiering criteria annually.", "type": "text"}]}], + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Manage risks from suppliers that access {{COMPANY}} data or impact operations.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All SaaS, cloud, consulting, and data-processing vendors.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "State that the policy aligns to SOC 2 Trust Services Criteria, at minimum Security (Common Criteria). Name any optional criteria in scope (Availability, Confidentiality, Processing Integrity, Privacy).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Clarify that the policy covers vendors and any vendors that act as “subservice organizations” to your system as defined in SOC 2. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Use written contracts to ensure third parties processing personal information on behalf of {{COMPANY}} provide a comparable level of privacy protection. Maintain accountability for personal information transferred to vendors regardless of where they operate in {{GEO}}.{{/if}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "State that the policy applies to all vendors that create, receive, maintain, or transmit PHI, including subcontractors of Business Associates. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "State that the policy applies to all vendors (processors) that process personal data of EU/EEA data subjects on behalf of {{COMPANY}}, including subprocessors and the designated EU Representative (if applicable). ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Vendor Inventory & Tiering", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain central list of active vendors with owner and contact.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Tier vendors by risk", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Critical = Business cannot run without it", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "High = handles customer or Restricted data", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Medium = internal tools", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Low = no data access", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Flag which vendors are subservice organizations in your SOC 2 report and record whether you use the carve-out or inclusive method for each.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Link each vendor entry to the service commitments and system requirements they support in your SOC 2 system description). ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Tag vendors that process personal information; record whether the data leaves Canada and the safeguards applied to those cross-border transfers.{{/if}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Classify each vendor’s HIPAA role: Business Associate, Subcontractor BA, or neither.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track whether PHI is stored, processed, or transmitted, where it resides, and whether data are de-identified or a limited data set. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a list of all vendors that process personal data, including:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Vendor name", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Type of personal data processed", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Lawful basis for processing", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Whether vendor acts as processor, subprocessor, or EU Representative", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Location of processing (EU/EEA or third country with transfer mechanism)", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track Data Processing Agreements (DPAs) with:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Date signed", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Date of last review", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Next review due", "type": "text"}]}]}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Security Due Diligence", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Critical/High-risk: obtain SOC 2/ISO 27001 report or complete security questionnaire before contract.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Medium-risk: basic questionnaire or public security statement review.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record findings and approval decision.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prefer SOC 2 Type 2. Record report type, period covered, criteria in scope, auditor opinion, exceptions, relevant subservice organizations, and whether carve-out or inclusive.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Obtain a bridge (gap) letter when the SOC 2 period does not cover the present date. Note that a bridge letter is a management assertion, not auditor-attested.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Extract the vendor’s Complementary User Entity Controls (CUECs). Map each CUEC to your internal controls and keep evidence that you operate them.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "If no SOC 2 is available, collect alternate assurance (for example ISO 27001 certificate with SoA, pen test summary, security questionnaire) and record a risk-based acceptance with compensating controls and a timeline to obtain SOC 2. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}} ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Confirm the vendor can support {{COMPANY}}'s obligations: access-request fulfilment within 30 days, breach notification, and compliance with the 10 Fair Information Principles.{{/if}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Add a HIPAA checklist for Critical and High vendors that handle PHI:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Evidence of a HIPAA Security Rule risk analysis and risk management plan.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Administrative safeguards: workforce training, sanction policy, access authorization, termination, contingency planning and backups, periodic evaluations.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Physical safeguards: facility access controls, device and media controls, secure disposal.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Technical safeguards: unique IDs, access controls, audit controls, integrity controls, transmission security, authentication.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Logging: the vendor must maintain and retain system activity logs for ePHI and provide extracts on request.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Data minimization: confirm “minimum necessary” access design and role-based access . ", "type": "text"}]}]}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For Critical and High vendors that process personal data:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify GDPR-compliant DPA is signed before processing begins.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Confirm vendor provides appropriate technical and organizational measures (TOMs).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assess cross-border data transfers and ensure valid transfer mechanism (e.g., SCCs, adequacy decision).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record evidence of review and approval.", "type": "text"}]}]}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Contractual Safeguards", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include confidentiality, breach-notification, right-to-audit, and data-return clauses.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For personal-data processors, execute a data-processing agreement.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require vendors in Critical or High tiers to provide a current SOC 2 Type 2 report annually and a bridge letter for any period not covered.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include obligations to notify you of material control changes, new subprocessors, or security incidents, and to cooperate with your incident investigations. Tie this to your service commitments and system requirements.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Preserve right-to-audit or, at minimum, right to obtain independent assurance (SOC report or equivalent) and remediation evidence for noted exceptions. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}} ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Require contractual commitments to: limit processing to documented purposes, return or securely destroy personal information on termination, notify {{COMPANY}} of any privacy breach without undue delay, and submit to {{COMPANY}}'s direction on access requests.{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The BAA must at minimum require the BA to:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use and disclose PHI only as permitted by the BAA and HIPAA; apply minimum necessary.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Implement the HIPAA Security Rule safeguards and ensure subcontractors sign equivalent BAAs.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Report any security incident or breach without unreasonable delay and set an internal time box (for example, within 5 calendar days) with content requirements for the notice.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Make PHI available to support individual rights: access within 30 days, amendment, and accounting of disclosures within 60 days; incorporate amendments as directed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Make internal practices, books, and records relating to PHI available to HHS upon request.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Return or destroy PHI at termination and stop all uses; if infeasible, extend protections and limit uses.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Permit termination for material breach of the BAA.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prohibit sale of PHI and marketing uses without proper authorization, and prohibit re-identification of de-identified data unless expressly permitted. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The DPA must at minimum require the processor to:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Process personal data only on documented instructions from {{COMPANY}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Implement appropriate technical and organizational measures (TOMs).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure confidentiality and train personnel.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Obtain prior written authorization for subprocessors and flow down equivalent obligations.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assist {{COMPANY}} in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction, objection).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assist with security, breach notification, and DPIAs.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Return or securely delete personal data at contract termination.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Make available all information necessary to demonstrate compliance and allow audits.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Notify {{COMPANY}} without undue delay of any personal data breach.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Ongoing Monitoring", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review Critical/High-risk vendors’ attestations or questionnaires annually.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track security-breach news; initiate assessment if incident reported.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Cadence: Critical reviewed at least semiannually; High at least annually. Re-review after any material change, incident, ownership or hosting change, scope change to Restricted data, or SLA breach.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track remediation of exceptions noted in the vendor’s SOC 2 and verify you operate their CUECs each period.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "When using the carve-out method, monitor the vendor’s subservice organizations where they could affect your commitments. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Re-confirm annually that processors continue to provide comparable privacy protection; track any changes to data location or sub-processor lists.{{/if}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require BA to notify you without unreasonable delay (internal target within 5 days) and include the incident description, PHI types, number of affected individuals, timeframes, mitigation, and corrective actions. You will handle regulatory filings and individual notices per HIPAA timelines.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review BAAs annually and after material changes.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Re-obtain evidence of HIPAA risk analysis updates, contingency plan tests, and access review results.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Monitor vendor breach disclosures and OCR settlements affecting the vendor. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review DPAs for all processors at least annually. Maintain a review log with:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Vendor name", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Date DPA signed", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Date of last review", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Next review due", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Monitor vendor breach disclosures, regulatory actions, and changes in subprocessors or transfer mechanisms. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Off-boarding & Data Return", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "On contract end, ensure vendor deletes or returns data; obtain written confirmation.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remove integrations and access tokens within 48 h.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require certificate of destruction or written deletion confirmation and link it to the off-boarding ticket. Verify all accounts, API keys, and OAuth tokens are revoked, and keep timestamps as evidence. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}On termination, obtain certified return or secure destruction of personal information held by the vendor, and update the Personal Information Register.{{/if}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require certificate of destruction for all media containing PHI or confirm secure return. Capture timelines and format. Retrieve or request final audit logs that may be needed for accounting of disclosures.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Confirm termination of all BA subcontractors that handled your PHI. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require certificate of destruction or confirmation of secure deletion of all personal data, unless retention is required by law. Capture timelines and format. Confirm termination of all subprocessors handling {{COMPANY}}’s personal data. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 1, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100 % High-risk vendors have up-to-date due-diligence evidence; inventory reconciled quarterly.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of Critical and High vendors have a current SOC 2 Type 2 review or approved alternate assurance with a time-bound plan, plus bridge letters covering any gaps.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of CUECs from Critical and High vendors are mapped and evidenced as operated.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of subservice organizations show method recorded (carve-out or inclusive) and monitoring documented.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Evidence is retained for at least the full SOC 2 Type 2 period and 12 months beyond. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA and Subcontractor BA vendors have an executed BAA before PHI exchange.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA vendors have a current HIPAA risk analysis and risk management plan on file.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA vendors provide breach reporting within the internal time box.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA vendors documented with PHI data map and minimum-necessary justification. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if gdpr}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of vendors processing personal data have a signed GDPR-compliant DPA on file.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of DPAs are reviewed at least annually and logged with next review date.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of cross-border transfers have a documented lawful transfer mechanism.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of vendors provide breach reporting without undue delay. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Urgent onboarding without full diligence allowed only with executive sign-off and action plan.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Allow emergency onboarding only with Security approval, a short-term risk acceptance, compensating controls, and a plan to obtain SOC 2 or equivalent assurance within a defined time box. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Missing evidence or expired contracts flagged to procurement and Security for immediate action.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Streamline questionnaire, add automation, and refine tiering criteria annually.", "type": "text"}]}]}, "createdAt": "2025-09-05 16:52:44.802", - "updatedAt": "2025-09-05 17:17:12.446" + "updatedAt": "2026-04-30 23:21:45.896" }, { - "id": "frk_pt_68e3f39e77b0a823add09bf5", - "name": "Code of Business Conduct", - "description": "The Code of Business Conduct outlines the ethical standards and professional behaviors expected of all employees. It serves as a guide to ensure integrity, compliance, and responsibility in all business activities and interactions.", + "id": "frk_pt_685e414029124c24387beff0", + "name": "Retention & Secure Disposal", + "description": "Sets record-specific retention periods, runs periodic purge reviews, and requires cryptographic or physical destruction of outdated data.", "frequency": "yearly", - "department": "hr", - "content": [{"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Set clear expectations for ethical behavior, professionalism, and compliance across all {{COMPANY}} activities.", "type": "text"}, {"type": "hardBreak"}, {"text": "Protect trust with customers, partners, regulators, and one another while upholding {{INDUSTRY}} standards.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Applies to all {{COMPANY}} employees, contractors, and third parties operating on behalf of {{COMPANY}} in {{GEO}}.", "type": "text"}, {"type": "hardBreak"}, {"text": "Covers conduct, data protection, decision-making, and use of company systems and resources.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Our Principles", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Act with integrity", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Be honest, fair, and transparent in all interactions with customers, partners, regulators, and colleagues.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Protect trust", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Safeguard all customer PII, financial records, property data, credit-bureau information, and compliance documentation.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Customer first", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure that decisions improve the accuracy, speed, and fairness of lending and service outcomes—not just short-term performance.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Comply with the law", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Follow applicable financial-services, data-protection, anti-bribery, anti-money-laundering, competition, and employment laws.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "No retaliation", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Speaking up about ethical or compliance concerns is encouraged and protected from retaliation.", "type": "text"}]}]}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Professional Conduct", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Respect and inclusion", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Harassment, discrimination, or bullying of any kind is strictly prohibited—promote an inclusive and respectful workplace.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conflicts of interest", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disclose any outside employment, investments, family relationships, or gifts that could influence business decisions.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Fair dealing", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Never misrepresent {{COMPANY}} or competitors, or engage in unfair or deceptive business practices.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Communications and social media", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Only authorized representatives may speak publicly on behalf of {{COMPANY}}.", "type": "text"}, {"type": "hardBreak"}, {"text": "Never disclose confidential or customer information in public or social-media channels.", "type": "text"}]}]}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Data Protection & Security", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Access control", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use company-managed accounts with SSO and MFA.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Apply least-privilege access and review access quarterly.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Shared or generic accounts are prohibited.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Device security", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Devices must enable disk encryption, auto-lock, strong passcodes, and current OS/patches.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Install company MDM/endpoint protection when required.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store customer data only in approved, encrypted applications; never on local drives unless explicitly authorized and encrypted.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Data handling", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Collect only the minimum data required for business needs.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Classify and label sensitive data appropriately.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use anonymized or synthetic data for development and testing whenever possible.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Incident response", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Immediately report any suspected data loss, breach, or unauthorized access.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The Security Lead coordinates containment, notification, and post-incident review per regulatory requirements.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retention and deletion", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain data only as long as legally or contractually required.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Securely delete data when no longer needed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Respond promptly to data-subject requests (access, correction, deletion).", "type": "text"}]}]}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Reporting Concerns", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Raise ethical or conduct concerns with your manager or compliance contact.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Anonymous reporting options are available upon request.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "No retaliation will occur for good-faith reports or participation in investigations.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Enforcement", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Violations may result in access restrictions, disciplinary action (including termination), and, where required, reporting to regulatory authorities.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "This Code is reviewed at least annually; all updates will be communicated in writing.", "type": "text"}]}]}]}], - "createdAt": "2025-10-06 16:51:41.945", - "updatedAt": "2025-10-06 17:09:34.333" + "department": "it", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Keep {{DATA}} only as long as needed and dispose of it so it cannot be recovered by unauthorized parties at {{COMPANY}}, including data stored in {{CRITICAL}} and subject to {{GEO}} residency.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All electronic and physical records, backups, and media created or held by the organization. Applies to the {{LOCATION}} workforce, systems in {{CRITICAL}}, and managed {{DEVICES}} that store or cache {{DATA}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain the retention schedule, review records, and disposal logs for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "For ePHI, apply the HIPAA Security Rule Device and Media Controls and retain required documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Retain personal information only as long as necessary to fulfill the purposes documented in the Personal Information Register; retain information used to make decisions about an individual long enough for the individual to access it under PIPEDA Section 8.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Retention Schedule", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a table listing record types, retention period, owner, and primary storage (e.g., repository in {{CRITICAL}}) with {{GEO}} residency where applicable.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review the schedule at least annually and when new {{INDUSTRY}} data types arise.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure each record type references its storage location and protection requirements.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Map ePHI record types to required retention periods and safeguard expectations.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Map each personal information category to a minimum and maximum retention period; align with the documented collection purpose under Principle 5.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Periodic Data Review", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Owners run an automated or manual review at least quarterly to identify data beyond its retention period in {{CRITICAL}}, collaboration repositories, and on managed {{DEVICES}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Records flagged for deletion are queued for disposal within 30 days.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Log review dates and outcomes; track queued deletions to completion.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Verify reviews include systems and media that may contain ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Identify personal information no longer required and queue it for destruction or anonymization; document outcomes for at least 24 months.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Secure Disposal Methods", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Electronic data: use secure-wipe utilities or crypto-erasure by destroying keys; confirm for cloud stores in {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Physical media: use cross-cut shredding or a certified destruction vendor.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document each disposal event with date, data category, method, and location; store records in {{GEO}} where required.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Store certificates or logs of destruction where used and restrict access to disposal records.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Apply Device and Media Controls for ePHI, including sanitisation and accountability.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Apply destruction methods that prevent recovery of personal information; obtain certificates of destruction from contractors handling disposal.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Backup & Archive Controls", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Apply the same retention timelines to backups and archives.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Encrypt backups; verify they age out on schedule or are re-encrypted when keys rotate; note backup residency in {{GEO}} and storage in {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Periodically test backup expiry and restoration; protect keys and access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure backup processes for ePHI maintain required safeguards during storage and restoration.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Apply the same safeguards to personal information held in backups as in production; document the backup retention period in the Personal Information Register.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly check shows ≤ 5% of records past retention and disposal logs are complete. For teams over {{EMPLOYEES}} employees, expand sampling and include random checks across {{CRITICAL}} and managed {{DEVICES}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Legal hold or contract may override the schedule; document the reason and review date, including any impact on {{DATA}} residency in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Over-retained or improperly disposed records are escalated to senior management and remediated within 30 days.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update the schedule and tooling after audits, incidents, or regulatory change, reflecting {{INDUSTRY}} requirements and any updates to {{GEO}} obligations.", "type": "text"}]}]}, + "createdAt": "2025-06-27 06:59:11.886", + "updatedAt": "2026-04-30 23:21:48.511" }, { "id": "frk_pt_691e4b93beca9362759c4cbe", @@ -349,6 +329,26 @@ "createdAt": "2025-11-19 22:57:21.987", "updatedAt": "2025-11-24 23:04:45.954" }, + { + "id": "frk_pt_685e4508d8c0d14ae873e644", + "name": "Physical Security & Environmental", + "description": "Controls facility and server-room access, manages visitors, safeguards against fire, flood, or climate risks, and audits logs and walk-throughs.", + "frequency": "yearly", + "department": "it", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Protect {{COMPANY}} personnel, equipment, and information from unauthorized physical access or environmental damage.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{LOCATION}} and any site hosting {{COMPANY}} assets.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Align to SOC 2 Trust Services Criteria in scope for the audit (Security at minimum; add Availability/Confidentiality if applicable). Treat building/data-centre operators as relevant subservice organizations. ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Apply physical safeguards to areas where personal information is stored or processed, regardless of format (paper, electronic, removable media), per Principle 7 of PIPEDA Schedule 1.{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Applies where ePHI is created, received, maintained, or transmitted (including subcontractors of Business Associates). ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Facility Access Control", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All controlled doors use badges or keys; disable badges immediately at termination.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Segregate secure areas (for example, server/network closets) with locked doors; limit keys to authorized staff only.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Keep doors closed; prevent tailgating and prohibit propping doors open.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly review of badge/key lists to reconfirm access need.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain access-control records and document quarterly access reviews during the Type 2 period.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Restrict access to areas housing personal information to authorized staff; log physical access to areas storing sensitive personal information.{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain facility access procedures for areas where ePHI may be present.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Visitor Management", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require sign-in, government-issued ID check, and a visible visitor badge.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Host escorts visitor at all times.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain visitor logs for at least 12 months.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Spot-check visitor logs against host approvals as part of periodic reviews.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Escort visitors in areas where personal information is processed; record visitor access for at least one year.{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Restrict visitor access to any area where ePHI may be visible or discussed.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Environmental Protections", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain HVAC within manufacturer-recommended temperature and humidity; continuous monitoring for server areas.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide smoke detection and automatic fire suppression for server rooms, or use fire-rated cabinets where suppression is unavailable.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide UPS for critical equipment and test at least annually.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Elevate equipment or install leak sensors in flood-prone areas.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain maintenance and test records (for example HVAC/UPS) to support Availability when in scope.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Protect personal information from environmental loss (fire, flood, power loss) commensurate with sensitivity; document recovery procedures.{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Link facility and environmental events with contingency and emergency-mode operations.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Equipment Protection & Disposal", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Lock server racks; use cable locks for laptops in shared/co-working spaces.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain asset inventory with physical location and owner.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Sanitize or destroy storage media prior to disposal or reuse using NIST SP 800-88 methods; record disposal event and, where applicable, obtain a certificate of destruction.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Sanitize storage media holding personal information before reassignment or disposal; retain destruction certificates for at least 24 months.{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Satisfies Device and Media Controls: disposal, media reuse, accountability.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Physical Security Monitoring & Review", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review access-control and (where deployed) CCTV logs monthly for anomalies; investigate and record outcomes.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct an annual walk-through to verify door states, signage, camera coverage, alarms, leak sensors, and rack locks.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record incidents such as tailgating or propped-open doors and track corrective actions.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain review artifacts for at least the full Type 2 period plus 12 months.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Review physical safeguards annually for areas housing personal information; document corrective actions.{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain Security Rule documentation for 6 years.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Access controls in use at 100% of controlled doors; monthly log reviews completed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of visitors signed in, badged, and escorted; logs retained 12 months.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Annual environmental tests (for example UPS) and annual physical walk-through completed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of media disposal or reuse events recorded with NIST SP 800-88 method.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Temporary use of an unsecured space requires manager approval, an end date, and compensating controls (for example lockable cabinet).", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Tailgating, propped-open doors, missing visitor badges, or unlogged visitors are recorded as incidents; corrective action within one week.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enhance controls based on incident trends, audit findings, and facility changes; review this policy at least annually.", "type": "text"}]}]}, + "createdAt": "2025-06-27 07:15:20.007", + "updatedAt": "2026-04-30 23:21:50.266" + }, + { + "id": "frk_pt_685e42188e2df1c285cca159", + "name": "Access Control & Least Privilege", + "description": "Implements a Joiner-Mover-Leaver workflow, role-based access control, quarterly reviews, and strict approval for elevated privileges.", + "frequency": "yearly", + "department": "it", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure users at {{COMPANY}} receive only the minimum access necessary and that access adjusts promptly with role changes, protecting {{DATA}} on workloads in {{CRITICAL}} and across {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All workforce accounts, service accounts, and system roles across SaaS, IaaS, and on-prem resources used by the {{LOCATION}} workforce. Only managed {{DEVICES}} may access production resources in {{CRITICAL}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Align to logical access controls (authentication, authorization, provisioning/deprovisioning) and retain artifacts for the Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Apply workforce security and information access management with unique IDs and authentication for systems handling ePHI (164.308(a)(3)-(4), 164.312(a), 164.312(d)).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Restrict access to personal information to the minimum necessary for the purposes documented in the Personal Information Register, in accordance with Principle 7 of PIPEDA Schedule 1.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Joiner-Mover-Leaver (JML) Process", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provision access via ticket with manager approval and defined role.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Modify privileges within 48 hours of role change.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disable or delete accounts by end of final workday; collect tokens/keys/badges and revoke access on {{DEVICES}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Tie SSO/IdP accounts to HR status; block sign-in on termination and immediately remove access to {{CRITICAL}}/{{DATA}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record approvals, timestamps, and completion in the ticket/IdP; no ad-hoc provisioning.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Remove ePHI access immediately on termination; document termination procedures.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Adjust access to personal information promptly on role change; revoke access on termination within one business day.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Role-Based Access Control (RBAC)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define standard roles per system (e.g., Admin, Power User, Read-Only).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assign users to roles or groups; avoid direct entitlements.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain role definitions with least-privilege permissions and named owners.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Service accounts have an owner, documented purpose, restricted scopes, and no interactive login.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Review role definitions at least annually; protect high-risk permissions with MFA.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Limit ePHI access to the minimum necessary; segregate admin from clinical/support roles where applicable.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Define roles based on the purpose for which personal information is processed; segregate duties between collection, use, and disclosure where the volume or sensitivity warrants it.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Privilege Elevation & Approval", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Temporary admin rights require documented business justification and auto-expire ≤ 24 hours.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Permanent admin assignments require senior-management approval.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use just-in-time elevation where available; log all elevated actions on systems in {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain elevation requests/approvals and session logs for sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure elevated sessions on ePHI systems use strong authentication and are auditable.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Require documented approval and time-bound elevation for access to sensitive personal information; log elevation events.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Periodic Access Review", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "System owners review user lists at least quarterly; remove stale or excessive rights.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Reconcile IdP groups, SaaS roles, and resource policies affecting {{CRITICAL}} and {{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document review date, reviewers, findings, and actions; store evidence in {{GEO}} where residency applies.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track findings to closure; verify orphaned accounts and excess privileges are remediated.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Include verification of ePHI repository access and logging of adjustments.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Review access to personal information at least annually; close any access not aligned to a documented purpose and record the outcome.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly review shows ≤ 2% orphaned accounts; all admin rights have an approval record. For teams over {{EMPLOYEES}} employees, expand sampling and include random checks of privileged access to {{CRITICAL}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Emergency access allowed for a maximum of 8 hours; log reason, scope, and approver, and close in the next review. Note any residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Unapproved elevated access or dormant accounts > 30 days are escalated to management and remediated within one week.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Incorporate review findings to refine role definitions and automate provisioning/deprovisioning, considering {{INDUSTRY}} needs and obligations in {{GEO}}.", "type": "text"}]}]}, + "createdAt": "2025-06-27 07:02:47.730", + "updatedAt": "2026-04-30 23:21:51.182" + }, { "id": "frk_pt_6944560ec419232763bbac2c", "name": "Service Provider Acknowledgement", @@ -359,6 +359,116 @@ "createdAt": "2025-12-18 19:29:17.533", "updatedAt": "2025-12-18 19:31:04.846" }, + { + "id": "frk_pt_69f3de9f7e48fbcc7752a946", + "name": "PIPEDA Privacy Notice Policy", + "description": "Defines the content, publication, and update process for the public-facing PIPEDA privacy notice provided at or before collection of personal information — supporting Principles 2, 3, 4, and 8.", + "frequency": "yearly", + "department": "gov", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure that individuals interacting with {{COMPANY}} ({{COMPANYINFO}}) are informed about the personal information ({{DATA}}) being collected, why it is being collected, how it will be used and disclosed, and how they can exercise their rights under the Personal Information Protection and Electronic Documents Act (PIPEDA).", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The public-facing PIPEDA privacy notice published by {{COMPANY}} on its websites, mobile apps, contracts, and any other interface where personal information is collected. Applies to the {{LOCATION}} workforce and processors operating in {{CRITICAL}} and across {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Required Content", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Identity and contact details of {{COMPANY}} and the designated Privacy Officer accountable for PIPEDA compliance.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Categories of {{DATA}} collected, sources, and the purposes for which they are collected, used, and disclosed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Categories of recipients (including service providers and processors in {{CRITICAL}}) with which {{DATA}} is shared.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Whether {{DATA}} is transferred outside Canada and the safeguards applied to those transfers.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retention periods for each category and the criteria used to determine them.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The rights individuals have under PIPEDA, including access, correction, and challenging compliance.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The procedure for submitting access requests and complaints, and the consequences of withholding consent.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "A statement on how {{COMPANY}} obtains consent (express vs. implied) and how it can be withdrawn.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Notification at Collection", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide the privacy notice or a meaningful link to it at or before every collection point, including web forms, account creation, in-person collection, and indirect collection by {{SOFTWARE}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Train employees who collect personal information by phone or in person to explain purposes using approved scripts.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Where notification at the time of collection is impracticable, notify the individual before the personal information is used or disclosed.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Updates & Versioning", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update the privacy notice within 30 days of any material change to collection, use, disclosure, or retention practices.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a public version history with the effective date of each version, and retain prior versions for at least seven years.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Re-notify affected individuals where the change is material to existing relationships.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Records & Retention", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain dated copies of every published version, evidence of publication, and the change log.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain training records for staff who deliver verbal collection notices.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly content review confirms that all collection points reference the current notice and that no purposes are processed beyond those described.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any temporary deviation (for example, emergency public-health collection without prior notice) requires documented authorization and post-collection notification as soon as practicable.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Identified gaps trigger immediate notice update and review of any data collected during the gap.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Incorporate guidance from the Office of the Privacy Commissioner of Canada (OPC) and {{INDUSTRY}} norms into each annual revision.", "type": "text"}]}]}, + "createdAt": "2026-04-30 22:58:39.443", + "updatedAt": "2026-04-30 22:58:39.832" + }, + { + "id": "frk_pt_69efd9cfa8d70d31297f025e", + "name": "Children's and Minors' Data Policy", + "description": "Governs collection, use, sale, and sharing of personal information of minors. Requires affirmative opt-in consent for sale or sharing of personal information of consumers under 16, and verifiable parental consent for those under 13.", + "frequency": "yearly", + "department": "gov", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define how {{COMPANY}} ({{COMPANYINFO}}) collects, uses, sells, and shares the personal information of minors under California's CCPA/CPRA, ensuring that consumers under 16 are protected by additional consent requirements and that consumers under 13 receive verifiable parental consent before any sale or sharing of their personal information.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All {{DATA}} that may belong to a California consumer under the age of 16, regardless of where the data is collected, processed in {{CRITICAL}}, or stored across {{GEO}}. Applies to all employees, contractors, and service providers acting on behalf of {{COMPANY}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Age Determination", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{COMPANY}} does not knowingly sell or share the personal information of consumers under 16 without affirmative authorization (\"opt-in to sale\").", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Where age is unknown, services or features that may attract minors will apply default protections (no sale or sharing) until age is established.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Age signals captured via {{SOFTWARE}} (e.g. account profile, consent prompts) are treated as the source of truth and re-evaluated on material profile changes.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Consumers Aged 13 to 15 — Affirmative Opt-In", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Obtain the consumer's own affirmative, informed opt-in before selling or sharing their personal information.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Present the opt-in in plain language describing what data is sold or shared, with whom, and for what purpose.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Default to \"no sale, no sharing\" until the opt-in is captured and recorded.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Consumers Under 13 — Verifiable Parental Consent", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Obtain verifiable parental consent (consistent with COPPA-aligned methods) before selling or sharing personal information of any consumer under 13.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Acceptable verification methods include signed consent form, government-ID verification, payment-method verification, or another method reasonably calculated in light of available technology.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain the parental consent record alongside the child's account or processing record.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Withdrawing Consent and Opt-Out", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide a clear method for the minor (13–15) or parent/guardian (under 13) to withdraw consent or opt out of sale or sharing at any time.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Honor withdrawal within 15 business days and propagate the change to all relevant downstream service providers and contractors.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Recordkeeping", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain records of consent (affirmative opt-in or parental consent), withdrawal, and verification method for at least 24 months.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Records are stored in {{CRITICAL}} and are retrievable for audits, regulator inquiries, and consumer rights requests.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Service Providers and Third Parties", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Service providers, contractors, and downstream third parties processing minors' personal information must contractually agree to the same age-gating, consent, and opt-out obligations.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Selling or sharing minors' personal information with parties not bound by these terms is prohibited.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Roles and Responsibilities", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Privacy Officer — owns this policy, monitors regulatory updates, and approves consent flow changes.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Engineering and Product — implement age gating, consent capture, withdrawal flows, and downstream propagation in {{SOFTWARE}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Customer Support — handle consent withdrawal and parental requests using documented procedures.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Enforcement", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Violations may result in disciplinary action up to termination, contract termination for service providers, and legal action where required. Suspected non-compliance must be reported to the Privacy Officer immediately.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Review", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Reviewed at least annually by the Privacy Officer and updated upon material change in {{COMPANY}}'s product, processing activities, or applicable law.", "type": "text"}]}]}, + "createdAt": "2026-04-27 21:49:02.939", + "updatedAt": "2026-04-27 23:03:46.219" + }, + { + "id": "frk_pt_69f3dea01f1406bc00bc3d92", + "name": "PIPEDA Consent Management Policy", + "description": "Defines how the organization obtains, records, and manages knowledge and consent for the collection, use, and disclosure of personal information under PIPEDA, including consent withdrawal and express consent for sensitive information — supporting Principle 3.", + "frequency": "yearly", + "department": "gov", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Establish the standard by which {{COMPANY}} ({{COMPANYINFO}}) obtains meaningful consent from individuals for the collection, use, and disclosure of their personal information ({{DATA}}), in line with PIPEDA Schedule 1, Principle 3.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All collection, use, and disclosure of personal information by {{COMPANY}}, including data processed by {{SOFTWARE}} and stored in {{CRITICAL}}, regardless of whether the individual is a customer, prospect, employee, or contractor in {{GEO}} or {{LOCATION}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Forms of Consent", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Default to express, opt-in consent at the point of collection, recorded with timestamp, method, and the version of the privacy notice presented.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Implied consent is acceptable only where the information is non-sensitive, the use is consistent with the reasonable expectations of the individual, and the use is clearly described in the privacy notice.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Express, opt-in consent is required for sensitive personal information, including health information, financial account information, biometric data, genetic data, racial or ethnic origin, political opinions, religious or philosophical beliefs, and information about sex life or sexual orientation.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Knowledge Requirement", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "State the purposes for which consent is sought clearly, specifically, and in plain language so the individual can reasonably understand how the information will be used and disclosed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Train staff who interact with individuals to explain purposes consistently and to direct them to the privacy notice for further detail.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Conditions on Consent", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{COMPANY}} must not require, as a condition of providing a product or service, consent to collection, use, or disclosure beyond what is necessary to fulfill the explicitly specified and legitimate purposes.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Consent must not be obtained through deception, misleading statements, pre-checked boxes for non-essential collection, or by burying material terms.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Withdrawal of Consent", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide a clear, accessible mechanism for individuals to withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "On receipt of a withdrawal request, inform the individual of the consequences (for example, service degradation), confirm the request in writing, and propagate the change across {{CRITICAL}} and {{SOFTWARE}} within five business days.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a withdrawal log including request date, propagation date, and any consequence communicated.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "New Purposes", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any new purpose not identified at the time of original collection requires fresh consent before the new use begins, or reliance on a documented PIPEDA Section 7 exception.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document the basis for the new processing in the Personal Information Register and retain evidence of fresh consent.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Records & Retention", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain consent records, withdrawal records, and the consent text presented for a minimum of seven years following the most recent processing event.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Restrict access to the consent log to the privacy officer and approved auditors.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly sampling of consent records validates timestamp, method, scope, and propagation of withdrawals.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Section 7 statutory exceptions (for example, legal investigation, or emergency to life or health) must be invoked in writing by the privacy officer with documented basis.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any processing without valid consent or a documented exception is treated as a privacy incident.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Integrate findings from complaints, OPC guidance, and {{INDUSTRY}} consent norms into each annual review.", "type": "text"}]}]}, + "createdAt": "2026-04-30 22:58:40.240", + "updatedAt": "2026-04-30 22:58:40.619" + }, + { + "id": "frk_pt_69efd9c4a9d86fd3bdc08de1", + "name": "Information Security Policy", + "description": "Establishes the technical and organizational security safeguards (access control, encryption, logging, vulnerability management, secure development) used to protect personal information against unauthorized access, destruction, modification, or disclosure.", + "frequency": "yearly", + "department": "it", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Establish the technical and organizational safeguards {{COMPANY}} ({{COMPANYINFO}}) uses to protect {{DATA}} against unauthorized access, destruction, modification, or disclosure, in line with the CCPA/CPRA \"reasonable security\" standard.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All systems, services, and {{DEVICES}} used by the {{LOCATION}} workforce of {{EMPLOYEES}} to access or process personal information, including infrastructure in {{CRITICAL}} and data stored across {{GEO}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Apply security safeguards to all personal information held by {{COMPANY}}, calibrated to its sensitivity, in accordance with Principle 7 of PIPEDA Schedule 1. Coverage includes physical, organizational, and technological safeguards across {{CRITICAL}} and {{DEVICES}}.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Access Control", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enforce least-privilege access; access to personal information is granted on a documented business need.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require SSO and MFA for all {{SOFTWARE}} that handles personal information.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review user access at least quarterly; revoke access within one business day of role change or termination.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Restrict access to personal information to staff who need it for documented purposes; revoke access promptly on role change or termination.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Encryption", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Encrypt personal information in transit using TLS 1.2 or higher.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Encrypt personal information at rest in {{CRITICAL}} using industry-standard algorithms (e.g. AES-256).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Manage cryptographic keys with rotation, separation of duties, and audit logging.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Encrypt sensitive personal information at rest and in transit; document the safeguards applied to personal information transferred outside Canada.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Logging and Monitoring", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Centralize security-relevant logs from {{CRITICAL}} and {{SOFTWARE}}; retain at least 12 months.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Alert on anomalous authentication, privilege escalation, and data access events.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Maintain access logs for systems holding personal information for at least 24 months to support access requests, breach investigations, and OPC inquiries.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Vulnerability and Patch Management", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Run continuous vulnerability scanning across {{CRITICAL}} and {{DEVICES}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remediate critical vulnerabilities within 14 days, high within 30 days.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct an external penetration test at least annually and after material architectural change.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Secure Development", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require code review and automated security testing (SAST/SCA) on all changes that touch personal information.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Separate production from non-production data; never use real personal information in development or test environments without controls.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Endpoint Security", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All managed {{DEVICES}} must run full-disk encryption, endpoint protection, automatic patching, and screen lock.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Personal information must not be stored on personal/unmanaged endpoints.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Enforce encryption and remote-wipe on {{DEVICES}} that may hold personal information; prohibit unencrypted local storage on personal devices.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Roles and Responsibilities", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Security Lead — owns this policy and the security control roadmap.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "IT — operates identity, endpoint, and patching programs.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Engineering — implements encryption, secure development, and infrastructure hardening.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Enforcement", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Violations may result in disciplinary action up to termination, contract termination for service providers, and may be reported to regulators where required.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Review", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Reviewed at least annually and after any material change in {{COMPANY}}'s technology stack, threat landscape, or applicable law.", "type": "text"}]}]}, + "createdAt": "2026-04-27 21:48:52.467", + "updatedAt": "2026-04-30 23:21:49.394" + }, + { + "id": "frk_pt_69efd9bf92ab808ec559b766", + "name": "Data Retention and Disposal Policy", + "description": "Defines retention periods for personal information by category, secure disposal procedures, and recordkeeping requirements for consumer requests (minimum 24 months under CCPA/CPRA).", + "frequency": "yearly", + "department": "gov", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define how long {{COMPANY}} ({{COMPANYINFO}}) retains {{DATA}} and how it is securely disposed of, ensuring compliance with the CCPA/CPRA, applicable {{INDUSTRY}} obligations, and {{COMPANY}}'s contractual commitments.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All personal information processed by {{COMPANY}} in {{CRITICAL}} or stored in {{GEO}}, including production systems, backups, archives, and copies held by service providers and contractors.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Retention Principle", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain personal information only for as long as necessary to fulfill the disclosed purpose, comply with legal obligations, resolve disputes, or enforce agreements.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define and document a retention period for each category of personal information; do not collect data without an associated retention period.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Retention by Category", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Customer account records — duration of the account plus the period required by tax/contract law.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Billing and payment records — at least 7 years (or as required by tax law).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Marketing data — until opt-out or 2 years of inactivity, whichever is shorter.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Application and security logs — 12 months minimum, longer where required by contract or regulation.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Consumer Request Records", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain records of CCPA/CPRA consumer rights requests and {{COMPANY}}'s responses for at least 24 months.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Records must capture date of receipt, request type, verification method, response, and date of response.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Backups and Archives", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Backup retention is documented separately from primary retention. Personal information deleted in production is purged from backups by the next full backup cycle, or remains in cold storage with no read access.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Archived data must be tagged with its retention category to support automated disposal.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Secure Disposal", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Electronic media — cryptographic erasure or NIST 800-88 wipe.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Paper records — cross-cut shredding or certified destruction service.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Destruction must be logged with date, method, and responsible party.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Service Provider Coordination", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Service providers and contractors must apply equivalent retention and disposal controls. Termination of a vendor engagement triggers return or certified destruction of all personal information held on {{COMPANY}}'s behalf.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Roles and Responsibilities", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Privacy Officer — owns retention schedule and reviews annually.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Engineering — implements automated retention and deletion in {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Vendor Manager — confirms service-provider retention obligations during onboarding and at contract renewal.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Enforcement", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Failure to follow retention or disposal requirements may result in disciplinary action, contract termination for vendors, and corrective action up to formal incident handling.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Review", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Reviewed at least annually and after any material change in regulatory, contractual, or business retention requirements.", "type": "text"}]}]}, + "createdAt": "2026-04-27 21:48:46.540", + "updatedAt": "2026-04-27 23:14:12.855" + }, + { + "id": "frk_pt_69f3dea1ba102e2350be4f9b", + "name": "PIPEDA Data Accuracy Policy", + "description": "Defines accuracy, completeness, and currency standards for personal information, the procedure for individuals to challenge accuracy, and propagation of corrections to third parties — supporting Principle 6.", + "frequency": "yearly", + "department": "gov", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure that personal information ({{DATA}}) held by {{COMPANY}} ({{COMPANYINFO}}) is as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used, in line with PIPEDA Schedule 1, Principle 6.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All personal information used to make decisions about individuals or shared with third parties, including data processed by {{SOFTWARE}} and stored in {{CRITICAL}}, across {{GEO}} and the {{LOCATION}} workforce.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Accuracy Standards by Use", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Categorize each data element by use (decision-making, analytics, contact-only) and define the level of accuracy and currency required for each.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Routinely update only where necessary for the identified purpose; avoid unnecessary updating that itself creates risk.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For data used to make decisions affecting an individual (for example, service eligibility), require positive confirmation of accuracy before the decision is taken.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Source & Update Tracking", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record the source of each personal information element and the date it was last collected, verified, or updated.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Where information is collected from a third party, retain the date and channel of that collection.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Amendment Procedure", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide individuals a clear channel to challenge the accuracy or completeness of their personal information.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "On receipt of a substantiated challenge, amend the record without undue delay; where unable to amend, record the disagreement as a note on the record.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Communicate amendments to third parties to whom the original (incorrect) information was disclosed within 30 days of the amendment.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Periodic Verification", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct a documented accuracy review at least annually for high-impact data sets (for example, customer profiles used for billing, employee records used for compensation).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Where an automated source of truth exists in {{SOFTWARE}}, document the synchronization frequency.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Records & Retention", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain accuracy challenges, decisions, and amendment evidence for at least seven years.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Keep evidence of downstream propagation to third-party recipients.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Annual accuracy review confirms sampling rate and corrective action; KPI tracks median time from challenge to amendment.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Where amendment would conflict with another legal obligation (for example, tax or anti-money-laundering retention), document the conflict and the residual risk.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Repeated unresolved challenges trigger root-cause review and process change.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use access-request and complaint trends to identify accuracy hotspots and adjust the verification cadence.", "type": "text"}]}]}, + "createdAt": "2026-04-30 22:58:41.031", + "updatedAt": "2026-04-30 22:58:41.395" + }, + { + "id": "frk_pt_69efd9c800ed19d26d6175f4", + "name": "Incident Response and Breach Notification Policy", + "description": "Defines the process for identifying, containing, investigating, and notifying affected consumers and regulators of data breaches in compliance with California Civil Code § 1798.82 and CCPA/CPRA obligations.", + "frequency": "yearly", + "department": "it", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define how {{COMPANY}} ({{COMPANYINFO}}) detects, contains, investigates, and notifies affected consumers and regulators of personal information security incidents, in compliance with California Civil Code § 1798.82 and the CCPA/CPRA.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any actual or suspected unauthorized access, acquisition, use, modification, destruction, or disclosure of {{DATA}} processed in {{CRITICAL}} or stored across {{GEO}}. Applies to incidents detected by {{COMPANY}} or reported by service providers, contractors, or third parties.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Detection and Reporting", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Employees and contractors must report any suspected incident to the Security Lead immediately, using the designated channel in {{SOFTWARE}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Service providers and contractors must notify {{COMPANY}} of any incident affecting personal information without unreasonable delay and no later than 48 hours after discovery.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Triage and Containment", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Severity (S1–S4) and containment objectives are assigned within the first response window.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Preserve evidence (logs, system snapshots, chat transcripts) before remediating wherever possible.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Investigation", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Determine root cause, scope of personal information impacted, and time window of exposure.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document findings, decisions, and remediation actions in a single incident record.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Consumer Notification", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "When unauthorized acquisition of personal information is confirmed, notify affected California residents in the most expedient time possible and without unreasonable delay (Cal. Civ. Code § 1798.82).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Notice content must include the categories of personal information involved, what happened, what {{COMPANY}} is doing in response, and what consumers can do to protect themselves.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Regulator Notification", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Where notification is required to more than 500 California residents, submit the notice to the California Attorney General as required by law. Coordinate with Legal on any additional notifications under {{INDUSTRY}} regulations or contractual obligations.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Post-Incident Review", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct a blameless post-incident review within 10 business days of containment.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track corrective actions to closure and update controls, training, and runbooks accordingly.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Tabletop Exercises", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Run an annual tabletop exercise based on a personal information breach scenario; capture lessons learned and feed them into the IR playbook.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Roles and Responsibilities", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Security Lead — Incident Commander; owns the response process.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Privacy Officer — leads consumer notification scope and language.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Legal — owns regulator notifications and external counsel coordination.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Engineering / IT — execute containment, eradication, and recovery.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Enforcement", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Failure to report or follow IR procedures may result in disciplinary action up to termination, vendor contract termination, and is itself a reportable compliance event.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Review", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Reviewed at least annually and after every material incident or significant change in {{COMPANY}}'s architecture or service portfolio.", "type": "text"}]}]}, + "createdAt": "2026-04-27 21:48:55.629", + "updatedAt": "2026-04-27 23:14:15.543" + }, + { + "id": "frk_pt_69efd9ca0c5691e9ec1b1241", + "name": "Vendor and Third-Party Management Policy", + "description": "Governs due diligence, contracting, and ongoing oversight of service providers, contractors, and third parties that process personal information on the business's behalf, including required CCPA/CPRA contract terms.", + "frequency": "yearly", + "department": "gov", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Govern how {{COMPANY}} ({{COMPANYINFO}}) selects, contracts with, and oversees service providers, contractors, and third parties that process {{DATA}} on its behalf, ensuring they meet the requirements of the CCPA/CPRA.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any external party {{COMPANY}} engages that may receive, store, transmit, or otherwise process personal information, including hosting in {{CRITICAL}}, {{SOFTWARE}} integrations, and processors located in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Classification", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Classify each third party as Service Provider, Contractor, or Third Party under the CCPA/CPRA.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Selling or sharing personal information with a Third Party requires consumer notice and opt-out support.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Due Diligence", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct privacy and security due diligence proportional to the sensitivity and volume of personal information involved (questionnaire, certifications, audit reports).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document residual risks and any compensating controls before signing.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Contract Requirements", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Limit use of personal information to the specified business purpose.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prohibit sale or sharing outside of {{COMPANY}}'s instructions, and prohibit combining personal information with other sources for unrelated use.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require cooperation with consumer rights requests (Know, Delete, Correct, Opt-Out, Limit) within {{COMPANY}}'s response timelines.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require equivalent technical and organizational safeguards, breach notification within 48 hours, and audit/inspection rights.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require deletion or return of personal information at end of engagement.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Sub-Processors", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Service Providers must obtain prior approval before engaging sub-processors that will access personal information and must flow down equivalent terms in their sub-processor agreements.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Ongoing Oversight", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Reassess vendors annually based on risk tier, including review of certifications, breach history, and material changes in service.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a current vendor inventory tracking data shared, classification, contract status, and risk rating.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Termination", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "On termination, confirm in writing that the vendor has returned or securely destroyed all personal information, including copies in backups.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Roles and Responsibilities", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Vendor Manager — owns lifecycle, due diligence, and reassessment.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Privacy Officer — approves CCPA/CPRA contract terms and any new sub-processors.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Security Lead — reviews technical safeguards and breach handling.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Business Owner — accountable for vendor performance and remediation.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Enforcement", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Engaging a vendor without required diligence or contract terms is a policy violation; existing engagements found out of compliance must be remediated or terminated.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Review", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Reviewed at least annually and on material change in regulatory or contractual requirements affecting {{COMPANY}}.", "type": "text"}]}]}, + "createdAt": "2026-04-27 21:48:57.624", + "updatedAt": "2026-04-27 23:14:17.039" + }, + { + "id": "frk_pt_69efd9cd0541d8cdb4cae9d1", + "name": "Data Classification and Inventory Policy", + "description": "Defines how personal information categories (including sensitive personal information) are identified, classified, inventoried, and tracked across systems and data flows.", + "frequency": "yearly", + "department": "gov", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define how {{COMPANY}} ({{COMPANYINFO}}) identifies, classifies, and inventories the personal information it processes, supporting accurate disclosures, consumer rights handling, and security controls under the CCPA/CPRA.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All {{DATA}} collected, used, sold, shared, stored, or transmitted by {{COMPANY}}, regardless of where it lives — including {{CRITICAL}}, {{SOFTWARE}}, and storage in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Classification Tiers", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Public — information intended for public disclosure (e.g. marketing site).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Internal — non-public business information not subject to special handling.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Confidential — personal information and other data requiring access controls and encryption.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Restricted — sensitive personal information (CPRA), payment card data, government IDs, health, biometrics.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "CCPA Personal Information Categories", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track each category collected (Identifiers, Customer Records, Protected Classifications, Commercial, Internet Activity, Geolocation, Sensory, Professional, Education, Inferences, Sensitive Personal Information).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For each category, document sources, business purposes, recipients, retention period, and whether it is sold or shared.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Inventory Maintenance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a single, authoritative personal information inventory in {{SOFTWARE}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Re-validate the inventory at least annually and on any material change in product, processing, or vendor.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Data Flow Mapping", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Map how personal information flows between {{COMPANY}}, its workforce, {{CRITICAL}}, and external parties — including transfers to {{GEO}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Tie each data flow to its associated lawful basis or business purpose, and to the receiving service provider, contractor, or third party.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Handling Requirements", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Confidential and Restricted data must be encrypted in transit and at rest, access-controlled, and logged.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Restricted (sensitive personal information) requires additional handling: minimization, separate access, and restricted use unless the consumer has explicitly authorized otherwise.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Public and Internal data follow {{COMPANY}}'s standard handling rules.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Roles and Responsibilities", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Privacy Officer — owns classification scheme and inventory accuracy.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Data Stewards (per system) — keep their system's data inventory up to date.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Engineering — implements technical handling controls per classification tier.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Enforcement", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Mishandling of classified data — including failure to apply the correct handling controls — is a policy violation and is investigated under the IR process.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Review", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Reviewed at least annually and on any material change in {{COMPANY}}'s product, customer base, or applicable law.", "type": "text"}]}]}, + "createdAt": "2026-04-27 21:49:00.955", + "updatedAt": "2026-04-27 23:14:20.041" + }, + { + "id": "frk_pt_69efd9b6276adc8d2eb7844c", + "name": "Consumer Rights Request Policy", + "description": "Internal policy governing how the business receives, verifies, processes, and responds to consumer rights requests under the CCPA/CPRA, including timelines, escalation, and authorized agent handling.", + "frequency": "yearly", + "department": "gov", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define how {{COMPANY}} ({{COMPANYINFO}}) intakes, verifies, processes, and responds to consumer rights requests under the CCPA/CPRA, ensuring timely and consistent handling across the business.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All employees and contractors of {{COMPANY}} who handle, route, or fulfill consumer rights requests touching {{DATA}} processed in {{CRITICAL}} or stored in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Intake Channels", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide at least two designated channels (web form and email) for consumers to submit rights requests.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Route all incoming requests into a single tracked queue managed in {{SOFTWARE}} and acknowledge receipt within 10 business days.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Identity Verification", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use risk-based verification: lower bar for non-sensitive Right to Know, higher bar for Right to Delete or sensitive personal information.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Match data points the consumer provides to data already on file. Never use new sensitive data solely for verification beyond what is necessary.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Authorized Agents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require written authorization signed by the consumer (or proof of power of attorney) before acting on an agent-submitted request.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify the agent's identity and may directly verify the consumer where reasonable.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Right Handling", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Right to Know — return categories and specific pieces of personal information for the prior 12 months (or longer if requested where data is available).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Right to Delete — delete personal information from production, backups (per retention rules), and propagate to service providers and contractors.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Right to Correct — correct inaccurate personal information using commercially reasonable efforts.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Right to Opt-Out — disable sale/sharing flags and propagate to ad-tech and analytics partners; honor GPC signals.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Right to Limit — restrict the use of sensitive personal information to permitted business purposes.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document any statutory exemption used to deny or partially fulfill a request.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Response Timelines", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Acknowledge receipt within 10 business days.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Substantively respond within 45 calendar days, with one 45-day extension where reasonably necessary and the consumer is notified.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Non-Discrimination", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{COMPANY}} does not discriminate against consumers who exercise their CCPA/CPRA rights. Differential pricing or service tiers are permitted only where reasonably related to the value of the data.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Roles and Responsibilities", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Privacy Officer — owns the program, monitors SLA performance, and approves exceptions.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Customer Support — first responder; performs intake and verification.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Engineering — builds and maintains automated fulfillment paths and audit logs.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Legal — handles edge-case denials, exemptions, and regulator-facing communication.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Enforcement", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Failure to follow this policy may result in disciplinary action up to termination, contract termination for service providers, and reportable compliance findings.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Review", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Reviewed at least annually by the Privacy Officer; updated upon material change in law, intake channels, or fulfillment systems.", "type": "text"}]}]}, + "createdAt": "2026-04-27 21:48:38.357", + "updatedAt": "2026-04-27 23:16:53.315" + }, + { + "id": "frk_pt_69efd9ae049ec9c862a64982", + "name": "Privacy Policy", + "description": "External-facing privacy policy describing categories of personal information collected, sources, business and commercial purposes, recipients, retention, consumer rights under CCPA/CPRA, methods to exercise them, and contact information.", + "frequency": "yearly", + "department": "gov", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Introduction", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{COMPANY}} ({{COMPANYINFO}}) respects your privacy and is committed to handling personal information in accordance with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). This Privacy Policy explains what personal information we collect, how we use and share it, and the rights you have under California law.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Information We Collect", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Depending on how you interact with {{COMPANY}}, we may collect the following categories of {{DATA}}:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Identifiers (e.g. name, email, account ID, IP address).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Customer records (e.g. billing address, payment information).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Commercial information (e.g. products purchased, usage history).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Internet or network activity (e.g. browsing on our site, interactions with our services).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Geolocation, professional or employment-related information, and inferences drawn from the above.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "We collect this information directly from you, automatically through your use of our services, and from third-party sources such as service providers and partners.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "How We Use Personal Information", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Providing, maintaining, and improving our products and services.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Processing transactions, billing, and fulfilling contractual obligations.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Communicating with you, including service notices and support.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Securing our services, preventing fraud, and complying with legal obligations.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Analytics, product research, and marketing consistent with applicable law.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "How We Share Personal Information", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "We may disclose personal information to service providers and contractors that support our operations (e.g. hosting in {{CRITICAL}}, analytics, payment processing) under contracts that restrict their use of the data. We may also share information with affiliates, with your direction, or where required by law.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Sale or Sharing of Personal Information", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{COMPANY}} discloses the categories of personal information sold or shared in the past 12 months in this policy. You can opt out at any time using the \"Do Not Sell or Share My Personal Information\" link on our site, or by submitting a request through the channels below. We honor the Global Privacy Control (GPC) browser signal as a valid opt-out.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Sensitive Personal Information", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "We use any sensitive personal information we collect only for the purposes permitted by the CPRA. You may request that we limit the use and disclosure of your sensitive personal information at any time using the \"Limit the Use of My Sensitive Personal Information\" link.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Retention", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are defined in {{COMPANY}}'s Data Retention and Disposal Policy.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Your CCPA / CPRA Rights", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Right to Know — request the categories and specific pieces of personal information we have collected, sources, purposes, and recipients.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Right to Delete — request deletion of personal information we have collected, subject to legal exceptions.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Right to Correct — request correction of inaccurate personal information.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Right to Opt-Out — opt out of the sale or sharing of your personal information.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Right to Limit — restrict the use of sensitive personal information.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Right to Non-Discrimination — exercise these rights without discrimination in price, quality, or service.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "How to Submit a Request", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Submit a rights request through the dedicated form on our website or by emailing the address in the Contact section below. We may need to verify your identity before fulfilling your request. We will respond within 45 days, with one 45-day extension as permitted by law.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Authorized Agents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "You may use an authorized agent to submit a request on your behalf. We will require written authorization from you and may need to verify the agent's identity directly.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Minors", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "We do not knowingly sell or share personal information of consumers under 16 without affirmative opt-in. For consumers under 13, verifiable parental consent is required. See our Children's and Minors' Data Policy for details.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Changes to This Policy", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{COMPANY}} reviews and updates this Privacy Policy at least annually and upon any material change in our processing activities or applicable law. The effective date of the latest version is shown at the top of this page.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Contact Us", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Questions about this Privacy Policy or your rights under the CCPA/CPRA can be directed to {{COMPANY}}'s Privacy Officer through the contact channels listed on our website.", "type": "text"}]}]}, + "createdAt": "2026-04-27 21:48:29.829", + "updatedAt": "2026-04-27 23:23:22.355" + }, { "id": "frk_pt_6944570c25631cd097be8119", "name": "Network Security", @@ -368,5 +478,45 @@ "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "To ensure {{COMPANY}}'s network is configured to prevent unauthorized access and protect Cardholder Data (CHD).", "type": "text"}, {"type": "hardBreak"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Firewall & Network Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Default Deny:", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All inbound and outbound traffic must be blocked (\"Deny All\") unless explicitly allowed by a documented business need.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "DMZ Implementation:", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Web servers facing the internet must reside in a DMZ (Demilitarized Zone). They must never communicate directly with the database; they must use an intermediary application layer.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prohibited Direct Access:", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Direct public access to the Cardholder Data Environment (CDE) is strictly forbidden.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review Frequency:", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Firewall and Security Group rules must be reviewed every ", "type": "text"}, {"text": "6 months", "type": "text", "marks": [{"type": "bold"}]}, {"text": " to remove unused or unsafe rules.", "type": "text"}]}]}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "System Configuration Standards", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Vendor Defaults:", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All vendor-supplied default passwords (e.g., \"admin/admin\") must be changed ", "type": "text"}, {"text": "before", "type": "text", "marks": [{"type": "italic"}]}, {"text": " any system is installed on the network.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "System Hardening:", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All servers must be configured according to industry-standard benchmarks (e.g., CIS Benchmarks). Unnecessary services, ports, and scripts must be disabled.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "One Function Per Server:", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Servers in the CDE must have a primary function (e.g., Web Server OR Database, not both on the same machine) to isolate risk.", "type": "text"}]}]}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Remote Access", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Encrypted Management:", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Non-console administrative access (SSH, RDP) must be encrypted using strong cryptography (SSHv2, TLS 1.2+). Telnet and standard HTTP management interfaces are forbidden.", "type": "text"}]}]}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remote Work:", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Access from outside the corporate network requires Multi-Factor Authentication (MFA) and a secure VPN.", "type": "text"}]}]}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Documentation", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Network Diagrams:", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "A current network diagram showing all connections to/from the CDE must be maintained and updated upon any significant network change.", "type": "text"}]}]}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}}], "createdAt": "2025-12-18 19:33:31.814", "updatedAt": "2025-12-18 19:35:31.566" + }, + { + "id": "frk_pt_69f3de9fefdbd94ed82d7fb0", + "name": "PIPEDA Personal Information Inventory & Purpose Register Policy", + "description": "Maintains a register of every category of personal information collected, the documented purpose for each, and the retention period — supporting PIPEDA Principles 2, 4, and 5.", + "frequency": "yearly", + "department": "gov", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document the categories of personal information that {{COMPANY}} ({{COMPANYINFO}}) collects across {{CRITICAL}} and {{DEVICES}}, the specific purposes for each, and the basis on which the information is collected — so that {{COMPANY}} can demonstrate compliance with the Identifying Purposes principle of PIPEDA Schedule 1.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All personal information ({{DATA}}) collected from customers, prospects, end users, employees, and contractors — whether collected directly, from third parties, or generated by {{SOFTWARE}} — and processed in {{GEO}} or by the {{LOCATION}} workforce.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Personal Information Inventory", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a Personal Information Register cataloguing every category of {{DATA}}, including data elements, source, system of record in {{CRITICAL}}, and {{SOFTWARE}} processors.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Refresh the register at least quarterly and whenever a new collection point or data sharing arrangement is introduced.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Tag each entry with the originating business unit and the responsible system owner.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose Documentation", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For each entry, record the specific purpose(s) for which the information is collected, used, and disclosed, in plain language.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Distinguish primary purposes (necessary for service delivery) from secondary purposes (e.g. analytics, marketing) and mark each accordingly.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Identify the data elements that are mandatory for each purpose vs. optional.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "New Purpose Review", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any new purpose for an existing data category requires documented review by the privacy officer before processing begins.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Where the new purpose was not identified at collection, obtain fresh consent or rely on a documented PIPEDA Section 7 exception.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update public notices and downstream consent records within 30 days of approval.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Records & Retention", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain the register, prior versions, and decision logs for new-purpose reviews for a minimum of seven years.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Keep evidence linking each register entry to its retention schedule and disposal method.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly review confirms the register is current, every entry has a documented purpose, and no purposes are in active use without an entry.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any deviation (for example, emergency use of data outside the register) requires written justification by the privacy officer and post-hoc reconciliation within 10 business days.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Undocumented collection or processing triggers privacy incident response and corrective action.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Integrate findings from access requests, complaints, OPC guidance, and {{INDUSTRY}} norms into the register and review cadence.", "type": "text"}]}]}, + "createdAt": "2026-04-30 22:58:38.505", + "updatedAt": "2026-04-30 22:58:39.000" + }, + { + "id": "frk_pt_69f3dea2fcbd4cc5934aacfa", + "name": "PIPEDA Access Request Policy", + "description": "Establishes the procedure for receiving, verifying, fulfilling, and responding to written access requests under PIPEDA — including identity verification, 30-day response, refusal handling, amendments, and propagation to third parties — supporting Principle 9.", + "frequency": "yearly", + "department": "gov", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Allow individuals to exercise their right under PIPEDA to be informed of the existence, use, and disclosure of their personal information ({{DATA}}) held by {{COMPANY}} ({{COMPANYINFO}}), and to access and challenge that information, in accordance with PIPEDA Schedule 1, Principle 9 and Section 8 of the Act.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All written access requests received by {{COMPANY}} from individuals (or their authorized representatives) regarding personal information held in {{CRITICAL}} or processed by {{SOFTWARE}}, regardless of where in {{GEO}} the individual resides.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Receiving Requests", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Publish at least one channel for submitting access requests (privacy email, web form, or postal address) in the privacy notice.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide reasonable assistance to individuals preparing a request, including helping them identify the categories of {{DATA}} they wish to access.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log every request on receipt with date, requester, channel, and assigned handler.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Identity Verification", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify identity using a method proportionate to the sensitivity of the requested information.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Request only the minimum information necessary to authenticate; do not require government-issued identifiers as a default.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For requests submitted by an authorized representative, require evidence of authorization.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Response Timelines", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Respond no later than 30 days after receipt of the request.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Where a 30-day response is not possible, notify the individual in writing within the original 30-day period of an extension of up to 30 additional days, with reasons consistent with PIPEDA Section 8(4).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide the response in a generally understandable format, with explanations of any abbreviations or codes.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Fees", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Respond at minimal or no cost to the individual.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Where a cost is unavoidable (for example, extensive copying or conversion to alternative format), inform the individual of the approximate cost in advance and obtain consent before proceeding.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Content of the Response", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Confirm whether {{COMPANY}} holds personal information about the individual.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide an account of how the information has been or is being used.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Identify, as specifically as possible, the third parties to whom the information has been disclosed; where a list is unavailable, provide the categories of organizations that may have received the information.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Indicate the source of the information where this can be determined.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Refusal & Recourse", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Where access is refused under a PIPEDA Section 9 exception (for example, solicitor-client privilege or third-party information), notify the individual in writing with the reason, the specific exception relied on, and the recourse available, including the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain the information that is the subject of the request long enough for the individual to exhaust any recourse.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Amendment", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Where the individual demonstrates that information is inaccurate or incomplete, amend it as appropriate.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Where amendment is not made, record the disagreement in the file.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Communicate the amendment, where appropriate, to third parties having access to the information in question.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Records & Retention", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain the access request log, identity verification artefacts, and response correspondence for a minimum of seven years.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Restrict access to access-request files to the privacy officer and the assigned handler.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Monthly KPI tracks median response time, percentage responded within 30 days, and refusal rate.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Section 9 statutory exceptions are documented in each instance with supporting analysis.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Missed 30-day deadlines trigger escalation to the privacy officer and root-cause review.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Integrate findings from access requests, complaints, and OPC findings into the procedure each annual cycle.", "type": "text"}]}]}, + "createdAt": "2026-04-30 22:58:41.814", + "updatedAt": "2026-04-30 22:58:42.245" + }, + { + "id": "frk_pt_69f3dea3d44e30408069e513", + "name": "PIPEDA Privacy Complaint Policy", + "description": "Establishes how the organization receives, investigates, and resolves complaints about its compliance with PIPEDA, including escalation to the Office of the Privacy Commissioner of Canada — supporting Principle 10.", + "frequency": "yearly", + "department": "gov", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide individuals with a simple, accessible procedure to challenge {{COMPANY}}'s ({{COMPANYINFO}}) compliance with PIPEDA, and ensure that complaints are investigated thoroughly and acted on promptly, in accordance with PIPEDA Schedule 1, Principle 10.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All privacy-related complaints, inquiries, and concerns received by {{COMPANY}} regarding the collection, use, disclosure, retention, accuracy, safeguarding, or accessibility of personal information ({{DATA}}), including complaints about processors operating in {{CRITICAL}} or about the {{LOCATION}} workforce.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Complaint Channels", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Publish a privacy complaint channel (privacy email, web form, postal address) in the privacy notice and on the {{COMPANY}} website.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Accept complaints in writing or verbally; for verbal complaints, transcribe and confirm in writing with the complainant.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Acknowledge receipt of every complaint within five business days.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Investigation Procedure", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assign each complaint to a competent and impartial reviewer reporting to the privacy officer.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Investigate every complaint without undue delay, gathering documents, interviewing relevant staff, and reviewing logs and records as needed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document findings, root causes, and any corrective action taken.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Outcome & Notification", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Notify the complainant in writing of the outcome, the reasoning, and the corrective action (if any) taken.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Where the complaint is found justified, take appropriate measures, including amending policies and practices, correcting individual records, retraining staff, or terminating non-compliant processing.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Where the complaint is not upheld, inform the complainant of the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) and provide the OPC's contact details.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Records & Retention", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a complaint register including date received, nature, parties, status, outcome, and resolution date.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain complaint files for a minimum of seven years.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide aggregate complaint metrics to executive leadership at least annually.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Monthly KPI tracks median time to acknowledge, investigate, and resolve complaints; quarterly review of complaint themes drives systemic improvements.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "None; all privacy complaints must be acknowledged and investigated.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Failure to acknowledge or investigate within timelines triggers escalation to executive leadership and corrective action.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Integrate complaint trends, OPC findings, and {{INDUSTRY}} guidance into the annual review of all privacy policies and controls.", "type": "text"}]}]}, + "createdAt": "2026-04-30 22:58:42.727", + "updatedAt": "2026-04-30 22:58:43.243" + }, + { + "id": "frk_pt_69efd9cb30f8a9ef5e517812", + "name": "Privacy Awareness and Training Policy", + "description": "Requires annual privacy training for all employees handling personal information or consumer rights requests, including CCPA/CPRA requirements, internal request-handling procedures, and recordkeeping of training completion.", + "frequency": "yearly", + "department": "hr", + "content": {"type": "doc", "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure {{COMPANY}} ({{COMPANYINFO}}) staff who handle personal information understand their CCPA/CPRA responsibilities and the internal procedures used to honor consumer rights.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All {{EMPLOYEES}} and contractors of {{COMPANY}} working in a {{LOCATION}} setting who access {{DATA}} or interact with consumer rights requests.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Cover the 10 Fair Information Principles (PIPEDA Schedule 1), the Privacy Officer's role, and the access-request and complaint procedures for all staff who collect, use, or disclose personal information.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "New Hire Training", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All new hires complete privacy and security awareness training within 30 days of start date, including a CCPA/CPRA module.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Access to systems containing personal information is contingent on training completion.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Annual Refresh", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Deliver annual refresh training covering: consumer rights, identity verification, response timelines, recordkeeping, and recognizing/reporting incidents.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update content to reflect regulatory changes, internal procedure updates, and lessons from incidents or audits.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Refresh covers updates to PIPEDA, OPC guidance, and any changes to {{COMPANY}}'s privacy notice or consent practices.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Role-Based Training", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Customer Support — request intake, identity verification, escalation paths.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Engineering — privacy-by-design, secure handling of personal information, responding to delete/correct requests.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Marketing / Sales — opt-out signals, sale/share definitions, and ad-tech configuration.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Provide enhanced training for staff who handle access requests, consent collection, complaint intake, or sensitive personal information (health, financial, biometric).{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Recordkeeping", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track training completion in {{SOFTWARE}} and retain completion records for at least 24 months.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Send reminders to overdue staff; escalate non-completion to the manager and Privacy Officer.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if pipeda}}Retain training records for at least 24 months to support OPC inquiries.{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Roles and Responsibilities", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Privacy Officer — defines curriculum and approves changes.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "People / HR — administers training delivery and tracks completion.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Managers — ensure their teams complete training on time.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Enforcement", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Failure to complete required training is a policy violation and may result in temporary suspension of system access until completed.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Review", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Reviewed annually by the Privacy Officer in coordination with People / HR; updated whenever regulatory or process changes warrant new content.", "type": "text"}]}]}, + "createdAt": "2026-04-27 21:48:59.113", + "updatedAt": "2026-04-30 23:21:43.640" } ] \ No newline at end of file diff --git a/packages/db/prisma/seed/primitives/FrameworkEditorRequirement.json b/packages/db/prisma/seed/primitives/FrameworkEditorRequirement.json index 9492f51630..9f43dfcaa9 100644 --- a/packages/db/prisma/seed/primitives/FrameworkEditorRequirement.json +++ b/packages/db/prisma/seed/primitives/FrameworkEditorRequirement.json @@ -8,15 +8,6 @@ "createdAt": "2025-06-03 23:22:15.695", "updatedAt": "2025-06-04 21:41:09.189" }, - { - "id": "frk_rq_681ed417c678d6e4a72ecc21", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "People Controls ", - "description": "Disciplinary process", - "identifier": "A.6.4", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-06-06 05:19:59.448" - }, { "id": "frk_rq_681ec1a899a2a887571df4aa", "frameworkId": "frk_681ebae2f29f0ab08eb802ec", @@ -278,15 +269,6 @@ "createdAt": "2025-05-14 19:20:44.920", "updatedAt": "2025-05-14 19:20:44.920" }, - { - "id": "frk_rq_681ed173c4617d8242804d37", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "Organizational Controls", - "description": "Information security roles and responsibilities", - "identifier": "A.5.2", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-06-06 05:50:47.803" - }, { "id": "frk_rq_681ec1c23827a73da573301b", "frameworkId": "frk_681ebae2f29f0ab08eb802ec", @@ -324,103 +306,22 @@ "updatedAt": "2025-05-14 19:20:44.920" }, { - "id": "frk_rq_681ecca11f8e93d33110f582", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "4.1 Context of the organization", - "description": "Understanding the organization and its context", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681eccda0b0048baacc8384f", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "4.2 Context of the organization", - "description": "Needs & expectations of interested parties", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681eccf8ea16a6a8c71b2043", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "4.3 Context of the organization", - "description": "Determining the scope of the ISMS", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ecea78867657c2a877498", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "4.4 Context of the Organization", - "description": "Information security management system (establish, implement, maintain, and continually improve)", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ecec3bacaf5ec71310399", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "5.1 Leadership", - "description": "Leadership and commitment", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681eced25693b9ef01953cda", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "5.2 Leadership", - "description": "Information-security policy", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ecee267499cb4e89dd597", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "5.3 Leadership", - "description": "Organizational roles, responsibilities, and authorities", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ecf02da21ed278b8719a3", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "6.1.2 Planning", - "description": "Information-security risk assessment", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ecef18eb5fc1de4b36922", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "6.1.1 Planning", - "description": "Actions to address risks and opportunities – General", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ecf0edd81451c5d7f942e", + "id": "frk_rq_681ed173c4617d8242804d37", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "6.1.3 Planning", - "description": "Information-security risk treatment", - "identifier": "", + "name": "A.5.2 Organizational Controls", + "description": "Information security roles and responsibilities", + "identifier": "A.5.2", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:29.581" }, { - "id": "frk_rq_681ed058cb46f0ca43f4ac04", + "id": "frk_rq_681ed417c678d6e4a72ecc21", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "7.1 Support", - "description": "Resources", - "identifier": "", + "name": "A.6.4 People Controls ", + "description": "Disciplinary process", + "identifier": "A.6.4", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:29.986" }, { "id": "frk_rq_681ec056ca6c6a446a9592b5", @@ -612,967 +513,949 @@ "updatedAt": "2025-05-14 19:20:44.920" }, { - "id": "frk_rq_681ed06702eb40f21d9c3280", + "id": "frk_rq_681ecf0edd81451c5d7f942e", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "7.2 Support ", - "description": "Competence", - "identifier": "", + "name": "6.1.3 Planning", + "description": "Information-security risk treatment", + "identifier": "6.1.3 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-23 14:43:10.746" }, { - "id": "frk_rq_681ed079b20c266ed3bcae4e", + "id": "frk_rq_681ecea78867657c2a877498", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "7.3 Support", - "description": "Awareness", - "identifier": "", + "name": "4.4 Context of the Organization", + "description": "Information security management system (establish, implement, maintain, and continually improve)", + "identifier": "4.4 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:28.884" }, { - "id": "frk_rq_681ed083826218fefed135f7", + "id": "frk_rq_681ecec3bacaf5ec71310399", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "7.4 Support", - "description": "Communication", - "identifier": "", + "name": "5.1 Leadership", + "description": "Leadership and commitment", + "identifier": "5.1 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:29.283" }, { - "id": "frk_rq_681ed09f0d780a205029c6f8", + "id": "frk_rq_681ecef18eb5fc1de4b36922", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "7.5.1 Support", - "description": "Documented information – General", - "identifier": "", + "name": "6.1.1 Planning", + "description": "Actions to address risks and opportunities – General", + "identifier": "6.1.1 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-23 14:43:10.871" + }, + { + "id": "frk_rq_681eced25693b9ef01953cda", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "5.2 Leadership", + "description": "Information-security policy", + "identifier": "5.2 ", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 15:04:29.455" + }, + { + "id": "frk_rq_681ecf02da21ed278b8719a3", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "6.1.2 Planning", + "description": "Information-security risk assessment", + "identifier": "6.1.2 ", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-23 14:43:10.995" }, { "id": "frk_rq_681ed0aa105e90005119af94", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "7.5.2 Support", "description": "Documented information – Creating and updating", - "identifier": "", + "identifier": "7.5.2 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-23 14:43:11.194" + }, + { + "id": "frk_rq_681ed09f0d780a205029c6f8", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "7.5.1 Support", + "description": "Documented information – General", + "identifier": "7.5.1 ", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-23 14:43:11.323" + }, + { + "id": "frk_rq_681ed06702eb40f21d9c3280", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "7.2 Support ", + "description": "Competence", + "identifier": "7.2 ", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-23 14:43:12.075" + }, + { + "id": "frk_rq_681ed058cb46f0ca43f4ac04", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "7.1 Support", + "description": "Resources", + "identifier": "7.1 ", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-23 14:43:11.909" + }, + { + "id": "frk_rq_681ed079b20c266ed3bcae4e", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "7.3 Support", + "description": "Awareness", + "identifier": "7.3 ", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-23 14:43:11.782" + }, + { + "id": "frk_rq_681ed083826218fefed135f7", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "7.4 Support", + "description": "Communication", + "identifier": "7.4", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-23 14:43:11.590" }, { "id": "frk_rq_681ed0bfb77656558d34e07c", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "7.5.3 Support", "description": "Documented information – Control of documented information", - "identifier": "", + "identifier": "7.5.3 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-23 14:43:11.453" + }, + { + "id": "frk_rq_681ed0f93b445441d7092481", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "8.3 Operation", + "description": "Information security risk treatment (operational)", + "identifier": "8.3", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 14:59:48.552" }, { "id": "frk_rq_681ed0d7a55af6c0b644188b", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "8.1 Operation", "description": "Operational planning and control", - "identifier": "", + "identifier": "8.1", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 14:59:48.680" }, { "id": "frk_rq_681ed0e87f1d7e373d990d48", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "8.2 Operation", "description": "Information security risk assessment (operational)", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ed0f93b445441d7092481", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "8.3 Operation", - "description": "Information security risk treatment (operational)", - "identifier": "", + "identifier": "8.2", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 14:59:48.795" }, { "id": "frk_rq_681ed1090eab65d82db8ba3e", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "9.1.1 Performance", "description": "Evaluation Monitoring, measurement, analysis and evaluation – General", - "identifier": "", + "identifier": "9.1.1", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 14:59:48.960" }, { "id": "frk_rq_681ed11ec29b25b1192e96f6", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "9.1.2 Performance ", + "name": "9.1.2 Performance", "description": "Evaluation Evaluation of compliance", - "identifier": "", + "identifier": "9.1.2", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 14:59:49.088" }, { "id": "frk_rq_681ed1295a639db1210e9237", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "9.2 Performance", "description": "Evaluation Internal audit", - "identifier": "", + "identifier": "9.2", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 14:59:49.227" + }, + { + "id": "frk_rq_681ed1525f18dab66c1a2203", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": " 10.2 Improvement ", + "description": "Continual improvement", + "identifier": "10.2", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 15:04:28.941" }, { "id": "frk_rq_681ed13272f6276ce54c2e23", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "9.3 Performance", "description": "Evaluation Management review", - "identifier": "", + "identifier": "9.3", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 14:59:49.431" }, { - "id": "frk_rq_681ed1433a712ae09dc7633b", + "id": "frk_rq_681ed2170cb1b15f842b6f6d", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "10.1 Improvement ", - "description": "Nonconformity and corrective action", - "identifier": "", + "name": "A.5.11 Organizational Controls ", + "description": "Return of assets", + "identifier": "A.5.11", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 14:59:49.659" }, { - "id": "frk_rq_681ed1525f18dab66c1a2203", + "id": "frk_rq_681ed2229fa221e338501d51", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "10.2 Improvement ", - "description": "Continual improvement", - "identifier": "", + "name": "A.5.12 Organizational Controls", + "description": "Classification of information", + "identifier": "A.5.12 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 14:59:49.779" }, { - "id": "frk_rq_681ed16583aa68b76c80917a", + "id": "frk_rq_681ed2314f568a3e5c3f1fbf", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.5.1 Organizational Controls ", - "description": "Policies for information security", - "identifier": "", + "name": "A.5.13 Organizational Controls", + "description": "Labelling of information", + "identifier": "A.5.13 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 14:59:49.999" }, { - "id": "frk_rq_681ed1946de8b1beb5d5b987", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.5.4 Organizational Controls", - "description": "Management responsibilities", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ed17f36423e887ec130f6", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "Organizational Controls", - "description": "Segregation of duties", - "identifier": "A.5.3", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-06-06 05:51:55.783" - }, - { - "id": "frk_rq_681ed1ac19e3e7e1aef48517", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.5.5 Organizational Controls ", - "description": "Contact with authorities", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ed1d5f29a33fa8735d51c", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.5.6 Organizational Controls", - "description": "Contact with special interest groups", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ed1e1ad96b7f5e1659cab", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.5.7 Organizational Controls", - "description": "Threat intelligence", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ed1f09741eeebee147fcb", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.5.8 Organizational Controls", - "description": "Information security in project management", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ed1fe624cd14c34876ee8", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.5.9 Organizational Controls ", - "description": "Inventory of information and other associated assets", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ed20a3f7335dd1ec64b6c", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.5.10 Organizational Controls", - "description": "Acceptable use of information and other associated assets", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ed2170cb1b15f842b6f6d", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.5.11 Organizational Controls ", - "description": "Return of assets", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ed2229fa221e338501d51", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.5.12 Organizational Controls", - "description": "Classification of information", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ed2314f568a3e5c3f1fbf", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.5.13 Organizational Controls", - "description": "Labelling of information", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ed23c61c97af7967b50c2", + "id": "frk_rq_681ed23c61c97af7967b50c2", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.14 Organizational Controls", "description": "Information transfer", - "identifier": "", + "identifier": "A.5.14", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 14:59:50.099" }, { "id": "frk_rq_681ed24aa0809f09c4d22256", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.15 Organizational Controls", "description": "Access control", - "identifier": "", + "identifier": "A.5.15 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 14:59:50.215" }, { "id": "frk_rq_681ed261918bb47df6590dac", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.16 Organizational Controls", "description": "Identity management", - "identifier": "", + "identifier": "A.5.16", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 14:59:50.343" }, { "id": "frk_rq_681ed277348377c5b5f81649", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.17 Organizational Controls", "description": "Authentication information", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ed2893326942f0ac88d81", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.5.18 Organizational Controls", - "description": "Access rights", - "identifier": "", + "identifier": "A.5.17", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ed29613b703c7f368ffdc", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.5.19 Organizational Controls ", - "description": "Information security in supplier relationships", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 14:59:50.527" }, { "id": "frk_rq_681ed2a8bda2e236fbc46492", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.20 Organizational Controls ", "description": "Addressing information security within supplier agreements\r\n", - "identifier": "", + "identifier": "A.5.20", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:30.313" }, { "id": "frk_rq_681ed2be08112d94334bd319", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.21 Organizational Controls", "description": "Managing information security in the ICT supply chain", - "identifier": "", + "identifier": "A.5.21 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:30.509" }, { "id": "frk_rq_681ed2c844494f7d1b01fa45", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.22 Organizational Controls", "description": "Monitoring, review and change management of supplier services", - "identifier": "", + "identifier": "A.5.22", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:30.654" }, { "id": "frk_rq_681ed2e32d00654588c5103f", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.23 Organizational Controls", "description": "Information security for use of cloud services", - "identifier": "", + "identifier": "A.5.23", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:30.776" }, { "id": "frk_rq_681ed2f378d4fbe2e39f5f76", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.24 Organizational Controls", "description": "Information security incident management responsibilities and procedures", - "identifier": "", + "identifier": "A.5.24 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:31.001" + }, + { + "id": "frk_rq_681ed2893326942f0ac88d81", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "A.5.18 Organizational Controls", + "description": "Access rights", + "identifier": "A.5.18", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 15:04:29.807" }, { "id": "frk_rq_681ed30003a95e3808397d6d", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.25 Organizational Controls", "description": "Assessment and decision on information security events", - "identifier": "", + "identifier": "A.5.25", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:31.140" }, { "id": "frk_rq_681ed3455f6b6695283a7c72", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.26 Organizational Controls ", "description": "Response to information security incidents", - "identifier": "", + "identifier": "A.5.26 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:31.351" }, { "id": "frk_rq_681ed35d6330398a089100c1", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.27 Organizational Controls", "description": "Learning from information security incidents", - "identifier": "", + "identifier": "A.5.27", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:31.560" }, { "id": "frk_rq_681ed36f9d1446b067a4990d", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.28 Organizational Controls ", "description": "Collection of evidence", - "identifier": "", + "identifier": "A.5.28", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:31.721" }, { "id": "frk_rq_681ed37df872af70c5430e7f", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.29 Organizational Controls ", "description": "Information security during disruption", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ed38c0abdd2731880fa6e", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.5.30 Organizational Controls", - "description": "ICT readiness for business continuity", - "identifier": "", + "identifier": "A.5.29", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:31.881" }, { "id": "frk_rq_681ed39e1c2f759d433992a7", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.31 Organizational Controls ", "description": "Legal, statutory, regulatory and contractual requirements", - "identifier": "", + "identifier": "A.5.31 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:32.270" }, { "id": "frk_rq_681ed3ad17d5f7844774977a", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.32 Organizational Controls", "description": "Intellectual property rights", - "identifier": "", + "identifier": "A.5.32", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:32.418" }, { "id": "frk_rq_681ed3b87e88e0a249c2098a", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.33 Organizational Controls", "description": "Protection of records", - "identifier": "", + "identifier": "A.5.33 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:32.627" }, { "id": "frk_rq_681ed3c23adb2d4461dc09da", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.34 Organizational Controls", "description": "Privacy and protection of personally identifiable information (PII)", - "identifier": "", + "identifier": "A.5.34", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:32.764" }, { "id": "frk_rq_681ed3d0342b5d531935cd62", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.35 Organizational Controls ", "description": "Independent review of information security", - "identifier": "", + "identifier": "A.5.35 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:32.900" }, { "id": "frk_rq_681ed3dc1663fa62052ef548", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.36 Organizational Controls", "description": "Compliance with policies, rules and standards for information security", - "identifier": "", + "identifier": "A.5.36", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:33.101" }, { "id": "frk_rq_681ed3e78e9b73cb6b279906", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.5.37 Organizational Controls ", "description": "Documented operating procedures", - "identifier": "", + "identifier": "A.5.37", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:33.241" + }, + { + "id": "frk_rq_681ed1946de8b1beb5d5b987", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "A.5.4 Organizational Controls", + "description": "Management responsibilities", + "identifier": "A.5.4", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 15:04:33.378" + }, + { + "id": "frk_rq_681ed1ac19e3e7e1aef48517", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "A.5.5 Organizational Controls ", + "description": "Contact with authorities", + "identifier": "A.5.5 ", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 15:04:33.630" + }, + { + "id": "frk_rq_681ed1d5f29a33fa8735d51c", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "A.5.6 Organizational Controls", + "description": "Contact with special interest groups", + "identifier": "\t A.5.6 ", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 15:04:33.774" + }, + { + "id": "frk_rq_681ed1e1ad96b7f5e1659cab", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "A.5.7 Organizational Controls", + "description": "Threat intelligence", + "identifier": "A.5.7", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 15:04:33.924" + }, + { + "id": "frk_rq_681ed1f09741eeebee147fcb", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "A.5.8 Organizational Controls", + "description": "Information security in project management", + "identifier": "A.5.8", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 15:04:34.142" + }, + { + "id": "frk_rq_681ed1fe624cd14c34876ee8", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "A.5.9 Organizational Controls ", + "description": "Inventory of information and other associated assets", + "identifier": "A.5.9 ", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 15:04:34.302" }, { "id": "frk_rq_681ed3f78f28fba67dedc302", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.6.1 People Controls", "description": "Screening", - "identifier": "", + "identifier": "A.6.1 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:34.434" }, { "id": "frk_rq_681ed40ec3b505552b76ce5f", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.6.3 People Controls", "description": "Information security awareness, education and training", - "identifier": "", + "identifier": "A.6.3 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:24.893" }, { "id": "frk_rq_681ed423b43ec990bbd5f3b5", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.6.5 People Controls ", "description": "Responsibilities after termination or change of employment", - "identifier": "", + "identifier": "A.6.5", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:24.978" }, { "id": "frk_rq_681ed4316c72a80ff5d1fdc6", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.6.6 People Controls ", "description": "Confidentiality or nondisclosure agreements", - "identifier": "", + "identifier": "A.6.6 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:25.046" }, { "id": "frk_rq_681ed43f84399c54accb82b9", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.6.7 People Controls", "description": "Remote working", - "identifier": "", + "identifier": "A.6.7 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:25.121" }, { "id": "frk_rq_681ed448a7cfe00afd2b0a19", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.6.8 People Controls", "description": "Information security event reporting", - "identifier": "", + "identifier": "A.6.8", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:25.229" }, { "id": "frk_rq_681ed45b92c3b3f329d3858f", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.7.1 Physical Controls", "description": "Physical security perimeters", - "identifier": "", + "identifier": "A.7.1", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:25.751" }, { - "id": "frk_rq_681ed46ff23ef8614d7f3042", + "id": "frk_rq_681ed16583aa68b76c80917a", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.7.2 Physical Controls", - "description": "Physical entry", - "identifier": "", + "name": "A.5.1 Organizational Controls ", + "description": "Policies for information security", + "identifier": "A.5.1 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:30.198" }, { - "id": "frk_rq_681ed47bac3dee3588290b04", + "id": "frk_rq_681ed17f36423e887ec130f6", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.7.3 Physical Controls", - "description": "Securing offices, rooms and facilities", - "identifier": "", + "name": "A.5.3 Organizational Controls", + "description": "Segregation of duties", + "identifier": "A.5.3", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:29.689" }, { - "id": "frk_rq_681ed48f152068a490f317ac", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.7.4 Physical Controls", - "description": "Physical security monitoring", + "id": "frk_rq_681ef765ac1d9ef5ccf5d716", + "frameworkId": "frk_681ef4bb8eeb2b60d2d9d187", + "name": "1.4.1 Network connections between trusted and untrusted networks are controlled.", + "description": "1.4.1 NSCs are implemented between trusted and untrusted networks.\r\n", "identifier": "", "createdAt": "2025-05-14 19:20:44.920", "updatedAt": "2025-05-14 19:20:44.920" }, { - "id": "frk_rq_681ed61f357c7bf776300aa7", + "id": "frk_rq_681ed6afecd253fe6c3c060a", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.7.5 Physical Controls", - "description": "Protecting against physical and environmental threats", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ed62a1ad145f4554d4068", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.7.6 Physical Controls", - "description": "Working in secure areas", - "identifier": "", + "name": "A.8.3 Technological Controls", + "description": "Information access restriction", + "identifier": "A.8.3 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-23 14:43:12.562" }, { - "id": "frk_rq_681ed6347b1e6eea717482ca", + "id": "frk_rq_681ed6c7eee985561d1f4d9b", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.7.7 Physical Controls", - "description": "Clear desk and clear screen", - "identifier": "", + "name": "A.8.5 Technological Controls ", + "description": "Secure authentication", + "identifier": "A.8.5 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-23 14:43:13.083" }, { - "id": "frk_rq_681ed6497c1e390fe89f0dfa", + "id": "frk_rq_681ed6dc2a941d8ed887fa01", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.7.8 Physical Controls", - "description": "Equipment siting and protection", - "identifier": "", + "name": "A.8.7 Technological Controls ", + "description": "Protection against malware\r\n", + "identifier": "A.8.7", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-23 14:43:12.855" }, { - "id": "frk_rq_681ed651d81e6c51934134bc", + "id": "frk_rq_681ed6eab8348ae42e9622d2", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.7.9 Physical Controls", - "description": "Security of assets off-premises", - "identifier": "", + "name": "A.8.8 Technological Controls", + "description": "Management of technical vulnerabilities", + "identifier": "A.8.8", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-23 14:43:12.464" }, { - "id": "frk_rq_681ed65bb490440ea4f3b552", + "id": "frk_rq_681ed6d277a609269207598d", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.7.10 Physical Controls", - "description": "Storage media", - "identifier": "", + "name": "A.8.6 Technological Controls ", + "description": "Capacity management", + "identifier": "A.8.6", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-23 14:43:12.763" }, { "id": "frk_rq_681ed663b850258024b0b236", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.7.11 Physical Controls", "description": "Supporting utilities", - "identifier": "", + "identifier": "A.7.11 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:25.382" }, { - "id": "frk_rq_681ed66d77af963d9763adeb", + "id": "frk_rq_681ed74124bbe51a72d0c154", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.7.12 Physical Controls", - "description": "Cabling security", - "identifier": "", + "name": "A.8.17 Technological Controls", + "description": "Clock synchronization", + "identifier": "A.8.17", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:26.970" }, { - "id": "frk_rq_681ed6761e8f45c900e60be3", + "id": "frk_rq_681ed80ab572359972e06ace", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.7.13 Physical Controls", - "description": "Equipment maintenance", - "identifier": "", + "name": "A.8.32 Technological Controls", + "description": "Change management", + "identifier": "A.8.32", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:28.488" }, { "id": "frk_rq_681ed686b626f985dac54c52", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.7.14 Physical Controls ", "description": " Secure disposal or reuse of equipment", - "identifier": "", + "identifier": "A.7.14 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ed69ce5f84cf315240f7a", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.1 Technological Controls", - "description": "User endpoint devices", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681ed6a5d1683d54c08f7084", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.2 Technological Controls", - "description": "Privileged access rights", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:25.596" }, { - "id": "frk_rq_681ed6afecd253fe6c3c060a", + "id": "frk_rq_681ed7ce83ab2029a9dc414c", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.3 Technological Controls", - "description": "Information access restriction", - "identifier": "", + "name": "A.8.28 Technological Controls", + "description": "Secure coding", + "identifier": "A.8.28", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:28.121" }, { - "id": "frk_rq_681ed6ba79910ff5b9c7d76f", + "id": "frk_rq_681ed47bac3dee3588290b04", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.4 Technological Controls", - "description": "Access to source code", - "identifier": "", + "name": "A.7.3 Physical Controls", + "description": "Securing offices, rooms and facilities", + "identifier": "A.7.3", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:25.884" }, { - "id": "frk_rq_681ed6c7eee985561d1f4d9b", + "id": "frk_rq_681ed813388d3297b3ed3e73", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.5 Technological Controls ", - "description": "Secure authentication", - "identifier": "", + "name": "A.8.33 Technological Controls", + "description": "Test information", + "identifier": "A.8.33", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:28.548" }, { - "id": "frk_rq_681ed6d277a609269207598d", + "id": "frk_rq_681ed6a5d1683d54c08f7084", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.6 Technological Controls ", - "description": "Capacity management", - "identifier": "", + "name": "A.8.2 Technological Controls", + "description": "Privileged access rights", + "identifier": "A.8.2 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:28.233" }, { - "id": "frk_rq_681ed6dc2a941d8ed887fa01", + "id": "frk_rq_681ed6347b1e6eea717482ca", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.7 Technological Controls ", - "description": "Protection against malware\r\n", - "identifier": "", + "name": "A.7.7 Physical Controls", + "description": "Clear desk and clear screen", + "identifier": "A.7.7", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:26.167" }, { - "id": "frk_rq_681ed6eab8348ae42e9622d2", + "id": "frk_rq_681ed6497c1e390fe89f0dfa", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.8 Technological Controls", - "description": "Management of technical vulnerabilities", - "identifier": "", + "name": "A.7.8 Physical Controls", + "description": "Equipment siting and protection", + "identifier": "A.7.8", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:26.284" }, { - "id": "frk_rq_681ed6f360678a6cf25345b2", + "id": "frk_rq_681ed651d81e6c51934134bc", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.9 Technological Controls", - "description": "Configuration management", - "identifier": "", + "name": "A.7.9 Physical Controls", + "description": "Security of assets off-premises", + "identifier": "A.7.9 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:26.356" }, { - "id": "frk_rq_681ed6fbb7447647d630bfac", + "id": "frk_rq_681ed6ba79910ff5b9c7d76f", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.10 Technological Controls", - "description": "Information deletion", - "identifier": "", + "name": "A.8.4 Technological Controls", + "description": "Access to source code", + "identifier": "A.8.4 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-23 14:43:12.356" }, { "id": "frk_rq_681ed70245119fe4e1943d4a", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.8.11 Technological Controls", "description": "Data masking", - "identifier": "", + "identifier": "A.8.11", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:26.488" }, { - "id": "frk_rq_681ed70cd5e3fc570dd75770", + "id": "frk_rq_681ed7901ab04aa5a1d27890", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.12 Technological Controls", - "description": "Data leakage prevention", - "identifier": "", + "name": "A.8.24 Technological Controls", + "description": "Use of cryptography", + "identifier": "A.8.24 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:27.880" }, { "id": "frk_rq_681ed713c378baffc34d25f5", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.8.13 Technological Controls", "description": "Information backup", - "identifier": "", + "identifier": "A.8.13", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:26.626" }, { - "id": "frk_rq_681ed71f9deddd61109308dd", + "id": "frk_rq_681ed7e50f718eb161dd5605", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.14 Technological Controls", - "description": "Redundancy of information-processing facilities", - "identifier": "", + "name": "A.8.31 Technological Controls", + "description": "Separation of development, test and production environments", + "identifier": "A.8.31 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:28.435" }, { "id": "frk_rq_681ed7326db82252ea6faa67", "frameworkId": "frk_681ecc34e85064efdbb76993", "name": "A.8.15 Technological Controls ", "description": "Logging", - "identifier": "", + "identifier": "A.8.15", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:26.845" }, { - "id": "frk_rq_681ed739dc6d14f4ad5d95d2", + "id": "frk_rq_681ed7b407395dfc68ff955d", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.16 Technological Controls", - "description": "Monitoring activities", - "identifier": "", + "name": "A.8.26 Technological Controls", + "description": "Application security requirements", + "identifier": "A.8.26 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:28.009" }, { - "id": "frk_rq_681ed74124bbe51a72d0c154", + "id": "frk_rq_681ed65bb490440ea4f3b552", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.17 Technological Controls", - "description": "Clock synchronization", - "identifier": "", + "name": "A.7.10 Physical Controls", + "description": "Storage media", + "identifier": "A.7.10", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:25.309" }, { - "id": "frk_rq_681ed748dab9fd6d58f20964", + "id": "frk_rq_681ed66d77af963d9763adeb", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.18 Technological Controls", - "description": "Use of privileged utility programs", - "identifier": "", + "name": "A.7.12 Physical Controls", + "description": "Cabling security", + "identifier": "A.7.12", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:25.451" }, { - "id": "frk_rq_681ed7532959ec62c8ae815c", + "id": "frk_rq_681ed6761e8f45c900e60be3", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.19 Technological Controls ", - "description": "Installation of software on operational systems", - "identifier": "", + "name": "A.7.13 Physical Controls", + "description": "Equipment maintenance", + "identifier": "A.7.13", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:25.520" }, { - "id": "frk_rq_681ed76e19cca49a6ac49bf8", + "id": "frk_rq_681ed69ce5f84cf315240f7a", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.20 Technological Controls", - "description": "Networks security", - "identifier": "", + "name": "A.8.1 Technological Controls", + "description": "User endpoint devices", + "identifier": "A.8.1", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:27.469" }, { - "id": "frk_rq_681ed7794b363009725bab5b", + "id": "frk_rq_681ed46ff23ef8614d7f3042", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.21 Technological Controls", - "description": "Security of network services", - "identifier": "", + "name": "A.7.2 Physical Controls", + "description": "Physical entry", + "identifier": "A.7.2", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:25.815" }, { - "id": "frk_rq_681ed781b79f824466be5394", + "id": "frk_rq_681ed48f152068a490f317ac", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.22 Technological Controls", - "description": "Segregation of networks", - "identifier": "", + "name": "A.7.4 Physical Controls", + "description": "Physical security monitoring", + "identifier": "A.7.4 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:25.953" }, { - "id": "frk_rq_681ed789b359f075b12e20c0", + "id": "frk_rq_681ed62a1ad145f4554d4068", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.23 Technological Controls", - "description": "Web filtering", - "identifier": "", + "name": "A.7.6 Physical Controls", + "description": "Working in secure areas", + "identifier": "A.7.6 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:26.087" }, { - "id": "frk_rq_681ed7901ab04aa5a1d27890", + "id": "frk_rq_681ed6fbb7447647d630bfac", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.24 Technological Controls", - "description": "Use of cryptography", - "identifier": "", + "name": "A.8.10 Technological Controls", + "description": "Information deletion", + "identifier": "A.8.10", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:26.422" }, { - "id": "frk_rq_681ed799ca7b40e2d8ed55ba", + "id": "frk_rq_681ed70cd5e3fc570dd75770", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.25 Technological Controls", - "description": "Secure development life cycle", - "identifier": "", + "name": "A.8.12 Technological Controls", + "description": "Data leakage prevention", + "identifier": "A.8.12", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:26.557" }, { - "id": "frk_rq_681ed7b407395dfc68ff955d", + "id": "frk_rq_681ed71f9deddd61109308dd", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.26 Technological Controls", - "description": "Application security requirements", - "identifier": "", + "name": "A.8.14 Technological Controls", + "description": "Redundancy of information-processing facilities", + "identifier": "A.8.14", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:26.784" }, { - "id": "frk_rq_681ed7c75e421b346480e046", + "id": "frk_rq_681ed739dc6d14f4ad5d95d2", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.27 Technological Controls", - "description": "Secure system architecture and engineering principles", - "identifier": "", + "name": "A.8.16 Technological Controls", + "description": "Monitoring activities", + "identifier": "A.8.16 ", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:26.910" }, { - "id": "frk_rq_681ed7ce83ab2029a9dc414c", + "id": "frk_rq_681ed748dab9fd6d58f20964", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.28 Technological Controls", - "description": "Secure coding", - "identifier": "", + "name": "A.8.18 Technological Controls", + "description": "Use of privileged utility programs", + "identifier": "A.8.18", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:27.305" }, { - "id": "frk_rq_681ed7d719388daff946a68d", + "id": "frk_rq_681ed76e19cca49a6ac49bf8", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.29 Technological Controls", - "description": "Security testing in development and acceptance", - "identifier": "", + "name": "A.8.20 Technological Controls", + "description": "Networks security", + "identifier": "A.8.20", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:27.539" }, { - "id": "frk_rq_681ed7de305465fe226fc39d", + "id": "frk_rq_681ed781b79f824466be5394", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.30 Technological Controls", - "description": "Outsourced development", - "identifier": "", + "name": "A.8.22 Technological Controls", + "description": "Segregation of networks", + "identifier": "A.8.22", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:27.673" }, { - "id": "frk_rq_681ef765ac1d9ef5ccf5d716", - "frameworkId": "frk_681ef4bb8eeb2b60d2d9d187", - "name": "1.4.1 Network connections between trusted and untrusted networks are controlled.", - "description": "1.4.1 NSCs are implemented between trusted and untrusted networks.\r\n", - "identifier": "", + "id": "frk_rq_681ed789b359f075b12e20c0", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "A.8.23 Technological Controls", + "description": "Web filtering", + "identifier": "A.8.23", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:27.823" }, { - "id": "frk_rq_681ed4019aa553be924ee291", + "id": "frk_rq_681ed799ca7b40e2d8ed55ba", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "People Controls", - "description": "Terms and conditions of employment", - "identifier": "A.6.2", + "name": "A.8.25 Technological Controls", + "description": "Secure development life cycle", + "identifier": "A.8.25", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-06-06 05:52:24.793" + "updatedAt": "2026-04-20 15:04:27.950" }, { - "id": "frk_rq_681ed7e50f718eb161dd5605", + "id": "frk_rq_681ed7c75e421b346480e046", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.31 Technological Controls", - "description": "Separation of development, test and production environments", - "identifier": "", + "name": "A.8.27 Technological Controls", + "description": "Secure system architecture and engineering principles", + "identifier": "A.8.27", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:28.063" }, { - "id": "frk_rq_681ed80ab572359972e06ace", + "id": "frk_rq_681ed7d719388daff946a68d", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.32 Technological Controls", - "description": "Change management", - "identifier": "", + "name": "A.8.29 Technological Controls", + "description": "Security testing in development and acceptance", + "identifier": "A.8.29", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:28.173" }, { - "id": "frk_rq_681ed813388d3297b3ed3e73", + "id": "frk_rq_681ed7de305465fe226fc39d", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.33 Technological Controls", - "description": "Test information", - "identifier": "", + "name": "A.8.30 Technological Controls", + "description": "Outsourced development", + "identifier": "A.8.30", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:28.372" }, { - "id": "frk_rq_681ed81d5e01d43ada52ffae", + "id": "frk_rq_681ed4019aa553be924ee291", "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "A.8.34 Technological Controls ", - "description": "Protection of information systems during audit and testing", - "identifier": "", + "name": "A.6.2 People Controls", + "description": "Terms and conditions of employment", + "identifier": "A.6.2", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-20 15:04:29.796" }, { "id": "frk_rq_681edd9def88a866a327ad94", @@ -1853,15 +1736,6 @@ "createdAt": "2025-06-03 23:24:37.378", "updatedAt": "2025-06-04 21:44:53.687" }, - { - "id": "frk_rq_681fe258330b292af74be717", - "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "General Rules", - "description": "General requirements\r\n\r\nEnsure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.", - "identifier": "164.306(a.1)", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-06-09 01:25:18.647" - }, { "id": "frk_rq_681ef78d507099efe7aff812", "frameworkId": "frk_681ef4bb8eeb2b60d2d9d187", @@ -1934,6 +1808,15 @@ "createdAt": "2025-05-14 19:20:44.920", "updatedAt": "2025-05-14 19:20:44.920" }, + { + "id": "frk_rq_681fe258330b292af74be717", + "frameworkId": "frk_681fdd150f59a1560a66c89a", + "name": "164.306(a.1) General Rules", + "description": "General requirements\r\n\r\nEnsure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.", + "identifier": "164.306(a.1)", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-24 14:59:00.986" + }, { "id": "frk_rq_681ef8f0554e8fe0b3598167", "frameworkId": "frk_681ef4bb8eeb2b60d2d9d187", @@ -2213,15 +2096,6 @@ "createdAt": "2025-06-03 23:27:11.134", "updatedAt": "2025-06-04 21:49:08.151" }, - { - "id": "frk_rq_681fe28e3e639ff197fed198", - "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "General Rules", - "description": "General requirements\r\n\r\nProtect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.", - "identifier": "164.306(a.3) ", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-06-09 01:25:28.675" - }, { "id": "frk_rq_681f8ef5d93571d7cecb629b", "frameworkId": "frk_681ef4bb8eeb2b60d2d9d187", @@ -2312,6 +2186,15 @@ "createdAt": "2025-05-14 19:20:44.920", "updatedAt": "2025-05-14 19:20:44.920" }, + { + "id": "frk_rq_681fe28e3e639ff197fed198", + "frameworkId": "frk_681fdd150f59a1560a66c89a", + "name": "164.306(a.3) General Rules", + "description": "General requirements\r\n\r\nProtect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.", + "identifier": "164.306(a.3)", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-24 14:58:59.950" + }, { "id": "frk_rq_681f9154f48ff5cf10d36b3d", "frameworkId": "frk_681ef4bb8eeb2b60d2d9d187", @@ -2429,15 +2312,6 @@ "createdAt": "2025-06-03 23:28:15.428", "updatedAt": "2025-06-04 21:50:49.364" }, - { - "id": "frk_rq_681fe27650feb9e1decf9b8e", - "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "General Rules", - "description": "General requirements\r\n\r\nProtect against any reasonably anticipated threats or hazards to the security or integrity of such information.", - "identifier": "164.306(a.2) ", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-06-09 01:25:41.971" - }, { "id": "frk_rq_681f9413f598932f058b541d", "frameworkId": "frk_681ef4bb8eeb2b60d2d9d187", @@ -2636,15 +2510,6 @@ "createdAt": "2025-05-14 19:20:44.920", "updatedAt": "2025-05-14 19:20:44.920" }, - { - "id": "frk_rq_681fe79871e99458f760abba", - "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.308(a.6.i) Administrative safeguards", - "description": "Standard: Security incident procedures. Implement policies and procedures to address security incidents.", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, { "id": "frk_rq_681f97339b56ff96c517d061", "frameworkId": "frk_681ef4bb8eeb2b60d2d9d187", @@ -3311,15 +3176,6 @@ "createdAt": "2025-05-14 19:20:44.920", "updatedAt": "2025-05-14 19:20:44.920" }, - { - "id": "frk_rq_681fe2c0b70c40a7af7538c1", - "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.306(a.4) General Rules", - "description": "General requirements\r\n\r\nEnsure compliance with this subpart by its workforce.", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, { "id": "frk_rq_68201502a79c88a0e564e122", "frameworkId": "frk_6820090a1653380dd386c5eb", @@ -4171,603 +4027,540 @@ "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.306(b.1) General Rules", "description": "Flexibility of approach\r\n\r\nCovered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.", - "identifier": "", + "identifier": "164.306(b.1)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:29.005" }, { "id": "frk_rq_681fe3516e9d623341576827", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.306(b.2) General Rules", "description": "Flexibility of approach.\r\n\r\nIn deciding which security measures to use, a covered entity or business associate must take into account the following factors:\r\n\r\n(i) The size, complexity, and capabilities of the covered entity or business associate.\r\n\r\n(ii) The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities.\r\n\r\n(iii) The costs of security measures.\r\n\r\n(iv) The probability and criticality of potential risks to electronic protected health information.", - "identifier": "", + "identifier": "164.306(b.2)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:29.432" }, { "id": "frk_rq_681fe373eec04bb563a58ebc", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.306(c) General Rules", "description": "Standards. \r\n\r\nA covered entity or business associate must comply with the applicable standards as provided in this section and in §§ 164.308, 164.310, 164.312, 164.314 and 164.316 with respect to all electronic protected health information.", - "identifier": "", + "identifier": "164.306(c)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:29.853" }, { "id": "frk_rq_681fe3bfba9f2b5679d07384", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.306(d.1) General Rules", "description": "Implementation specifications\r\n\r\nImplementation specifications are required or addressable. If an implementation specification is required, the word “Required” appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word “Addressable” appears in parentheses after the title of the implementation specification", - "identifier": "", + "identifier": "164.306(d.1)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:30.533" }, { "id": "frk_rq_681fe3e05e9443385b5f512a", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.306(d.2) General Rules", "description": "Implementation specifications\r\n\r\nWhen a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes required implementation specifications, a covered entity or business associate must implement the implementation specifications.", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681fe40489876e2fe301c757", - "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.306(d.3) General Rules", - "description": "Implementation specifications\r\n\r\nWhen a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes addressable implementation specifications, a covered entity or business associate must—\r\n\r\n(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and\r\n\r\n(ii) As applicable to the covered entity or business associate—\r\n\r\n(A) Implement the implementation specification if reasonable and appropriate; or\r\n\r\n(B) If implementing the implementation specification is not reasonable and appropriate—\r\n\r\n$(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and\r\n\r\n$(2) Implement an equivalent alternative measure if reasonable and appropriate.", - "identifier": "", + "identifier": "164.306(d.2)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:30.986" }, { "id": "frk_rq_681fe413d1788e6d2a2e0e70", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.306(e) General Rules", "description": "Maintenance. \r\n\r\nA covered entity or business associate must review and modify the security measures implemented under this subpart as needed to continue provision of reasonable and appropriate protection of electronic protected health information, and update documentation of such security measures in accordance with § 164.316(b)(2)(iii).", - "identifier": "", + "identifier": "164.306(e)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:31.808" }, { "id": "frk_rq_681fe4f2409a61f406391e27", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.1.i) Administrative safeguards", "description": "Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.", - "identifier": "", + "identifier": "164.308(a.1.i)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:32.244" }, { "id": "frk_rq_681fe50a602bee19cc6c58de", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.1.ii.A) Administrative safeguards", "description": "Risk analysis (Required). \r\n\r\nConduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.", - "identifier": "", + "identifier": "164.308(a.1.ii.A)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:32.600" }, { "id": "frk_rq_681fe525546b5f5cbaa4caba", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.1.ii.B) Administrative safeguards", "description": "Risk management (Required). \r\n\r\nImplement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).", - "identifier": "", + "identifier": "164.308(a.1.ii.B)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:33.000" }, { "id": "frk_rq_681fe539da6767ccaa42fd4f", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.1.ii.C) Administrative safeguards", "description": "Sanction policy (Required). \r\n\r\nApply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.", - "identifier": "", + "identifier": "164.308(a.1.ii.C)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:33.359" }, { "id": "frk_rq_681fe5585124a63c27427588", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.1.ii.D) Administrative safeguards", "description": "Information system activity review (Required). \r\n\r\nImplement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.", - "identifier": "", + "identifier": "164.308(a.1.ii.D)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:33.719" }, { "id": "frk_rq_681fe569c808990634c7168b", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.2) Administrative safeguards", "description": "Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.", - "identifier": "", + "identifier": "164.308(a.2)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:34.151" }, { "id": "frk_rq_681fe58b5d73fb1379508c93", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.3.i) Administrative safeguards", "description": "Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.", - "identifier": "", + "identifier": "164.308(a.3.i)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:34.565" }, { "id": "frk_rq_681fe5b24ae8db1cf3743db7", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.3.ii.A) Administrative safeguards", "description": "Implementation specifications:\r\n\r\nAuthorization and/or supervision (Addressable). \r\n\r\nImplement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.", - "identifier": "", + "identifier": "164.308(a.3.ii.A)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:34.927" }, { "id": "frk_rq_681fe614fa8f4da199b1ab38", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.3.ii.B) Administrative safeguards", "description": "Workforce clearance procedure (Addressable). \r\n\r\nImplement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.", - "identifier": "", + "identifier": "164.308(a.3.ii.B)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:35.311" }, { "id": "frk_rq_681fe62d157ad538df0ac0b7", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.3.ii.C) Administrative safeguards", "description": "Termination procedures (Addressable). \r\n\r\nImplement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681fe75f468516745997ca4f", - "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.308(a.5.ii.D) Administrative safeguards", - "description": "Password management (Addressable). \r\n\r\nProcedures for creating, changing, and safeguarding passwords.", - "identifier": "", + "identifier": "164.308(a.3.ii.C)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:35.896" }, { "id": "frk_rq_681fe6440866ea8f5cc73562", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.4.i) Administrative safeguards", "description": "Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.", - "identifier": "", + "identifier": "164.308(a.4.i)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:36.283" }, { "id": "frk_rq_681fe694c60456dba73c3560", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.4.ii.A) Administrative safeguards", "description": "Isolating health care clearinghouse functions (Required). \r\n\r\nIf a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.", - "identifier": "", + "identifier": "164.308(a.4.ii.A)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:36.726" }, { "id": "frk_rq_681fe6aaee3cfefbf52d714e", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.4.ii.B) Administrative safeguards", "description": "Access authorization (Addressable). \r\n\r\nImplement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.", - "identifier": "", + "identifier": "164.308(a.4.ii.B)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:37.112" }, { "id": "frk_rq_681fe6bfe73e1970fc679d5d", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.4.ii.C) Administrative safeguards", "description": "Access establishment and modification (Addressable). \r\n\r\nImplement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.", - "identifier": "", + "identifier": "164.308(a.4.ii.C)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:37.755" }, { "id": "frk_rq_681fe6d4eca9ce895d67b372", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.5.i) Administrative safeguards", "description": "Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).", - "identifier": "", + "identifier": "164.308(a.5.i)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:38.232" }, { "id": "frk_rq_681fe6e799239e3a7cbe2dec", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.5.ii.A) Administrative safeguards", "description": "Security reminders (Addressable). \r\n\r\nPeriodic security updates.", - "identifier": "", + "identifier": "164.308(a.5.ii.A)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:38.661" }, { - "id": "frk_rq_681fe7022814f2d467948e70", + "id": "frk_rq_681fe75f468516745997ca4f", "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.308(a.5.ii.B) Administrative safeguards", - "description": "Protection from malicious software (Addressable). \r\n\r\nProcedures for guarding against, detecting, and reporting malicious software.", - "identifier": "", + "name": "164.308(a.5.ii.D) Administrative safeguards", + "description": "Password management (Addressable). \r\n\r\nProcedures for creating, changing, and safeguarding passwords.", + "identifier": "164.308(a.5.ii.D)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:39.860" }, { "id": "frk_rq_681fe74bab9fd5739de31a2c", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.5.ii.C) Administrative safeguards", "description": "Log-in monitoring (Addressable).\r\n\r\n Procedures for monitoring log-in attempts and reporting discrepancies.", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681fe7b3f5e3ea69698e52e2", - "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.308(a.6.ii) Administrative safeguards", - "description": "Implementation specification: Response and reporting (Required). \r\n\r\nIdentify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.", - "identifier": "", + "identifier": "164.308(a.5.ii.C)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:39.402" }, { "id": "frk_rq_681fe7e322489db98e7f3c1d", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.7.i) Administrative safeguards", "description": "Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.", - "identifier": "", + "identifier": "164.308(a.7.i)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:41.021" }, { "id": "frk_rq_681fe7f6eb651bd238597fff", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.7.ii.A) Administrative safeguards", "description": "Data backup plan (Required). \r\n\r\nEstablish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.", - "identifier": "", + "identifier": "164.308(a.7.ii.A)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:41.443" }, { "id": "frk_rq_681fe82f9caaf24857c1aabc", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.7.ii.B) Administrative safeguards", "description": "Disaster recovery plan (Required). \r\n\r\nEstablish (and implement as needed) procedures to restore any loss of data.", - "identifier": "", + "identifier": "164.308(a.7.ii.B)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:41.795" }, { "id": "frk_rq_681fe841094784b88791952e", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.7.ii.c) Administrative safeguards", "description": "Emergency mode operation plan (Required). \r\n\r\nEstablish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.", - "identifier": "", + "identifier": "164.308(a.7.ii.c)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:42.239" }, { "id": "frk_rq_681fe8577f4153ab83dbedf2", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.7.ii.D) Administrative safeguards", "description": "Testing and revision procedures (Addressable). \r\n\r\nImplement procedures for periodic testing and revision of contingency plans.", - "identifier": "", + "identifier": "164.308(a.7.ii.D)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:42.599" }, { "id": "frk_rq_681fe8697bff206f287d79cb", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.7.ii.E) Administrative safeguards", "description": "Applications and data criticality analysis (Addressable). \r\n\r\nAssess the relative criticality of specific applications and data in support of other contingency plan components.", - "identifier": "", + "identifier": "164.308(a.7.ii.E)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:43.002" }, { "id": "frk_rq_681fe87de28c10ea32f74832", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(a.8) Administrative safeguards", "description": "Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.", - "identifier": "", + "identifier": "164.308(a.8)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:43.354" }, { "id": "frk_rq_681fe89fa3aa895de49e995e", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(b.1) Administrative safeguards", "description": "Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.", - "identifier": "", + "identifier": "164.308(b.1)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:43.770" }, { "id": "frk_rq_681fe8aa3d80a91789ce36c6", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(b.2) Administrative safeguards", "description": "A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information.", - "identifier": "", + "identifier": "164.308(b.2)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:44.132" }, { "id": "frk_rq_681fe8b819b58da63cf250ac", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.308(b.3) Administrative safeguards", "description": "Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).", - "identifier": "", + "identifier": "164.308(b.3)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:44.534" }, { "id": "frk_rq_681fe90ba7477425a75f2993", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.310(a.1) Physical Safeguards", "description": "Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.", - "identifier": "", + "identifier": "164.310(a.1)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:44.892" }, { "id": "frk_rq_681fe9465c707c6339b9b335", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.310(a.2.iii) Physical Safeguards", "description": "Access control and validation procedures (Addressable). \r\n\r\nImplement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.", - "identifier": "", + "identifier": "164.310(a.2.iii)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:45.231" }, { "id": "frk_rq_681fe936fa81524e6aeca7c5", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.310(a.2.ii) Physical Safeguards", "description": "Facility security plan (Addressable). \r\n\r\nImplement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.", - "identifier": "", + "identifier": "164.310(a.2.ii)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:45.624" }, { "id": "frk_rq_681fe924a5f99c526e7a2e01", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.310(a.2.i) Physical Safeguards", "description": "Contingency operations (Addressable). \r\n\r\nEstablish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.", - "identifier": "", + "identifier": "164.310(a.2.i)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:45.950" }, { "id": "frk_rq_681fe96d757fb6b5c75cdf76", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.310(a.2.iv) Physical Safeguards", "description": "Maintenance records (Addressable).\r\n\r\nImplement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).", - "identifier": "", + "identifier": "164.310(a.2.iv)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:46.306" }, { "id": "frk_rq_681fe9fd7f224842eb9fe789", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.310(b) Physical Safeguards", "description": "Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.", - "identifier": "", + "identifier": "164.310(b)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:46.731" }, { "id": "frk_rq_681fea0bfcdec41171d7a60c", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.310(c) Physical Safeguards", "description": "Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.", - "identifier": "", + "identifier": "164.310(c)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:47.162" }, { - "id": "frk_rq_681fea1b35a991691d685345", - "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.310(d.1) Physical Safeguards", - "description": "Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.", + "id": "frk_rq_6820152ff0073eb0c67d97bf", + "frameworkId": "frk_6820090a1653380dd386c5eb", + "name": "GV.RM-01 Risk Management Strategy", + "description": "Risk-management objectives are established and agreed to by organizational stakeholders", "identifier": "", "createdAt": "2025-05-14 19:20:44.920", "updatedAt": "2025-05-14 19:20:44.920" }, { - "id": "frk_rq_681fea2c2d9331380c8b215f", - "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.310(d.1.i) Physical Safeguards", - "description": "Disposal (Required). \r\n\r\nImplement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_6820152ff0073eb0c67d97bf", - "frameworkId": "frk_6820090a1653380dd386c5eb", - "name": "GV.RM-01 Risk Management Strategy", - "description": "Risk-management objectives are established and agreed to by organizational stakeholders", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681fea39308dba0a946b8ec8", + "id": "frk_rq_681fea39308dba0a946b8ec8", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.310(d.1.ii) Physical Safeguards", "description": "Media re-use (Required). \r\n\r\nImplement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.", - "identifier": "", + "identifier": "164.310(d.1.ii)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:48.031" }, { - "id": "frk_rq_681fea4735996fcd17f711bb", + "id": "frk_rq_681fea2c2d9331380c8b215f", "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.310(d.1.iii) Physical Safeguards", - "description": "Accountability (Addressable). \r\n\r\nMaintain a record of the movements of hardware and electronic media and any person responsible therefore", - "identifier": "", + "name": "164.310(d.1.i) Physical Safeguards", + "description": "Disposal (Required). \r\n\r\nImplement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.", + "identifier": "164.310(d.1.i)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:48.413" }, { "id": "frk_rq_681fea57826a6f30eba2db5c", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.310(d.1.iv) Physical Safeguards", "description": "Data backup and storage (Addressable). \r\n\r\nCreate a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.", - "identifier": "", + "identifier": "164.310(d.1.iv)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:48.824" }, { "id": "frk_rq_681fea884bc3d8ebe8856b10", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.312(a.1) Technical Safeguards", "description": "Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).", - "identifier": "", + "identifier": "164.312(a.1)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:49.619" }, { - "id": "frk_rq_681feaa7f3753839388472a6", + "id": "frk_rq_681feac2b1123600caf4bb93", "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.312(a.2.i) Technical Safeguards", - "description": "Unique user identification (Required). \r\n\r\nAssign a unique name and/or number for identifying and tracking user identity.", - "identifier": "", + "name": "164.312(a.2.iii) Technical Safeguards", + "description": "Automatic logoff (Addressable). \r\n\r\nImplement electronic procedures that terminate an electronic session after a predetermined time of inactivity.", + "identifier": "164.312(a.2.iii)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:49.955" }, { "id": "frk_rq_681feab50d2c7e307828a563", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.312(a.2.ii) Technical Safeguards", "description": "Emergency access procedure (Required). \r\n\r\nEstablish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.", - "identifier": "", + "identifier": "164.312(a.2.ii)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:50.408" }, { - "id": "frk_rq_681feac2b1123600caf4bb93", + "id": "frk_rq_681feaa7f3753839388472a6", "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.312(a.2.iii) Technical Safeguards", - "description": "Automatic logoff (Addressable). \r\n\r\nImplement electronic procedures that terminate an electronic session after a predetermined time of inactivity.", - "identifier": "", + "name": "164.312(a.2.i) Technical Safeguards", + "description": "Unique user identification (Required). \r\n\r\nAssign a unique name and/or number for identifying and tracking user identity.", + "identifier": "164.312(a.2.i)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:50.864" }, { "id": "frk_rq_681fead4ff2821e8f81aeba4", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.312(a.2.iv) Technical Safeguards", "description": "Encryption and decryption (Addressable).\r\n\r\nImplement a mechanism to encrypt and decrypt electronic protected health information.", - "identifier": "", + "identifier": "164.312(a.2.iv)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:51.239" }, { "id": "frk_rq_681feae44e7169c3144956be", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.312(b) Technical Safeguards", "description": "Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.", - "identifier": "", + "identifier": "164.312(b)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:51.647" }, { "id": "frk_rq_681feafc58012fcf85eb9c67", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.312(c.1) Technical Safeguards", "description": "Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.", - "identifier": "", + "identifier": "164.312(c.1)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:51.999" }, { "id": "frk_rq_681feb100a4680e507ae3c0b", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.312(c.2) Technical Safeguards", "description": "Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). \r\n\r\nImplement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.", - "identifier": "", + "identifier": "164.312(c.2)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:52.398" }, { "id": "frk_rq_681feb1fd6847a219b5379c4", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.312(d) Technical Safeguards", "description": "Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.", - "identifier": "", + "identifier": "164.312(d)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:52.750" }, { "id": "frk_rq_681feb2e8cd16f8cd6887c0f", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.312(e.1) Technical Safeguards", "description": "Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681feb3ed01dfe41d1902a2b", - "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.312(e.2.i) Technical Safeguards", - "description": "Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.", - "identifier": "", + "identifier": "164.312(e.1)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:53.113" }, { "id": "frk_rq_681feb51b84ba0badd659fe4", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.312(e.2.ii) Technical Safeguards", "description": "Encryption (Addressable). \r\n\r\nImplement a mechanism to encrypt electronic protected health information whenever deemed appropriate.", - "identifier": "", + "identifier": "164.312(e.2.ii)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:53.551" }, { - "id": "frk_rq_681febd6a160cdcafacbc30a", + "id": "frk_rq_681feb3ed01dfe41d1902a2b", "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.314(a.2.i) Organizational requirements.", - "description": "Business associate contracts. The contract must provide that the business associate will:\r\n\r\n(A) Comply with the applicable requirements of this subpart;\r\n\r\n(B) In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and\r\n\r\n(C) Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410.", - "identifier": "", + "name": "164.312(e.2.i) Technical Safeguards", + "description": "Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.", + "identifier": "164.312(e.2.i)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:53.963" }, { "id": "frk_rq_681feb8df6c8f41d44a9e287", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.314(a.1) Organizational requirements.", "description": "Standard: Business associate contracts or other arrangements. The contract or other arrangement required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.", - "identifier": "", + "identifier": "164.314(a.1)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:54.331" }, { "id": "frk_rq_681febf659324baa56a6a189", "frameworkId": "frk_681fdd150f59a1560a66c89a", "name": "164.314(a.2.ii) Organizational requirements.", "description": "Other arrangements. The covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3).", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681fec08c1179a2bfe677069", - "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.314(a.2.iii) Organizational requirements.", - "description": "Business associate contracts with subcontractors. The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.", - "identifier": "", + "identifier": "164.314(a.2.ii)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:55.123" }, { - "id": "frk_rq_681fec1b32de927d4dbeb093", + "id": "frk_rq_681febd6a160cdcafacbc30a", "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.314(b.1) Organizational requirements.", - "description": "Standard: Requirements for group health plans. Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to § 164.504(f)(1)(ii) or (iii), or as authorized under § 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.", - "identifier": "", + "name": "164.314(a.2.i) Organizational requirements.", + "description": "Business associate contracts. The contract must provide that the business associate will:\r\n\r\n(A) Comply with the applicable requirements of this subpart;\r\n\r\n(B) In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and\r\n\r\n(C) Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410.", + "identifier": "164.314(a.2.i)", "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" + "updatedAt": "2026-04-24 14:58:55.543" }, { "id": "frk_rq_68201513580cb5ac722431f7", @@ -4796,60 +4589,6 @@ "createdAt": "2025-05-14 19:20:44.920", "updatedAt": "2025-05-14 19:20:44.920" }, - { - "id": "frk_rq_681fec55c16831a6cd91f592", - "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.314(b.2) Organizational requirements.", - "description": "Implementation specifications (Required). \r\n\r\nThe plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to—\r\n\r\n(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;\r\n\r\n(ii) Ensure that the adequate separation required by § 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures;\r\n\r\n(iii) Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and\r\n\r\n(iv) Report to the group health plan any security incident of which it becomes aware.", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681fec804cec43ea81323332", - "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.316(a) Policies and procedures and documentation requirements.", - "description": "Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681fecb74a602ca1480b819a", - "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.316(b.1) Policies and procedures and documentation requirements.", - "description": "i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and\r\n\r\n(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681fecdb6b408ef4d3ce8e31", - "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.316(b.2.ii) Policies and procedures and documentation requirements.", - "description": "Availability (Required). \r\n\r\nMake documentation available to those persons responsible for implementing the procedures to which the documentation pertains.", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681fece9f29ff4dafccf7833", - "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "164.316(b.2.iii) Policies and procedures and documentation requirements.", - "description": "Updates (Required). \r\n\r\nReview documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.", - "identifier": "", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-05-14 19:20:44.920" - }, - { - "id": "frk_rq_681feccc0a6b9c390f81ccab", - "frameworkId": "frk_681fdd150f59a1560a66c89a", - "name": "Policies and procedures and documentation requirements.", - "description": "Time limit (Required). \r\n\r\nRetain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.", - "identifier": "164.316(b.2.i)", - "createdAt": "2025-05-14 19:20:44.920", - "updatedAt": "2025-06-09 02:39:22.626" - }, { "id": "frk_rq_682015381413ba5fc3abf704", "frameworkId": "frk_6820090a1653380dd386c5eb", @@ -4949,6 +4688,51 @@ "createdAt": "2025-05-14 19:20:44.920", "updatedAt": "2025-05-14 19:20:44.920" }, + { + "id": "frk_rq_681fec804cec43ea81323332", + "frameworkId": "frk_681fdd150f59a1560a66c89a", + "name": "164.316(a) Policies and procedures and documentation requirements.", + "description": "Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.", + "identifier": "164.316(a)", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-24 14:58:57.368" + }, + { + "id": "frk_rq_681fecb74a602ca1480b819a", + "frameworkId": "frk_681fdd150f59a1560a66c89a", + "name": "164.316(b.1) Policies and procedures and documentation requirements.", + "description": "i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and\r\n\r\n(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment", + "identifier": "164.316(b.1)", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-24 14:58:57.888" + }, + { + "id": "frk_rq_681fece9f29ff4dafccf7833", + "frameworkId": "frk_681fdd150f59a1560a66c89a", + "name": "164.316(b.2.iii) Policies and procedures and documentation requirements.", + "description": "Updates (Required). \r\n\r\nReview documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.", + "identifier": "164.316(b.2.iii)", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-24 14:58:58.378" + }, + { + "id": "frk_rq_681fecdb6b408ef4d3ce8e31", + "frameworkId": "frk_681fdd150f59a1560a66c89a", + "name": "164.316(b.2.ii) Policies and procedures and documentation requirements.", + "description": "Availability (Required). \r\n\r\nMake documentation available to those persons responsible for implementing the procedures to which the documentation pertains.", + "identifier": "164.316(b.2.ii)", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-24 14:58:58.926" + }, + { + "id": "frk_rq_681feccc0a6b9c390f81ccab", + "frameworkId": "frk_681fdd150f59a1560a66c89a", + "name": "164.316(b.2.i) Policies and procedures and documentation requirements.", + "description": "Time limit (Required). \r\n\r\nRetain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.", + "identifier": "164.316(b.2.i)", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-24 14:59:01.568" + }, { "id": "frk_rq_682015a011500bab38429cbb", "frameworkId": "frk_6820090a1653380dd386c5eb", @@ -6011,15 +5795,6 @@ "createdAt": "2025-05-14 19:20:44.920", "updatedAt": "2025-05-14 19:20:44.920" }, - { - "id": "frk_rq_683f316954a237019ca60e26", - "frameworkId": "frk_683f3102f9ae801df35d47b4", - "name": "CC1", - "description": "CC1 SOC 2", - "identifier": "CC1", - "createdAt": "2025-06-03 17:31:21.379", - "updatedAt": "2025-06-03 17:31:21.379" - }, { "id": "frk_rq_6820cd0c33c6d0b792d7ad32", "frameworkId": "frk_6820c8b318a6d88bf2c4586d", @@ -6821,15 +6596,6 @@ "createdAt": "2025-05-14 19:20:44.920", "updatedAt": "2025-05-14 19:20:44.920" }, - { - "id": "frk_rq_683f3179d3ba9393821ad7a4", - "frameworkId": "frk_683f31582b71fc8d9253ad89", - "name": "A.1", - "description": "A1 ISO 27001", - "identifier": "A1", - "createdAt": "2025-06-03 17:31:36.578", - "updatedAt": "2025-06-03 17:31:36.578" - }, { "id": "frk_rq_6820cf48a00e4423470a1c44", "frameworkId": "frk_6820c8b318a6d88bf2c4586d", @@ -7820,24 +7586,6 @@ "createdAt": "2025-06-03 23:18:27.903", "updatedAt": "2025-06-04 21:34:40.204" }, - { - "id": "frk_rq_68b59a381860dff55c1ab1aa", - "frameworkId": "frk_681ef1952907deb7cb85896d", - "name": "GDPR Requirement", - "description": "Everything related to GDPR", - "identifier": "1", - "createdAt": "2025-09-01 13:06:00.288", - "updatedAt": "2025-09-01 13:06:00.288" - }, - { - "id": "frk_rq_68b59f4c9739efdb63dd807e", - "frameworkId": "frk_681ecc34e85064efdbb76993", - "name": "ISO Requirement", - "description": "Everything ISO", - "identifier": "1", - "createdAt": "2025-09-01 13:27:39.721", - "updatedAt": "2025-09-01 13:27:39.721" - }, { "id": "frk_rq_68c1eafed7ef7c22cc3ba9db", "frameworkId": "frk_68c1ead24950f84849db81bb", @@ -8818,5 +8566,3443 @@ "identifier": "QMS-10.2-01", "createdAt": "2025-11-19 20:44:19.831", "updatedAt": "2025-11-19 20:44:19.831" + }, + { + "id": "frk_rq_69bd96f0dea75329f6d0f12e", + "frameworkId": "frk_69bd93a9a68c82ba0998008d", + "name": "Test", + "description": "sdfs", + "identifier": "xx1", + "createdAt": "2026-03-20 18:50:23.528", + "updatedAt": "2026-03-20 18:50:23.528" + }, + { + "id": "frk_rq_69d7e576d8b4cc0f5440725d", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company, including guidelines for acceptable and unacceptable technology usage behaviors with outlined consequences for unacceptable actions. Senior Management segregates responsibilities and duties across the organization to mitigate risks to the services provided to its customers through structured governance and behavioral standards that ensure proper technology usage and overall organizational conduct to protect customer service delivery", + "identifier": "CC5.1", + "createdAt": "2026-04-09 17:44:21.645", + "updatedAt": "2026-04-09 17:44:21.645" + }, + { + "id": "frk_rq_69d7e657b68baf33653627a1", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company. Senior Management maintains segregated responsibilities and duties across the organization to mitigate risks to customer services through systematic oversight, including annual reviews and approvals of company policies, risk assessments, vendor assessments, and organizational structures. The organization conducts periodic evaluations of subservice organizations to ensure customer commitments are met, while the Information Security program undergoes planned reviews to ensure continuing effectiveness. Responsibilities are further segregated through the Information Security Officer's independent oversight of production access controls, supported by continuous monitoring systems that provide program health reporting to stakeholders", + "identifier": "CC5.2", + "createdAt": "2026-04-09 17:48:07.014", + "updatedAt": "2026-04-09 17:48:07.014" + }, + { + "id": "frk_rq_69d7e725c3b1c5035b646414", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company. Senior Management segregates responsibilities and duties across the organization to mitigate risks to the services provided to its customers through structured policy governance, including: making all policies and procedures available to all staff members for reference; establishing procedures for new staff to acknowledge applicable company policies during onboarding; and requiring periodic acknowledgment of applicable company policies by all staff to ensure ongoing awareness and compliance in protecting customer service delivery.", + "identifier": "CC5.3", + "createdAt": "2026-04-09 17:51:32.703", + "updatedAt": "2026-04-09 17:51:32.703" + }, + { + "id": "frk_rq_69d7e73978f57e698ba562fb", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company, including documented policies for data classification through physical and logical labeling, and guidelines for information disposal and retention. Senior Management segregates responsibilities and duties across the organization to mitigate risks to customer services through systematic information management and transparency controls, including: generating and reviewing system information to evaluate impacts on internal control functioning; making all policies and procedures available to staff members for reference and compliance; maintaining current service information on the company website for customer accessibility; and implementing data classification and retention procedures to ensure proper information handling that protects customer service delivery and regulatory compliance", + "identifier": "CC2.1", + "createdAt": "2026-04-09 17:51:52.618", + "updatedAt": "2026-04-09 17:51:52.618" + }, + { + "id": "frk_rq_69d7e74ab37477b3cb910456", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company, including behavioral standards, acceptable business conduct policies, and Information Security policies that provide guidance on reporting failures, incidents, concerns, and complaints related to organizational services and systems. Senior Management segregates responsibilities and duties across the organization to mitigate risks to customer services through comprehensive personnel governance and awareness programs, including: establishing procedures for new staff to acknowledge applicable company policies and complete security and privacy literacy training during onboarding; requiring periodic policy acknowledgment by all staff; making all policies and procedures available to staff members for reference; and documenting, monitoring, and retaining individual training activities and records to ensure ongoing compliance and competency in protecting customer service delivery.", + "identifier": "CC2.2", + "createdAt": "2026-04-09 17:52:10.056", + "updatedAt": "2026-04-09 17:52:10.056" + }, + { + "id": "frk_rq_69e918bbb477e38341c4a83b", + "frameworkId": "frk_69e9187a649152cdc715f1ad", + "name": "Data Processor Agreements", + "description": "Sign a data processing agreement between your organization and any third parties that process personal data on your behalf.", + "identifier": "AG-2", + "createdAt": "2026-04-22 18:51:39.087", + "updatedAt": "2026-04-22 18:51:39.087" + }, + { + "id": "frk_rq_69e918bc947251b4d29f2da2", + "frameworkId": "frk_69e9187a649152cdc715f1ad", + "name": "Right of Access", + "description": "It's easy for your customers to request and receive all the information you have about them.", + "identifier": "PR-1", + "createdAt": "2026-04-22 18:51:40.278", + "updatedAt": "2026-04-22 18:51:40.278" + }, + { + "id": "frk_rq_69e918bd1ad4fdd1d8a45987", + "frameworkId": "frk_69e9187a649152cdc715f1ad", + "name": "Right to Rectification", + "description": "It's easy for your customers to correct or update inaccurate or incomplete information.", + "identifier": "PR-2", + "createdAt": "2026-04-22 18:51:40.718", + "updatedAt": "2026-04-22 18:51:40.718" + }, + { + "id": "frk_rq_69d7e757ea97d3f6fc14a16f", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company. Senior Management segregates responsibilities and duties across the organization to mitigate risks to customer services through transparent customer communication controls, including: displaying current information about services on the company website for customer accessibility; and providing customers with information on how to report failures, incidents, concerns, or other complaints related to organizational services and systems to ensure prompt issue resolution and continuous service improvement", + "identifier": "CC2.3", + "createdAt": "2026-04-09 17:52:23.365", + "updatedAt": "2026-04-09 17:52:23.365" + }, + { + "id": "frk_rq_69d7e76988750007ab774faf", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company. Senior Management segregates responsibilities and duties across the organization to mitigate risks to customer services through comprehensive governance and oversight mechanisms, including: assigning an Information Security Officer to centrally manage, coordinate, develop, implement, and maintain the enterprise-wide cybersecurity and privacy program; conducting annual reviews and approvals of all company policies, Risk Assessment Reports, Vendor Risk Assessment Reports, and organizational charts for all employees; performing planned interval reviews of the Information Security program including policies, standards, and procedures, or when significant changes occur, to ensure continuing suitability, adequacy, and effectiveness; establishing mechanisms to assign and manage asset ownership responsibilities with common understanding of asset protection requirements; periodically updating and reviewing system inventories as part of installations, removals, and system updates; periodically evaluating all subservice organizations to ensure customer commitments can be met; and implementing continuous monitoring systems to track and report information security program health to stakeholders, ensuring systematic protection of customer service delivery.", + "identifier": "CC4.1", + "createdAt": "2026-04-09 17:52:40.830", + "updatedAt": "2026-04-09 17:52:40.830" + }, + { + "id": "frk_rq_69d7e7a53e9ce2aeac1a4738", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company, including Information Security policies that provide employees with guidance on reporting failures, incidents, concerns, or other complaints related to organizational services and systems. Senior Management segregates responsibilities and duties across the organization to mitigate risks to customer services through systematic program oversight, including: conducting annual reviews and approvals of all company policies; performing planned interval reviews of the Information Security program including policies, standards, and procedures, or when significant changes occur, to ensure their continuing suitability, adequacy, and effectiveness; and implementing continuous monitoring systems to track and report the health of the information security program to the Information Security Officer and other stakeholders, ensuring comprehensive protection of customer service delivery", + "identifier": "CC4.2", + "createdAt": "2026-04-09 17:53:40.674", + "updatedAt": "2026-04-09 17:53:40.674" + }, + { + "id": "frk_rq_69d7e7b42dea66c8ad0751ea", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.", + "description": "The organization has documented a comprehensive suite of policies and procedures that define expected behavior with regard to the Company, including guidelines for information disposal and retention. Senior Management segregates responsibilities and duties across the organization to mitigate risks to customer services by enforcing systematic governance oversight, which comprises annual reviews and approvals of all company policies, risk assessment reports (including vendor assessments), and the organizational chart for all employees, as well as planned interval reviews of the Information Security program—covering its policies, standards, and procedures—whenever significant changes occur, thereby ensuring their continuing suitability, adequacy, and effectiveness in protecting and supporting customer service delivery.", + "identifier": "CC1.2", + "createdAt": "2026-04-09 17:53:55.660", + "updatedAt": "2026-04-09 17:53:55.660" + }, + { + "id": "frk_rq_69d7e7dc23b7f38d35c92917", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company. Senior Management segregates responsibilities and duties across the organization to mitigate risks to customer services through structured organizational governance, including: maintaining an organizational structure that defines authorities, facilitates information flow, and establishes clear responsibilities; appointing a People Operations Officer to develop personnel-related security strategies; assigning an Information Security Officer to centrally manage the enterprise-wide cybersecurity and privacy program; establishing procedures to communicate staff roles and responsibilities; and implementing mechanisms to assign asset ownership responsibilities with common understanding of protection requirements. Senior Management conducts planned interval reviews of the Information Security program, including policies, standards, and procedures, or when significant changes occur, to ensure continuing suitability, adequacy, and effectiveness in protecting customer services", + "identifier": "CC1.3", + "createdAt": "2026-04-09 17:54:36.002", + "updatedAt": "2026-04-09 17:54:36.002" + }, + { + "id": "frk_rq_69d7e7fe5acf93ce81590446", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company. Senior Management segregates responsibilities and duties across the organization to mitigate risks to customer services through structured personnel security controls, including established procedures to perform security risk screening of individuals before authorizing access and ensuring that all security-related positions are staffed by qualified individuals with the necessary skill sets to protect customer service delivery", + "identifier": "CC1.4", + "createdAt": "2026-04-09 17:55:09.571", + "updatedAt": "2026-04-09 17:55:09.571" + }, + { + "id": "frk_rq_69d7f03a3473f216eee50dc8", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company. Senior Management segregates responsibilities and duties across the organization to mitigate risks to customer services through structured personnel security controls, including established procedures to perform security risk screening of individuals before authorizing access and ensuring that all security-related positions are staffed by qualified individuals with the necessary skill sets to protect customer service delivery", + "identifier": "CC1.4", + "createdAt": "2026-04-09 18:30:18.304", + "updatedAt": "2026-04-09 18:30:18.304" + }, + { + "id": "frk_rq_69d7ec749fdfe0889e8e1004", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company. Senior Management segregates responsibilities and duties across the organization to mitigate risks to customer services through comprehensive personnel development and oversight programs, including: providing job-function-relevant information security and privacy training to all staff; requiring new staff to complete security and privacy literacy training during onboarding; establishing procedures for periodic acknowledgment of applicable company policies; conducting periodic evaluations of employees in client serving, IT, Engineering, and Information Security roles regarding their job responsibilities; and documenting, monitoring, and retaining individual training activities and records to ensure ongoing competency and compliance in protecting customer service delivery", + "identifier": "CC1.5", + "createdAt": "2026-04-09 18:14:12.264", + "updatedAt": "2026-04-09 18:14:12.264" + }, + { + "id": "frk_rq_69d7ecc2e48e690433555325", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.", + "description": "The organization performs a formal risk assessment exercise annually, as per documented guidelines and procedures, to identify threats that could impair systems' security commitments and requirements.", + "identifier": "CC3.1", + "createdAt": "2026-04-09 18:15:29.526", + "updatedAt": "2026-04-09 18:15:29.526" + }, + { + "id": "frk_rq_69d7f04a624c5b6746879e47", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company. Senior Management segregates responsibilities and duties across the organization to mitigate risks to customer services through comprehensive personnel development and oversight programs, including: providing job-function-relevant information security and privacy training to all staff; requiring new staff to complete security and privacy literacy training during onboarding; establishing procedures for periodic acknowledgment of applicable company policies; conducting periodic evaluations of employees in client serving, IT, Engineering, and Information Security roles regarding their job responsibilities; and documenting, monitoring, and retaining individual training activities and records to ensure ongoing competency and compliance in protecting customer service delivery", + "identifier": "CC1.5", + "createdAt": "2026-04-09 18:30:33.815", + "updatedAt": "2026-04-09 18:30:33.815" + }, + { + "id": "frk_rq_69d7f15174a126ae9318c700", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company, including documented guidelines and procedures for formal risk assessment exercises. Senior Management segregates responsibilities and duties across the organization to mitigate risks to customer services through comprehensive annual risk management activities, including: performing formal risk assessment exercises to identify threats that could impair systems' security commitments and requirements; conducting formal vendor risk assessments to identify vendors critical to systems' security commitments; and assessing each identified risk with scoring based on likelihood of occurrence and potential impact on security, availability, and confidentiality of the Company platform, with risks mapped to mitigating factors that address some or all of the identified risk to ensure protection of customer service delivery", + "identifier": "CC3.4", + "createdAt": "2026-04-09 18:34:56.564", + "updatedAt": "2026-04-09 18:34:56.564" + }, + { + "id": "frk_rq_69d7f069bba09cd6fde415b4", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company, including documented guidelines and procedures for formal risk assessment exercises. Senior Management segregates responsibilities and duties across the organization to mitigate risks to customer services through systematic risk management practices, including: establishing procedures for new staff to acknowledge applicable company policies during onboarding; performing annual formal risk assessment exercises to identify threats that could impair systems' security commitments and requirements; conducting annual vendor risk assessments to identify vendors critical to systems' security commitments; and assessing each identified risk with scoring based on likelihood of occurrence and potential impact on security, availability, and confidentiality of the Company platform, with risks mapped to mitigating factors that address some or all of the identified risk to protect customer service delivery", + "identifier": "CC3.2", + "createdAt": "2026-04-09 18:31:05.079", + "updatedAt": "2026-04-09 18:31:05.079" + }, + { + "id": "frk_rq_69d7f07a5dde9e3489417256", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives.", + "description": "The organization considers the potential for fraud when assessing risks. This is an entry in the risk matrix.", + "identifier": "CC3.3", + "createdAt": "2026-04-09 18:31:22.461", + "updatedAt": "2026-04-09 18:31:22.461" + }, + { + "id": "frk_rq_69d7f490f8a6458bf15ef544", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "For information requiring explicit consent, the entity communicates the need for such consent, as well as the consequences of a failure to provide consent for the request for personal information, and obtains the consent prior to the collection of the information to meet the entity's objectives related to privacy.", + "description": "The organization includes Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals.", + "identifier": "P3.2", + "createdAt": "2026-04-09 18:48:48.038", + "updatedAt": "2026-04-09 18:48:48.038" + }, + { + "id": "frk_rq_69d7f492512cd3853fc1678f", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "For information requiring explicit consent, the entity communicates the need for such consent, as well as the consequences of a failure to provide consent for the request for personal information, and obtains the consent prior to the collection of the information to meet the entity's objectives related to privacy.", + "description": "The organization maintains an inventory of categories of personal information collected along with its usage, sources and specific purposes for collection as per regulatory requirements (\"Record of Processing Activities\") and reviews it on an annual basis", + "identifier": "P3.2", + "createdAt": "2026-04-09 18:48:49.933", + "updatedAt": "2026-04-09 18:48:49.933" + }, + { + "id": "frk_rq_69d7f69f05eb9e749bbbb94b", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "Personal information is collected consistent with the entity's objectives related to privacy.", + "description": "The organization has documented policies and procedures providing guidance on Data Protection and Privacy, including a Privacy Policy published on the company website that meets all regulatory requirements and defines staff responsibilities for handling personal data. It maintains a Record of Processing Activities—a comprehensive inventory of the categories of personal information collected, their sources, specific purposes, and usage—which is reviewed annually to ensure ongoing compliance. All forms that collect personal information include Privacy Act statements, either directly on the form or via a separate notice that individuals can retain, thereby ensuring transparency, informed consent, and adherence to regulatory obligations throughout the data lifecycle.", + "identifier": "P3.1", + "createdAt": "2026-04-09 18:57:35.298", + "updatedAt": "2026-04-09 18:57:35.298" + }, + { + "id": "frk_rq_69d7f6a079d5fe17bb88ddca", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company, including Access Control policies and procedures with an accompanying process to register and authorize users for issuing system credentials that grant access to critical systems. Senior Management segregates responsibilities and duties across the organization to mitigate risks to the services provided to its customers through structured access management controls, including: ensuring logical access provisioning to critical systems requires approval from authorized personnel on an individual need or predefined role basis; and ensuring that logical access is made inaccessible in a timely manner when no longer required due to termination, thereby maintaining systematic protection of customer service delivery through proper access governance and lifecycle management.", + "identifier": "CC6.2", + "createdAt": "2026-04-09 18:57:36.267", + "updatedAt": "2026-04-09 18:57:36.267" + }, + { + "id": "frk_rq_69d7f6a1e9853f081604ebb6", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity assesses and manages risks associated with vendors and business partners.", + "description": "The organization has established documented policies and procedures that define expected behavior, including vendor and third-party management guidelines instructing staff on how to perform risk assessments, and a risk management framework for identifying, assessing, and mitigating risks to business objectives—fully aligned with the organization’s service commitments and system requirements. Senior Management segregates responsibilities and duties across the organization to ensure effective oversight, including a formal annual vendor risk assessment to identify and address the security-critical suppliers whose performance could impact the delivery of customer services.", + "identifier": "CC9.2", + "createdAt": "2026-04-09 18:57:37.185", + "updatedAt": "2026-04-09 18:57:37.185" + }, + { + "id": "frk_rq_69d7f6a2717be78f524ee2d5", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company, including documented policies and procedures to manage changes to its operating environment. Senior Management segregates responsibilities and duties across the organization to mitigate risks to the services provided to its customers through structured change management controls, including: establishing procedures to govern changes to the operating environment; implementing approval procedures when making changes to the operating environment; and developing, documenting, and maintaining an inventory of organizational infrastructure systems with all necessary information to achieve accountability, thereby maintaining systematic change governance to ensure comprehensive protection of customer service delivery through controlled and documented operational modifications.", + "identifier": "CC8.1", + "createdAt": "2026-04-09 18:57:38.038", + "updatedAt": "2026-04-09 18:57:38.038" + }, + { + "id": "frk_rq_69d7f6a36f14aa8d8d69619c", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.", + "description": "The organization has documented policies and procedures that establish guidelines for managing data backups, contingency planning, and disaster recovery, including a data-backup policy accessible to all relevant staff via the company portal, contingency-planning controls to sustain operations, and disaster-recovery procedures for restoring services after a disruption or security incident. The organization regularly backs up all relevant user and system data to meet defined recovery-time and recovery-point objectives, periodically verifies backup integrity, and tests backup media for reliability, thereby ensuring timely restoration of operations and uninterrupted delivery of customer services under adverse conditions.", + "identifier": "A1.2", + "createdAt": "2026-04-09 18:57:38.980", + "updatedAt": "2026-04-09 18:57:38.980" + }, + { + "id": "frk_rq_69d7f6a47ba0011b49e504b1", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company, including Access Control policies and procedures with an accompanying process to register and authorize users for issuing system credentials that grant access to critical systems. Senior Management segregates responsibilities and duties across the organization to mitigate risks to the services provided to its customers through comprehensive access management controls, including: ensuring logical access provisioning to critical systems requires approval from authorized personnel on an individual need or predefined role basis; restricting access to production databases and critical systems to only those individuals who require such access to perform their job functions; requiring Senior Management or the Information Security Officer to periodically review and ensure that both general and administrative access to critical systems is restricted to authorized individuals based on job function requirements; and ensuring that logical access is made inaccessible in a timely manner when no longer required due to termination, thereby maintaining systematic protection of customer service delivery through proper access governance, lifecycle management, and ongoing oversight.", + "identifier": "CC6.3", + "createdAt": "2026-04-09 18:57:39.843", + "updatedAt": "2026-04-09 18:57:39.843" + }, + { + "id": "frk_rq_69d7f6a532778d48c8050941", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity's objectives related to privacy.", + "description": "The organization has documented policies and procedures that establish expected behavior with regard to personal data, including a Privacy Policy published on the company website that meets all regulatory requirements and assigns a Privacy Officer to assess and facilitate compliance. It maintains a Record of Processing Activities—an annually reviewed inventory of the categories of personal information collected, their sources, specific purposes, and usage—and requires all forms that collect personal data to include a Privacy Act statement, either on the form itself or via a separate notice. In accordance with its Privacy Policy, the organization honors all Subject Access Requests promptly and fully, ensuring transparency, accountability, and protection of individual data rights.", + "identifier": "P7.1", + "createdAt": "2026-04-09 18:57:40.697", + "updatedAt": "2026-04-09 18:57:40.697" + }, + { + "id": "frk_rq_69d7f6a64f4c35988d6081a6", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity's objectives related to privacy. The entity's basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented.", + "description": "The organization maintains an inventory of categories of personal information collected along with its usage, sources and specific purposes for collection as per regulatory requirements (\"Record of Processing Activities\") and reviews it on an annual basis The organization maintains a list of all contractual obligations based on customer contracts. The organization ensures regulatory requirements regarding user consent are met prior to processing personal data", + "identifier": "P2.1", + "createdAt": "2026-04-09 18:57:41.604", + "updatedAt": "2026-04-09 18:57:41.604" + }, + { + "id": "frk_rq_69d7f6a7c8eb4a69910f4a26", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity's objectives related to privacy. If a request for correction is denied, data subjects are informed of the denial and reason for such denial to meet the entity's objectives related to privacy.", + "description": "The organization has a documented Privacy Policy that meets all regulatory requirements and is published on the company’s website. This Policy mandates that all forms collecting personal information include a Privacy Act statement—either directly on the form or via a separate notice for individuals to retain—and requires that subject access requests be honored promptly and in full accordance with the Policy. Moreover, whenever personal data is shared with third-party vendors as part of processing activities, the organization implements appropriate remediation measures—including contractual safeguards, vendor assessments, and incident response procedures—to ensure ongoing protection, transparency, and compliance throughout the data lifecycle.", + "identifier": "P5.2", + "createdAt": "2026-04-09 18:57:42.555", + "updatedAt": "2026-04-09 18:57:42.555" + }, + { + "id": "frk_rq_69d7f6a7a26e58ad51f72e4b", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity's objectives related to privacy.", + "description": "The organization has documented privacy policies and procedures that establish guidelines for the collection, processing, and protection of personal information. Senior Management appoints a Privacy Officer responsible for assessing and facilitating the organization’s compliance with all applicable privacy regulations. The organization maintains a Record of Processing Activities—a comprehensive inventory of the categories of personal information collected, their sources, usage, and specific purposes—which is reviewed and updated annually to ensure accuracy and regulatory alignment. In accordance with its Privacy Policy, the organization ensures that all Subject Access Requests are honored promptly and fully, thereby safeguarding individual rights and maintaining transparency across its data processing operations.", + "identifier": "P6.2", + "createdAt": "2026-04-09 18:57:43.427", + "updatedAt": "2026-04-09 18:57:43.427" + }, + { + "id": "frk_rq_69dcfef2652e248e46a4d10e", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Inbound traffic from untrusted to trusted networks is restricted to necessary communications only.", + "description": "Inbound firewall rules for untrusted-to-trusted flows; approved inbound services list", + "identifier": "1.4.2", + "createdAt": "2026-04-13 14:34:25.566", + "updatedAt": "2026-04-13 14:34:25.566" + }, + { + "id": "frk_rq_69dcfef29d9116e66aa52b2a", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Anti-spoofing measures are implemented to detect and block forged source IP addresses.", + "description": "uRPF/ingress ACL configuration; IPS anti-spoofing signatures; test evidence", + "identifier": "1.4.3", + "createdAt": "2026-04-13 14:34:26.480", + "updatedAt": "2026-04-13 14:34:26.480" + }, + { + "id": "frk_rq_69d7f6a8624c458f2893d407", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity's objectives related to privacy.", + "description": "The organization has documented policies and procedures that define guidelines for notifying customers and other stakeholders—specifically addressing PII breaches—in the event of any information security incident. Senior Management appoints a Privacy Officer to assess and facilitate compliance with all relevant privacy regulations. The organization conducts risk assessments of suspected data breaches and, when a breach is deemed significant, notifies all affected parties without unreasonable delay. All security incidents are recorded along with their investigations and the response plans executed, in accordance with the incident reporting and management procedures.", + "identifier": "P6.3", + "createdAt": "2026-04-09 18:57:44.282", + "updatedAt": "2026-04-09 18:57:44.282" + }, + { + "id": "frk_rq_69d7f6a9a24e04508e70db9a", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity's objectives related to privacy.", + "description": "The organization has documented policies and procedures that establish guidelines for vendor management and personal data protection, requiring an annual formal vendor risk assessment to identify suppliers critical to its security commitments and mandating appropriate remediation measures—such as contractual safeguards and incident response protocols—whenever personal data is shared with third parties. It ensures all regulatory consent requirements are fulfilled before processing personal data and conducts periodic Data Protection Impact Assessments to evaluate and mitigate privacy and regulatory risks across its processing activities, thereby maintaining comprehensive oversight and compliance throughout the data lifecycle.", + "identifier": "P6.1", + "createdAt": "2026-04-09 18:57:45.132", + "updatedAt": "2026-04-09 18:57:45.132" + }, + { + "id": "frk_rq_69d7f6aa16228e705a19b376", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity's objectives.", + "description": "The organization has a documented policy that provides guidance on decommissioning of information assets that contain classified information.", + "identifier": "CC6.5", + "createdAt": "2026-04-09 18:57:45.981", + "updatedAt": "2026-04-09 18:57:45.981" + }, + { + "id": "frk_rq_69d7f6ab0ce69e3e2743b723", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company, including documented policies and procedures to establish guidelines for managing technical vulnerabilities, documented guidelines on notifying customers and other stakeholders in case of a breach, and policies for reporting and managing incidents. Senior Management segregates responsibilities and duties across the organization to mitigate risks to the services provided to its customers through comprehensive security monitoring, vulnerability management, and incident response controls, including: configuring infrastructure to generate audit events for security-related actions of interest on all critical systems and to review and analyze audit events to detect anomalous or suspicious activity and threats; implementing methods to continuously monitor critical assets to generate capacity alerts ensuring optimal performance, meeting future capacity requirements, and protecting against denial-of-service attacks; identifying vulnerabilities on the Company platform through regular vulnerability scans and annual penetration testing exercises conducted by qualified third-party service providers; tracking all vulnerabilities and remediating them according to defined vulnerability management policies and procedures; performing security and privacy compliance checks on software versions and patches of remote devices prior to establishing internal connections; maintaining records of information security incidents, investigations, and response plan executions; and utilizing continuous monitoring systems to track and report information security program health to stakeholders, thereby maintaining systematic security governance to ensure comprehensive protection of customer service delivery through proactive monitoring, vulnerability management, and incident response capabilities", + "identifier": "CC7.3", + "createdAt": "2026-04-09 18:57:46.848", + "updatedAt": "2026-04-09 18:57:46.848" + }, + { + "id": "frk_rq_69d7f6acfbe88ecd7aa205de", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity's objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity's objectives related to privacy.", + "description": "The organization has a documented Privacy Policy that meets all regulatory requirements and is published on the company website. This Privacy Policy requires that every form collecting personal information include a Privacy Act statement—either directly on the form or via a separate notice for individuals to retain—and mandates that all subject access requests be honored promptly and in accordance with the Policy, thereby ensuring transparency, informed consent, and full compliance throughout the data lifecycle.", + "identifier": "P5.1", + "createdAt": "2026-04-09 18:57:47.700", + "updatedAt": "2026-04-09 18:57:47.700" + }, + { + "id": "frk_rq_69d7f6ad063694ae9c92b3d8", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality.", + "description": "The organization has documented a comprehensive suite of policies and procedures that define expected behavior with regard to the Company, including behavioral standards, acceptable business conduct, cybersecurity responsibilities, and an Information Security Policy governing the confidentiality, integrity, and availability of its systems. Senior Management segregates responsibilities and duties across the organization to mitigate risks to customer services by enforcing structured policy governance, which requires new staff to acknowledge applicable policies during onboarding and mandates periodic policy acknowledgment by all personnel to ensure ongoing compliance and awareness. In addition, the organization labels information systems physically and/or logically in accordance with its data classification policy, employs cryptographic mechanisms to encrypt all production databases that store customer data at rest, and ensures that endpoints with access to critical servers or data are encrypted to protect against unauthorized access, thereby integrating controls across people, processes, and technology to safeguard service delivery.", + "identifier": "C1.1", + "createdAt": "2026-04-09 18:57:48.545", + "updatedAt": "2026-04-09 18:57:48.545" + }, + { + "id": "frk_rq_69d7f6adeddd2e0c23b6e615", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity identifies, develops, and implements activities to recover from identified security incidents.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company, including documented policies and procedures that establish guidelines for continuing business operations and facilitate the application of contingency planning controls, a documented policy on managing Data Backups made available to all relevant staff, and documented guidelines to manage Disaster Recovery. Senior Management segregates responsibilities and duties across the organization to mitigate risks to the services provided to its customers through comprehensive business continuity and disaster recovery controls, including: establishing guidelines and procedures for continuing business operations in case of a disruption or security incident; implementing data backup management policies accessible to relevant staff through the company employee portal; and maintaining disaster recovery guidelines that ensure business operations continuity during disruptive events, thereby maintaining systematic business continuity governance to ensure comprehensive protection and uninterrupted delivery of customer services through proactive contingency planning and recovery capabilities.", + "identifier": "CC7.5", + "createdAt": "2026-04-09 18:57:49.473", + "updatedAt": "2026-04-09 18:57:49.473" + }, + { + "id": "frk_rq_69d7f6ae46305678b122956f", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company, including documented policies and procedures that describe how to identify risks to business objectives and how those risks are assessed and mitigated, with objectives incorporating the organization's service commitments and system requirements. Senior Management segregates responsibilities and duties across the organization to mitigate risks to the services provided to its customers through systematic risk management processes, including: performing annual formal risk assessment exercises according to documented guidelines and procedures to identify threats that could impair systems' security commitments and requirements; assessing each risk and assigning risk scores based on the likelihood of occurrence and potential impact on the security, availability, and confidentiality of the Company platform; and mapping risks to mitigating factors that address some or all of the identified risk, thereby maintaining comprehensive risk governance to ensure systematic protection of customer service delivery through proactive risk identification, assessment, and mitigation capabilities.", + "identifier": "CC9.1", + "createdAt": "2026-04-09 18:57:50.325", + "updatedAt": "2026-04-09 18:57:50.325" + }, + { + "id": "frk_rq_69d7f6afc442b0a62cac9590", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity's objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner.", + "description": "The organization maintains a documented Privacy Policy that meets all applicable regulatory requirements and is published on the company website. This Policy mandates that valid user consent be obtained before any personal data processing and clearly informs individuals of their rights. In accordance with both the Policy and regulatory obligations, the organization promptly and fully honors all Subject Access Requests, ensuring transparency, accountability, and respect for individual privacy throughout the data lifecycle.", + "identifier": "P8.1", + "createdAt": "2026-04-09 18:57:51.188", + "updatedAt": "2026-04-09 18:57:51.188" + }, + { + "id": "frk_rq_69d7f6b0a7ffde853174b371", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity objectives.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company. Senior Management segregates responsibilities and duties across the organization to mitigate risks to the services provided to its customers through systematic infrastructure protection and compliance controls, including: ensuring every production host is protected by a firewall with deny-by-default rules leveraging cloud provider security defaults; and implementing measures to perform security and privacy compliance checks on software versions and patches of remote devices prior to establishing internal connections, thereby maintaining comprehensive network security governance to protect customer service delivery through controlled access and validated device compliance.", + "identifier": "CC6.8", + "createdAt": "2026-04-09 18:57:52.104", + "updatedAt": "2026-04-09 18:57:52.104" + }, + { + "id": "frk_rq_69d7f6b1f6533b5ebd588a61", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity implements logical access security measures to protect against threats from sources outside its system boundaries.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company, including endpoint security policies and procedures, guidelines for communications protections and network security of critical systems, and documented procedures for endpoint security and related controls. Senior Management segregates responsibilities and duties across the organization to mitigate risks to the services provided to its customers through comprehensive endpoint and network security controls, including: developing, documenting, and maintaining an inventory of organizational endpoint systems with necessary accountability information; ensuring endpoints with access to critical servers or data are configured to auto-screen-lock after 15 minutes of inactivity and are encrypted to protect from unauthorized access; requiring malware protection software on endpoints accessing critical servers or data; protecting production databases and Secure Shell access to infrastructure entities from public internet access; implementing firewall protection on every production host with deny-by-default rules; performing security and privacy compliance checks on software versions and patches of remote devices prior to establishing internal connections; requiring multifactor authentication for all staff members with access to critical systems; and maintaining systematic endpoint security governance to ensure comprehensive protection of customer service delivery.", + "identifier": "CC6.6", + "createdAt": "2026-04-09 18:57:52.968", + "updatedAt": "2026-04-09 18:57:52.968" + }, + { + "id": "frk_rq_69d7f6b2837296fc18c8e05e", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company, including Access Control policies and procedures for user registration and authorization, physical and environmental security policies, and password and secure login mechanism guidelines made available to all staff members. Senior Management segregates responsibilities and duties across the organization to mitigate risks to the services provided to its customers through comprehensive access management controls, including: ensuring production databases and Secure Shell access to infrastructure entities are protected from public internet access; requiring Senior Management or the Information Security Officer to periodically review and ensure that administrative and critical system access is restricted to only those individuals who require such access to perform their job functions; implementing logical access provisioning to critical systems that requires approval from authorized personnel on an individual need or predefined role basis; and utilizing continuous monitoring systems to alert security teams to update access levels of team members whose roles have changed, ensuring systematic protection of customer service delivery through proper access governance", + "identifier": "CC6.1", + "createdAt": "2026-04-09 18:57:53.812", + "updatedAt": "2026-04-09 18:57:53.812" + }, + { + "id": "frk_rq_69d7f6b31a628c6d4a1eefca", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity's objectives.", + "description": "The organization's software application ensures input values are limited to acceptable ranges. The organization performs physical and/or logical labeling of information systems as per the guidelines documented policy defined for data classification", + "identifier": "PI1.2", + "createdAt": "2026-04-09 18:57:54.723", + "updatedAt": "2026-04-09 18:57:54.723" + }, + { + "id": "frk_rq_69d7f6b4cc3364592f0a4b17", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity's objectives.", + "description": "The organization has established procedures for approval when implementing changes to the operating environment.", + "identifier": "PI1.3", + "createdAt": "2026-04-09 18:57:55.592", + "updatedAt": "2026-04-09 18:57:55.592" + }, + { + "id": "frk_rq_69e918bb5b30f6ad4823455b", + "frameworkId": "frk_69e9187a649152cdc715f1ad", + "name": "EU Representative", + "description": "If your organization is outside the EU, appoint a representative within one of the EU member states.", + "identifier": "AG-3", + "createdAt": "2026-04-22 18:51:39.459", + "updatedAt": "2026-04-22 18:51:39.459" + }, + { + "id": "frk_rq_69d7f6b4775baf784cba6dc5", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity's objectives.", + "description": "The organization ensures that logical access provisioning to critical systems requires approval from authorized personnel on an individual need or for a predefined role. Company does application regression testing to validate key processing for the application during the change management process. The organization has established procedures for approval when implementing changes to the operating environment.", + "identifier": "PI1.4", + "createdAt": "2026-04-09 18:57:56.456", + "updatedAt": "2026-04-09 18:57:56.456" + }, + { + "id": "frk_rq_69d7f6b5fe119219dd0ddd6d", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity's objectives.", + "description": "The organization has documented policies and procedures to manage Access Control and an accompanying process to register and authorize users for issuing system credentials which grant the ability to access the critical systems. The organization has set up cryptographic mechanisms to encrypt all production database[s] that store customer data at rest.", + "identifier": "PI1.5", + "createdAt": "2026-04-09 18:57:57.330", + "updatedAt": "2026-04-09 18:57:57.330" + }, + { + "id": "frk_rq_69d7f6b6749edb51a734d0af", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity limits the use of personal information to the purposes identified in the entity's objectives related to privacy.", + "description": "The organization has documented a Privacy Policy and supporting procedures that establish expected behavior with regard to the Company, meet all regulatory requirements, and are published on the company website. Senior Management segregates responsibilities and duties across the organization to mitigate risks to the services provided to its customers by maintaining an annually reviewed Record of Processing Activities—an inventory of personal information categories collected, their sources, specific purposes, and usage—ensuring that all forms collecting personal data include a Privacy Act statement either on the form itself or via a separate notice for individuals, and enforcing logical access provisioning to critical systems only upon approval by authorized personnel based on individual need or predefined roles.", + "identifier": "P4.1", + "createdAt": "2026-04-09 18:57:58.181", + "updatedAt": "2026-04-09 18:57:58.181" + }, + { + "id": "frk_rq_69d7f6b7b4984a3804a9f169", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.", + "description": "The organization has set up methods to continuously monitor critical assets to generate capacity alerts to ensure optimal performance, meet future capacity requirements, and protect against denial-of-service attacks.", + "identifier": "A1.1", + "createdAt": "2026-04-09 18:57:59.032", + "updatedAt": "2026-04-09 18:57:59.032" + }, + { + "id": "frk_rq_69d7f6b899f3425ec64a4e78", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company, including documented policies and procedures to establish guidelines for managing technical vulnerabilities. Senior Management segregates responsibilities and duties across the organization to mitigate risks to the services provided to its customers through comprehensive vulnerability management and monitoring controls, including: identifying vulnerabilities on the Company platform through regular vulnerability scan execution; tracking all vulnerabilities and remediating them according to defined vulnerability management policies and procedures; configuring infrastructure to generate audit events for security-related actions of interest on all critical systems and to review and analyze audit events to detect anomalous or suspicious activity and threats; and implementing methods to continuously monitor critical assets to generate capacity alerts ensuring optimal performance, meeting future capacity requirements, and protecting against denial-of-service attacks, thereby maintaining systematic vulnerability and threat management governance to ensure comprehensive protection of customer service delivery through proactive detection, monitoring, and remediation capabilities.", + "identifier": "CC7.2", + "createdAt": "2026-04-09 18:57:59.965", + "updatedAt": "2026-04-09 18:57:59.965" + }, + { + "id": "frk_rq_69d7f6b953dac7d535a96861", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity's objectives related to privacy.", + "description": "The organization has documented policies and procedures governing personal data protection, including requirements to obtain user consent prior to any processing and to follow documented vendor management guidelines—complete with staff guidance on performing vendor risk assessments and mandated remediation measures whenever personal data is shared. These procedures also enforce compliance with all regulatory obligations for cross-border data transfers. In the event of suspected data breaches, the organization conducts risk assessments and, for any significant breach, notifies all affected parties without unreasonable delay. Employees are provided with clear Information Security policies and procedures detailing how to report operational failures, security incidents, concerns, or complaints related to the organization’s services or systems, ensuring accountability and ongoing protection of personal data.", + "identifier": "P6.5", + "createdAt": "2026-04-09 18:58:00.835", + "updatedAt": "2026-04-09 18:58:00.835" + }, + { + "id": "frk_rq_69d7f6ba36b85d9fcdab3676", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.", + "description": "The organization has documented a comprehensive data classification policy requiring physical and logical labeling of all information systems to reflect sensitivity levels, data definitions, and product/service specifications. In support of this policy, its software applications enforce data quality controls by requiring all mandatory fields to be completed before a record can be created or modified, and by validating that input values fall within predefined acceptable ranges, thereby ensuring the accuracy, completeness, and consistency of critical system data.", + "identifier": "PI1.1", + "createdAt": "2026-04-09 18:58:01.814", + "updatedAt": "2026-04-09 18:58:01.814" + }, + { + "id": "frk_rq_69d7f6c1d6e942d8365e41fa", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity retains personal information consistent with the entity's objectives related to privacy.", + "description": "The organization’s documented Privacy Policy meets all applicable regulatory requirements and is published on the company website. It also maintains a documented policy outlining guidelines for the disposal and retention of information. To ensure accountability and transparency, the organization compiles and annually reviews a Record of Processing Activities—a comprehensive inventory of personal information categories collected, their sources, usage, and specific purposes—and requires that every form collecting personal data include a Privacy Act statement, either directly on the form or via a separate notice that individuals can retain.", + "identifier": "P4.2", + "createdAt": "2026-04-09 18:58:08.871", + "updatedAt": "2026-04-09 18:58:08.871" + }, + { + "id": "frk_rq_69d7f6bbdd5d2871cb2e24a5", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity's objectives related to privacy. The entity assesses those parties' compliance on a periodic and as-needed basis and takes corrective action, if necessary.", + "description": "The organization has documented policies and procedures governing vendor and third-party management that provide staff with clear guidance on conducting risk assessments and require appropriate remediation measures—such as contractual data protection clauses, security control reviews, and incident response protocols—whenever personal data is shared. These same policies establish procedures to ensure compliance with all regulatory requirements for transferring personal data outside the region in which it was collected, mandating that cross-border data flows be authorized, secured, and monitored in accordance with applicable laws.", + "identifier": "P6.4", + "createdAt": "2026-04-09 18:58:02.721", + "updatedAt": "2026-04-09 18:58:02.721" + }, + { + "id": "frk_rq_69d7f6bc7a2c8e4b02b8d04f", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects' personal information, upon the data subjects' request, to meet the entity's objectives related to privacy.", + "description": "The organization ensures regulatory requirements regarding user consent are met prior to processing personal data. The organization ensures that Subject Access Requests are being honored in accordance with the Privacy Policy", + "identifier": "P6.7", + "createdAt": "2026-04-09 18:58:03.652", + "updatedAt": "2026-04-09 18:58:03.652" + }, + { + "id": "frk_rq_69d7f6bd0c41735bfcf991c9", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity provides notice to data subjects about its privacy practices to meet the entity's objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity's privacy practices, including changes in the use of personal information, to meet the entity's objectives related to privacy.", + "description": "The organization has documented a comprehensive Privacy Policy and supporting procedures that embed privacy-by-design principles into all systems and processes to ensure ongoing compliance with applicable privacy regulations. This Privacy Policy meets all regulatory requirements and is published on the company website. In addition, every form that collects personal information—whether part of a Privacy Act system of records or not—carries a Privacy Act statement, either directly on the form or on a separate notice provided to individuals, thereby ensuring transparency, informed consent, and full regulatory compliance across the data lifecycle.", + "identifier": "P1.1", + "createdAt": "2026-04-09 18:58:04.502", + "updatedAt": "2026-04-09 18:58:04.502" + }, + { + "id": "frk_rq_69d7f6bd5f0fd2ee4ae2ddd7", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity's objectives related to privacy.", + "description": "The organization has documented policies and procedures that establish expected behavior with regard to the Company, including guidelines for incident detection, reporting, notification, and remediation. Senior Management segregates responsibilities and duties across the organization to mitigate risks to customer services by enforcing comprehensive incident management protocols. All employees receive Information Security policies and procedures detailing how to report operational failures, security incidents, concerns, or complaints related to services or systems. The organization conducts risk assessments of suspected data breaches, maintains a complete record of all security incidents, investigations, and executed response plans in accordance with its policies, and notifies customers and other stakeholders—particularly in the event of PII breaches—without unreasonable delay, thereby ensuring transparent communication and effective resolution.", + "identifier": "P6.6", + "createdAt": "2026-04-09 18:58:05.372", + "updatedAt": "2026-04-09 18:58:05.372" + }, + { + "id": "frk_rq_69d7f6beb47525c0472e5a28", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company, including established policies and procedures with guidelines to be undertaken in response to information security incidents and policies and procedures to report and manage incidents. Senior Management segregates responsibilities and duties across the organization to mitigate risks to the services provided to its customers through comprehensive incident management controls, including: maintaining records of information security incidents, their investigations, and the response plans executed in accordance with defined incident reporting and management policies and procedures; and utilizing continuous monitoring systems to track and report the health of the information security program to the Information Security Officer and other stakeholders, thereby maintaining systematic incident response governance to ensure comprehensive protection of customer service delivery through structured incident detection, response, and documentation capabilities", + "identifier": "CC7.4", + "createdAt": "2026-04-09 18:58:06.253", + "updatedAt": "2026-04-09 18:58:06.253" + }, + { + "id": "frk_rq_69d7f6bf60aa81ed491d2fbc", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.", + "description": "", + "identifier": "CC6.4", + "createdAt": "2026-04-09 18:58:07.107", + "updatedAt": "2026-04-09 18:58:07.107" + }, + { + "id": "frk_rq_69d7f6c0c17faabc4e00be1a", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company, including a documented policy to manage encryption and cryptographic protection controls. Senior Management segregates responsibilities and duties across the organization to mitigate risks to the services provided to its customers through comprehensive encryption and data protection controls, including: developing, documenting, and maintaining an inventory of organizational infrastructure systems with necessary accountability information; utilizing standard encryption methods including HTTPS with TLS algorithm to keep transmitted data confidential; implementing cryptographic mechanisms to encrypt all production databases that store customer data at rest; ensuring that endpoints and critical endpoints with access to critical servers or data are encrypted to protect from unauthorized access; and requiring that customer data used in non-production environments receives the same level of protection as the production environment, thereby maintaining systematic encryption governance to ensure comprehensive protection of customer service delivery through cryptographic controls.", + "identifier": "CC6.7", + "createdAt": "2026-04-09 18:58:08.014", + "updatedAt": "2026-04-09 18:58:08.014" + }, + { + "id": "frk_rq_69dcfef10367e82c5c60ea24", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "NSCs are implemented between trusted and untrusted networks.", + "description": "Firewall/IPS configuration; trust zone documentation; placement diagrams", + "identifier": "1.4.1", + "createdAt": "2026-04-13 14:34:24.658", + "updatedAt": "2026-04-13 14:34:24.658" + }, + { + "id": "frk_rq_69dcfef3ab8a1c333b3b3a7f", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "System components storing cardholder data are not directly accessible from untrusted networks.", + "description": "Segmentation test results; architecture diagram showing CHD storage system placement", + "identifier": "1.4.4", + "createdAt": "2026-04-13 14:34:27.382", + "updatedAt": "2026-04-13 14:34:27.382" + }, + { + "id": "frk_rq_69dcfef47bd26dd287a7ad11", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Internal IP addresses and routing information are not disclosed to untrusted networks.", + "description": "NAT configuration; route summarization policy; BGP/OSPF filtering configs", + "identifier": "1.4.5", + "createdAt": "2026-04-13 14:34:28.286", + "updatedAt": "2026-04-13 14:34:28.286" + }, + { + "id": "frk_rq_69d7f6c2baae65ae4fa2bfaa", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity securely disposes of personal information to meet the entity's objectives related to privacy.", + "description": "The organization maintains a documented Privacy Policy, published on the company website, that meets all regulatory requirements and includes guidelines for the disposal and retention of information. It compiles and annually reviews a Record of Processing Activities—an inventory of the categories of personal information collected, their sources, usage, and specific purposes—and requires that every form collecting personal data include a Privacy Act statement, either on the form itself or via a separate notice for individuals to retain. The organization also ensures that all subject access requests are honored promptly and in accordance with its Privacy Policy, thereby guaranteeing transparency, compliance, and secure handling of personal data throughout its lifecycle.", + "identifier": "P4.3", + "createdAt": "2026-04-09 18:58:09.722", + "updatedAt": "2026-04-09 18:58:09.722" + }, + { + "id": "frk_rq_69d7f6c33da8c8699a30e69a", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "The entity tests recovery plan procedures supporting system recovery to meet its objectives.", + "description": "The organization has documented policies and procedures establishing guidelines for continuing business operations, contingency planning, and disaster recovery, including regular backups of all relevant user and system data to meet defined recovery-time and recovery-point objectives with periodic verification of backup media reliability and data integrity; comprehensive disaster-recovery guidelines that define roles, responsibilities, and procedures to sustain operations during disruptions or security incidents; and scheduled tests and exercises of the contingency plan to assess its effectiveness and the organization’s readiness to execute recovery processes. Together, these integrated controls ensure that customer-facing services can be restored promptly and reliably following any interruption.", + "identifier": "A1.3", + "createdAt": "2026-04-09 18:58:10.573", + "updatedAt": "2026-04-09 18:58:10.573" + }, + { + "id": "frk_rq_69d7f6c4333b851266824b47", + "frameworkId": "frk_69d7e513446cc6e0376edf60", + "name": "To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.", + "description": "The organization has documented a set of policies and procedures that establish expected behavior with regard to the Company, including policies and procedures for vulnerability management. Senior Management segregates responsibilities and duties across the organization to mitigate risks to the services provided to its customers through comprehensive monitoring and threat detection controls, including: implementing methods to continuously monitor critical assets to generate capacity alerts ensuring optimal performance, meeting future capacity requirements, and protecting against denial-of-service attacks; identifying vulnerabilities on the Company platform through regular vulnerability scan execution; configuring infrastructure to generate audit events for security-related actions of interest on all critical systems and to review and analyze audit events to detect anomalous or suspicious activity and threats; and tracking all vulnerabilities with remediation according to defined vulnerability management policies and procedures, thereby maintaining systematic security monitoring governance to ensure comprehensive protection of customer service delivery through proactive threat detection and response capabilities.", + "identifier": "CC7.1", + "createdAt": "2026-04-09 18:58:11.514", + "updatedAt": "2026-04-09 18:58:11.514" + }, + { + "id": "frk_rq_69dcfe7d2e55a7bd0d38374e", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Processes and mechanisms for managing all components of network security controls (NSCs) are documented, kept current, and operational.", + "description": "Network security policy; NSC configuration standards; version history; review sign-offs", + "identifier": "1.1.1", + "createdAt": "2026-04-13 14:32:28.524", + "updatedAt": "2026-04-13 14:32:28.524" + }, + { + "id": "frk_rq_69dcfe7e9c17b826488010fc", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Roles and responsibilities for performing activities under Requirement 1 are documented, assigned, and understood.", + "description": "RACI or responsibility matrix; job descriptions; signed acknowledgment records", + "identifier": "1.1.2", + "createdAt": "2026-04-13 14:32:29.580", + "updatedAt": "2026-04-13 14:32:29.580" + }, + { + "id": "frk_rq_69dcfe7fd9e733b180b8ff84", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Configuration standards for NSCs address all applicable security risks.", + "description": "NSC configuration standards; approved rule-set templates; risk justification records", + "identifier": "1.2.1", + "createdAt": "2026-04-13 14:32:30.635", + "updatedAt": "2026-04-13 14:32:30.635" + }, + { + "id": "frk_rq_69dcfee58e52a2062649dacd", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "All permitted services, protocols, and ports are identified, approved, and have a defined business justification.", + "description": "Approved services/ports/protocols list; firewall rule justification log; change management tickets", + "identifier": "1.2.2", + "createdAt": "2026-04-13 14:34:13.247", + "updatedAt": "2026-04-13 14:34:13.247" + }, + { + "id": "frk_rq_69dcfee61935b50ba3d0a22c", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "An accurate network diagram showing all CDE connections to other networks is maintained and current.", + "description": "Network diagram(s) with date; CDE boundary clearly marked; connection inventory", + "identifier": "1.2.3", + "createdAt": "2026-04-13 14:34:14.210", + "updatedAt": "2026-04-13 14:34:14.210" + }, + { + "id": "frk_rq_69dcfee70753501e66c6e02b", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "An accurate data-flow diagram showing all account data flows across systems and networks is maintained.", + "description": "Data-flow diagram with CHD/SAD flows shown; review dates and approvals", + "identifier": "1.2.4", + "createdAt": "2026-04-13 14:34:15.194", + "updatedAt": "2026-04-13 14:34:15.194" + }, + { + "id": "frk_rq_69dcfee8e213a935800448c6", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "All services, protocols, and ports in use are reviewed at least every six months.", + "description": "Bi-annual review records; updated approved services list; reviewer sign-offs", + "identifier": "1.2.5", + "createdAt": "2026-04-13 14:34:16.131", + "updatedAt": "2026-04-13 14:34:16.131" + }, + { + "id": "frk_rq_69dcfee943bdcd3eef5178b1", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Security features are defined and implemented for all insecure services, protocols, or ports in use.", + "description": "Insecure protocol register; compensating controls documentation; TLS/SSH version configs", + "identifier": "1.2.6", + "createdAt": "2026-04-13 14:34:17.059", + "updatedAt": "2026-04-13 14:34:17.059" + }, + { + "id": "frk_rq_69dcfeea714798633b651170", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "NSC configurations are reviewed at least every six months to confirm they are relevant and effective.", + "description": "Bi-annual config review logs; review checklist; approver sign-offs", + "identifier": "1.2.7", + "createdAt": "2026-04-13 14:34:17.978", + "updatedAt": "2026-04-13 14:34:17.978" + }, + { + "id": "frk_rq_69dcfeeb2ca10880083b7f82", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "NSC configuration files are protected from unauthorized access and kept consistent with active network configurations.", + "description": "Access controls on config files; FIM alerts; change management records comparing backup to live", + "identifier": "1.2.8", + "createdAt": "2026-04-13 14:34:19.010", + "updatedAt": "2026-04-13 14:34:19.010" + }, + { + "id": "frk_rq_69dcfeec0b624eb54eb28e89", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Network and data-flow diagrams are kept current, reviewed at least every 12 months or on significant change.", + "description": "12-month or on-change review evidence; version history; change-triggered update records", + "identifier": "1.2.9", + "createdAt": "2026-04-13 14:34:19.935", + "updatedAt": "2026-04-13 14:34:19.935" + }, + { + "id": "frk_rq_69dcfeedbe961b4ad3875add", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "All connections between the CDE and third-party/cloud environments are documented and reviewed.", + "description": "Third-party connection register; cloud connectivity documentation; approved connection records", + "identifier": "1.2.10", + "createdAt": "2026-04-13 14:34:20.949", + "updatedAt": "2026-04-13 14:34:20.949" + }, + { + "id": "frk_rq_69dcfeeecdf5ed81b9692fa2", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Inbound traffic to the CDE is restricted to only traffic that is necessary.", + "description": "Firewall inbound rule-set; deny-all default rule evidence; approved inbound service list", + "identifier": "1.3.1", + "createdAt": "2026-04-13 14:34:21.866", + "updatedAt": "2026-04-13 14:34:21.866" + }, + { + "id": "frk_rq_69dcfeef48700ce37f4b36ee", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Outbound traffic from the CDE is restricted to only traffic that is necessary.", + "description": "Firewall outbound rule-set; egress filtering policy; approved outbound service list", + "identifier": "1.3.2", + "createdAt": "2026-04-13 14:34:22.802", + "updatedAt": "2026-04-13 14:34:22.802" + }, + { + "id": "frk_rq_69dcfef0b5a41febaa878746", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "NSCs are installed between all wireless networks and the CDE.", + "description": "Network diagram showing wireless/CDE segmentation; wireless NSC config; segmentation test results", + "identifier": "1.3.3", + "createdAt": "2026-04-13 14:34:23.714", + "updatedAt": "2026-04-13 14:34:23.714" + }, + { + "id": "frk_rq_69dcfef554c52d0a4e141e26", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Security controls are implemented on devices that connect to both untrusted networks and the CDE.", + "description": "MDM policy; endpoint firewall config; split-tunneling policy; VPN configuration", + "identifier": "1.5.1", + "createdAt": "2026-04-13 14:34:29.202", + "updatedAt": "2026-04-13 14:34:29.202" + }, + { + "id": "frk_rq_69dcfef8b4c232559209d742", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Configuration standards are developed, implemented, and kept current for all system components.", + "description": "Hardening standards (CIS Benchmarks or equivalent); applicability matrix per OS/platform; version history", + "identifier": "2.2.1", + "createdAt": "2026-04-13 14:34:31.969", + "updatedAt": "2026-04-13 14:34:31.969" + }, + { + "id": "frk_rq_69dcfefc580593304a75c2a0", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "If insecure services, protocols, or daemons are present, business justification is documented and additional security features are implemented.", + "description": "Insecure service register; business justification records; compensating control documentation", + "identifier": "2.2.5", + "createdAt": "2026-04-13 14:34:35.725", + "updatedAt": "2026-04-13 14:34:35.725" + }, + { + "id": "frk_rq_69dcff02f9ade221fa118fbb", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Account data storage is minimized via a data retention and disposal policy covering all stored account data.", + "description": "Data retention policy; data discovery scan results; disposal records; data minimization guidelines", + "identifier": "3.2.1", + "createdAt": "2026-04-13 14:34:42.216", + "updatedAt": "2026-04-13 14:34:42.216" + }, + { + "id": "frk_rq_69dcff035133fef9160ef01e", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "SAD (full track data, CVV2, PIN) is not retained after authorization is complete.", + "description": "Data discovery scan results showing no SAD post-auth; application data flow documentation; purge logs", + "identifier": "3.3.1", + "createdAt": "2026-04-13 14:34:43.123", + "updatedAt": "2026-04-13 14:34:43.123" + }, + { + "id": "frk_rq_69dcff0462ae94b7a97d2d2e", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "SAD stored prior to authorization completion is encrypted using strong cryptography.", + "description": "Encryption implementation documentation; key management records; application architecture showing pre-auth SAD handling", + "identifier": "3.3.2", + "createdAt": "2026-04-13 14:34:44.028", + "updatedAt": "2026-04-13 14:34:44.028" + }, + { + "id": "frk_rq_69dcff06faa8fa63e5c02dfd", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Technical controls prevent copy or relocation of PAN when using remote-access technologies.", + "description": "Remote access policy; clipboard restriction config (VDI/DLP); screen capture prevention settings", + "identifier": "3.4.2", + "createdAt": "2026-04-13 14:34:45.893", + "updatedAt": "2026-04-13 14:34:45.893" + }, + { + "id": "frk_rq_69dcff0747513fb4a06145e7", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "PAN is secured via strong one-way hashes, truncation, index tokens, or strong cryptography wherever it is stored.", + "description": "Data protection implementation doc; encryption or tokenization design; key management records", + "identifier": "3.5.1", + "createdAt": "2026-04-13 14:34:46.811", + "updatedAt": "2026-04-13 14:34:46.811" + }, + { + "id": "frk_rq_69dcfef6b0e7be6f8e62f448", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Processes and mechanisms for applying secure configurations to all components are documented, current, and in use.", + "description": "Configuration hardening policy; secure baseline standards; version history", + "identifier": "2.1.1", + "createdAt": "2026-04-13 14:34:30.140", + "updatedAt": "2026-04-13 14:34:30.140" + }, + { + "id": "frk_rq_69dcfef70c971c9098bf6e14", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Roles and responsibilities for activities under Requirement 2 are documented, assigned, and understood.", + "description": "RACI or job descriptions; signed acknowledgments", + "identifier": "2.1.2", + "createdAt": "2026-04-13 14:34:31.041", + "updatedAt": "2026-04-13 14:34:31.041" + }, + { + "id": "frk_rq_69dcfef9fc8be55124e1ce08", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Vendor default accounts are managed: unused defaults removed or disabled; passwords changed before installation.", + "description": "Default account inventory; commissioning checklist; change records confirming default credential changes", + "identifier": "2.2.2", + "createdAt": "2026-04-13 14:34:32.883", + "updatedAt": "2026-04-13 14:34:32.883" + }, + { + "id": "frk_rq_69dcfefaf0ce72126bd10d60", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "All non-console administrative access is encrypted using strong cryptography.", + "description": "SSH/TLS configuration; disabled Telnet/plain HTTP configs; admin access method documentation", + "identifier": "2.2.3", + "createdAt": "2026-04-13 14:34:33.817", + "updatedAt": "2026-04-13 14:34:33.817" + }, + { + "id": "frk_rq_69dcfefb1b23d778e3f0f70c", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Only necessary services, protocols, daemons, and functions are enabled on system components.", + "description": "Baseline OS build spec; enabled services list; port scans of in-scope systems", + "identifier": "2.2.4", + "createdAt": "2026-04-13 14:34:34.752", + "updatedAt": "2026-04-13 14:34:34.752" + }, + { + "id": "frk_rq_69dcfefd004ff3cd6e459921", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "System security parameters are configured to prevent misuse.", + "description": "System hardening configs; CIS benchmark scan results; SIEM security parameter alerts", + "identifier": "2.2.6", + "createdAt": "2026-04-13 14:34:36.680", + "updatedAt": "2026-04-13 14:34:36.680" + }, + { + "id": "frk_rq_69dcfefe7539265b071b130b", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "All non-console administrative access is encrypted using strong cryptography.", + "description": "SSH/HTTPS admin access configs; certificate management records", + "identifier": "2.2.7", + "createdAt": "2026-04-13 14:34:37.591", + "updatedAt": "2026-04-13 14:34:37.591" + }, + { + "id": "frk_rq_69dcfeff9f3ac4d37add4ab0", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "For wireless environments connected to or transmitting account data, all wireless vendor defaults are changed at installation.", + "description": "Wireless device commissioning checklist; SSID naming; WPA2/3 config; default password change records", + "identifier": "2.3.1", + "createdAt": "2026-04-13 14:34:38.527", + "updatedAt": "2026-04-13 14:34:38.527" + }, + { + "id": "frk_rq_69dcfeffce3d8f57d4eadd06", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "For wireless environments connected to the CDE, wireless encryption keys are changed on personnel departure and at least every 12 months.", + "description": "Key rotation policy; change records for wireless keys; departure checklist including key rotation", + "identifier": "2.3.2", + "createdAt": "2026-04-13 14:34:39.420", + "updatedAt": "2026-04-13 14:34:39.420" + }, + { + "id": "frk_rq_69dcff004d2e6d95f036ac58", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Processes and mechanisms for protecting stored account data are documented, current, and in use.", + "description": "Data protection policy; data retention/disposal policy; version history", + "identifier": "3.1.1", + "createdAt": "2026-04-13 14:34:40.324", + "updatedAt": "2026-04-13 14:34:40.324" + }, + { + "id": "frk_rq_69dcff01d0e636be71476447", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Roles and responsibilities for activities under Requirement 3 are documented, assigned, and understood.", + "description": "RACI; job descriptions; signed acknowledgments", + "identifier": "3.1.2", + "createdAt": "2026-04-13 14:34:41.295", + "updatedAt": "2026-04-13 14:34:41.295" + }, + { + "id": "frk_rq_69dcff05530220c5959ec50c", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Full PAN is only displayed to those with a legitimate business need; masking is used otherwise (minimum first 6 / last 4 digits).", + "description": "Application screenshots showing PAN masking; display policy; role-based access logs", + "identifier": "3.4.1", + "createdAt": "2026-04-13 14:34:44.947", + "updatedAt": "2026-04-13 14:34:44.947" + }, + { + "id": "frk_rq_69dcff084dcf233d1ca149b9", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Hashes used to render PAN unreadable are keyed cryptographic hashes (HMAC) of the entire PAN.", + "description": "Hash implementation documentation; algorithm specification (HMAC-SHA256 or equivalent)", + "identifier": "3.5.1.1", + "createdAt": "2026-04-13 14:34:47.744", + "updatedAt": "2026-04-13 14:34:47.744" + }, + { + "id": "frk_rq_69dcff091f650503a28195a1", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "If disk-level or partition-level encryption is used to render PAN unreadable, it is only applied to removable electronic media.", + "description": "Encryption implementation records; media inventory; OS encryption documentation", + "identifier": "3.5.1.2", + "createdAt": "2026-04-13 14:34:48.732", + "updatedAt": "2026-04-13 14:34:48.732" + }, + { + "id": "frk_rq_69dcff0aa9d13acc126b2de8", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "If disk-level or partition-level encryption is used, logical access must be managed separately from native OS authentication.", + "description": "Access control documentation for encrypted media; separate credential management records", + "identifier": "3.5.1.3", + "createdAt": "2026-04-13 14:34:49.638", + "updatedAt": "2026-04-13 14:34:49.638" + }, + { + "id": "frk_rq_69dcff0b6928a6e5169089f5", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Procedures and processes for protecting cryptographic keys used to protect stored account data are documented and implemented.", + "description": "Key management policy; key custodian assignment records; key ceremony documentation", + "identifier": "3.6.1", + "createdAt": "2026-04-13 14:34:50.593", + "updatedAt": "2026-04-13 14:34:50.593" + }, + { + "id": "frk_rq_69dcff0c1dc0b5e7a8bb40b9", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "A documented description of the cryptographic architecture is maintained, including all algorithms, protocols, and keys in use.", + "description": "Cryptographic inventory / architecture document; algorithm register; key inventory", + "identifier": "3.6.1.1", + "createdAt": "2026-04-13 14:34:51.525", + "updatedAt": "2026-04-13 14:34:51.525" + }, + { + "id": "frk_rq_69dcff0c6466103e02fdec19", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Secret and private keys used to protect stored account data are stored in secure forms at all times.", + "description": "Key storage implementation records (HSM, encrypted key store); key wrapping documentation", + "identifier": "3.6.1.2", + "createdAt": "2026-04-13 14:34:52.442", + "updatedAt": "2026-04-13 14:34:52.442" + }, + { + "id": "frk_rq_69dcff0d6ba2d210146b7e0b", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Access to cleartext cryptographic key-encrypting keys is restricted to the fewest custodians necessary.", + "description": "Key custodian list; access control records for key-encrypting keys; dual-control evidence", + "identifier": "3.6.1.3", + "createdAt": "2026-04-13 14:34:53.358", + "updatedAt": "2026-04-13 14:34:53.358" + }, + { + "id": "frk_rq_69dcff0edfa877f8fd59e4fa", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Cryptographic keys are stored in the fewest possible locations.", + "description": "Key location inventory; key storage policy", + "identifier": "3.6.1.4", + "createdAt": "2026-04-13 14:34:54.320", + "updatedAt": "2026-04-13 14:34:54.320" + }, + { + "id": "frk_rq_69dcff0ff6667eeb439ac92d", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Key management policies cover generation of strong cryptographic keys.", + "description": "Key generation policy; algorithm and key-length specifications (AES-256, RSA-2048+)", + "identifier": "3.7.1", + "createdAt": "2026-04-13 14:34:55.302", + "updatedAt": "2026-04-13 14:34:55.302" + }, + { + "id": "frk_rq_69dcff1079df11c41407d594", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Key management policies cover secure distribution of cryptographic keys.", + "description": "Key distribution procedure; secure channel documentation (key ceremony, HSM transfer)", + "identifier": "3.7.2", + "createdAt": "2026-04-13 14:34:56.214", + "updatedAt": "2026-04-13 14:34:56.214" + }, + { + "id": "frk_rq_69dcff1171ddc363fe1163fd", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Key management policies cover secure storage of cryptographic keys.", + "description": "Key storage policy; HSM or encrypted key store configuration", + "identifier": "3.7.3", + "createdAt": "2026-04-13 14:34:57.110", + "updatedAt": "2026-04-13 14:34:57.110" + }, + { + "id": "frk_rq_69dcff12f1a473ff1c537988", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Key management policies cover key changes at the end of each cryptoperiod.", + "description": "Cryptoperiod policy; key rotation schedule; rotation completion records", + "identifier": "3.7.4", + "createdAt": "2026-04-13 14:34:58.028", + "updatedAt": "2026-04-13 14:34:58.028" + }, + { + "id": "frk_rq_69dcff1303e257a95fbe5049", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Key management policies cover retirement or replacement of keys.", + "description": "Key retirement procedure; decommission records; key archival policy", + "identifier": "3.7.5", + "createdAt": "2026-04-13 14:34:58.984", + "updatedAt": "2026-04-13 14:34:58.984" + }, + { + "id": "frk_rq_69dcff140e07cd3e7afa53e8", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Manual clear-text cryptographic key-management operations are managed using split knowledge and dual control.", + "description": "Split knowledge and dual control policy; key ceremony records; custodian sign-off logs", + "identifier": "3.7.6", + "createdAt": "2026-04-13 14:34:59.926", + "updatedAt": "2026-04-13 14:34:59.926" + }, + { + "id": "frk_rq_69dcff15b5e8ee31c7093b64", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Unauthorized substitution of cryptographic keys is prevented.", + "description": "Key integrity verification procedures; FIM or key attestation records", + "identifier": "3.7.7", + "createdAt": "2026-04-13 14:35:00.855", + "updatedAt": "2026-04-13 14:35:00.855" + }, + { + "id": "frk_rq_69dcff1629621152913d7324", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Key custodians formally acknowledge their key-custodian responsibilities.", + "description": "Signed key-custodian agreements; training records; acknowledgment logs", + "identifier": "3.7.8", + "createdAt": "2026-04-13 14:35:01.845", + "updatedAt": "2026-04-13 14:35:01.845" + }, + { + "id": "frk_rq_69dcff177062f35e09be9e5c", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Processes and mechanisms for protecting account data in transit are documented, current, and in use.", + "description": "Encryption in transit policy; TLS standards documentation; version history", + "identifier": "4.1.1", + "createdAt": "2026-04-13 14:35:02.883", + "updatedAt": "2026-04-13 14:35:02.883" + }, + { + "id": "frk_rq_69dcff1881e1bebb12a5c6eb", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Roles and responsibilities for activities under Requirement 4 are documented, assigned, and understood.", + "description": "RACI or job descriptions; signed acknowledgments", + "identifier": "4.1.2", + "createdAt": "2026-04-13 14:35:03.790", + "updatedAt": "2026-04-13 14:35:03.790" + }, + { + "id": "frk_rq_69dcff1a165baf0394644b51", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "An inventory of all trusted keys and certificates used to protect PAN in transit is maintained.", + "description": "Certificate/key inventory with purpose, issuer, expiry, and renewal schedule", + "identifier": "4.2.1.1", + "createdAt": "2026-04-13 14:35:05.701", + "updatedAt": "2026-04-13 14:35:05.701" + }, + { + "id": "frk_rq_69dcff1cb3c3a0c1bcf6346b", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "PAN is secured with strong cryptography whenever sent via end-user messaging technologies (email, SMS, chat).", + "description": "Email DLP policy; secure messaging platform configs; DLP incident records for unencrypted PAN", + "identifier": "4.2.2", + "createdAt": "2026-04-13 14:35:07.603", + "updatedAt": "2026-04-13 14:35:07.603" + }, + { + "id": "frk_rq_69dcff1d859fd998bac7948e", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Processes and mechanisms for protecting all systems against malware are documented, current, and in use.", + "description": "Anti-malware policy; endpoint protection standard; version history", + "identifier": "5.1.1", + "createdAt": "2026-04-13 14:35:08.529", + "updatedAt": "2026-04-13 14:35:08.529" + }, + { + "id": "frk_rq_69dcff1d6e8e06f38769eb37", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Roles and responsibilities for activities under Requirement 5 are documented, assigned, and understood.", + "description": "RACI or job descriptions; signed acknowledgments", + "identifier": "5.1.2", + "createdAt": "2026-04-13 14:35:09.474", + "updatedAt": "2026-04-13 14:35:09.474" + }, + { + "id": "frk_rq_69dcff1f913a3851412e6152", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Anti-malware solutions detect known types of malware and protect against or address the effects of malware.", + "description": "AV/EDR product capabilities documentation; scan logs; quarantine/block records", + "identifier": "5.2.2", + "createdAt": "2026-04-13 14:35:11.323", + "updatedAt": "2026-04-13 14:35:11.323" + }, + { + "id": "frk_rq_69dcff20b57ba3362e33b03b", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Systems not at risk from malware are evaluated periodically to confirm that the risk assessment remains accurate.", + "description": "Low-risk exception records; periodic review schedule; updated risk assessments", + "identifier": "5.2.3", + "createdAt": "2026-04-13 14:35:12.322", + "updatedAt": "2026-04-13 14:35:12.322" + }, + { + "id": "frk_rq_69dcff25f930412d8f4a7fdc", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Anti-malware mechanisms cannot be disabled or altered by users.", + "description": "Endpoint protection tamper-protection configuration; admin-only access controls; policy enforcement logs", + "identifier": "5.3.3", + "createdAt": "2026-04-13 14:35:17.151", + "updatedAt": "2026-04-13 14:35:17.151" + }, + { + "id": "frk_rq_69dcff26e497c0d93bb8b841", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Anti-malware solution logs are retained and available for review.", + "description": "AV/EDR log retention policy; SIEM forwarding configuration; log samples", + "identifier": "5.3.4", + "createdAt": "2026-04-13 14:35:18.102", + "updatedAt": "2026-04-13 14:35:18.102" + }, + { + "id": "frk_rq_69dcff276033713e3105e596", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Anti-malware solution(s) cannot be disabled or altered without documented exceptions with management approval.", + "description": "Exception records with management approval; temporary disable logs; reactivation evidence", + "identifier": "5.3.5", + "createdAt": "2026-04-13 14:35:19.023", + "updatedAt": "2026-04-13 14:35:19.023" + }, + { + "id": "frk_rq_69dcff2905d5e8bf0f39d088", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Processes and mechanisms for developing and maintaining secure systems and software are documented, current, and in use.", + "description": "SDLC policy; secure coding standards; version history", + "identifier": "6.1.1", + "createdAt": "2026-04-13 14:35:20.866", + "updatedAt": "2026-04-13 14:35:20.866" + }, + { + "id": "frk_rq_69dcff19a50ef3f4cc515dba", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Strong cryptography is used to safeguard PAN during transmission over open, public networks.", + "description": "TLS configuration extracts (nginx/Apache/load balancer); Qualys SSL Labs or equivalent scan results; cipher suite documentation", + "identifier": "4.2.1", + "createdAt": "2026-04-13 14:35:04.779", + "updatedAt": "2026-04-13 14:35:04.779" + }, + { + "id": "frk_rq_69dcff1b3c019806a66495aa", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Certificates used for PAN transmission are confirmed as valid and not expired.", + "description": "Certificate monitoring tool alerts; current certificate status report; renewal records", + "identifier": "4.2.1.2", + "createdAt": "2026-04-13 14:35:06.635", + "updatedAt": "2026-04-13 14:35:06.635" + }, + { + "id": "frk_rq_69dcff1eb2e612067cc06689", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "An anti-malware solution is deployed on all system components, except those confirmed as low-risk via periodic evaluation.", + "description": "AV/EDR deployment report; system inventory with protection status; exception register with risk evaluations", + "identifier": "5.2.1", + "createdAt": "2026-04-13 14:35:10.398", + "updatedAt": "2026-04-13 14:35:10.398" + }, + { + "id": "frk_rq_69dcff2178ae451953e6ccad", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "The frequency of periodic evaluations of systems not at risk from malware is defined in the entity's targeted risk analysis.", + "description": "Risk analysis document; defined evaluation frequency; approval records", + "identifier": "5.2.3.1", + "createdAt": "2026-04-13 14:35:13.248", + "updatedAt": "2026-04-13 14:35:13.248" + }, + { + "id": "frk_rq_69dcff22146c8825df44cba4", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Anti-malware solution(s) are kept current via automatic updates.", + "description": "AV/EDR update configuration; update logs showing recent definition/version updates", + "identifier": "5.3.1", + "createdAt": "2026-04-13 14:35:14.186", + "updatedAt": "2026-04-13 14:35:14.186" + }, + { + "id": "frk_rq_69dcff23517e30660b32e82a", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Anti-malware solution(s) perform periodic scans and active/real-time scanning.", + "description": "Scheduled scan configuration; scan completion logs; real-time protection status", + "identifier": "5.3.2", + "createdAt": "2026-04-13 14:35:15.109", + "updatedAt": "2026-04-13 14:35:15.109" + }, + { + "id": "frk_rq_69dcff249c8cac39dc053355", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "If periodic malware scans are performed, the frequency is defined in the entity's targeted risk analysis.", + "description": "Risk analysis with defined scan frequency; scan schedule documentation; approval records", + "identifier": "5.3.2.1", + "createdAt": "2026-04-13 14:35:16.127", + "updatedAt": "2026-04-13 14:35:16.127" + }, + { + "id": "frk_rq_69dcff287f85466efc21f5ef", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Processes and automated mechanisms are in place to detect and protect against phishing attacks.", + "description": "Email security gateway config; anti-phishing tool configuration; user awareness training records; phishing simulation results", + "identifier": "5.4.1", + "createdAt": "2026-04-13 14:35:19.958", + "updatedAt": "2026-04-13 14:35:19.958" + }, + { + "id": "frk_rq_69dcff2a6b628ffc40d594cb", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Roles and responsibilities for activities under Requirement 6 are documented, assigned, and understood.", + "description": "RACI or job descriptions; signed acknowledgments", + "identifier": "6.1.2", + "createdAt": "2026-04-13 14:35:21.802", + "updatedAt": "2026-04-13 14:35:21.802" + }, + { + "id": "frk_rq_69dcff2bdb1b55a1c3806a0f", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Bespoke and custom software are developed securely by following secure coding guidelines.", + "description": "Secure coding standards document referencing OWASP or equivalent; developer training records; code review policy", + "identifier": "6.2.1", + "createdAt": "2026-04-13 14:35:22.918", + "updatedAt": "2026-04-13 14:35:22.918" + }, + { + "id": "frk_rq_69dcff2cc3942cb41ecd6889", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Software development personnel working on bespoke/custom software are trained in secure coding techniques at least annually.", + "description": "Annual training records; training curriculum; completion certificates", + "identifier": "6.2.2", + "createdAt": "2026-04-13 14:35:23.854", + "updatedAt": "2026-04-13 14:35:23.854" + }, + { + "id": "frk_rq_69dcff2de69d0de80dc895c7", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Bespoke and custom software is reviewed prior to release to identify and remediate potential vulnerabilities.", + "description": "Code review records; SAST/DAST scan results; peer review sign-offs; security gates in CI/CD pipeline", + "identifier": "6.2.3", + "createdAt": "2026-04-13 14:35:25.378", + "updatedAt": "2026-04-13 14:35:25.378" + }, + { + "id": "frk_rq_69dcff2e1bf5bf4be8c2b03e", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "If manual code reviews are performed, code changes are reviewed by someone other than the originating developer.", + "description": "Code review records showing reviewer ≠ author; peer review policy; ticketing system evidence", + "identifier": "6.2.3.1", + "createdAt": "2026-04-13 14:35:26.302", + "updatedAt": "2026-04-13 14:35:26.302" + }, + { + "id": "frk_rq_69dcff2f9a128163f0f0394e", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Software engineering techniques or other methods are defined and in use to prevent or mitigate common software vulnerabilities.", + "description": "Secure coding checklist; SAST/DAST tool configuration; OWASP Top 10 coverage; vulnerability management records", + "identifier": "6.2.4", + "createdAt": "2026-04-13 14:35:27.287", + "updatedAt": "2026-04-13 14:35:27.287" + }, + { + "id": "frk_rq_69dcff307f0939472c98b0d8", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Security vulnerabilities are identified and managed via a process that includes subscribing to reputable security vulnerability information sources.", + "description": "Threat intel subscriptions (NVD, CISA KEV, vendor advisories); vulnerability management policy; patch management records", + "identifier": "6.3.1", + "createdAt": "2026-04-13 14:35:28.207", + "updatedAt": "2026-04-13 14:35:28.207" + }, + { + "id": "frk_rq_69dcff313299b5055bf4a37a", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "An inventory of bespoke and custom software is maintained to facilitate vulnerability and patch management.", + "description": "Software inventory with version numbers; SBOM where applicable; update tracking records", + "identifier": "6.3.2", + "createdAt": "2026-04-13 14:35:29.133", + "updatedAt": "2026-04-13 14:35:29.133" + }, + { + "id": "frk_rq_69dcff32217541c6335876d7", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "All system components are protected from known vulnerabilities by installing applicable security patches/updates.", + "description": "Patch management policy with SLAs (critical: 1 month per v4.0.1); patch status reports; exception register", + "identifier": "6.3.3", + "createdAt": "2026-04-13 14:35:30.048", + "updatedAt": "2026-04-13 14:35:30.048" + }, + { + "id": "frk_rq_69dcff33b8e68177611c33de", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Public-facing web applications are protected against attacks.", + "description": "WAF deployment records; WAF policy; penetration test report covering web apps; DAST scan results", + "identifier": "6.4.1", + "createdAt": "2026-04-13 14:35:30.964", + "updatedAt": "2026-04-13 14:35:30.964" + }, + { + "id": "frk_rq_69dcff34a4d5d4d838e9354d", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "An automated technical solution that detects and prevents web-based attacks is deployed for public-facing web applications.", + "description": "WAF configuration; rule set; blocking mode configuration; false-positive management records", + "identifier": "6.4.2", + "createdAt": "2026-04-13 14:35:31.918", + "updatedAt": "2026-04-13 14:35:31.918" + }, + { + "id": "frk_rq_69dcff35ebe7f0f919be1220", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "All payment page scripts loaded and executed in the consumer's browser are managed.", + "description": "Payment page script inventory; script authorization records; SRI (subresource integrity) hashes; CSP headers; change management records", + "identifier": "6.4.3", + "createdAt": "2026-04-13 14:35:32.844", + "updatedAt": "2026-04-13 14:35:32.844" + }, + { + "id": "frk_rq_69dcff36a0de7399adf64cb1", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Changes to system components are made according to a defined change-control process.", + "description": "Change management policy; change tickets; CAB records; emergency change procedures", + "identifier": "6.5.1", + "createdAt": "2026-04-13 14:35:33.820", + "updatedAt": "2026-04-13 14:35:33.820" + }, + { + "id": "frk_rq_69dcff3772ddda25fa510528", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "After a change, all applicable PCI DSS requirements are confirmed to be in place and newly identified vulnerabilities are addressed.", + "description": "Post-change verification checklists; re-test records; security sign-off on changes", + "identifier": "6.5.2", + "createdAt": "2026-04-13 14:35:34.732", + "updatedAt": "2026-04-13 14:35:34.732" + }, + { + "id": "frk_rq_69dcff38d92835591f6d33e1", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Pre-production environments are separate from production and the separation is enforced with access controls.", + "description": "Environment architecture documentation; access control records showing dev/test vs. prod separation", + "identifier": "6.5.3", + "createdAt": "2026-04-13 14:35:35.682", + "updatedAt": "2026-04-13 14:35:35.682" + }, + { + "id": "frk_rq_69dcff39f841d3b959277a95", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Roles and functions are separated between production and development/test environments.", + "description": "Role assignment records; access control matrix showing separation of duties", + "identifier": "6.5.4", + "createdAt": "2026-04-13 14:35:36.596", + "updatedAt": "2026-04-13 14:35:36.596" + }, + { + "id": "frk_rq_69dcff3a4e59825c6b2bf8a4", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Live PANs are not used in pre-production environments except where those environments are within the CDE scope.", + "description": "Data masking policy; pre-production data management records; masking tool usage logs", + "identifier": "6.5.5", + "createdAt": "2026-04-13 14:35:37.506", + "updatedAt": "2026-04-13 14:35:37.506" + }, + { + "id": "frk_rq_69dcff3a6999fa45c9973ba1", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Test data and accounts are removed before production systems become active.", + "description": "Production launch checklist requiring removal of test accounts/data; production readiness review records", + "identifier": "6.5.6", + "createdAt": "2026-04-13 14:35:38.447", + "updatedAt": "2026-04-13 14:35:38.447" + }, + { + "id": "frk_rq_69dcff3bd6eab0cabf8e5143", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Processes and mechanisms for restricting access to system components and cardholder data are documented, current, and in use.", + "description": "Access control policy; business-need-to-know policy; version history", + "identifier": "7.1.1", + "createdAt": "2026-04-13 14:35:39.424", + "updatedAt": "2026-04-13 14:35:39.424" + }, + { + "id": "frk_rq_69dcff3f412d52f5b06ca705", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Required privileges are approved by authorized personnel.", + "description": "Access request tickets with management approval; provisioning workflow records", + "identifier": "7.2.3", + "createdAt": "2026-04-13 14:35:43.304", + "updatedAt": "2026-04-13 14:35:43.304" + }, + { + "id": "frk_rq_69dcff41955f84ea0e563041", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "All application and system accounts and related access privileges are assigned and managed per least privilege.", + "description": "Service account inventory; access rights per service account; approval records", + "identifier": "7.2.5", + "createdAt": "2026-04-13 14:35:45.215", + "updatedAt": "2026-04-13 14:35:45.215" + }, + { + "id": "frk_rq_69dcff42de2711fed58334d5", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "All application and system accounts and related access rights are reviewed at least once every six months.", + "description": "Semi-annual service account review records; sign-offs; remediation records", + "identifier": "7.2.5.1", + "createdAt": "2026-04-13 14:35:46.157", + "updatedAt": "2026-04-13 14:35:46.157" + }, + { + "id": "frk_rq_69dcff43e91cb5685c511c93", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "All user access to query repositories of stored cardholder data is restricted to the minimum necessary.", + "description": "Database access control records; query access logs; RBAC for database access", + "identifier": "7.2.6", + "createdAt": "2026-04-13 14:35:47.074", + "updatedAt": "2026-04-13 14:35:47.074" + }, + { + "id": "frk_rq_69dcff454540cdc67ec5cc55", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "All access to system components and cardholder data is assigned and managed via an access control system.", + "description": "IAM system documentation; access provisioning workflow; access control system configuration", + "identifier": "7.3.1", + "createdAt": "2026-04-13 14:35:48.557", + "updatedAt": "2026-04-13 14:35:48.557" + }, + { + "id": "frk_rq_69dcff4683b09426d28bd353", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "The access control system(s) are configured to enforce access control settings after each login request.", + "description": "IAM configuration; session control settings; re-authentication settings", + "identifier": "7.3.2", + "createdAt": "2026-04-13 14:35:49.579", + "updatedAt": "2026-04-13 14:35:49.579" + }, + { + "id": "frk_rq_69dcff463d117670a150959e", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "The access control system(s) are set to 'deny all' by default.", + "description": "Default-deny configuration evidence; IAM policy documentation; rule precedence documentation", + "identifier": "7.3.3", + "createdAt": "2026-04-13 14:35:50.486", + "updatedAt": "2026-04-13 14:35:50.486" + }, + { + "id": "frk_rq_69dcff47dcbb3e7cf896a31f", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Processes and mechanisms for identifying and authenticating access are documented, current, and in use.", + "description": "Identity and access management policy; authentication standards; version history", + "identifier": "8.1.1", + "createdAt": "2026-04-13 14:35:51.399", + "updatedAt": "2026-04-13 14:35:51.399" + }, + { + "id": "frk_rq_69dcff4bb1fdf4c5a72375ce", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Addition, deletion, and modification of user IDs and authentication factors are managed per formal processes.", + "description": "User lifecycle management procedure; provisioning/deprovisioning tickets; JML process documentation", + "identifier": "8.2.4", + "createdAt": "2026-04-13 14:35:55.239", + "updatedAt": "2026-04-13 14:35:55.239" + }, + { + "id": "frk_rq_69dcff4deaf158a194b31651", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Inactive user accounts are removed or disabled within 90 days.", + "description": "Automated inactivity reports; 90-day review and disable records; IAM configuration showing 90-day threshold", + "identifier": "8.2.6", + "createdAt": "2026-04-13 14:35:57.168", + "updatedAt": "2026-04-13 14:35:57.168" + }, + { + "id": "frk_rq_69dcff580c8abb1ed5c36b09", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "MFA is implemented for all remote network access originating from outside the entity's network.", + "description": "VPN/remote access MFA configuration; remote access policy; authentication logs", + "identifier": "8.4.3", + "createdAt": "2026-04-13 14:36:08.178", + "updatedAt": "2026-04-13 14:36:08.178" + }, + { + "id": "frk_rq_69dcff59093f80b6b5f93ede", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "MFA systems are implemented securely to prevent MFA bypass.", + "description": "MFA system configuration; replay attack prevention; out-of-band channel configuration; no-bypass configuration", + "identifier": "8.5.1", + "createdAt": "2026-04-13 14:36:09.252", + "updatedAt": "2026-04-13 14:36:09.252" + }, + { + "id": "frk_rq_69dcff5a0689e9848805617c", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "If accounts used by systems or applications can be used for interactive login, they are managed and protected.", + "description": "Service account inventory; interactive login restriction policy; service account access logs", + "identifier": "8.6.1", + "createdAt": "2026-04-13 14:36:10.174", + "updatedAt": "2026-04-13 14:36:10.174" + }, + { + "id": "frk_rq_69dcff5c4e2e039756c30c04", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Passwords for any application and system accounts are protected against misuse.", + "description": "Secrets management policy; vault configuration; rotation schedule for service account credentials", + "identifier": "8.6.3", + "createdAt": "2026-04-13 14:36:12.106", + "updatedAt": "2026-04-13 14:36:12.106" + }, + { + "id": "frk_rq_69dcff5e675b23b53711e58a", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Roles and responsibilities for activities under Requirement 9 are documented, assigned, and understood.", + "description": "RACI or job descriptions; signed acknowledgments", + "identifier": "9.1.2", + "createdAt": "2026-04-13 14:36:13.938", + "updatedAt": "2026-04-13 14:36:13.938" + }, + { + "id": "frk_rq_69dcff5fdc280eb94be0039d", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Appropriate facility entry controls are in place to limit and monitor physical access to systems in the CDE.", + "description": "Access control system logs; badge reader configuration; CCTV records", + "identifier": "9.2.1", + "createdAt": "2026-04-13 14:36:14.846", + "updatedAt": "2026-04-13 14:36:14.846" + }, + { + "id": "frk_rq_69dcff60aaa239198fc1a3d0", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Individual physical access to sensitive areas within the CDE is monitored with video cameras or physical access control mechanisms.", + "description": "Camera coverage maps; access control log for sensitive areas; retention settings (minimum 3 months)", + "identifier": "9.2.1.1", + "createdAt": "2026-04-13 14:36:15.781", + "updatedAt": "2026-04-13 14:36:15.781" + }, + { + "id": "frk_rq_69dcff622b60baca6c5cb4cd", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Physical access to wireless APs, gateways, handheld devices, networking hardware, and telecom lines in the CDE is restricted.", + "description": "Physical security inventory for wireless/networking hardware; access restriction evidence (cages, cabinets)", + "identifier": "9.2.3", + "createdAt": "2026-04-13 14:36:17.622", + "updatedAt": "2026-04-13 14:36:17.622" + }, + { + "id": "frk_rq_69dcff63a09efbccfe305a95", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Access to consoles in sensitive areas is restricted via locking when not in use.", + "description": "Console lock policy; screen lock configuration; physical observation evidence", + "identifier": "9.2.4", + "createdAt": "2026-04-13 14:36:18.549", + "updatedAt": "2026-04-13 14:36:18.549" + }, + { + "id": "frk_rq_69dcff66b9c46103ddf77fd9", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "A visitor log is used to maintain a physical audit trail of visitor access.", + "description": "Visitor log (physical or electronic); log retention records (minimum 3 months)", + "identifier": "9.3.4", + "createdAt": "2026-04-13 14:36:22.342", + "updatedAt": "2026-04-13 14:36:22.342" + }, + { + "id": "frk_rq_69dcff696445afd56ff3c2e0", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "The security of offline media backup locations is reviewed at least annually.", + "description": "Annual security review records for off-site locations; review checklist; sign-offs", + "identifier": "9.4.1.2", + "createdAt": "2026-04-13 14:36:25.228", + "updatedAt": "2026-04-13 14:36:25.228" + }, + { + "id": "frk_rq_69dcff6b75060bf37b99db11", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Media with cardholder data sent outside the facility is secured.", + "description": "Media transport policy; tracked courier/secure transport records; chain of custody documentation", + "identifier": "9.4.3", + "createdAt": "2026-04-13 14:36:27.156", + "updatedAt": "2026-04-13 14:36:27.156" + }, + { + "id": "frk_rq_69dcff6cce53eb27962c728d", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Management approves all media with cardholder data moved outside the facility.", + "description": "Management approval records for media transfers; transport authorization logs", + "identifier": "9.4.4", + "createdAt": "2026-04-13 14:36:28.102", + "updatedAt": "2026-04-13 14:36:28.102" + }, + { + "id": "frk_rq_69dcff6f571248c093ade975", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Hard-copy materials with cardholder data are destroyed when no longer needed.", + "description": "Hard-copy destruction policy; cross-cut shredder records; secure bin usage; certificate of destruction", + "identifier": "9.4.6", + "createdAt": "2026-04-13 14:36:30.965", + "updatedAt": "2026-04-13 14:36:30.965" + }, + { + "id": "frk_rq_69dcff3c7b813604dd33848b", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Roles and responsibilities for activities under Requirement 7 are documented, assigned, and understood.", + "description": "RACI or job descriptions; signed acknowledgments", + "identifier": "7.1.2", + "createdAt": "2026-04-13 14:35:40.405", + "updatedAt": "2026-04-13 14:35:40.405" + }, + { + "id": "frk_rq_69dcff3d7eff2daf7d1eecb6", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "An access control model is defined and includes granting access based on least privilege and need-to-know.", + "description": "Access control model documentation; role definitions; least privilege policy", + "identifier": "7.2.1", + "createdAt": "2026-04-13 14:35:41.329", + "updatedAt": "2026-04-13 14:35:41.329" + }, + { + "id": "frk_rq_69dcff3ee7b85cd010d78dcc", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Access is assigned to users, including privileged users, based on job classification and function.", + "description": "RBAC matrix; user account provisioning records; job function documentation", + "identifier": "7.2.2", + "createdAt": "2026-04-13 14:35:42.270", + "updatedAt": "2026-04-13 14:35:42.270" + }, + { + "id": "frk_rq_69dcff408cc7a841ed94e038", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "All user accounts and access rights are reviewed at least once every six months.", + "description": "Semi-annual user access review records; reviewer sign-offs; remediation records for excess access", + "identifier": "7.2.4", + "createdAt": "2026-04-13 14:35:44.316", + "updatedAt": "2026-04-13 14:35:44.316" + }, + { + "id": "frk_rq_69dcff48933a909e70ec59f1", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Roles and responsibilities for activities under Requirement 8 are documented, assigned, and understood.", + "description": "RACI or job descriptions; signed acknowledgments", + "identifier": "8.1.2", + "createdAt": "2026-04-13 14:35:52.317", + "updatedAt": "2026-04-13 14:35:52.317" + }, + { + "id": "frk_rq_69dcff49428742555a80f331", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "All users are assigned a unique ID before allowing access to system components or cardholder data.", + "description": "User provisioning records; Active Directory/IAM user listing; no-shared-account policy", + "identifier": "8.2.1", + "createdAt": "2026-04-13 14:35:53.274", + "updatedAt": "2026-04-13 14:35:53.274" + }, + { + "id": "frk_rq_69dcff4a4a17963ebdb7e8db", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Group, shared, or generic accounts or passwords are only used when necessary and managed per additional controls.", + "description": "Shared account policy; shared account inventory; exception register with justification", + "identifier": "8.2.2", + "createdAt": "2026-04-13 14:35:54.293", + "updatedAt": "2026-04-13 14:35:54.293" + }, + { + "id": "frk_rq_69dcff4c94051eec2eb36978", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Access for terminated users is immediately revoked.", + "description": "Termination procedure; HR-IT notification process; deprovisioning records with timestamps", + "identifier": "8.2.5", + "createdAt": "2026-04-13 14:35:56.171", + "updatedAt": "2026-04-13 14:35:56.171" + }, + { + "id": "frk_rq_69dcff4eef4d973db6749aaa", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Accounts used by third parties are managed per Requirement 8 controls.", + "description": "Third-party account inventory; third-party access policy; just-in-time access records", + "identifier": "8.2.7", + "createdAt": "2026-04-13 14:35:58.195", + "updatedAt": "2026-04-13 14:35:58.195" + }, + { + "id": "frk_rq_69dcff4fcd6918d1cb665e86", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "If a user session has been idle for more than 15 minutes, re-authentication is required.", + "description": "Session timeout configuration (≤15 minutes); system configuration screenshots", + "identifier": "8.2.8", + "createdAt": "2026-04-13 14:35:59.263", + "updatedAt": "2026-04-13 14:35:59.263" + }, + { + "id": "frk_rq_69dcff505832b24179f594da", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "All user and admin passwords/passphrases meet a minimum length of at least 12 characters (or 8 if system does not support 12).", + "description": "Password policy configuration; AD/IAM password policy settings screenshot", + "identifier": "8.3.1", + "createdAt": "2026-04-13 14:36:00.203", + "updatedAt": "2026-04-13 14:36:00.203" + }, + { + "id": "frk_rq_69dcff512f1643822ffc40e9", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "User and admin passwords/passphrases are properly secured during transmission and storage.", + "description": "Password hashing implementation documentation; TLS for authentication screens; LDAP over TLS config", + "identifier": "8.3.2", + "createdAt": "2026-04-13 14:36:01.179", + "updatedAt": "2026-04-13 14:36:01.179" + }, + { + "id": "frk_rq_69dcff5244a445e2083124bb", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Invalid authentication attempts are limited to no more than 10 tries before locking the account.", + "description": "Account lockout policy configuration; AD/IAM lockout threshold setting", + "identifier": "8.3.4", + "createdAt": "2026-04-13 14:36:02.142", + "updatedAt": "2026-04-13 14:36:02.142" + }, + { + "id": "frk_rq_69dcff53f0d3e72346c35750", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "If passwords are used as authentication factors, they meet minimum complexity requirements.", + "description": "Password complexity policy configuration; enforcement evidence across all systems", + "identifier": "8.3.6", + "createdAt": "2026-04-13 14:36:03.189", + "updatedAt": "2026-04-13 14:36:03.189" + }, + { + "id": "frk_rq_69dcff5459bbc24b82e95346", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Individuals are not allowed to submit a new password the same as any of their last four passwords.", + "description": "Password history enforcement (minimum 4 history); IAM policy configuration", + "identifier": "8.3.7", + "createdAt": "2026-04-13 14:36:04.172", + "updatedAt": "2026-04-13 14:36:04.172" + }, + { + "id": "frk_rq_69dcff558d7ef3b5791eb24f", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "If passwords are the only authentication factor for user access, they must be changed at least every 90 days OR the system dynamically assesses account security posture.", + "description": "Password expiry policy (≤90 days) OR dynamic assessment configuration; enforcement records", + "identifier": "8.3.9", + "createdAt": "2026-04-13 14:36:05.133", + "updatedAt": "2026-04-13 14:36:05.133" + }, + { + "id": "frk_rq_69dcff56d1dc19e437dcc6da", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "MFA is implemented for all non-console access into the CDE for personnel with administrative access.", + "description": "MFA configuration for admin access; authentication logs showing MFA enforcement; MFA policy", + "identifier": "8.4.1", + "createdAt": "2026-04-13 14:36:06.106", + "updatedAt": "2026-04-13 14:36:06.106" + }, + { + "id": "frk_rq_69dcff57a27eda29d28d1a51", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "MFA is implemented for all access into the CDE.", + "description": "MFA configuration for all CDE access; VPN MFA config; authentication logs", + "identifier": "8.4.2", + "createdAt": "2026-04-13 14:36:07.213", + "updatedAt": "2026-04-13 14:36:07.213" + }, + { + "id": "frk_rq_69dcff5be046e7444d27c470", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Passwords for application and system accounts that can be used for interactive login are not hard-coded in scripts, applications, or configuration files.", + "description": "Code review records; secrets scanning tool results; vault/secrets manager configuration", + "identifier": "8.6.2", + "createdAt": "2026-04-13 14:36:11.109", + "updatedAt": "2026-04-13 14:36:11.109" + }, + { + "id": "frk_rq_69dcff5d5419b9e6dd0fecda", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Processes and mechanisms for restricting physical access to cardholder data are documented, current, and in use.", + "description": "Physical security policy; facility access procedure; version history", + "identifier": "9.1.1", + "createdAt": "2026-04-13 14:36:13.036", + "updatedAt": "2026-04-13 14:36:13.036" + }, + { + "id": "frk_rq_69dcff618eb41f404917d281", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Physical and/or logical controls restrict use of publicly accessible network jacks.", + "description": "Network jack policy; 802.1X or port security configuration; physical port lock/cover evidence", + "identifier": "9.2.2", + "createdAt": "2026-04-13 14:36:16.703", + "updatedAt": "2026-04-13 14:36:16.703" + }, + { + "id": "frk_rq_69dcff633226b6615536612b", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Procedures are implemented for authorizing and managing physical access of personnel to the CDE.", + "description": "Personnel access authorization records; access list; access request/approval workflow", + "identifier": "9.3.1", + "createdAt": "2026-04-13 14:36:19.467", + "updatedAt": "2026-04-13 14:36:19.467" + }, + { + "id": "frk_rq_69dcff64fea13841683f18bb", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Procedures are implemented for managing visitor access to the CDE.", + "description": "Visitor policy; visitor log; visitor badge procedure; escort policy", + "identifier": "9.3.2", + "createdAt": "2026-04-13 14:36:20.478", + "updatedAt": "2026-04-13 14:36:20.478" + }, + { + "id": "frk_rq_69dcff65403b9e40cecd10ed", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Visitor badges or identification are surrendered or deactivated before visitors leave the facility.", + "description": "Visitor check-out records; badge return procedure; badge deactivation logs", + "identifier": "9.3.3", + "createdAt": "2026-04-13 14:36:21.384", + "updatedAt": "2026-04-13 14:36:21.384" + }, + { + "id": "frk_rq_69dcff6707ec7913810857e4", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "All media with cardholder data is physically secured.", + "description": "Media storage policy; locked storage evidence (cabinet logs); media inventory", + "identifier": "9.4.1", + "createdAt": "2026-04-13 14:36:23.286", + "updatedAt": "2026-04-13 14:36:23.286" + }, + { + "id": "frk_rq_69dcff68a147f3de0eea37e4", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Offline media backups with cardholder data are stored in a secure location.", + "description": "Offline backup storage policy; off-site storage agreement; facility security assessment", + "identifier": "9.4.1.1", + "createdAt": "2026-04-13 14:36:24.219", + "updatedAt": "2026-04-13 14:36:24.219" + }, + { + "id": "frk_rq_69dcff6ad323e7481a2a947b", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "All media with cardholder data is classified in accordance with the sensitivity of the data.", + "description": "Media classification policy; media labeling records; sensitivity classification scheme", + "identifier": "9.4.2", + "createdAt": "2026-04-13 14:36:26.244", + "updatedAt": "2026-04-13 14:36:26.244" + }, + { + "id": "frk_rq_69dcff6da2df8cba3c6adc88", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Inventory logs of all electronic media with cardholder data are maintained.", + "description": "Electronic media inventory log; periodic inventory review records", + "identifier": "9.4.5", + "createdAt": "2026-04-13 14:36:29.037", + "updatedAt": "2026-04-13 14:36:29.037" + }, + { + "id": "frk_rq_69dcff6eebcdcef1b3719bf7", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Inventories of electronic media with cardholder data are conducted at least annually.", + "description": "Annual media inventory records; date of last inventory; discrepancy resolution records", + "identifier": "9.4.5.1", + "createdAt": "2026-04-13 14:36:29.972", + "updatedAt": "2026-04-13 14:36:29.972" + }, + { + "id": "frk_rq_69dcff70db9f49439ea3a578", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Electronic media with cardholder data is destroyed when no longer needed.", + "description": "Electronic media destruction policy; degaussing/secure wipe records; certificate of destruction", + "identifier": "9.4.7", + "createdAt": "2026-04-13 14:36:31.896", + "updatedAt": "2026-04-13 14:36:31.896" + }, + { + "id": "frk_rq_69dcff718575d135791b7d6e", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "POI devices that capture payment card data via direct physical interaction are protected from tampering and unauthorized substitution.", + "description": "POI device inventory; device inspection records; anti-tampering policy", + "identifier": "9.5.1", + "createdAt": "2026-04-13 14:36:32.939", + "updatedAt": "2026-04-13 14:36:32.939" + }, + { + "id": "frk_rq_69dcff7240318f3d092f02a6", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "POI device surfaces are periodically inspected to detect tampering and unauthorized substitution.", + "description": "Inspection checklist; periodic inspection records; photo evidence of inspection", + "identifier": "9.5.1.1", + "createdAt": "2026-04-13 14:36:33.880", + "updatedAt": "2026-04-13 14:36:33.880" + }, + { + "id": "frk_rq_69dcff73fd64fa5ccce46aa9", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Personnel are trained to be aware of attempted tampering or substitution of POI devices.", + "description": "Training records covering POI tampering awareness; training curriculum with tampering indicators", + "identifier": "9.5.1.2", + "createdAt": "2026-04-13 14:36:34.801", + "updatedAt": "2026-04-13 14:36:34.801" + }, + { + "id": "frk_rq_69dcff7462dbb18b93e55650", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "A list of POI devices is maintained, including device make, model, location, and serial or other identifier.", + "description": "POI device register with make, model, serial, location; last-update date", + "identifier": "9.5.1.3", + "createdAt": "2026-04-13 14:36:35.720", + "updatedAt": "2026-04-13 14:36:35.720" + }, + { + "id": "frk_rq_69dcff75b6b39b136c68f7ef", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Processes and mechanisms for logging and monitoring all access to system components are documented, current, and in use.", + "description": "Logging and monitoring policy; log management standard; SIEM documentation; version history", + "identifier": "10.1.1", + "createdAt": "2026-04-13 14:36:36.655", + "updatedAt": "2026-04-13 14:36:36.655" + }, + { + "id": "frk_rq_69dcff76e8f6202ef0251616", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Roles and responsibilities for activities under Requirement 10 are documented, assigned, and understood.", + "description": "RACI or job descriptions; signed acknowledgments", + "identifier": "10.1.2", + "createdAt": "2026-04-13 14:36:37.566", + "updatedAt": "2026-04-13 14:36:37.566" + }, + { + "id": "frk_rq_69dcff76214ca4507aeb9676", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Audit logs capture all individual user access to cardholder data.", + "description": "SIEM configuration; log samples showing user access to CHD systems; log policy", + "identifier": "10.2.1", + "createdAt": "2026-04-13 14:36:38.482", + "updatedAt": "2026-04-13 14:36:38.482" + }, + { + "id": "frk_rq_69dcff770e9408ee767d7d61", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Audit logs capture all actions taken by any individual with root or administrative privileges.", + "description": "Log samples showing admin/root actions; SIEM alert configuration for privileged actions", + "identifier": "10.2.1.1", + "createdAt": "2026-04-13 14:36:39.434", + "updatedAt": "2026-04-13 14:36:39.434" + }, + { + "id": "frk_rq_69dcff78e9f10b1a12834a54", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Audit logs capture all access to audit trails.", + "description": "Log samples showing audit trail access; SIEM configuration for log-read events", + "identifier": "10.2.1.2", + "createdAt": "2026-04-13 14:36:40.411", + "updatedAt": "2026-04-13 14:36:40.411" + }, + { + "id": "frk_rq_69dcff79046ad91bb49f4bc6", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Audit logs capture all invalid logical access attempts.", + "description": "Failed login log samples; SIEM failed authentication events; brute-force detection alerts", + "identifier": "10.2.1.3", + "createdAt": "2026-04-13 14:36:41.332", + "updatedAt": "2026-04-13 14:36:41.332" + }, + { + "id": "frk_rq_69dcff7af382be7a8fddd851", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Audit logs capture all use of and changes to identification and authentication mechanisms.", + "description": "Log samples for account creation, deletion, password changes, privilege escalation", + "identifier": "10.2.1.4", + "createdAt": "2026-04-13 14:36:42.260", + "updatedAt": "2026-04-13 14:36:42.260" + }, + { + "id": "frk_rq_69dcff7bca5070a954e4b926", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Audit logs capture all changes to and deletions of audit log records.", + "description": "Log samples showing log deletion/modification attempts; SIEM integrity alerts", + "identifier": "10.2.1.5", + "createdAt": "2026-04-13 14:36:43.178", + "updatedAt": "2026-04-13 14:36:43.178" + }, + { + "id": "frk_rq_69dcff7c6886d812e3bca1a2", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Audit logs capture all initialization, stopping, or pausing of audit logging.", + "description": "Log samples for audit log service start/stop events; SIEM configuration", + "identifier": "10.2.1.6", + "createdAt": "2026-04-13 14:36:44.103", + "updatedAt": "2026-04-13 14:36:44.103" + }, + { + "id": "frk_rq_69dcff7dd59284f830693a8e", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Audit logs capture all creation and deletion of system-level objects.", + "description": "Log samples for object creation/deletion; SIEM object change events", + "identifier": "10.2.1.7", + "createdAt": "2026-04-13 14:36:45.016", + "updatedAt": "2026-04-13 14:36:45.016" + }, + { + "id": "frk_rq_69dcff7e6837c1fdcc088bee", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Audit logs capture: user ID, event type, date/time, success/failure, origin, and identity/name of affected data/component.", + "description": "Log format documentation; sample log records showing all 6 required fields", + "identifier": "10.2.2", + "createdAt": "2026-04-13 14:36:45.928", + "updatedAt": "2026-04-13 14:36:45.928" + }, + { + "id": "frk_rq_69dcff7f641df666a0c22817", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Read access to audit log files is limited to those with a job-related need.", + "description": "Access controls on log files; RBAC for log access; access review records", + "identifier": "10.3.1", + "createdAt": "2026-04-13 14:36:46.835", + "updatedAt": "2026-04-13 14:36:46.835" + }, + { + "id": "frk_rq_69dcff8066ac2874e0cafac8", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Audit log files are protected from unauthorized modifications by technical controls.", + "description": "Log immutability configuration (WORM storage, append-only); FIM on log files; SIEM write protection", + "identifier": "10.3.2", + "createdAt": "2026-04-13 14:36:47.818", + "updatedAt": "2026-04-13 14:36:47.818" + }, + { + "id": "frk_rq_69dcff81e3687caf7f1bd030", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Audit log files, including those for external-facing technologies, are promptly backed up to a secure central log server or SIEM.", + "description": "SIEM ingestion configuration; log forwarding config; backup evidence for log data", + "identifier": "10.3.3", + "createdAt": "2026-04-13 14:36:48.805", + "updatedAt": "2026-04-13 14:36:48.805" + }, + { + "id": "frk_rq_69dcff824662a071ea30b728", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "File integrity monitoring or change detection mechanisms are used on audit logs.", + "description": "FIM configuration covering log files; FIM alert records", + "identifier": "10.3.4", + "createdAt": "2026-04-13 14:36:49.736", + "updatedAt": "2026-04-13 14:36:49.736" + }, + { + "id": "frk_rq_69dcff83f48edc965b711dd3", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Automated mechanisms are used to perform audit log reviews.", + "description": "SIEM alert rules; automated review schedule; SIEM dashboard", + "identifier": "10.4.1", + "createdAt": "2026-04-13 14:36:50.655", + "updatedAt": "2026-04-13 14:36:50.655" + }, + { + "id": "frk_rq_69dcff84eb2f0175af1a5a4a", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Automated log review processes cover all defined auditable events.", + "description": "SIEM use case list; mapping of use cases to required audit events (per Req 10.2.1)", + "identifier": "10.4.1.1", + "createdAt": "2026-04-13 14:36:51.571", + "updatedAt": "2026-04-13 14:36:51.571" + }, + { + "id": "frk_rq_69dcff85c4d2a8dae74164a1", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Logs of all other system components are reviewed periodically.", + "description": "Log review schedule; review records for non-automated systems; reviewer sign-offs", + "identifier": "10.4.2", + "createdAt": "2026-04-13 14:36:52.568", + "updatedAt": "2026-04-13 14:36:52.568" + }, + { + "id": "frk_rq_69dcff86ca9ca870073fc2d8", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "The frequency of periodic log reviews is defined in the entity's targeted risk analysis.", + "description": "Targeted risk analysis defining log review frequency; management approval", + "identifier": "10.4.2.1", + "createdAt": "2026-04-13 14:36:53.505", + "updatedAt": "2026-04-13 14:36:53.505" + }, + { + "id": "frk_rq_69dcff86a14a58f051949e0b", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Exceptions and anomalies identified during log review are addressed.", + "description": "Incident/exception tracking records; follow-up evidence; escalation records", + "identifier": "10.4.3", + "createdAt": "2026-04-13 14:36:54.431", + "updatedAt": "2026-04-13 14:36:54.431" + }, + { + "id": "frk_rq_69dcff8794897fee8d23e907", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Audit log history is retained for at least 12 months, with at least the most recent three months available for immediate analysis.", + "description": "Log retention policy; SIEM or log archive configuration; test retrieval of 3-month and 12-month-old logs", + "identifier": "10.5.1", + "createdAt": "2026-04-13 14:36:55.370", + "updatedAt": "2026-04-13 14:36:55.370" + }, + { + "id": "frk_rq_69dcff888d17e2a40c5ade06", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "System clocks and time are synchronized using accepted time-keeping technology.", + "description": "NTP configuration on all in-scope systems; NTP server documentation; time synchronization logs", + "identifier": "10.6.1", + "createdAt": "2026-04-13 14:36:56.301", + "updatedAt": "2026-04-13 14:36:56.301" + }, + { + "id": "frk_rq_69e918bcf1767ec6050c2ff7", + "frameworkId": "frk_69e9187a649152cdc715f1ad", + "name": "Data Protection Officer", + "description": "Appoint a Data Protection Officer (if necessary).", + "identifier": "AG-4", + "createdAt": "2026-04-22 18:51:39.837", + "updatedAt": "2026-04-22 18:51:39.837" + }, + { + "id": "frk_rq_69dcff89e8f8db6da78dca7a", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Systems are configured to prevent unauthorized modifications of time.", + "description": "NTP ACL configuration; admin-only access to time settings; audit records for time changes", + "identifier": "10.6.2", + "createdAt": "2026-04-13 14:36:57.230", + "updatedAt": "2026-04-13 14:36:57.230" + }, + { + "id": "frk_rq_69dcff8a58ad310935d80fad", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Time synchronization settings and data are protected from unauthorized access and tampering.", + "description": "NTP authentication configuration; time server access controls; monitoring for time discrepancies", + "identifier": "10.6.3", + "createdAt": "2026-04-13 14:36:58.236", + "updatedAt": "2026-04-13 14:36:58.236" + }, + { + "id": "frk_rq_69dcff8b10fa6474b498b5f6", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Failures of critical security controls (IDS/IPS, FIM, AV, access controls, audit logging, firewalls) are detected, alerted, and addressed promptly.", + "description": "SIEM alert rules for critical control failures; incident/alert records for control failures", + "identifier": "10.7.2", + "createdAt": "2026-04-13 14:36:59.174", + "updatedAt": "2026-04-13 14:36:59.174" + }, + { + "id": "frk_rq_69dcff8dccf4c2d977dd9998", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Processes and mechanisms for regularly testing security of systems and networks are documented, current, and in use.", + "description": "Security testing policy; penetration testing standard; vulnerability management policy; version history", + "identifier": "11.1.1", + "createdAt": "2026-04-13 14:37:01.044", + "updatedAt": "2026-04-13 14:37:01.044" + }, + { + "id": "frk_rq_69dcff936bcdd3953dd57be7", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Internal vulnerability scans are performed by a qualified internal resource or qualified external third party.", + "description": "Scanner qualifications; internal resource training/certification; third-party scanner credentials", + "identifier": "11.3.1.2", + "createdAt": "2026-04-13 14:37:06.916", + "updatedAt": "2026-04-13 14:37:06.916" + }, + { + "id": "frk_rq_69dcff9833b29ae89c1eb64f", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Internal penetration testing is performed at least annually and after significant changes.", + "description": "Annual internal pen test reports; on-change pen test records; testing scope documentation", + "identifier": "11.4.2", + "createdAt": "2026-04-13 14:37:11.631", + "updatedAt": "2026-04-13 14:37:11.631" + }, + { + "id": "frk_rq_69dcff9c8daaf57bbf28b8ef", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Additional requirement for multi-tenant service providers: Support customers for external penetration testing. (SP)", + "description": "Customer pen test support policy; customer access provision records; evidence of customer test facilitation", + "identifier": "11.4.7", + "createdAt": "2026-04-13 14:37:16.359", + "updatedAt": "2026-04-13 14:37:16.359" + }, + { + "id": "frk_rq_69dcff9efe92caf1c8f48290", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "A change-detection mechanism (FIM) is deployed to alert personnel to unauthorized modification of critical files.", + "description": "FIM tool deployment evidence; critical file baseline; FIM alert records; response procedure", + "identifier": "11.5.2", + "createdAt": "2026-04-13 14:37:18.291", + "updatedAt": "2026-04-13 14:37:18.291" + }, + { + "id": "frk_rq_69dcff9f2a32fccc4bdee381", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "A change- and tamper-detection mechanism is deployed to alert on unauthorized modifications to HTTP headers and payment page contents.", + "description": "Payment page monitoring tool deployment evidence; alert records; scope documentation covering all payment pages", + "identifier": "11.6.1", + "createdAt": "2026-04-13 14:37:19.236", + "updatedAt": "2026-04-13 14:37:19.236" + }, + { + "id": "frk_rq_69dcffa0cd7071a70c25eff6", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "An overall information security policy is established, published, maintained, and disseminated to all relevant personnel and applicable vendors.", + "description": "Information security policy document; distribution records; vendor/partner acknowledgment records", + "identifier": "12.1.1", + "createdAt": "2026-04-13 14:37:20.167", + "updatedAt": "2026-04-13 14:37:20.167" + }, + { + "id": "frk_rq_69dcffa119474a2d5739cad6", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "The information security policy is reviewed at least annually and updated when the environment changes.", + "description": "Annual review records; version history; change-triggered review records", + "identifier": "12.1.2", + "createdAt": "2026-04-13 14:37:21.102", + "updatedAt": "2026-04-13 14:37:21.102" + }, + { + "id": "frk_rq_69dcffa4409aba79cfbb6863", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Acceptable use policies for end-user technologies are documented and implemented.", + "description": "Acceptable use policy; signed acknowledgments; technology inventory covered by AUP", + "identifier": "12.2.1", + "createdAt": "2026-04-13 14:37:24.070", + "updatedAt": "2026-04-13 14:37:24.070" + }, + { + "id": "frk_rq_69dcffa72b879950a33ff8ff", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "All cryptographic cipher suites and protocols in use are documented and reviewed at least annually.", + "description": "Cryptographic inventory; annual review records; cipher suite deprecation tracking", + "identifier": "12.3.3", + "createdAt": "2026-04-13 14:37:26.940", + "updatedAt": "2026-04-13 14:37:26.940" + }, + { + "id": "frk_rq_69dcffab5b3ab140e35b2a8f", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "An inventory of system components that are in scope for PCI DSS is maintained, including a description of function/use for each.", + "description": "CDE scope inventory with component type, function, owner, and location", + "identifier": "12.5.1", + "createdAt": "2026-04-13 14:37:31.029", + "updatedAt": "2026-04-13 14:37:31.029" + }, + { + "id": "frk_rq_69dcffac9c60c52edbd56fef", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "PCI DSS scope is documented and confirmed at least once every 12 months and upon significant changes.", + "description": "Annual scope confirmation documentation; significant-change scope review records; QSA confirmation (if applicable)", + "identifier": "12.5.2", + "createdAt": "2026-04-13 14:37:31.966", + "updatedAt": "2026-04-13 14:37:31.966" + }, + { + "id": "frk_rq_69dcffad14c5796fac50382b", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Additional requirement for service providers: PCI DSS scope is confirmed at least every six months and upon significant changes. (SP)", + "description": "Bi-annual scope confirmation records; sign-offs; on-change scope review records", + "identifier": "12.5.2.1", + "createdAt": "2026-04-13 14:37:32.969", + "updatedAt": "2026-04-13 14:37:32.969" + }, + { + "id": "frk_rq_69dcffb0d294a6b409bf2777", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Personnel receive security awareness training upon hire and at least annually.", + "description": "New hire training records; annual re-training records; LMS completion reports", + "identifier": "12.6.3", + "createdAt": "2026-04-13 14:37:35.744", + "updatedAt": "2026-04-13 14:37:35.744" + }, + { + "id": "frk_rq_69dcffb221021671f9e15650", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Security awareness training includes awareness about the acceptable use of end-user technologies.", + "description": "Training content referencing AUP; AUP acknowledgment post-training", + "identifier": "12.6.3.2", + "createdAt": "2026-04-13 14:37:37.601", + "updatedAt": "2026-04-13 14:37:37.601" + }, + { + "id": "frk_rq_69dcffb652f1be5f58bda75d", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "An established process for engaging TPSPs includes proper due diligence prior to engagement.", + "description": "TPSP onboarding policy; due diligence questionnaire; pre-engagement security assessment records", + "identifier": "12.8.3", + "createdAt": "2026-04-13 14:37:41.770", + "updatedAt": "2026-04-13 14:37:41.770" + }, + { + "id": "frk_rq_69dcffb7c9bb0dab205bcd0f", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "A program to monitor TPSPs' PCI DSS compliance status is implemented at least annually.", + "description": "Annual TPSP compliance review records; AOC/SAQ collection; compliance register with expiry dates", + "identifier": "12.8.4", + "createdAt": "2026-04-13 14:37:42.807", + "updatedAt": "2026-04-13 14:37:42.807" + }, + { + "id": "frk_rq_69dcffb80d9e0ce7eccf5b66", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Information is maintained about which PCI DSS requirements are managed by each TPSP and which are managed by the entity.", + "description": "Responsibility matrix per TPSP (shared responsibility matrix); contractual documentation of responsibility split", + "identifier": "12.8.5", + "createdAt": "2026-04-13 14:37:43.714", + "updatedAt": "2026-04-13 14:37:43.714" + }, + { + "id": "frk_rq_69dcffb936d930f67bf2acc9", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Additional requirement for service providers: TPSPs provide written acknowledgment/assurance to customers about PCI DSS requirements they are responsible for. (SP)", + "description": "Responsibility acknowledgment letters; AOC shared with customers; contract clauses detailing SP scope", + "identifier": "12.9.1", + "createdAt": "2026-04-13 14:37:44.685", + "updatedAt": "2026-04-13 14:37:44.685" + }, + { + "id": "frk_rq_69dcffbbae320285dfd82b59", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "An incident response plan exists and is ready to be activated in the event of a system breach.", + "description": "Incident response plan (IRP) covering CHD breach scenarios; contact list; escalation procedures; breach notification procedures", + "identifier": "12.10.1", + "createdAt": "2026-04-13 14:37:46.645", + "updatedAt": "2026-04-13 14:37:46.645" + }, + { + "id": "frk_rq_69dcffbd079e9609d8754451", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents.", + "description": "24/7 on-call roster; escalation contact list; documented on-call procedures", + "identifier": "12.10.3", + "createdAt": "2026-04-13 14:37:48.560", + "updatedAt": "2026-04-13 14:37:48.560" + }, + { + "id": "frk_rq_69dcffbd5a29f5ca49f033a2", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Personnel responsible for responding to suspected and confirmed security incidents are appropriately and regularly trained.", + "description": "IR team training records; tabletop exercise participation records; IR-specific training curriculum", + "identifier": "12.10.4", + "createdAt": "2026-04-13 14:37:49.494", + "updatedAt": "2026-04-13 14:37:49.494" + }, + { + "id": "frk_rq_69dcff8cb4d4d1d377d3a9fc", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Failures of any critical security control are responded to promptly; root cause is identified, documented, and resolved.", + "description": "Incident records with root cause analysis (RCA); RCA documentation; remediation evidence", + "identifier": "10.7.3", + "createdAt": "2026-04-13 14:37:00.095", + "updatedAt": "2026-04-13 14:37:00.095" + }, + { + "id": "frk_rq_69dcff8e7a4db0d82942a727", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Roles and responsibilities for activities under Requirement 11 are documented, assigned, and understood.", + "description": "RACI or job descriptions; signed acknowledgments", + "identifier": "11.1.2", + "createdAt": "2026-04-13 14:37:01.961", + "updatedAt": "2026-04-13 14:37:01.961" + }, + { + "id": "frk_rq_69dcff8f197c76085dff0f70", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Authorized and unauthorized wireless access points are managed.", + "description": "Wireless scanning tool (WIPS/WIDS) configuration; quarterly wireless scan reports; unauthorized AP detection/response records", + "identifier": "11.2.1", + "createdAt": "2026-04-13 14:37:02.974", + "updatedAt": "2026-04-13 14:37:02.974" + }, + { + "id": "frk_rq_69dcff90072c1b750388be26", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "An inventory of authorized wireless access points is maintained.", + "description": "Wireless AP inventory with make, model, location, and MAC address; last-updated date", + "identifier": "11.2.2", + "createdAt": "2026-04-13 14:37:03.890", + "updatedAt": "2026-04-13 14:37:03.890" + }, + { + "id": "frk_rq_69dcff91b7e21c99696af30c", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Internal vulnerability scans are performed at least once every three months.", + "description": "Quarterly internal scan reports; scan schedule; authenticated (credentialed) scan configuration and evidence", + "identifier": "11.3.1", + "createdAt": "2026-04-13 14:37:04.822", + "updatedAt": "2026-04-13 14:37:04.822" + }, + { + "id": "frk_rq_69dcff92f25a500690ecb1d2", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Internal vulnerability scans are performed after significant changes.", + "description": "Change-triggered scan records; scan reports linked to change tickets", + "identifier": "11.3.1.1", + "createdAt": "2026-04-13 14:37:05.875", + "updatedAt": "2026-04-13 14:37:05.875" + }, + { + "id": "frk_rq_69dcff944cc63873ea85c709", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Internal vulnerability scan findings are remediated and a rescan is performed to confirm resolution.", + "description": "Remediation records for high/critical findings; rescan reports confirming resolution; exception register for accepted risks", + "identifier": "11.3.1.3", + "createdAt": "2026-04-13 14:37:07.858", + "updatedAt": "2026-04-13 14:37:07.858" + }, + { + "id": "frk_rq_69dcff95ecf248dcbe4462f7", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "External vulnerability scans are performed at least once every three months by an Approved Scanning Vendor (ASV).", + "description": "ASV scan reports (passing status); ASV certification evidence; quarterly scan schedule", + "identifier": "11.3.2", + "createdAt": "2026-04-13 14:37:08.803", + "updatedAt": "2026-04-13 14:37:08.803" + }, + { + "id": "frk_rq_69dcff965d4daf381dbebb56", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "External vulnerability scan findings are remediated and passing scans are achieved.", + "description": "Remediation records; re-scan reports showing passing status; ASV dispute process records if applicable", + "identifier": "11.3.2.1", + "createdAt": "2026-04-13 14:37:09.762", + "updatedAt": "2026-04-13 14:37:09.762" + }, + { + "id": "frk_rq_69dcff977f23cf8501f592c3", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "A penetration testing methodology is defined, documented, and implemented.", + "description": "Penetration testing methodology document covering network and application layers, exploitation, and reporting requirements", + "identifier": "11.4.1", + "createdAt": "2026-04-13 14:37:10.692", + "updatedAt": "2026-04-13 14:37:10.692" + }, + { + "id": "frk_rq_69dcff9974c7634956ba7f0a", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "External penetration testing is performed at least annually and after significant changes.", + "description": "Annual external pen test reports; tester qualifications (CREST/OSCP or equivalent); on-change pen test records", + "identifier": "11.4.3", + "createdAt": "2026-04-13 14:37:12.579", + "updatedAt": "2026-04-13 14:37:12.579" + }, + { + "id": "frk_rq_69dcff9a172f64b803d4f523", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected.", + "description": "Remediation records for pen test findings; re-test evidence confirming resolution; risk acceptance for accepted findings with management sign-off", + "identifier": "11.4.4", + "createdAt": "2026-04-13 14:37:13.509", + "updatedAt": "2026-04-13 14:37:13.509" + }, + { + "id": "frk_rq_69dcff9b08ac85014f447336", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "If segmentation is used to isolate the CDE, segmentation controls are verified at least every six months and after significant change.", + "description": "Bi-annual segmentation test reports; methodology documentation; on-change test records", + "identifier": "11.4.5", + "createdAt": "2026-04-13 14:37:14.501", + "updatedAt": "2026-04-13 14:37:14.501" + }, + { + "id": "frk_rq_69dcff9b7b0dfdd22bc2d410", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Additional requirement for service providers: Pen testing of segmentation controls is performed at least every six months. (SP)", + "description": "Bi-annual segmentation pen test reports; scoping documentation showing all service provider testing boundaries", + "identifier": "11.4.6", + "createdAt": "2026-04-13 14:37:15.420", + "updatedAt": "2026-04-13 14:37:15.420" + }, + { + "id": "frk_rq_69dcff9d4484fa6ab009ad50", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network.", + "description": "IDS/IPS deployment evidence; signature update logs; alert records; tuning documentation", + "identifier": "11.5.1", + "createdAt": "2026-04-13 14:37:17.380", + "updatedAt": "2026-04-13 14:37:17.380" + }, + { + "id": "frk_rq_69dcffa2854a8978069abc2e", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "The information security policy clearly defines information security roles and responsibilities for all personnel.", + "description": "IS policy sections defining roles; RACI; job descriptions", + "identifier": "12.1.3", + "createdAt": "2026-04-13 14:37:22.171", + "updatedAt": "2026-04-13 14:37:22.171" + }, + { + "id": "frk_rq_69dcffa34047058834cd7552", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Responsibility for information security is formally assigned to a CISO or another information-security-knowledgeable member of executive management.", + "description": "CISO appointment documentation; executive security accountability records; organization chart", + "identifier": "12.1.4", + "createdAt": "2026-04-13 14:37:23.159", + "updatedAt": "2026-04-13 14:37:23.159" + }, + { + "id": "frk_rq_69dcffa5bbe2ac63ba382ae6", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "A targeted risk analysis is performed for each PCI DSS requirement that allows flexibility in activity frequency.", + "description": "Targeted risk analysis documents per applicable requirement; management approval records", + "identifier": "12.3.1", + "createdAt": "2026-04-13 14:37:25.005", + "updatedAt": "2026-04-13 14:37:25.005" + }, + { + "id": "frk_rq_69dcffa63136b4e7a84d10fc", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "A targeted risk analysis is performed for each PCI DSS requirement specified as needing a customized approach.", + "description": "Customized approach risk analyses; control design documentation; independent review evidence", + "identifier": "12.3.2", + "createdAt": "2026-04-13 14:37:26.016", + "updatedAt": "2026-04-13 14:37:26.016" + }, + { + "id": "frk_rq_69dcffa89c6236dea8c3797d", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Hardware and software technologies in use are reviewed at least annually to confirm that they continue to receive security fixes and support.", + "description": "Technology lifecycle inventory; annual vendor support status review; EOL/EOS tracking register", + "identifier": "12.3.4", + "createdAt": "2026-04-13 14:37:27.962", + "updatedAt": "2026-04-13 14:37:27.962" + }, + { + "id": "frk_rq_69dcffa91626c1563c561918", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Additional requirement for service providers: Executive management establishes responsibility for protection of cardholder data and a PCI DSS compliance program. (SP)", + "description": "Executive charter for PCI DSS compliance; management acknowledgment; named executive accountability", + "identifier": "12.4.1", + "createdAt": "2026-04-13 14:37:29.005", + "updatedAt": "2026-04-13 14:37:29.005" + }, + { + "id": "frk_rq_69dcffaa44f250f4729f4ae0", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Additional requirement for service providers: Reviews confirming that personnel follow security policies and procedures are performed at least quarterly. (SP)", + "description": "Quarterly compliance review records; review scope and methodology; sign-offs", + "identifier": "12.4.2", + "createdAt": "2026-04-13 14:37:29.970", + "updatedAt": "2026-04-13 14:37:29.970" + }, + { + "id": "frk_rq_69dcffaebee28285f81befad", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "A formal security awareness program is implemented to make all personnel aware of the information security policy and procedures.", + "description": "Security awareness program documentation; training schedule; completion records", + "identifier": "12.6.1", + "createdAt": "2026-04-13 14:37:33.891", + "updatedAt": "2026-04-13 14:37:33.891" + }, + { + "id": "frk_rq_69dcffafdd6076fb6394fab2", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "The security awareness program is reviewed at least annually and updated as needed.", + "description": "Annual review records; version history; update log", + "identifier": "12.6.2", + "createdAt": "2026-04-13 14:37:34.806", + "updatedAt": "2026-04-13 14:37:34.806" + }, + { + "id": "frk_rq_69dcffb1c482f1b4c9faa676", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Security awareness training includes awareness of threats and vulnerabilities that could impact the CDE.", + "description": "Training curriculum covering phishing, social engineering, CHD handling, password security, physical security", + "identifier": "12.6.3.1", + "createdAt": "2026-04-13 14:37:36.658", + "updatedAt": "2026-04-13 14:37:36.658" + }, + { + "id": "frk_rq_69dcffb3bb48dd2bca628d6a", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Potential personnel who will have access to the CDE are screened prior to hire, within the constraints of local laws.", + "description": "Background check policy; background check records for CDE-access personnel; screening scope documentation", + "identifier": "12.7.1", + "createdAt": "2026-04-13 14:37:38.598", + "updatedAt": "2026-04-13 14:37:38.598" + }, + { + "id": "frk_rq_69dcffb4bfef6f7f83a002a5", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "A list of all third-party service providers (TPSPs) with whom account data is shared or that could affect security of account data is maintained.", + "description": "TPSP register with service type, data shared, and contact details", + "identifier": "12.8.1", + "createdAt": "2026-04-13 14:37:39.687", + "updatedAt": "2026-04-13 14:37:39.687" + }, + { + "id": "frk_rq_69dcffb5976c9bf607b589bf", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Written agreements with all TPSPs acknowledge their responsibility for the security of account data they possess or could affect.", + "description": "TPSP agreements with PCI DSS clauses; responsibility acknowledgments", + "identifier": "12.8.2", + "createdAt": "2026-04-13 14:37:40.728", + "updatedAt": "2026-04-13 14:37:40.728" + }, + { + "id": "frk_rq_69dcffbae18a11fa1fefd5cc", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Additional requirement for service providers: TPSPs support customers' requests for information related to their PCI DSS compliance. (SP)", + "description": "Customer request handling process; records of customer inquiries and responses", + "identifier": "12.9.2", + "createdAt": "2026-04-13 14:37:45.709", + "updatedAt": "2026-04-13 14:37:45.709" + }, + { + "id": "frk_rq_69dcffbcc00c2a8335362cd9", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "At least once every 12 months, the incident response plan is reviewed and tested.", + "description": "Annual IRP test records (tabletop exercise or live drill); review sign-offs; lessons-learned documentation", + "identifier": "12.10.2", + "createdAt": "2026-04-13 14:37:47.623", + "updatedAt": "2026-04-13 14:37:47.623" + }, + { + "id": "frk_rq_69dcffbe8febb9ad32cee3ac", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "The incident response plan includes monitoring and responding to alerts from security monitoring systems.", + "description": "IRP sections covering SIEM/IDS/FIM alerts; playbooks for common alert types; escalation procedures", + "identifier": "12.10.5", + "createdAt": "2026-04-13 14:37:50.454", + "updatedAt": "2026-04-13 14:37:50.454" + }, + { + "id": "frk_rq_69dcffbfa920236e68274c8a", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "The incident response plan is modified and evolved according to lessons learned and industry developments.", + "description": "IRP version history; lessons-learned records from incidents and tests; review schedule", + "identifier": "12.10.6", + "createdAt": "2026-04-13 14:37:51.469", + "updatedAt": "2026-04-13 14:37:51.469" + }, + { + "id": "frk_rq_69dcffc0f183d6d459f7374d", + "frameworkId": "frk_69dcfb280b550e7ee231f312", + "name": "Incident response procedures are in place for detection of stored PAN where it should not be.", + "description": "IRP section covering unauthorized PAN discovery; data classification and remediation procedures", + "identifier": "12.10.7", + "createdAt": "2026-04-13 14:37:52.400", + "updatedAt": "2026-04-13 14:37:52.400" + }, + { + "id": "frk_rq_681ed20a3f7335dd1ec64b6c", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "A.5.10 Organizational Controls", + "description": "Acceptable use of information and other associated assets", + "identifier": "A.5.10", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 14:59:49.552" + }, + { + "id": "frk_rq_69e918bdb25c8526688fa93e", + "frameworkId": "frk_69e9187a649152cdc715f1ad", + "name": "Right to Restrict Processing", + "description": "It's easy for your customers to ask you to stop processing their data.", + "identifier": "PR-4", + "createdAt": "2026-04-22 18:51:41.481", + "updatedAt": "2026-04-22 18:51:41.481" + }, + { + "id": "frk_rq_681ed61f357c7bf776300aa7", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "A.7.5 Physical Controls", + "description": "Protecting against physical and environmental threats", + "identifier": "A.7.5 ", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 15:04:26.023" + }, + { + "id": "frk_rq_681ed7532959ec62c8ae815c", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "A.8.19 Technological Controls ", + "description": "Installation of software on operational systems", + "identifier": "\t A.8.19", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 15:04:27.407" + }, + { + "id": "frk_rq_681ed7794b363009725bab5b", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "A.8.21 Technological Controls", + "description": "Security of network services", + "identifier": "A.8.21", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 15:04:27.613" + }, + { + "id": "frk_rq_69e918be4efe14f478e1f46a", + "frameworkId": "frk_69e9187a649152cdc715f1ad", + "name": "Right to Object", + "description": "It's easy for your customers to object to you processing their data.", + "identifier": "PR-6", + "createdAt": "2026-04-22 18:51:42.292", + "updatedAt": "2026-04-22 18:51:42.292" + }, + { + "id": "frk_rq_681ecca11f8e93d33110f582", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "4.1 Context of the organization", + "description": "Understanding the organization and its context", + "identifier": "4.1 ", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 15:04:28.601" + }, + { + "id": "frk_rq_681eccf8ea16a6a8c71b2043", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "4.3 Context of the organization", + "description": "Determining the scope of the ISMS", + "identifier": "4.3 ", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 15:04:28.665" + }, + { + "id": "frk_rq_69e918bf7e5efe469442d414", + "frameworkId": "frk_69e9187a649152cdc715f1ad", + "name": "Automated Decision-Making Safeguards", + "description": "If you make decisions about people based on automated processes, you have a procedure to protect their rights.", + "identifier": "PR-7", + "createdAt": "2026-04-22 18:51:42.643", + "updatedAt": "2026-04-22 18:51:42.643" + }, + { + "id": "frk_rq_681eccda0b0048baacc8384f", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "4.2 Context of the organization", + "description": "Needs & expectations of interested parties", + "identifier": "4.2 ", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 15:04:28.718" + }, + { + "id": "frk_rq_681ed6f360678a6cf25345b2", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "A.8.9 Technological Controls", + "description": "Configuration management", + "identifier": "\t A.8.9", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-23 14:43:12.244" + }, + { + "id": "frk_rq_681ed1433a712ae09dc7633b", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "10.1 Improvement ", + "description": "Nonconformity and corrective action", + "identifier": "\t 10.1 ", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 15:04:29.048" + }, + { + "id": "frk_rq_681ecee267499cb4e89dd597", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "5.3 Leadership", + "description": "Organizational roles, responsibilities, and authorities", + "identifier": "5.3 ", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 15:04:29.156" + }, + { + "id": "frk_rq_681ed29613b703c7f368ffdc", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "A.5.19 Organizational Controls ", + "description": "Information security in supplier relationships", + "identifier": "A.5.19", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 15:04:29.987" + }, + { + "id": "frk_rq_681ed38c0abdd2731880fa6e", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "A.5.30 Organizational Controls", + "description": "ICT readiness for business continuity", + "identifier": "A.5.30", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-20 15:04:32.109" + }, + { + "id": "frk_rq_69e91593a0551c32d5c99972", + "frameworkId": "frk_68d12ec2791043b5a1555950", + "name": "External Vulnerability Scanning", + "description": "External vulnerability scans must be performed at least once every three months and after any significant change to the external attack surface. Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV) and meet ASV Program Guide passing criteria. All high-risk and critical vulnerabilities must be remediated and the environment rescanned until a passing scan is achieved.", + "identifier": "11.3.2", + "createdAt": "2026-04-22 18:38:11.289", + "updatedAt": "2026-04-22 18:38:11.289" + }, + { + "id": "frk_rq_69e918b79f38966f5f583cec", + "frameworkId": "frk_69e9187a649152cdc715f1ad", + "name": "Information Audit", + "description": "Conduct an information audit to determine what information you process and who has access to it.", + "identifier": "LBT-1", + "createdAt": "2026-04-22 18:51:35.305", + "updatedAt": "2026-04-22 18:51:35.305" + }, + { + "id": "frk_rq_69e918b890ecd3f9bb6f77d5", + "frameworkId": "frk_69e9187a649152cdc715f1ad", + "name": "Legal Justification for Processing", + "description": "Have a legal justification for your data processing activities.", + "identifier": "LBT-2", + "createdAt": "2026-04-22 18:51:35.729", + "updatedAt": "2026-04-22 18:51:35.729" + }, + { + "id": "frk_rq_69e918b8311dfe1878703dc4", + "frameworkId": "frk_69e9187a649152cdc715f1ad", + "name": "Transparent Privacy Policy", + "description": "Provide clear information about your data processing and legal justification in your privacy policy.", + "identifier": "LBT-3", + "createdAt": "2026-04-22 18:51:36.121", + "updatedAt": "2026-04-22 18:51:36.121" + }, + { + "id": "frk_rq_69e918b9edbcd14b1ce1c115", + "frameworkId": "frk_69e9187a649152cdc715f1ad", + "name": "Privacy by Design and by Default", + "description": "Take data protection into account at all times, from the moment you begin developing a product to each time you process data.", + "identifier": "DS-1", + "createdAt": "2026-04-22 18:51:36.583", + "updatedAt": "2026-04-22 18:51:36.583" + }, + { + "id": "frk_rq_69e918b9915691574d0c306e", + "frameworkId": "frk_69e9187a649152cdc715f1ad", + "name": "Data Minimization and Pseudonymization", + "description": "Encrypt, pseudonymize, or anonymize personal data wherever possible.", + "identifier": "DS-2", + "createdAt": "2026-04-22 18:51:37.047", + "updatedAt": "2026-04-22 18:51:37.047" + }, + { + "id": "frk_rq_69e918b9c01cf05118ad6c9f", + "frameworkId": "frk_69e9187a649152cdc715f1ad", + "name": "Internal Security Policy and Awareness", + "description": "Create an internal security policy for your team members, and build awareness about data protection.", + "identifier": "DS-3", + "createdAt": "2026-04-22 18:51:37.422", + "updatedAt": "2026-04-22 18:51:37.422" + }, + { + "id": "frk_rq_69e918ba0847fd461d701bf3", + "frameworkId": "frk_69e9187a649152cdc715f1ad", + "name": "Data Protection Impact Assessment", + "description": "Know when to conduct a data protection impact assessment, and have a process in place to carry it out.", + "identifier": "DS-4", + "createdAt": "2026-04-22 18:51:37.823", + "updatedAt": "2026-04-22 18:51:37.823" + }, + { + "id": "frk_rq_69e918ba40b8476a90d01fb2", + "frameworkId": "frk_69e9187a649152cdc715f1ad", + "name": "Breach Notification Process", + "description": "Have a process in place to notify the authorities and your data subjects in the event of a data breach.", + "identifier": "DS-5", + "createdAt": "2026-04-22 18:51:38.221", + "updatedAt": "2026-04-22 18:51:38.221" + }, + { + "id": "frk_rq_69e918bb12c8b04e6f46554d", + "frameworkId": "frk_69e9187a649152cdc715f1ad", + "name": "GDPR Accountability Owner", + "description": "Designate someone responsible for ensuring GDPR compliance across your organization.", + "identifier": "AG-1", + "createdAt": "2026-04-22 18:51:38.678", + "updatedAt": "2026-04-22 18:51:38.678" + }, + { + "id": "frk_rq_681ed81d5e01d43ada52ffae", + "frameworkId": "frk_681ecc34e85064efdbb76993", + "name": "A.8.34 Technological Controls ", + "description": "Protection of information systems during audit and testing", + "identifier": "A.8.34 ", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-23 14:43:12.959" + }, + { + "id": "frk_rq_69e918bd12d2800d62e187a5", + "frameworkId": "frk_69e9187a649152cdc715f1ad", + "name": "Right to Erasure", + "description": "It's easy for your customers to request to have their personal data deleted.", + "identifier": "PR-3", + "createdAt": "2026-04-22 18:51:41.081", + "updatedAt": "2026-04-22 18:51:41.081" + }, + { + "id": "frk_rq_69e918befc216b296cbbdae9", + "frameworkId": "frk_69e9187a649152cdc715f1ad", + "name": "Right to Data Portability", + "description": "It's easy for your customers to receive a copy of their personal data in a format that can be easily transferred to another company.", + "identifier": "PR-5", + "createdAt": "2026-04-22 18:51:41.846", + "updatedAt": "2026-04-22 18:51:41.846" + }, + { + "id": "frk_rq_69eaa7b7f5a7e613f2506e2e", + "frameworkId": "frk_681ef1952907deb7cb85896d", + "name": "Automated Decision-Making Safeguards", + "description": "If you make decisions about people based on automated processes, you have a procedure to protect their rights.", + "identifier": "PR-7", + "createdAt": "2026-04-23 23:13:58.662", + "updatedAt": "2026-04-23 23:13:58.662" + }, + { + "id": "frk_rq_69eaa7b7f31a0487875d4020", + "frameworkId": "frk_681ef1952907deb7cb85896d", + "name": "Breach Notification Process", + "description": "Have a process in place to notify the authorities and your data subjects in the event of a data breach.", + "identifier": "DS-5", + "createdAt": "2026-04-23 23:13:58.782", + "updatedAt": "2026-04-23 23:13:58.782" + }, + { + "id": "frk_rq_69eaa7b7da0c92ffd26e6f7e", + "frameworkId": "frk_681ef1952907deb7cb85896d", + "name": "Data Minimization and Pseudonymization", + "description": "Encrypt, pseudonymize, or anonymize personal data wherever possible.", + "identifier": "DS-2", + "createdAt": "2026-04-23 23:13:58.862", + "updatedAt": "2026-04-23 23:13:58.862" + }, + { + "id": "frk_rq_69eaa7b71e2f3c4710aa383f", + "frameworkId": "frk_681ef1952907deb7cb85896d", + "name": "Data Processor Agreements", + "description": "Sign a data processing agreement between your organization and any third parties that process personal data on your behalf.", + "identifier": "AG-2", + "createdAt": "2026-04-23 23:13:58.927", + "updatedAt": "2026-04-23 23:13:58.927" + }, + { + "id": "frk_rq_69eaa7b77bf5981d7557e448", + "frameworkId": "frk_681ef1952907deb7cb85896d", + "name": "Data Protection Impact Assessment", + "description": "Know when to conduct a data protection impact assessment, and have a process in place to carry it out.", + "identifier": "DS-4", + "createdAt": "2026-04-23 23:13:59.014", + "updatedAt": "2026-04-23 23:13:59.014" + }, + { + "id": "frk_rq_69eaa7b76c115a489f4f4b08", + "frameworkId": "frk_681ef1952907deb7cb85896d", + "name": "Data Protection Officer", + "description": "Appoint a Data Protection Officer (if necessary).", + "identifier": "AG-4", + "createdAt": "2026-04-23 23:13:59.084", + "updatedAt": "2026-04-23 23:13:59.084" + }, + { + "id": "frk_rq_69eaa7b7b237bc35bb52c10d", + "frameworkId": "frk_681ef1952907deb7cb85896d", + "name": "EU Representative", + "description": "If your organization is outside the EU, appoint a representative within one of the EU member states.", + "identifier": "AG-3", + "createdAt": "2026-04-23 23:13:59.165", + "updatedAt": "2026-04-23 23:13:59.165" + }, + { + "id": "frk_rq_69eaa7b735898b1be6a9ebf2", + "frameworkId": "frk_681ef1952907deb7cb85896d", + "name": "GDPR Accountability Owner", + "description": "Designate someone responsible for ensuring GDPR compliance across your organization.", + "identifier": "AG-1", + "createdAt": "2026-04-23 23:13:59.299", + "updatedAt": "2026-04-23 23:13:59.299" + }, + { + "id": "frk_rq_69eaa7b733cf653074d17a7f", + "frameworkId": "frk_681ef1952907deb7cb85896d", + "name": "Information Audit", + "description": "Conduct an information audit to determine what information you process and who has access to it.", + "identifier": "LBT-1", + "createdAt": "2026-04-23 23:13:59.379", + "updatedAt": "2026-04-23 23:13:59.379" + }, + { + "id": "frk_rq_69eaa7b707e431b82960342c", + "frameworkId": "frk_681ef1952907deb7cb85896d", + "name": "Internal Security Policy and Awareness", + "description": "Create an internal security policy for your team members, and build awareness about data protection.", + "identifier": "DS-3", + "createdAt": "2026-04-23 23:13:59.470", + "updatedAt": "2026-04-23 23:13:59.470" + }, + { + "id": "frk_rq_69eaa7b8ebe34c5dbee1528f", + "frameworkId": "frk_681ef1952907deb7cb85896d", + "name": "Legal Justification for Processing", + "description": "Have a legal justification for your data processing activities.", + "identifier": "LBT-2", + "createdAt": "2026-04-23 23:13:59.550", + "updatedAt": "2026-04-23 23:13:59.550" + }, + { + "id": "frk_rq_69eaa7b8e4e4347bb2b861d5", + "frameworkId": "frk_681ef1952907deb7cb85896d", + "name": "Privacy by Design and by Default", + "description": "Take data protection into account at all times, from the moment you begin developing a product to each time you process data.", + "identifier": "DS-1", + "createdAt": "2026-04-23 23:13:59.630", + "updatedAt": "2026-04-23 23:13:59.630" + }, + { + "id": "frk_rq_69eaa7b859ec0d1cb67baf70", + "frameworkId": "frk_681ef1952907deb7cb85896d", + "name": "Right of Access", + "description": "It's easy for your customers to request and receive all the information you have about them.", + "identifier": "PR-1", + "createdAt": "2026-04-23 23:13:59.711", + "updatedAt": "2026-04-23 23:13:59.711" + }, + { + "id": "frk_rq_69eaa7b8673a4dc99e803097", + "frameworkId": "frk_681ef1952907deb7cb85896d", + "name": "Right to Data Portability", + "description": "It's easy for your customers to receive a copy of their personal data in a format that can be easily transferred to another company.", + "identifier": "PR-5", + "createdAt": "2026-04-23 23:13:59.823", + "updatedAt": "2026-04-23 23:13:59.823" + }, + { + "id": "frk_rq_69eaa7b8d85d601c3b8fd630", + "frameworkId": "frk_681ef1952907deb7cb85896d", + "name": "Right to Erasure", + "description": "It's easy for your customers to request to have their personal data deleted.", + "identifier": "PR-3", + "createdAt": "2026-04-23 23:13:59.901", + "updatedAt": "2026-04-23 23:13:59.901" + }, + { + "id": "frk_rq_69eaa7b8cdabaf034bb4f34e", + "frameworkId": "frk_681ef1952907deb7cb85896d", + "name": "Right to Object", + "description": "It's easy for your customers to object to you processing their data.", + "identifier": "PR-6", + "createdAt": "2026-04-23 23:13:59.976", + "updatedAt": "2026-04-23 23:13:59.976" + }, + { + "id": "frk_rq_69eaa7b867e5acb44fc95468", + "frameworkId": "frk_681ef1952907deb7cb85896d", + "name": "Right to Rectification", + "description": "It's easy for your customers to correct or update inaccurate or incomplete information.", + "identifier": "PR-2", + "createdAt": "2026-04-23 23:14:00.048", + "updatedAt": "2026-04-23 23:14:00.048" + }, + { + "id": "frk_rq_69eaa7b866cb7cb0261b9fe2", + "frameworkId": "frk_681ef1952907deb7cb85896d", + "name": "Right to Restrict Processing", + "description": "It's easy for your customers to ask you to stop processing their data.", + "identifier": "PR-4", + "createdAt": "2026-04-23 23:14:00.125", + "updatedAt": "2026-04-23 23:14:00.125" + }, + { + "id": "frk_rq_69eaa7b832769b4ecf0e9295", + "frameworkId": "frk_681ef1952907deb7cb85896d", + "name": "Transparent Privacy Policy", + "description": "Provide clear information about your data processing and legal justification in your privacy policy.", + "identifier": "LBT-3", + "createdAt": "2026-04-23 23:14:00.217", + "updatedAt": "2026-04-23 23:14:00.217" + }, + { + "id": "frk_rq_681fe40489876e2fe301c757", + "frameworkId": "frk_681fdd150f59a1560a66c89a", + "name": "164.306(d.3) General Rules", + "description": "Implementation specifications\r\n\r\nWhen a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes addressable implementation specifications, a covered entity or business associate must—\r\n\r\n(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and\r\n\r\n(ii) As applicable to the covered entity or business associate—\r\n\r\n(A) Implement the implementation specification if reasonable and appropriate; or\r\n\r\n(B) If implementing the implementation specification is not reasonable and appropriate—\r\n\r\n$(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and\r\n\r\n$(2) Implement an equivalent alternative measure if reasonable and appropriate.", + "identifier": "164.306(d.3)", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-24 14:58:31.430" + }, + { + "id": "frk_rq_681fe7022814f2d467948e70", + "frameworkId": "frk_681fdd150f59a1560a66c89a", + "name": "164.308(a.5.ii.B) Administrative safeguards", + "description": "Protection from malicious software (Addressable). \r\n\r\nProcedures for guarding against, detecting, and reporting malicious software.", + "identifier": "164.308(a.5.ii.B)", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-24 14:58:39.061" + }, + { + "id": "frk_rq_681fe79871e99458f760abba", + "frameworkId": "frk_681fdd150f59a1560a66c89a", + "name": "164.308(a.6.i) Administrative safeguards", + "description": "Standard: Security incident procedures. Implement policies and procedures to address security incidents.", + "identifier": "164.308(a.6.i)", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-24 14:58:40.230" + }, + { + "id": "frk_rq_681fe2c0b70c40a7af7538c1", + "frameworkId": "frk_681fdd150f59a1560a66c89a", + "name": "164.306(a.4) General Rules", + "description": "General requirements\r\n\r\nEnsure compliance with this subpart by its workforce.", + "identifier": "164.306(a.4)", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-24 14:58:59.459" + }, + { + "id": "frk_rq_681fe7b3f5e3ea69698e52e2", + "frameworkId": "frk_681fdd150f59a1560a66c89a", + "name": "164.308(a.6.ii) Administrative safeguards", + "description": "Implementation specification: Response and reporting (Required). \r\n\r\nIdentify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.", + "identifier": "164.308(a.6.ii)", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-24 14:58:40.628" + }, + { + "id": "frk_rq_681fea4735996fcd17f711bb", + "frameworkId": "frk_681fdd150f59a1560a66c89a", + "name": "164.310(d.1.iii) Physical Safeguards", + "description": "Accountability (Addressable). \r\n\r\nMaintain a record of the movements of hardware and electronic media and any person responsible therefore", + "identifier": "164.310(d.1.iii)", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-24 14:58:47.677" + }, + { + "id": "frk_rq_681fea1b35a991691d685345", + "frameworkId": "frk_681fdd150f59a1560a66c89a", + "name": "164.310(d.1) Physical Safeguards", + "description": "Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.", + "identifier": "164.310(d.1)", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-24 14:58:49.246" + }, + { + "id": "frk_rq_681fec08c1179a2bfe677069", + "frameworkId": "frk_681fdd150f59a1560a66c89a", + "name": "164.314(a.2.iii) Organizational requirements.", + "description": "Business associate contracts with subcontractors. The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.", + "identifier": "164.314(a.2.iii)", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-24 14:58:54.686" + }, + { + "id": "frk_rq_681fec1b32de927d4dbeb093", + "frameworkId": "frk_681fdd150f59a1560a66c89a", + "name": "164.314(b.1) Organizational requirements.", + "description": "Standard: Requirements for group health plans. Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to § 164.504(f)(1)(ii) or (iii), or as authorized under § 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.", + "identifier": "164.314(b.1)", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-24 14:58:55.910" + }, + { + "id": "frk_rq_681fec55c16831a6cd91f592", + "frameworkId": "frk_681fdd150f59a1560a66c89a", + "name": "164.314(b.2) Organizational requirements.", + "description": "Implementation specifications (Required). \r\n\r\nThe plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to—\r\n\r\n(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;\r\n\r\n(ii) Ensure that the adequate separation required by § 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures;\r\n\r\n(iii) Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and\r\n\r\n(iv) Report to the group health plan any security incident of which it becomes aware.", + "identifier": "164.314(b.2)", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-24 14:58:56.274" + }, + { + "id": "frk_rq_681fe27650feb9e1decf9b8e", + "frameworkId": "frk_681fdd150f59a1560a66c89a", + "name": "164.306(a.2) General Rules", + "description": "General requirements\r\n\r\nProtect against any reasonably anticipated threats or hazards to the security or integrity of such information.", + "identifier": "164.306(a.2)", + "createdAt": "2025-05-14 19:20:44.920", + "updatedAt": "2026-04-24 14:59:00.460" + }, + { + "id": "frk_rq_69efa5b70d056f596dc2a7ae", + "frameworkId": "frk_683f377429b8408d1c85f9bd", + "name": "The entity demonstrates a commitment to integrity and ethical values.", + "description": "The organization requires contractor agreements to include a code of conduct or reference to the company code of conduct.", + "identifier": "CC1.1", + "createdAt": "2026-04-27 18:06:47.141", + "updatedAt": "2026-04-27 18:15:27.263" + }, + { + "id": "frk_rq_69efd572c76b7b41d94b0968", + "frameworkId": "frk_69efd433584ba436ae00d413", + "name": "Data Inventory and Mapping", + "description": "Identify and document all personal information the business collects, stores, processes, and shares. Classify data types and map data flows within the organization.", + "identifier": "CCPA-1", + "createdAt": "2026-04-27 21:30:25.566", + "updatedAt": "2026-04-27 21:30:25.566" + }, + { + "id": "frk_rq_69efd574f36aa744a461b0f9", + "frameworkId": "frk_69efd433584ba436ae00d413", + "name": "Privacy Policy Updates", + "description": "Maintain a CCPA-compliant privacy policy that clarifies the type and purpose of data collected, sources, collection methods/formats, parties with shared access, contact details for data subjects, and notices for CCPA/CPRA rights.", + "identifier": "CCPA-2", + "createdAt": "2026-04-27 21:30:27.654", + "updatedAt": "2026-04-27 21:30:27.654" + }, + { + "id": "frk_rq_69efd575c5f8bf35c14f5d69", + "frameworkId": "frk_69efd433584ba436ae00d413", + "name": "Consumer Rights and Requests", + "description": "Honor all CCPA/CPRA consumer rights: Right to Know, Right to Delete, Right to Opt-Out of sale, Right to Non-Discrimination, Right to Correct, and Right to Limit use of sensitive personal information.", + "identifier": "CCPA-3", + "createdAt": "2026-04-27 21:30:29.199", + "updatedAt": "2026-04-27 21:30:29.199" + }, + { + "id": "frk_rq_69efd57711c3f0a61fe673a4", + "frameworkId": "frk_69efd433584ba436ae00d413", + "name": "Verification of Consumer Requests", + "description": "Develop procedures to verify the identity of consumers submitting rights requests in order to prevent fraudulent data access or modification.", + "identifier": "CCPA-4", + "createdAt": "2026-04-27 21:30:30.986", + "updatedAt": "2026-04-27 21:30:30.986" + }, + { + "id": "frk_rq_69efd578456ecb3bb27776f6", + "frameworkId": "frk_69efd433584ba436ae00d413", + "name": "Training and Awareness", + "description": "Train employees who handle personal information on CCPA requirements and educate staff on internal compliance procedures for processing consumer rights requests.", + "identifier": "CCPA-5", + "createdAt": "2026-04-27 21:30:32.334", + "updatedAt": "2026-04-27 21:30:32.334" + }, + { + "id": "frk_rq_69efd57ab20b0aab665f6d8d", + "frameworkId": "frk_69efd433584ba436ae00d413", + "name": "Data Security Measures", + "description": "Implement and maintain reasonable technical and organizational safeguards to protect personal information against unauthorized access, destruction, use, modification, or disclosure.", + "identifier": "CCPA-6", + "createdAt": "2026-04-27 21:30:33.784", + "updatedAt": "2026-04-27 21:30:33.784" + }, + { + "id": "frk_rq_69efd57cea0d187006ea6b13", + "frameworkId": "frk_69efd433584ba436ae00d413", + "name": "Service Provider Contracts", + "description": "Review and update contracts with service providers and contractors to ensure CCPA compliance, including provisions restricting their use of personal information to the specified business purpose.", + "identifier": "CCPA-7", + "createdAt": "2026-04-27 21:30:35.955", + "updatedAt": "2026-04-27 21:30:35.955" + }, + { + "id": "frk_rq_69efd57d8ecf1576f93a0603", + "frameworkId": "frk_69efd433584ba436ae00d413", + "name": "Record Keeping", + "description": "Maintain records of consumer rights requests and the business's responses for at least 24 months. Document compliance efforts and processes.", + "identifier": "CCPA-8", + "createdAt": "2026-04-27 21:30:36.926", + "updatedAt": "2026-04-27 21:30:36.926" + }, + { + "id": "frk_rq_69efd57e84aa9eb34fbdb270", + "frameworkId": "frk_69efd433584ba436ae00d413", + "name": "Opt-Out Mechanism", + "description": "Provide a clear, accessible \"Do Not Sell or Share My Personal Information\" opt-out mechanism and ensure consumers can easily exercise this right.", + "identifier": "CCPA-9", + "createdAt": "2026-04-27 21:30:38.367", + "updatedAt": "2026-04-27 21:30:38.367" + }, + { + "id": "frk_rq_69efd580bc382953d7136073", + "frameworkId": "frk_69efd433584ba436ae00d413", + "name": "Minors' Data", + "description": "Obtain affirmative opt-in consent before selling or sharing the personal information of consumers under 16. For consumers under 13, obtain verifiable parental consent.", + "identifier": "CCPA-10", + "createdAt": "2026-04-27 21:30:39.858", + "updatedAt": "2026-04-27 21:30:39.858" + }, + { + "id": "frk_rq_69efd581f8bf5b44eeecd048", + "frameworkId": "frk_69efd433584ba436ae00d413", + "name": "Regular Audits and Updates", + "description": "Conduct regular audits of CCPA compliance processes, monitor regulatory changes, and amend compliance measures accordingly.", + "identifier": "CCPA-11", + "createdAt": "2026-04-27 21:30:41.018", + "updatedAt": "2026-04-27 21:30:41.018" + }, + { + "id": "frk_rq_69efd583f4e5404bcb066b56", + "frameworkId": "frk_69efd433584ba436ae00d413", + "name": "Communications and Notifications", + "description": "Provide all required CCPA consumer communications: Notice at Collection, comprehensive Privacy Policy, Authorized Agent Notice, Notice of Financial Incentive (if applicable), timely breach notifications, and a prominently displayed privacy policy link.", + "identifier": "CCPA-12", + "createdAt": "2026-04-27 21:30:42.895", + "updatedAt": "2026-04-27 21:30:42.895" + }, + { + "id": "frk_rq_69f3d8f9325e9331eb352d02", + "frameworkId": "frk_69f3d7821751ec330608f200", + "name": "Accountability", + "description": "Designate one or more individuals accountable for PIPEDA compliance, implement privacy policies and practices that govern personal information under the organization's control (including information transferred to third parties), train staff, and make the identity of the accountable person known on request.", + "identifier": "PIPEDA-1", + "createdAt": "2026-04-30 22:34:32.639", + "updatedAt": "2026-04-30 22:34:32.639" + }, + { + "id": "frk_rq_69f3d8f97b102c78dd60613e", + "frameworkId": "frk_69f3d7821751ec330608f200", + "name": "Identifying Purposes", + "description": "Identify and document the purposes for which personal information is collected at or before the time of collection, communicate those purposes clearly to individuals, and obtain new consent before using information for any purpose not previously identified.", + "identifier": "PIPEDA-2", + "createdAt": "2026-04-30 22:34:33.047", + "updatedAt": "2026-04-30 22:34:33.047" + }, + { + "id": "frk_rq_69f3d8fa35b14429dc6a5ae2", + "frameworkId": "frk_69f3d7821751ec330608f200", + "name": "Consent", + "description": "Obtain meaningful, informed consent for the collection, use, or disclosure of personal information except where inappropriate or otherwise permitted by law. Use express consent for sensitive information, allow individuals to withdraw consent subject to legal/contractual restrictions, and never make consent beyond what is necessary a condition of service.", + "identifier": "PIPEDA-3", + "createdAt": "2026-04-30 22:34:33.508", + "updatedAt": "2026-04-30 22:34:33.508" + }, + { + "id": "frk_rq_69f3d8faaaa018c49827ba66", + "frameworkId": "frk_69f3d7821751ec330608f200", + "name": "Limiting Collection", + "description": "Limit the collection of personal information (both type and amount) to what is necessary for the identified purposes, and collect only by fair and lawful means. Distinguish mandatory from optional information and respect statutory restrictions such as those on Social Insurance Numbers.", + "identifier": "PIPEDA-4", + "createdAt": "2026-04-30 22:34:33.982", + "updatedAt": "2026-04-30 22:34:33.982" + }, + { + "id": "frk_rq_69f3d8fab461cfff700cd0fc", + "frameworkId": "frk_69f3d7821751ec330608f200", + "name": "Limiting Use, Disclosure, and Retention", + "description": "Use or disclose personal information only for the purposes for which it was collected, except with consent or as required by law. Retain personal information only as long as necessary to fulfill those purposes, with documented retention schedules and secure destruction or anonymization procedures.", + "identifier": "PIPEDA-5", + "createdAt": "2026-04-30 22:34:34.449", + "updatedAt": "2026-04-30 22:34:34.449" + }, + { + "id": "frk_rq_69f3d8fb5e54d4c7ab693e1a", + "frameworkId": "frk_69f3d7821751ec330608f200", + "name": "Accuracy", + "description": "Keep personal information as accurate, complete, and up-to-date as necessary for the purposes for which it is used, with documented procedures for verifying accuracy, recording sources and update dates, and amending information when challenged successfully by individuals.", + "identifier": "PIPEDA-6", + "createdAt": "2026-04-30 22:34:34.826", + "updatedAt": "2026-04-30 22:34:34.826" + }, + { + "id": "frk_rq_69f3d8fb285f6ce15ead0408", + "frameworkId": "frk_69f3d7821751ec330608f200", + "name": "Safeguards", + "description": "Protect personal information with security safeguards appropriate to its sensitivity — including physical, organizational, and technological measures — covering access control, encryption, secure transmission, employee awareness, breach response, secure disposal, and protection of information used outside the office.", + "identifier": "PIPEDA-7", + "createdAt": "2026-04-30 22:34:35.296", + "updatedAt": "2026-04-30 22:34:35.296" + }, + { + "id": "frk_rq_69f3d8fca6daba5a2eaddaaa", + "frameworkId": "frk_69f3d7821751ec330608f200", + "name": "Openness", + "description": "Make information about the organization's personal information management policies and practices readily available to individuals in an understandable form, including the name and contact information of the accountable person, how to access personal information, what information is held and its general use, and any disclosure to related organizations.", + "identifier": "PIPEDA-8", + "createdAt": "2026-04-30 22:34:35.656", + "updatedAt": "2026-04-30 22:34:35.656" + }, + { + "id": "frk_rq_69f3d8fc64fbb4b8bd63a0f7", + "frameworkId": "frk_69f3d7821751ec330608f200", + "name": "Individual Access", + "description": "On written request, inform individuals of the existence, use, and disclosure of their personal information, give them access to that information, allow them to challenge accuracy/completeness, and respond within 30 days at minimal or no cost. Document refusals with reasons and recourse, and propagate amendments to relevant third parties.", + "identifier": "PIPEDA-9", + "createdAt": "2026-04-30 22:34:36.118", + "updatedAt": "2026-04-30 22:34:36.118" + }, + { + "id": "frk_rq_69f3d8fd143d9729bbe92c18", + "frameworkId": "frk_69f3d7821751ec330608f200", + "name": "Challenging Compliance", + "description": "Provide individuals with an easily accessible procedure to challenge the organization's compliance with PIPEDA, investigate all complaints, take corrective action where complaints are justified (including amending policies and practices), and inform complainants of the outcome and recourse available.", + "identifier": "PIPEDA-10", + "createdAt": "2026-04-30 22:34:36.603", + "updatedAt": "2026-04-30 22:34:36.603" } ] \ No newline at end of file diff --git a/packages/db/prisma/seed/primitives/FrameworkEditorTaskTemplate.json b/packages/db/prisma/seed/primitives/FrameworkEditorTaskTemplate.json index 423b364e79..7941651fff 100644 --- a/packages/db/prisma/seed/primitives/FrameworkEditorTaskTemplate.json +++ b/packages/db/prisma/seed/primitives/FrameworkEditorTaskTemplate.json @@ -22,11 +22,11 @@ { "id": "frk_tt_68406951bd282273ebe286cc", "name": "Employee Verification", - "description": "Maintain a list of reference checks you made for every new hire. Verify the identity of every new hire.\n\nFor ISO 27001: Ensure you are also storing the NDA, candidate evaluation form and access creation request with its approval evidence\n\nFor PCI: For employees with potential access to the CDE, document background verification checks (e.g., reference check, prior employment) before granting access to CHD systems.\n", + "description": "Maintain a list of reference checks you made for every new hire. Verify the identity of every new hire.\n\nFor ISO 27001: Ensure you are also storing the NDA, candidate evaluation form and access creation request with its approval evidence\n\nFor PCI: For employees with potential access to the CDE, document background verification checks (e.g., reference check, prior employment) before granting access to CHD systems.\n\nBackground checks can be ran within the Comp AI Plaform, in the People Tab. Select the User => Background Check\n", "frequency": "yearly", "department": "hr", "createdAt": "2025-06-04 15:42:08.603", - "updatedAt": "2025-09-10 21:06:07.350", + "updatedAt": "2026-04-30 23:56:40.630", "automationStatus": "AUTOMATED" }, { @@ -80,13 +80,13 @@ "automationStatus": "AUTOMATED" }, { - "id": "frk_tt_68b59e7a29bec89c57014868", - "name": "Statement of Applicability", - "description": "The Statement of Applicability identifies relevant ISO 27001 Annex A controls, explains their inclusion or exclusion, and shows their implementation status within the ISMS.\n\nReview the Statement of Applicability in the Questionnaire Tab in the Comp AI app", + "id": "frk_tt_68406d64f09f13271c14dd01", + "name": "Code Changes", + "description": "Enable branch protection on your main branch to prevent direct pushes and enforce pull requests. Ensure regression testing is done.\n\nUpload a screenshot of these settings, demonstrating the disallowed direct push and required pull request.\n\nFor ISO 27001: Show change approval with peer review, change testing evidence, rollback plan and impact assessment.\n\nFor ISO 42001: Extend change management to include AI-specific changes to models, training data, and algorithms. Document review/approval for impacts on risk, ethics, and compliance.\n\nFor PCI: Demonstrate documented change control for CHD application or infrastructure code changes, including approval, testing, rollback plan, and segregation of duties.", "frequency": "yearly", - "department": "admin", - "createdAt": "2025-09-01 13:24:09.841", - "updatedAt": "2025-12-02 18:46:36.579", + "department": "gov", + "createdAt": "2025-06-04 15:59:31.795", + "updatedAt": "2025-09-18 16:14:21.813", "automationStatus": "AUTOMATED" }, { @@ -96,18 +96,8 @@ "frequency": "yearly", "department": "it", "createdAt": "2025-07-07 04:46:43.319", - "updatedAt": "2025-09-10 21:12:35.061", - "automationStatus": "AUTOMATED" - }, - { - "id": "frk_tt_68406d64f09f13271c14dd01", - "name": "Code Changes", - "description": "Enable branch protection on your main branch to prevent direct pushes and enforce pull requests. Ensure regression testing is done.\n\nUpload a screenshot of these settings, demonstrating the disallowed direct push and required pull request.\n\nFor ISO 27001: Show change approval with peer review, change testing evidence, rollback plan and impact assessment.\n\nFor ISO 42001: Extend change management to include AI-specific changes to models, training data, and algorithms. Document review/approval for impacts on risk, ethics, and compliance.\n\nFor PCI: Demonstrate documented change control for CHD application or infrastructure code changes, including approval, testing, rollback plan, and segregation of duties.", - "frequency": "yearly", - "department": "gov", - "createdAt": "2025-06-04 15:59:31.795", - "updatedAt": "2025-09-18 16:14:21.813", - "automationStatus": "AUTOMATED" + "updatedAt": "2026-03-18 18:43:35.242", + "automationStatus": "MANUAL" }, { "id": "frk_tt_68406903839203801ac8041a", @@ -120,23 +110,23 @@ "automationStatus": "AUTOMATED" }, { - "id": "frk_tt_68406d2e86acc048d1774ea6", - "name": "App Availability", - "description": "Make sure your website or app doesn't slow down or crash because too many people are using it, or if there's a problem. \n\nUpload a screenshot showing you have DDoS protection enabled / auto-scale turned on.\n\nShow evidence of firewall configuration on production databases\n", + "id": "frk_tt_68406eedf0f0ddd220ea19c2", + "name": "Sanitized Inputs", + "description": "Implement input validation and sanitization using libraries such as Zod, Pydantic, or equivalent. \n\n", "frequency": "yearly", "department": "it", - "createdAt": "2025-06-04 15:58:37.662", - "updatedAt": "2025-10-06 20:24:37.179", + "createdAt": "2025-06-04 16:06:05.042", + "updatedAt": "2026-04-28 15:41:08.190", "automationStatus": "AUTOMATED" }, { - "id": "frk_tt_68406eedf0f0ddd220ea19c2", - "name": "Sanitized Inputs", - "description": "Implement input validation and sanitization using libraries such as Zod, Pydantic, or equivalent. \n\nEnable a static code analysis tool such as CodeQL (or its equivalent) to automatically detect security vulnerabilities and insecure coding patterns.\n\nUpload a screenshot showing both measures in use or being enforced.", + "id": "frk_tt_68406d2e86acc048d1774ea6", + "name": "App Availability", + "description": "Make sure your website or app doesn't slow down or crash because too many people are using it, or if there's a problem. \n\nUpload a screenshot showing you have DDoS protection enabled / auto-scale turned on.\n\nShow evidence of firewall configuration on production databases\n", "frequency": "yearly", "department": "it", - "createdAt": "2025-06-04 16:06:05.042", - "updatedAt": "2025-10-14 19:27:06.034", + "createdAt": "2025-06-04 15:58:37.662", + "updatedAt": "2025-10-06 20:24:37.179", "automationStatus": "AUTOMATED" }, { @@ -459,16 +449,6 @@ "updatedAt": "2025-10-13 23:15:34.934", "automationStatus": "AUTOMATED" }, - { - "id": "frk_tt_68e80545a8b432bc59eb8037", - "name": "Incident Response Tabletop Exercise", - "description": "Conduct a periodic tabletop exercise to test the effectiveness of your incident response plan. Simulate a security incident to ensure all team members understand their roles, communication channels, and procedures during a real event.\n\nUpload evidence of the most recent exercise, including the agenda or scenario, a list of attendees with their roles, and session notes. You must also include an after-action report that lists findings, improvement actions, assigned owners, and due dates.\n\nTemplate available here: https://docs.google.com/document/d/1HwJPsGEO9rX3H0w-Nzy5AbYWh68kCsjg/edit?usp=drive_link&ouid=105483817633840137498&rtpof=true&sd=true", - "frequency": "yearly", - "department": "itsm", - "createdAt": "2025-10-09 18:56:04.980", - "updatedAt": "2026-01-14 21:31:39.063", - "automationStatus": "MANUAL" - }, { "id": "frk_tt_68e805457c2dcc784e72e3cc", "name": "Access Review Log", @@ -549,6 +529,16 @@ "updatedAt": "2026-01-14 21:31:38.908", "automationStatus": "MANUAL" }, + { + "id": "frk_tt_69033a6bfeb4759be36257bc", + "name": "Infrastructure Inventory", + "description": "Maintain an up-to-date inventory of all infrastructure assets, including cloud accounts, compute resources, databases, storage, and networks. SOC 2 requires that you identify and track all assets in your environment to ensure they are protected and ownership is assigned.\n\nUpload an export or screenshot from your cloud provider (e.g., AWS, GCP, Azure) or CMDB listing these assets. Ensure the evidence clearly shows asset names, tags, owners, and a last-updated date.\n\nTemplate here: https://docs.google.com/spreadsheets/d/170csMBWNcmKIkyC6TE0H3lqwv3C1e5dc/edit?usp=drive_link&ouid=105483817633840137498&rtpof=true&sd=true", + "frequency": "yearly", + "department": "itsm", + "createdAt": "2025-10-30 10:14:03.155", + "updatedAt": "2026-02-06 21:39:59.516", + "automationStatus": "MANUAL" + }, { "id": "frk_tt_68e52b269db179c434734766", "name": "Backup Restoration Test", @@ -569,16 +559,6 @@ "updatedAt": "2025-11-19 11:20:23.305", "automationStatus": "AUTOMATED" }, - { - "id": "frk_tt_69033a6bfeb4759be36257bc", - "name": "Infrastructure Inventory", - "description": "Maintain an up-to-date inventory of all infrastructure assets, including cloud accounts, compute resources, databases, storage, and networks. SOC 2 requires that you identify and track all assets in your environment to ensure they are protected and ownership is assigned.\n\nUpload an export or screenshot from your cloud provider (e.g., AWS, GCP, Azure) or CMDB listing these assets. Ensure the evidence clearly shows asset names, tags, owners, and a last-updated date.\n\nTemplate here: https://docs.google.com/spreadsheets/d/170csMBWNcmKIkyC6TE0H3lqwv3C1e5dc/edit?usp=drive_link&ouid=105483817633840137498&rtpof=true&sd=true", - "frequency": "yearly", - "department": "itsm", - "createdAt": "2025-10-30 10:14:03.155", - "updatedAt": "2025-11-19 11:20:22.122", - "automationStatus": "AUTOMATED" - }, { "id": "frk_tt_68e52b27c4bdbf1b24051b8b", "name": "Employee Performance Evaluations", @@ -679,6 +659,16 @@ "updatedAt": "2026-01-13 12:40:19.823", "automationStatus": "AUTOMATED" }, + { + "id": "frk_tt_69ea915f44950702d9f7733c", + "name": "AIMS Manual", + "description": "Establish, implement and maintain the AI management system, including the processes required and their interactions, in accordance with ISO/IEC 42001.\n\nUpload the AIMS Manual (or equivalent master document) as evidence.\n\nAcceptance criteria: describes AIMS processes, process interactions (inputs/outputs), responsibilities, resources, and references to supporting policies/procedures. Must include version, owner, approver and approval date.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-23 21:38:39.284", + "updatedAt": "2026-04-23 21:38:39.658", + "automationStatus": "MANUAL" + }, { "id": "frk_tt_691e6d9cd5bf039fdc6d364f", "name": "Internal Audit Reports & Schedule", @@ -692,7 +682,7 @@ { "id": "frk_tt_6840796f77d8a0dff53f947a", "name": "Secure Devices", - "description": "Ensure all devices meet the following security requirements:\n\n• Full disk encryption enabled (BitLocker for Windows, FileVault for macOS)\n\n• Screen lock enabled after 15 minutes of inactivity\n\n• Minimum password length of 8+ characters\n\n• Automatic installation of security updates\n\n• Anti-virus enabled (Windows Defender on Windows or macOS XProtect)\n\nYou may verify compliance by uploading screenshots for each device or by installing the Comp AI device agent.\n\nIf you already use a third-party MDM provider (e.g., Jamf, Intune, Kandji, etc.), it is recommended that you do not install the Comp AI device agent, as running multiple device management agents may cause conflicts. In these cases, please upload screenshots instead.\n\nThe Comp AI device agent can be downloaded from: portal.trycomp.ai", + "description": "Ensure all devices meet the following security requirements:\n\n• Full disk encryption enabled (BitLocker for Windows, FileVault for macOS)\n\n• Screen lock enabled after 5 minutes of inactivity on macOS and 15 minutes on Windows\n\n• Minimum password length of 8+ characters\n\n• Automatic installation of security updates\n\n• Anti-virus enabled (Windows Defender on Windows or macOS XProtect)\n\nYou may verify compliance by uploading screenshots for each device or by installing the Comp AI device agent.\n\nIf you already use a third-party MDM provider (e.g., Jamf, Intune, Kandji, etc.), it is recommended that you do not install the Comp AI device agent, as running multiple device management agents may cause conflicts. In these cases, please upload screenshots instead.\n\nThe Comp AI device agent can be downloaded from: portal.trycomp.ai", "frequency": "yearly", "department": "itsm", "createdAt": "2025-06-04 16:50:54.671", @@ -729,6 +719,66 @@ "updatedAt": "2026-01-14 21:33:59.506", "automationStatus": "MANUAL" }, + { + "id": "frk_tt_69ea9161097ef7eb142b70ff", + "name": "AI Leadership Commitment Record", + "description": "Top management demonstrates leadership and commitment to the AIMS by approving the AI policy and objectives, ensuring resources are available, and communicating the importance of effective AIMS.\n\nUpload evidence of leadership commitment (signed AI policy, board/exec meeting minutes, or a dated management statement).\n\nAcceptance criteria: attendees/signatories, date, explicit approval of AI policy and objectives, resource decisions, and references to AIMS performance discussions.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-23 21:38:40.588", + "updatedAt": "2026-04-23 21:38:40.769", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea916227fbbb6a722126b6", + "name": "AI Policy Alignment Review", + "description": "Review the AI policy for alignment with other organizational policies (information security, privacy, quality, risk, ethics, HR) and resolve any conflicts.\n\nUpload the AI Policy Alignment Review record as evidence.\n\nAcceptance criteria: policies reviewed, conflicts identified, resolution actions, reviewer, date, sign-off, and the resulting changes to AI policy or the related policies.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-23 21:38:41.643", + "updatedAt": "2026-04-23 21:38:41.846", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea9167679a59212c7db16f", + "name": "AI Tooling Inventory", + "description": "Maintain an inventory of tooling used across the AI lifecycle (frameworks, libraries, model registries, MLOps platforms, evaluation tools) including versions and approval status.\n\nUpload the AI Tooling Inventory as evidence.\n\nAcceptance criteria: tool name, version, purpose, owner, license, approved-for-use status, security review date, and associated AI systems.", + "frequency": "yearly", + "department": "it", + "createdAt": "2026-04-23 21:38:47.164", + "updatedAt": "2026-04-23 21:38:47.402", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69efd9f81f073e643fb5a19d", + "name": "Quarterly Privacy Notice Display Review", + "description": "Verify each quarter that the Notice at Collection, privacy policy link, \"Do Not Sell or Share\" link, \"Limit the Use of My Sensitive Personal Information\" link, and any Notice of Financial Incentive remain visible, accurate, and accessible across all properties.", + "frequency": "quarterly", + "department": "gov", + "createdAt": "2026-04-27 21:49:43.915", + "updatedAt": "2026-04-27 21:49:43.915", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_698cacc0f06de04786d097ca", + "name": "Security Awareness Training", + "description": "Upload evidence showing that all employees and contractors complete annual security awareness training. ", + "frequency": "yearly", + "department": "hr", + "createdAt": "2026-02-11 16:22:24.072", + "updatedAt": "2026-02-12 17:22:47.428", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69dd3fb7c4f015f0b5851eb0", + "name": "POI register & tamper inspection set", + "description": "Current POI register (make, model, serial, site) plus a sample set of completed periodic tamper/inspection checklists with dates and inspector.", + "frequency": "quarterly", + "department": "it", + "createdAt": "2026-04-13 19:10:47.221", + "updatedAt": "2026-04-13 19:12:10.867", + "automationStatus": "MANUAL" + }, { "id": "frk_tt_6901e041bb02b41fa3b7dca9", "name": "Office Access & Door Monitoring", @@ -736,7 +786,697 @@ "frequency": "yearly", "department": "admin", "createdAt": "2025-10-29 09:37:04.804", - "updatedAt": "2026-01-14 21:33:59.041", + "updatedAt": "2026-03-02 20:35:23.610", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69dd3f8f62639b078e7cc061", + "name": "Executive PCI accountability assignment", + "description": "Executive charter or board/management record formally assigning PCI DSS accountability (e.g. to CISO or named executive) and the compliance program.", + "frequency": "quarterly", + "department": "admin", + "createdAt": "2026-04-13 19:10:07.078", + "updatedAt": "2026-04-13 19:10:22.925", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69dd400bdc718337e0354ff7", + "name": "Passing ASV quarterly scan evidence", + "description": "Most recent passing quarterly ASV report for all in-scope external IPs/FQDNs, with ASV attestations and scan completion dates visible.", + "frequency": "quarterly", + "department": "it", + "createdAt": "2026-04-13 19:12:10.715", + "updatedAt": "2026-04-13 19:12:10.715", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69dd3fe1317ecf573a463bbb", + "name": "Payment page script approval & live integrity config", + "description": "Authorized third-party script inventory for the payment checkout page, tied to change tickets or approvals, plus exported CSP / SRI configuration from the live payment environment.", + "frequency": "quarterly", + "department": "it", + "createdAt": "2026-04-13 19:11:28.561", + "updatedAt": "2026-04-13 19:12:11.036", "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69dd3f6094fc732d635210ae", + "name": "Scope confirmation & CDE inventory pack", + "description": "Signed annual (or bi-annual SP) scope confirmation with attached CDE network/data-flow diagrams and in-scope system list (owner, function, location).", + "frequency": "yearly", + "department": "admin", + "createdAt": "2026-04-13 19:09:20.365", + "updatedAt": "2026-04-13 21:18:49.624", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69e928283390c5483dccbcde", + "name": "Maintain Records of Processing Activities (RoPA)", + "description": "Maintain and review the organization's Article 30 Records of Processing Activities. For each processing activity, document the purpose, categories of data subjects and personal data, recipients, international transfers, retention periods, and applicable security measures. Review at least annually and whenever processing activities materially change. Identify and document who has access to each dataset.", + "frequency": "yearly", + "department": "admin", + "createdAt": "2026-04-22 19:57:27.749", + "updatedAt": "2026-04-22 19:57:27.749", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69e92829b6aa752b0dfba9a8", + "name": "Data Protection Awareness Training", + "description": "Deliver data protection and privacy awareness training to all personnel at onboarding and at least annually thereafter. Training must cover lawful processing, data subject rights, incident reporting, and the internal security policy. Track completion and retain evidence (sign-off, quiz results, or LMS completion reports).", + "frequency": "yearly", + "department": "hr", + "createdAt": "2026-04-22 19:57:28.639", + "updatedAt": "2026-04-22 19:57:28.639", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69e92829ac42d6ca48bc6cd9", + "name": "DPIA Trigger Review and Execution", + "description": "Review planned and current processing activities against DPIA trigger criteria (e.g., large-scale processing of special categories, systematic monitoring, new technologies, automated decision-making with significant effects). For each triggered activity, complete a DPIA, document residual risks, implement mitigations, and consult the supervisory authority where residual risk remains high. Retain DPIA records.", + "frequency": "yearly", + "department": "admin", + "createdAt": "2026-04-22 19:57:29.078", + "updatedAt": "2026-04-22 19:57:29.078", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69e92829e97f5a494f13d67b", + "name": "Data Subject Rights Request Handling", + "description": "Review the Data Subject Access Request (DSAR) log covering the rights of access, rectification, erasure, restriction, portability, and objection. For each request, verify that identity was confirmed, the response was provided within one month (or a justified two-month extension was communicated), and the outcome was documented. Identify any SLA breaches or systemic issues and remediate.", + "frequency": "quarterly", + "department": "admin", + "createdAt": "2026-04-22 19:57:29.435", + "updatedAt": "2026-04-22 19:57:29.435", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69e92cc75996378b01b27ec9", + "name": "Cookie Consent and Tracking Review", + "description": "Inventory all cookies, SDKs, pixels, and trackers used across the organization's public websites and apps. Confirm a consent banner presents non-essential cookies as opt-in with the default off, loads no non-essential trackers before consent, and offers a way to reject as easily as to accept. Confirm a cookie policy discloses the name, purpose, duration, and third-party recipient for each cookie category. Verify consent records are stored with timestamp and scope, and that consent withdrawal is as easy as granting. Reconcile the banner's declared cookie list against what is actually set in production, and remediate drift.", + "frequency": "yearly", + "department": "admin", + "createdAt": "2026-04-22 20:17:11.002", + "updatedAt": "2026-04-22 20:17:11.002", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69ea915ebae9e6858fa4fa07", + "name": "AIMS Scope Statement", + "description": "Define and document the boundaries and applicability of the AI management system. Consider external/internal issues, interested-party requirements, organizational activities, and your role across the AI lifecycle (provider, developer, deployer, user).\n\nUpload the approved AIMS Scope Statement document as evidence.\n\nAcceptance criteria: included (in/out of scope), excluded items with justification, organizational role(s), covered AI systems, owner, approver, approval date, and review cadence.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-23 21:38:38.208", + "updatedAt": "2026-04-23 21:38:38.496", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69e92828297806545638eed7", + "name": "Review Data Retention, Minimization, and Encryption", + "description": "Review personal data holdings to confirm collection is limited to what is necessary for the stated purpose, retention periods are enforced, and data past its retention limit is deleted or anonymized. Verify personal data is encrypted in transit and at rest, and pseudonymized or anonymized wherever feasible. \n\nDocument the review and any remediation performed.", + "frequency": "yearly", + "department": "it", + "createdAt": "2026-04-22 19:57:28.176", + "updatedAt": "2026-04-30 23:56:41.573", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69ea9163eb166db383bb2140", + "name": "AI Policy Review", + "description": "Review the AI policy at planned intervals and when significant changes occur to confirm continuing suitability, adequacy and effectiveness.\n\nUpload the AI Policy Review record (with updated policy if changed) as evidence.\n\nAcceptance criteria: review date, reviewers, inputs considered (incidents, audits, regulatory changes, impact assessments), outcome (no change / amended / reissued), new version number, and approver.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-23 21:38:42.710", + "updatedAt": "2026-04-23 21:38:42.902", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea9164c6574221a69e1107", + "name": "AI Risk and Opportunity Register", + "description": "Maintain a register of risks and opportunities relevant to the AIMS (not individual-system AI risks, which are handled separately) and the planned actions to address them.\n\nUpload the AI Risk and Opportunity Register as evidence.\n\nAcceptance criteria: each entry includes description, likelihood/impact rating, owner, planned action, due date, status, and linkage into AIMS processes.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-23 21:38:43.710", + "updatedAt": "2026-04-23 21:38:43.875", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea9165056eb451ccc79c0f", + "name": "AI Societal Impact Assessment", + "description": "Assess potential societal impacts of each in-scope AI system (economic, environmental, cultural, democratic) and identify mitigations.\n\nUpload the AI Societal Impact Assessment record(s) as evidence.\n\nAcceptance criteria: AI system name, impact categories considered, affected groups/communities, severity and likelihood, mitigations, residual risk, assessor and approver, date, and next review.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-23 21:38:44.710", + "updatedAt": "2026-04-23 21:38:44.882", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea9166fd0793a689981939", + "name": "AI Data Resource Register", + "description": "Maintain an inventory of data resources used by AI systems (training, validation, testing, operational inputs) with ownership, classification, access, retention and intended use.\n\nUpload the AI Data Resource Register as evidence.\n\nAcceptance criteria: dataset name, source, sensitivity, owner, lawful basis, retention, access controls, associated AI system(s), and last-updated date.", + "frequency": "yearly", + "department": "it", + "createdAt": "2026-04-23 21:38:45.752", + "updatedAt": "2026-04-23 21:38:45.920", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea91684c77e2310a928a7a", + "name": "AI Awareness Program", + "description": "Ensure personnel whose work affects AI systems are aware of the AI policy, their contribution to AIMS effectiveness, implications of non-conformance, and potential impacts of the AI systems they develop, deploy or use.\n\nUpload evidence of AI awareness activities (training completion report, attendance list, or acknowledged communication).\n\nAcceptance criteria: audience, content summary, delivery method, completion rate, date, and owner. Include the awareness materials themselves (deck, doc, or link).", + "frequency": "yearly", + "department": "hr", + "createdAt": "2026-04-23 21:38:48.218", + "updatedAt": "2026-04-23 21:38:48.444", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea916984bd6ff9ec7fd09b", + "name": "AI Competence Record", + "description": "Determine competencies required for AI-related roles, assess personnel against them, and close gaps through training/experience/recruitment.\n\nUpload the AI Competence Record (role-to-competence matrix plus evidence of training/assessment).\n\nAcceptance criteria: role, required competencies, person, current level, gap, actions taken, completion dates, and reviewer.", + "frequency": "yearly", + "department": "hr", + "createdAt": "2026-04-23 21:38:49.260", + "updatedAt": "2026-04-23 21:38:49.499", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea916a881ab0d59e67c930", + "name": "AIMS Documented Information Index", + "description": "Maintain a control index of AIMS documented information (policies, procedures, records) with identification, classification, access, retention and disposal rules.\n\nUpload the AIMS Documented Information Index as evidence.\n\nAcceptance criteria: document name, owner, current version, storage location, access/distribution controls, retention period, review date, and change-history reference.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-23 21:38:50.299", + "updatedAt": "2026-04-23 21:38:50.544", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea916b05b146a8a544c406", + "name": "Responsible AI Development Objectives", + "description": "Define and approve objectives for the responsible development of AI systems (fairness, reliability, safety, security, privacy, transparency, explainability, accountability, environmental impact) and direct development activities to meet them.\n\nUpload the Responsible AI Development Objectives document as evidence.\n\nAcceptance criteria: objectives with measurable targets, rationale, owner, approver, approval date, and how each objective flows into design/engineering activities.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-23 21:38:51.337", + "updatedAt": "2026-04-23 21:38:51.582", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea916c7b0b9487da3dbe78", + "name": "AI System Requirements and Specification", + "description": "For each in-scope AI system, produce and approve a requirements-and-specification document covering intended purpose, performance, safety, security, privacy, fairness, transparency, human oversight and applicable regulatory requirements.\n\nUpload the AI System Requirements & Specification document(s) as evidence.\n\nAcceptance criteria: AI system name, intended purpose and users, functional/non-functional requirements, acceptance criteria, regulatory references, author, reviewer, approver, and date.", + "frequency": "yearly", + "department": "it", + "createdAt": "2026-04-23 21:38:52.408", + "updatedAt": "2026-04-23 21:38:52.638", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea916e273fdb8732d89fc6", + "name": "AI Design and Development Documentation", + "description": "For each in-scope AI system, document the design and development (data used, architecture, training procedure, key parameters, evaluation approach, known limitations) sufficient to enable assessment, reproduction and oversight.\n\nUpload the AI Design & Development documentation as evidence (design doc, model architecture, training config, evaluation results).\n\nAcceptance criteria: AI system name, design choices with rationale, data used, training/evaluation results, known limitations, author, reviewer, approval date.", + "frequency": "yearly", + "department": "it", + "createdAt": "2026-04-23 21:38:53.583", + "updatedAt": "2026-04-23 21:38:53.752", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea916f42193436fb7b55de", + "name": "AI Verification & Validation Report", + "description": "Perform and document verification & validation for each in-scope AI system: functional testing, performance, robustness, fairness, safety, security and privacy checks, against defined acceptance criteria, before deployment and after significant changes.\n\nUpload the AI V&V Report(s) as evidence.\n\nAcceptance criteria: AI system name, test scope, methods, datasets, metrics vs. targets (including fairness/robustness), defects found and dispositions, acceptance decision, tester, approver, date.", + "frequency": "quarterly", + "department": "it", + "createdAt": "2026-04-23 21:38:54.622", + "updatedAt": "2026-04-23 21:38:54.798", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea917069457debb719152e", + "name": "AI System Operation & Monitoring Plan", + "description": "Operate and monitor each in-scope AI system in production for performance, drift, reliability, safety, security and ethical outcomes. Define metrics, thresholds, alerting and response procedures.\n\nUpload the AI System Operation & Monitoring Plan and the latest monitoring report as evidence.\n\nAcceptance criteria: AI system name, metrics, thresholds and alert rules, responsible team, review cadence, latest results, drift/incident findings, and corrective actions taken.", + "frequency": "quarterly", + "department": "it", + "createdAt": "2026-04-23 21:38:55.736", + "updatedAt": "2026-04-23 21:38:55.948", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea917139f2541637597cc4", + "name": "AI System Technical Documentation (Model Card)", + "description": "For each in-scope AI system, maintain technical documentation (model card or equivalent) describing intended use, capabilities, limitations, training/evaluation data summary, performance characteristics and risk information, sufficient to support interested parties and regulators.\n\nUpload the AI System Technical Documentation / Model Card(s) as evidence.\n\nAcceptance criteria: AI system name, intended use/users, capabilities, limitations, training & evaluation data summary, performance by relevant subgroups, ethical considerations, owner, version, last-updated date.", + "frequency": "yearly", + "department": "it", + "createdAt": "2026-04-23 21:38:56.777", + "updatedAt": "2026-04-23 21:38:56.957", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea91725a27f56747512056", + "name": "AI System Event Logging Configuration", + "description": "Record event logs generated by AI systems (inputs, outputs, decisions, user interactions, system events) with sufficient integrity, retention and access control to support monitoring, incident response and accountability.\n\nUpload evidence of the AI event-logging configuration (config screenshots, log schema, retention policy) and a sample log extract.\n\nAcceptance criteria: AI system name, log categories captured, integrity/retention settings, access controls, sample log entries, reviewer, date.", + "frequency": "yearly", + "department": "it", + "createdAt": "2026-04-23 21:38:57.871", + "updatedAt": "2026-04-23 21:38:58.036", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea9173e73c9a96895468c8", + "name": "AI Data Acquisition Record", + "description": "For each dataset acquired for AI use, document the lawful basis, contractual rights, licensing, ethical sourcing, consent where required, and acquisition criteria.\n\nUpload the AI Data Acquisition Record(s) as evidence (with source agreements/licenses where applicable).\n\nAcceptance criteria: dataset name, source, lawful basis, license/contract reference, consent where required, acquisition date, reviewer, approver.", + "frequency": "yearly", + "department": "it", + "createdAt": "2026-04-23 21:38:58.928", + "updatedAt": "2026-04-23 21:38:59.100", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea9174fe7e40c0405cd057", + "name": "AI Data Quality Assessment", + "description": "Assess the quality of each dataset used by AI systems against defined requirements (accuracy, completeness, consistency, timeliness, relevance, bias). Record results and remediate issues.\n\nUpload the AI Data Quality Assessment report as evidence.\n\nAcceptance criteria: dataset name, metrics and thresholds, results, bias/representativeness findings, remediation actions, owner, assessment date.", + "frequency": "quarterly", + "department": "it", + "createdAt": "2026-04-23 21:38:59.911", + "updatedAt": "2026-04-23 21:39:00.105", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea9175640d0bbbddde05a7", + "name": "AI Data Provenance Record", + "description": "Record and maintain the provenance of each dataset used by AI systems (source, transformations, lineage, handling history) to support reproducibility, accountability and impact assessment.\n\nUpload the AI Data Provenance Record(s) as evidence.\n\nAcceptance criteria: dataset name, origin, transformations applied (with tools and operators), lineage to upstream sources, hashes/version identifiers, owner, last-updated date.", + "frequency": "yearly", + "department": "it", + "createdAt": "2026-04-23 21:39:00.917", + "updatedAt": "2026-04-23 21:39:01.079", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea91761c04c37d4f867908", + "name": "AI Data Preparation Record", + "description": "Document data preparation activities (cleaning, labeling, annotation, transformation, augmentation, splitting) including rationale, tooling, reviewers and acceptance criteria.\n\nUpload the AI Data Preparation Record(s) as evidence.\n\nAcceptance criteria: dataset name, preparation steps, tools/scripts used (with versions), labeling/annotation procedure and reviewers, acceptance criteria and results, approver, date.", + "frequency": "yearly", + "department": "it", + "createdAt": "2026-04-23 21:39:01.859", + "updatedAt": "2026-04-23 21:39:02.118", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea91773112b091b458de8d", + "name": "Intended Use Statement", + "description": "For each in-scope AI system, determine, document and communicate the intended use and the conditions of that use. Identify reasonably foreseeable misuse and put measures in place to prevent and respond to it.\n\nUpload the Intended Use Statement(s) as evidence.\n\nAcceptance criteria: AI system name, intended users, intended use and conditions, out-of-scope/prohibited uses, foreseeable misuse scenarios with mitigations, owner, approval date.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-23 21:39:03.004", + "updatedAt": "2026-04-23 21:39:03.203", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea9178aaa6c6a7058c0fcf", + "name": "Responsible AI Use Procedure", + "description": "Establish an organization-wide procedure for the responsible use of AI systems, including acceptable-use guidance, human-oversight requirements, escalation paths and periodic review.\n\nUpload the Responsible AI Use Procedure as evidence.\n\nAcceptance criteria: acceptable/prohibited uses, human-oversight responsibilities, escalation and reporting channels, review cadence, owner, approver, approval date.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-23 21:39:04.078", + "updatedAt": "2026-04-23 21:39:04.285", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea917abdbda1fa183386d2", + "name": "AI Third-Party Responsibility Matrix", + "description": "Identify and document the allocation of AI-related responsibilities across the organization, suppliers, partners and customers across the AI lifecycle.\n\nUpload the AI Third-Party Responsibility Matrix as evidence.\n\nAcceptance criteria: lifecycle stage, responsibility (RACI), internal owner, external counterpart, contractual reference, approval date, and review cadence.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-23 21:39:06.218", + "updatedAt": "2026-04-23 21:39:06.393", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea91794c21fc8f347cdddd", + "name": "Responsible AI Use Objectives", + "description": "Define and communicate objectives for the responsible use of AI systems (accountability, transparency, human oversight, harm prevention) and measure progress against them.\n\nUpload the Responsible AI Use Objectives record and latest measurement results as evidence.\n\nAcceptance criteria: objectives with measurable targets, measurement method, current results, gaps, actions, owner, approval date.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-23 21:39:05.184", + "updatedAt": "2026-04-23 21:39:05.346", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea917b78c7fc9f3c659a90", + "name": "AI Supplier Register", + "description": "Maintain a register of AI-related suppliers (model, data, tooling, services), with due diligence, contractual obligations, monitoring and offboarding expectations.\n\nUpload the AI Supplier Register as evidence.\n\nAcceptance criteria: supplier name, service provided, risk rating, due-diligence evidence, contract reference (with AI-specific clauses), monitoring cadence, status, owner.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-23 21:39:07.329", + "updatedAt": "2026-04-23 21:39:07.508", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69ea917c23d26cfe23eb8fca", + "name": "AI Management Review Minutes", + "description": "Top management reviews the AIMS at planned intervals covering required inputs (status of actions, changes, performance, risks, opportunities, improvement) and producing decisions on improvement.\n\nUpload the AI Management Review Minutes as evidence.\n\nAcceptance criteria: date, attendees, inputs covered (Clause 9.3.2 items), decisions and actions (with owners and due dates), next-review date, approver.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-23 21:39:08.439", + "updatedAt": "2026-04-23 21:39:08.621", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69eb875d089573be3295269e", + "name": "Sanction Policy", + "description": "Apply and document appropriate sanctions against workforce members who fail to comply with security policies and procedures. Maintain evidence of sanctions applied.", + "frequency": "yearly", + "department": "hr", + "createdAt": "2026-04-24 15:08:13.443", + "updatedAt": "2026-04-24 15:08:13.443", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69eb875e9567b702dbb7f05e", + "name": "Security Officer Assignment", + "description": "Designate a HIPAA Security Official responsible for developing and implementing required security policies and procedures. Maintain written designation and scope of responsibilities.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-24 15:08:13.804", + "updatedAt": "2026-04-24 15:16:54.860", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69efd9de89f2f4d93e527127", + "name": "Annual CCPA Compliance Audit", + "description": "Conduct a documented annual audit of CCPA/CPRA compliance covering disclosures, request handling, training, vendor contracts, and security controls. Track regulatory changes and update measures.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-27 21:49:18.377", + "updatedAt": "2026-04-27 21:49:18.377", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69eb87606cb315ebeb98ea49", + "name": "Policy Documentation & Retention", + "description": "Retain HIPAA policies, procedures, and related documentation for at least 6 years from date of creation or last effective date. Make documentation available to those responsible for implementing procedures.\n\nThis is satisfied by maintaining polices in the Policies tab, ensure these are up to date, and reviewed and adjusted as needed or yearly", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-24 15:08:15.914", + "updatedAt": "2026-04-30 19:20:56.477", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69eb875ffe511e3ce5298e21", + "name": "Media Sanitization & Disposal Log", + "description": "Maintain a log documenting the disposal, re-use, and movement of hardware and electronic media containing ePHI, including sanitization method and accountability.", + "frequency": "quarterly", + "department": "it", + "createdAt": "2026-04-24 15:08:15.067", + "updatedAt": "2026-04-27 14:53:07.153", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69eb875e71616f3b8a9fadde", + "name": "Business Associate Agreement Registry", + "description": "Maintain a registry of all Business Associates handling ePHI with signed Business Associate Agreements (BAAs). Review agreements at least annually and upon contract changes.\n\nMaintain Business Associate Agreements in the Vendor section by creating a new task for each applicable vendor, and uploading the signed BAA for that vendor in the comments of that task", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-24 15:08:14.253", + "updatedAt": "2026-04-27 15:06:56.645", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69efd9e081684a02f1207ee0", + "name": "Annual Privacy Policy Review and Update", + "description": "Review the public-facing privacy policy at least annually (or upon material change in processing). Ensure all CCPA/CPRA-required disclosures are accurate and the policy is prominently linked from every page collecting personal information.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-27 21:49:20.246", + "updatedAt": "2026-04-27 21:49:20.246", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69efd9e2f40bdd1dd45c057e", + "name": "Annual CCPA Privacy Training", + "description": "Deliver annual CCPA/CPRA privacy training to all employees handling personal information or consumer rights requests. Track completion and retain records.", + "frequency": "yearly", + "department": "hr", + "createdAt": "2026-04-27 21:49:22.106", + "updatedAt": "2026-04-27 21:49:22.106", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69efd9e45e6f00c44f622173", + "name": "Quarterly DSAR Volume and Response Time Review", + "description": "Review the volume, types, and response times of consumer rights requests (Know, Delete, Correct, Opt-Out, Limit) each quarter. Identify trends, SLA breaches, or operational improvements.", + "frequency": "quarterly", + "department": "gov", + "createdAt": "2026-04-27 21:49:24.270", + "updatedAt": "2026-04-27 21:49:24.270", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69efd9e7f46963f71debd961", + "name": "Annual Data Inventory and Data Flow Refresh", + "description": "Re-validate the personal information inventory and data flow maps at least annually, capturing new systems, vendors, data categories, and processing purposes.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-27 21:49:27.424", + "updatedAt": "2026-04-27 21:49:27.424", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69efd9ed795877621cdbd56d", + "name": "Annual Service Provider and Contractor Contract Review", + "description": "Review all service provider, contractor, and third-party agreements that involve personal information at least annually. Confirm CCPA/CPRA-required terms (limited purpose, no sale/share, cooperation with consumer rights, confidentiality).", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-27 21:49:32.926", + "updatedAt": "2026-04-27 21:49:32.926", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69efd9ef3ff6e8fed0fc0028", + "name": "Verify Global Privacy Control (GPC) Signal Honoring", + "description": "Test that the website honors the Global Privacy Control browser signal as a valid opt-out of sale/sharing for all sites and applications subject to the CCPA/CPRA.", + "frequency": "quarterly", + "department": "it", + "createdAt": "2026-04-27 21:49:34.636", + "updatedAt": "2026-04-27 21:49:34.636", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69efd9f0124f63db79cb50b0", + "name": "Annual Incident Response Tabletop Exercise", + "description": "Run an annual tabletop exercise covering a personal information breach scenario. Validate detection, escalation, consumer notification, and Attorney General notification timelines under California Civil Code § 1798.82.", + "frequency": "yearly", + "department": "it", + "createdAt": "2026-04-27 21:49:36.353", + "updatedAt": "2026-04-27 21:49:36.353", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69eb875d77ef6407785a500f", + "name": "Risk Analysis & Treatment Plan", + "description": "Conduct and document an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Document risk treatment decisions and implementation.\n\nThis is handled in the Risk tab in the app. Ensure we have logged and assessed HIPAA related risks, and we can mark this as complete", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-24 15:08:12.975", + "updatedAt": "2026-04-30 16:45:36.071", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69eb876033531483191663a1", + "name": "Workforce Authorization & Supervision", + "description": "Authorize workforce access to ePHI and supervise workforce members whose roles require access. Maintain records of authorization decisions and supervision activities.\n\nThis can be satisfied by use of the RBAX Document in the Documents tab", + "frequency": "quarterly", + "department": "hr", + "createdAt": "2026-04-24 15:08:16.319", + "updatedAt": "2026-04-30 17:12:49.144", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69eb8761ff2b2d874ae2a4da", + "name": "Login Monitoring & Password Management", + "description": "Monitor login attempts and discrepancies, and enforce password management procedures including creation, change, and safeguarding of credentials.\n\nInstall the Comp AI device agent on portal.trycomp.ai, or provide manual evidence of device settings. https://www.trycomp.ai/docs/device-agent#manual-evidence-collection\n\n", + "frequency": "monthly", + "department": "it", + "createdAt": "2026-04-24 15:08:16.690", + "updatedAt": "2026-04-30 19:13:58.750", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69efd9f2322df1e829df8087", + "name": "Annual Identity Verification Procedure Review", + "description": "Review the consumer identity verification procedure annually. Ensure verification rigor matches the sensitivity of the data and the type of request, and that fraud controls remain effective.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-27 21:49:37.837", + "updatedAt": "2026-04-30 23:56:39.959", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69efdbcee1d3e72ee6873ed1", + "name": "Document Consumer Rights Request Fulfillment", + "description": "For each consumer rights request received (Right to Know, Right to Delete, authorized-agent submission, etc.), capture and retain a record of: requester identity and verification method/result, request type and scope, authorized-agent verification (if applicable), business response, fulfillment or denial reason, and dates of receipt and response. Records must be retained for at least 24 months and serve as the primary evidence for CCPA/CPRA consumer rights handling.", + "frequency": "monthly", + "department": "gov", + "createdAt": "2026-04-27 21:57:34.432", + "updatedAt": "2026-04-27 21:57:34.432", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69f0d514d103c34ca40ad332", + "name": "Static Code Scanning ", + "description": "Enable a static code analysis tool such as CodeQL (or its equivalent) to automatically detect security vulnerabilities and insecure coding patterns.", + "frequency": "quarterly", + "department": "none", + "createdAt": "2026-04-28 15:41:07.897", + "updatedAt": "2026-04-28 15:41:07.897", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69f10edce3013d5b6e0ab7c9", + "name": "Updated tasl", + "description": "test", + "frequency": "monthly", + "department": "none", + "createdAt": "2026-04-28 19:47:40.321", + "updatedAt": "2026-04-28 19:47:40.321", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69f10edc75a040a97dd41d0a", + "name": "Updated tasl", + "description": "test", + "frequency": "monthly", + "department": "none", + "createdAt": "2026-04-28 19:47:40.398", + "updatedAt": "2026-04-28 19:47:40.398", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69eb8760d56cb8d18c53df13", + "name": "Contingency Plan Testing & Revision", + "description": "Periodically test contingency plans (data backup, disaster recovery, emergency mode operations) and document results. Revise plans based on test findings and operational changes.\n\nWhat to upload: test report (date, scenarios tested e.g. ransomware/region outage, participants, RTO/RPO results, gaps found, plan revisions). HIPAA cites §164.308(a)(7).", + "frequency": "yearly", + "department": "it", + "createdAt": "2026-04-24 15:08:15.544", + "updatedAt": "2026-04-30 17:13:41.699", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69eb875fa49f13b4b81e9f3b", + "name": "Facility Security Plan", + "description": "Document and maintain a facility security plan that safeguards facilities and the equipment therein from unauthorized physical access, tampering, and theft.\n\nList required sections (access control, contingency ops, maintenance records, device/media controls), upload the signed plan + photos of safeguards (locks, cameras, server room)\n\nIf team is fully remote, or no physical PHI stored on site, you can mark this as not relevant. ", + "frequency": "yearly", + "department": "admin", + "createdAt": "2026-04-24 15:08:14.631", + "updatedAt": "2026-04-30 17:14:57.750", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69f3ac66d4f449b6c8c503c4", + "name": "test", + "description": "test", + "frequency": "monthly", + "department": "none", + "createdAt": "2026-04-30 19:24:21.757", + "updatedAt": "2026-04-30 19:24:21.757", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69f3ea6497e3c0fbd6726ea5", + "name": "Quarterly PIPEDA Privacy Notice Display Review", + "description": "Verify each quarter that the PIPEDA privacy notice (or a meaningful link to it) is displayed at every collection point — web forms, account creation flows, mobile apps, in-person collection materials, and contracts — and that the Privacy Officer's contact details and complaint channel remain visible and accurate. Record any gaps and remediation timelines.", + "frequency": "quarterly", + "department": "gov", + "createdAt": "2026-04-30 23:48:52.431", + "updatedAt": "2026-04-30 23:48:52.431", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69f3ea65dd312f6d70654ac4", + "name": "Review International Personal Information Transfers (PIPEDA Accountability)", + "description": "Review every transfer of personal information outside Canada at least annually. For each transfer, document the destination country, the recipient, the purpose, the categories of personal information involved, and the safeguards applied (contractual commitments, encryption, access controls). Confirm the organization's PIPEDA accountability is preserved regardless of where processing occurs, and update the privacy notice and Personal Information Register where the transfer landscape changes.", + "frequency": "yearly", + "department": "admin", + "createdAt": "2026-04-30 23:48:53.271", + "updatedAt": "2026-04-30 23:48:53.271", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69f3ea63df40dfc906558bb5", + "name": "Appoint or Review Privacy Officer (PIPEDA)", + "description": "Formally designate one or more individuals accountable for the organization's compliance with PIPEDA. Document the Privacy Officer's name, contact details, role description, and authority. Confirm the designation is published so it can be made known on request. Review at least annually or whenever the role changes, and retain the appointment letter or governance record as evidence.", + "frequency": "yearly", + "department": "admin", + "createdAt": "2026-04-30 23:48:50.894", + "updatedAt": "2026-04-30 23:56:40.469", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69f3ea66b653b0af244cf869", + "name": "PIPEDA Access Request Log Review", + "description": "Review the PIPEDA access request log each quarter. \n\nFor each request, verify: identity verification used a method proportionate to the sensitivity of the data, the response was delivered within 30 days (or an extension of up to 30 additional days was communicated in writing), an account of use and disclosure was provided, third-party recipients were identified as specifically as possible, and any refusal cited the specific PIPEDA Section 9 exception in writing along with the right to complain to the OPC. \n\nIdentify SLA breaches or systemic issues and remediate.", + "frequency": "quarterly", + "department": "gov", + "createdAt": "2026-04-30 23:48:54.272", + "updatedAt": "2026-04-30 23:56:41.029", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69f3ea65d5b1a04e9c7e0a91", + "name": "PIPEDA Consent Records Audit", + "description": "Sample consent records each quarter to validate timestamp, method (express vs. implied), the version of the privacy notice presented, and the scope of consent. \n\nFor sensitive personal information (health, financial, biometric, genetic, racial/ethnic origin, political opinions, religious beliefs, sex life or sexual orientation), confirm express opt-in consent is on file. Review the consent withdrawal log to confirm withdrawals are propagated across all systems within five business days, and that consequences were communicated to the individual. \n\nRecord sampling results and any remediation.", + "frequency": "quarterly", + "department": "gov", + "createdAt": "2026-04-30 23:48:52.859", + "updatedAt": "2026-04-30 23:56:41.189", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69f3ea640e0ea50dd2ed8efd", + "name": "Annual PIPEDA Privacy Notice Review", + "description": "Review the public-facing PIPEDA privacy notice at least annually, or within 30 days of any material change to collection, use, disclosure, or retention practices. Confirm the notice describes: the Privacy Officer's identity and contact details, categories of personal information collected, purposes, recipients, cross-border transfers, retention periods, individual rights under PIPEDA, and procedures for access requests and complaints. Retain dated versions and evidence of publication.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-30 23:48:51.920", + "updatedAt": "2026-04-30 23:56:40.125", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69f3ea660239b769839c49d4", + "name": "Periodic Personal Information Accuracy Audit", + "description": "Conduct a documented accuracy review at least annually for high-impact personal information categories (e.g. customer profiles used for billing, employee records used for compensation). \n\nValidate that records are accurate, complete, and current to the level required for their use. Where automated synchronization exists, document the cadence. \n\nFor any inaccuracies found, amend the record, communicate the amendment to third parties that received the original information within 30 days, and capture metrics on median time from challenge to amendment.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-30 23:48:53.785", + "updatedAt": "2026-04-30 23:56:40.871", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69f3ea67f1bbe13880b55fa4", + "name": "Annual Information Amendment & Refusal Procedure Review", + "description": "Review the procedure for amending personal information following a substantiated challenge, and for documenting refusals. Confirm: amendments are applied without undue delay, downstream third parties that received the original information are notified within 30 days of amendment, refusals to amend are recorded as a note on the record, and refused amendments are accompanied by clear notice of the individual's recourse — including the right to file a complaint with the OPC. Sample recent amendment and refusal cases to validate compliance.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-30 23:48:54.766", + "updatedAt": "2026-04-30 23:48:54.766", + "automationStatus": "AUTOMATED" + }, + { + "id": "frk_tt_69f3ea63c50892f7c9354dbb", + "name": "Annual Service Provider & Processor Contract Review (PIPEDA)", + "description": "Review every service provider, processor, and contractor agreement that involves personal information at least annually. \n\nConfirm contracts include: limitation of processing to documented purposes, return or secure destruction of personal information on termination, breach notification obligations, sub-processor disclosure, support for the organization's 30-day access-request fulfilment, and a comparable level of privacy protection per Principle 1 (Accountability). \n\nRecord any non-conforming agreements and remediation. \n\nThis can be satisfied in the Vendor section, by creating new tasks for each vendor.", + "frequency": "yearly", + "department": "gov", + "createdAt": "2026-04-30 23:48:51.414", + "updatedAt": "2026-04-30 23:56:40.316", + "automationStatus": "MANUAL" + }, + { + "id": "frk_tt_69f3ea67845abbb56763649f", + "name": "PIPEDA Privacy Complaint Register & Investigation Review", + "description": "Review the PIPEDA privacy complaint register and open investigations each quarter. Confirm every complaint was acknowledged within five business days, was assigned to a competent and impartial reviewer, and is being investigated without undue delay. For each completed investigation, document findings, root causes, corrective action taken, and the outcome communicated to the complainant in writing. Where the complaint was not upheld, confirm the complainant was informed of the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) and provided the OPC's contact details. Where the complaint was upheld, confirm corrective action — policy amendment, record correction, retraining, or termination of non-compliant processing — was completed and tracked to closure. Track median time to acknowledge, investigate, and resolve. Identify systemic issues across multiple complaints and feed findings into the annual review of privacy policies and controls.", + "frequency": "quarterly", + "department": "gov", + "createdAt": "2026-04-30 23:48:55.224", + "updatedAt": "2026-05-01 00:11:09.620", + "automationStatus": "AUTOMATED" } ] \ No newline at end of file diff --git a/packages/db/prisma/seed/relations/_FrameworkEditorControlTemplateToFrameworkEditorPolicyTemplate.json b/packages/db/prisma/seed/relations/_FrameworkEditorControlTemplateToFrameworkEditorPolicyTemplate.json index d34a7f83c9..2d138ae81a 100644 --- a/packages/db/prisma/seed/relations/_FrameworkEditorControlTemplateToFrameworkEditorPolicyTemplate.json +++ b/packages/db/prisma/seed/relations/_FrameworkEditorControlTemplateToFrameworkEditorPolicyTemplate.json @@ -320,25 +320,53 @@ "B": "frk_pt_685e42a3bbd08ad14de297f0" }, { - "A": "frk_ct_68b59a16b172e5c360e57536", - "B": "frk_pt_685e462046667f75a50a2c3e" + "A": "frk_ct_69efd5a163fc3dcd87372ccc", + "B": "frk_pt_69efd9cd0541d8cdb4cae9d1" + }, + { + "A": "frk_ct_69efd5ce50b1ede13c3848f2", + "B": "frk_pt_69efd9ae049ec9c862a64982" }, { "A": "frk_ct_68c1eb1c5f317f452216e2d7", "B": "frk_pt_685e462046667f75a50a2c3e" }, + { + "A": "frk_ct_69f3d98163541c15c34554c0", + "B": "frk_pt_69f3de9fefdbd94ed82d7fb0" + }, { "A": "frk_ct_68c1eb1c5f317f452216e2d7", "B": "frk_pt_685e3f7b4ebcb27b60c51434" }, + { + "A": "frk_ct_69f3d981cefe4efa0efe0847", + "B": "frk_pt_69f3de9f7e48fbcc7752a946" + }, + { + "A": "frk_ct_69f3d97c03fd8213c05dbbde", + "B": "frk_pt_69f3dea01f1406bc00bc3d92" + }, { "A": "frk_ct_68c1eb1c5f317f452216e2d7", "B": "frk_pt_685e40d46e7b1123022bf3e8" }, + { + "A": "frk_ct_69efd5ce50b1ede13c3848f2", + "B": "frk_pt_69efd9b6276adc8d2eb7844c" + }, { "A": "frk_ct_68c1eb1c5f317f452216e2d7", "B": "frk_pt_685e43555493efd5f79c15be" }, + { + "A": "frk_ct_69f3d97b66301a97f6b8e4a3", + "B": "frk_pt_69f3de9f7e48fbcc7752a946" + }, + { + "A": "frk_ct_69f3d98a95c7623e660bf33d", + "B": "frk_pt_69f3de9f7e48fbcc7752a946" + }, { "A": "frk_ct_68c1eb1c5f317f452216e2d7", "B": "frk_pt_685e4319a5bb1d2d411975e6" @@ -351,14 +379,26 @@ "A": "frk_ct_68c1eb1c5f317f452216e2d7", "B": "frk_pt_685e4177d5da489e7c5e1b1b" }, + { + "A": "frk_ct_69f3d97d7c0f6c1d629e8fbf", + "B": "frk_pt_69f3dea01f1406bc00bc3d92" + }, { "A": "frk_ct_68c1eb1c5f317f452216e2d7", "B": "frk_pt_685e42188e2df1c285cca159" }, + { + "A": "frk_ct_69f3d9846258471679ba5a28", + "B": "frk_pt_69f3dea1ba102e2350be4f9b" + }, { "A": "frk_ct_68c1eb1c5f317f452216e2d7", "B": "frk_pt_685e42445c99797321ef051a" }, + { + "A": "frk_ct_69f3d98d61c5a3ef65a23e20", + "B": "frk_pt_69f3dea2fcbd4cc5934aacfa" + }, { "A": "frk_ct_68c1eb1c5f317f452216e2d7", "B": "frk_pt_685e43e23b78127274355980" @@ -428,16 +468,40 @@ "B": "frk_pt_691e4bd04aac53e783cb7c14" }, { - "A": "frk_ct_68b59a16b172e5c360e57536", + "A": "frk_ct_69f3d98f897fe2984e8163e5", + "B": "frk_pt_69f3dea3d44e30408069e513" + }, + { + "A": "frk_ct_69f3d98fd53148ecfa29efa0", + "B": "frk_pt_69f3dea3d44e30408069e513" + }, + { + "A": "frk_ct_69f3d976c53fd192b48e6236", + "B": "frk_pt_685e3f7b4ebcb27b60c51434" + }, + { + "A": "frk_ct_69f3d977f853eaee5ff05fe7", + "B": "frk_pt_685e3f7b4ebcb27b60c51434" + }, + { + "A": "frk_ct_69f3d977f853eaee5ff05fe7", + "B": "frk_pt_685e405054f7c35d89ccccf2" + }, + { + "A": "frk_ct_69f3d9781dacd8da2864fd17", + "B": "frk_pt_69efd9cb30f8a9ef5e517812" + }, + { + "A": "frk_ct_69f3d9808d78f354f8f804b4", "B": "frk_pt_685e40d46e7b1123022bf3e8" }, { - "A": "frk_ct_68b59a16b172e5c360e57536", - "B": "frk_pt_685e4010bde64520b9abaf1d" + "A": "frk_ct_69f3d98163541c15c34554c0", + "B": "frk_pt_685e46557bc14fbddea6468a" }, { - "A": "frk_ct_68b59a16b172e5c360e57536", - "B": "frk_pt_685e410082a807a0274b4531" + "A": "frk_ct_69f3d983dce2e00263034481", + "B": "frk_pt_685e414029124c24387beff0" }, { "A": "frk_ct_68c1eb1c5f317f452216e2d7", @@ -450,5 +514,261 @@ { "A": "frk_ct_68c1eb1c5f317f452216e2d7", "B": "frk_pt_6944570c25631cd097be8119" + }, + { + "A": "frk_ct_69becde6133891181f5fbfe1", + "B": "frk_pt_685e453cad89de25e5aebf4a" + }, + { + "A": "frk_ct_69e639b8c95150ea34dc07bf", + "B": "frk_pt_685e453cad89de25e5aebf4a" + }, + { + "A": "frk_ct_69e639b8c95150ea34dc07bf", + "B": "frk_pt_685e4508d8c0d14ae873e644" + }, + { + "A": "frk_ct_69e639b9d5ced482c12ae932", + "B": "frk_pt_685e44939f827e6a9f736fd4" + }, + { + "A": "frk_ct_69e639b9d5ced482c12ae932", + "B": "frk_pt_68e3f39e77b0a823add09bf5" + }, + { + "A": "frk_ct_69e639b9bf66b5a6ffb17d27", + "B": "frk_pt_68bb155d6b8eaafd14904188" + }, + { + "A": "frk_ct_69e639b9bf66b5a6ffb17d27", + "B": "frk_pt_685e462046667f75a50a2c3e" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_pt_685e3fc75bd72cd0745dc5d1" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_pt_685e4010bde64520b9abaf1d" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_pt_685e458a49e1eff0af54e3d2" + }, + { + "A": "frk_ct_69e65ef9c20933590d85cc31", + "B": "frk_pt_685e4508d8c0d14ae873e644" + }, + { + "A": "frk_ct_69e669af7fd9ef27754dc041", + "B": "frk_pt_685e4177d5da489e7c5e1b1b" + }, + { + "A": "frk_ct_69e918e6d72a45b4f933a112", + "B": "frk_pt_685e40d46e7b1123022bf3e8" + }, + { + "A": "frk_ct_69f3d987482f9da8d882e592", + "B": "frk_pt_685e4508d8c0d14ae873e644" + }, + { + "A": "frk_ct_69f3d988421e37ecdc514fc0", + "B": "frk_pt_685e4177d5da489e7c5e1b1b" + }, + { + "A": "frk_ct_69e918e805776785f8f80a14", + "B": "frk_pt_685e40d46e7b1123022bf3e8" + }, + { + "A": "frk_ct_69e918e8cc289b978f31a12a", + "B": "frk_pt_685e40d46e7b1123022bf3e8" + }, + { + "A": "frk_ct_69f3d98847a47dc8f9eacae4", + "B": "frk_pt_685e453cad89de25e5aebf4a" + }, + { + "A": "frk_ct_69f3d98847a47dc8f9eacae4", + "B": "frk_pt_685e45c938ad29ad775a2344" + }, + { + "A": "frk_ct_69f3d98847a47dc8f9eacae4", + "B": "frk_pt_685e45f736049f188c3439b4" + }, + { + "A": "frk_ct_69f3d98847a47dc8f9eacae4", + "B": "frk_pt_685e426ccbb0de15a90cf446" + }, + { + "A": "frk_ct_69f3d9891d140c7d3b7d542c", + "B": "frk_pt_685e43e23b78127274355980" + }, + { + "A": "frk_ct_69f3d98b12951c79a1a1cf36", + "B": "frk_pt_685e410082a807a0274b4531" + }, + { + "A": "frk_ct_69e918e7f403f696c2577de1", + "B": "frk_pt_685e410082a807a0274b4531" + }, + { + "A": "frk_ct_69e918e7f7739946f5034799", + "B": "frk_pt_685e410082a807a0274b4531" + }, + { + "A": "frk_ct_69e918eb724c553d2e5749ea", + "B": "frk_pt_685e410082a807a0274b4531" + }, + { + "A": "frk_ct_69e918eb8f6e80605d3fa3e5", + "B": "frk_pt_685e410082a807a0274b4531" + }, + { + "A": "frk_ct_69e918ea7bd6df3b3cdd2ddc", + "B": "frk_pt_685e4010bde64520b9abaf1d" + }, + { + "A": "frk_ct_69f3d97a7b80d8564339ffc5", + "B": "frk_pt_69f3de9fefdbd94ed82d7fb0" + }, + { + "A": "frk_ct_69f3d97fab711de81e99e786", + "B": "frk_pt_69f3dea01f1406bc00bc3d92" + }, + { + "A": "frk_ct_69f3d98c52d9000ac36cc791", + "B": "frk_pt_69f3dea2fcbd4cc5934aacfa" + }, + { + "A": "frk_ct_69f3d98e0758e358b1f71b49", + "B": "frk_pt_69f3dea2fcbd4cc5934aacfa" + }, + { + "A": "frk_ct_69f3d9793720eec4d4945150", + "B": "frk_pt_685e462046667f75a50a2c3e" + }, + { + "A": "frk_ct_69f3d9793720eec4d4945150", + "B": "frk_pt_68bb155d6b8eaafd14904188" + }, + { + "A": "frk_ct_69f3d982f21bf2e86c1ef98d", + "B": "frk_pt_685e414029124c24387beff0" + }, + { + "A": "frk_ct_69f3d9864551468e007fc4d8", + "B": "frk_pt_69efd9c4a9d86fd3bdc08de1" + }, + { + "A": "frk_ct_69e918e9be6da6eba7d0ea4e", + "B": "frk_pt_685e462046667f75a50a2c3e" + }, + { + "A": "frk_ct_69f3d988421e37ecdc514fc0", + "B": "frk_pt_685e42188e2df1c285cca159" + }, + { + "A": "frk_ct_69e918eaa930d07ea41dd0d0", + "B": "frk_pt_685e462046667f75a50a2c3e" + }, + { + "A": "frk_ct_69f3d988421e37ecdc514fc0", + "B": "frk_pt_685e42445c99797321ef051a" + }, + { + "A": "frk_ct_69f3d988421e37ecdc514fc0", + "B": "frk_pt_685e43997555c7ab39983c21" + }, + { + "A": "frk_ct_69e918e8c57e2f6756c995ca", + "B": "frk_pt_685e458a49e1eff0af54e3d2" + }, + { + "A": "frk_ct_69e918e94e68c0fb15ee98d0", + "B": "frk_pt_685e43e23b78127274355980" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_pt_691e4bd04aac53e783cb7c14" + }, + { + "A": "frk_ct_69efd5a32e52c113f97254db", + "B": "frk_pt_69efd9ae049ec9c862a64982" + }, + { + "A": "frk_ct_69efd5e12d61c6019d213f60", + "B": "frk_pt_69efd9ae049ec9c862a64982" + }, + { + "A": "frk_ct_69efd5ee3eb484fc081cd20a", + "B": "frk_pt_69efd9ae049ec9c862a64982" + }, + { + "A": "frk_ct_69efd5e71ad52c5ab2ec069e", + "B": "frk_pt_69efd9ae049ec9c862a64982" + }, + { + "A": "frk_ct_69efd5a6e66d4c6c92fdd3df", + "B": "frk_pt_69efd9b6276adc8d2eb7844c" + }, + { + "A": "frk_ct_69efd5a87004249e7b6e62af", + "B": "frk_pt_69efd9b6276adc8d2eb7844c" + }, + { + "A": "frk_ct_69efd5aac8f24094878ff701", + "B": "frk_pt_69efd9b6276adc8d2eb7844c" + }, + { + "A": "frk_ct_69efd5ad9dcc82739178f525", + "B": "frk_pt_69efd9b6276adc8d2eb7844c" + }, + { + "A": "frk_ct_69efd5b1e6f19c87845f5939", + "B": "frk_pt_69efd9b6276adc8d2eb7844c" + }, + { + "A": "frk_ct_69efd5b3cdfebf7ee46a5cf7", + "B": "frk_pt_69efd9b6276adc8d2eb7844c" + }, + { + "A": "frk_ct_69efd5e395082fabf04e53b7", + "B": "frk_pt_69efd9b6276adc8d2eb7844c" + }, + { + "A": "frk_ct_69efd5c63e9c6fc1f8bec055", + "B": "frk_pt_69efd9b6276adc8d2eb7844c" + }, + { + "A": "frk_ct_69efd5a87004249e7b6e62af", + "B": "frk_pt_69efd9bf92ab808ec559b766" + }, + { + "A": "frk_ct_69efd5cd34220c6db57b2710", + "B": "frk_pt_69efd9bf92ab808ec559b766" + }, + { + "A": "frk_ct_69efd5c9acbf83b0a500050e", + "B": "frk_pt_69efd9c4a9d86fd3bdc08de1" + }, + { + "A": "frk_ct_69efd5e906d5418ee6b5dc6a", + "B": "frk_pt_69efd9c800ed19d26d6175f4" + }, + { + "A": "frk_ct_69efd5c9acbf83b0a500050e", + "B": "frk_pt_69efd9c800ed19d26d6175f4" + }, + { + "A": "frk_ct_69efd5cb8d9092bd71665722", + "B": "frk_pt_69efd9ca0c5691e9ec1b1241" + }, + { + "A": "frk_ct_69efd5c84ccf6f3f5bbe29bd", + "B": "frk_pt_69efd9cb30f8a9ef5e517812" + }, + { + "A": "frk_ct_69efd5d1c0499ab2c136b759", + "B": "frk_pt_69efd9cfa8d70d31297f025e" } ] \ No newline at end of file diff --git a/packages/db/prisma/seed/relations/_FrameworkEditorControlTemplateToFrameworkEditorRequirement.json b/packages/db/prisma/seed/relations/_FrameworkEditorControlTemplateToFrameworkEditorRequirement.json index 0d7477b581..fd2a33e653 100644 --- a/packages/db/prisma/seed/relations/_FrameworkEditorControlTemplateToFrameworkEditorRequirement.json +++ b/packages/db/prisma/seed/relations/_FrameworkEditorControlTemplateToFrameworkEditorRequirement.json @@ -823,14 +823,6 @@ "A": "frk_ct_68407429371f33886d8ab80d", "B": "frk_rq_683f76a572050393764a447d" }, - { - "A": "frk_ct_68b59a16b172e5c360e57536", - "B": "frk_rq_68b59a381860dff55c1ab1aa" - }, - { - "A": "frk_ct_68b59e50eeb9f92ce425327c", - "B": "frk_rq_68b59f4c9739efdb63dd807e" - }, { "A": "frk_ct_683f4a410cf5bf6d40bf3583", "B": "frk_rq_681fb2e7e7f7686a992f2119" @@ -1059,6 +1051,42 @@ "A": "frk_ct_683f47cc2faa426603d6bee8", "B": "frk_rq_68cc0ff05be924f5d0d58a6f" }, + { + "A": "frk_ct_69e914db8cd2039367ccbf0f", + "B": "frk_rq_69e91593a0551c32d5c99972" + }, + { + "A": "frk_ct_69efd5a163fc3dcd87372ccc", + "B": "frk_rq_69efd572c76b7b41d94b0968" + }, + { + "A": "frk_ct_69e65ef9c20933590d85cc31", + "B": "frk_rq_681ed663b850258024b0b236" + }, + { + "A": "frk_ct_69e65ef9c20933590d85cc31", + "B": "frk_rq_681ed686b626f985dac54c52" + }, + { + "A": "frk_ct_69e65ef9c20933590d85cc31", + "B": "frk_rq_681ed47bac3dee3588290b04" + }, + { + "A": "frk_ct_69e65ef9c20933590d85cc31", + "B": "frk_rq_681ed6347b1e6eea717482ca" + }, + { + "A": "frk_ct_69e65ef9c20933590d85cc31", + "B": "frk_rq_681ed6497c1e390fe89f0dfa" + }, + { + "A": "frk_ct_69e65ef9c20933590d85cc31", + "B": "frk_rq_681ed651d81e6c51934134bc" + }, + { + "A": "frk_ct_69e65ef9c20933590d85cc31", + "B": "frk_rq_681ed65bb490440ea4f3b552" + }, { "A": "frk_ct_684072e06f4a49ee669076cc", "B": "frk_rq_68cc0ff05be924f5d0d58a6f" @@ -1447,6 +1475,34 @@ "A": "frk_ct_691e53f4024ab9cc096bbc70", "B": "frk_rq_691e29c635f28a1b3ca06e04" }, + { + "A": "frk_ct_69e65ef9c20933590d85cc31", + "B": "frk_rq_681ed66d77af963d9763adeb" + }, + { + "A": "frk_ct_69e65ef9c20933590d85cc31", + "B": "frk_rq_681ed6761e8f45c900e60be3" + }, + { + "A": "frk_ct_69e65ef9c20933590d85cc31", + "B": "frk_rq_681ed46ff23ef8614d7f3042" + }, + { + "A": "frk_ct_69e65ef9c20933590d85cc31", + "B": "frk_rq_681ed48f152068a490f317ac" + }, + { + "A": "frk_ct_69e65ef9c20933590d85cc31", + "B": "frk_rq_681ed62a1ad145f4554d4068" + }, + { + "A": "frk_ct_69efd5a32e52c113f97254db", + "B": "frk_rq_69efd574f36aa744a461b0f9" + }, + { + "A": "frk_ct_69e65ef9c20933590d85cc31", + "B": "frk_rq_681ed61f357c7bf776300aa7" + }, { "A": "frk_ct_691e53f4024ab9cc096bbc70", "B": "frk_rq_691e2aab4fefd371003a6a80" @@ -1459,6 +1515,10 @@ "A": "frk_ct_691e53f4024ab9cc096bbc70", "B": "frk_rq_691e29b816512da0f3f146fc" }, + { + "A": "frk_ct_69efd5a6e66d4c6c92fdd3df", + "B": "frk_rq_69efd575c5f8bf35c14f5d69" + }, { "A": "frk_ct_691e53f4024ab9cc096bbc70", "B": "frk_rq_691e2b8edc97c7179946aa7c" @@ -1490,5 +1550,4265 @@ { "A": "frk_ct_691e53f4024ab9cc096bbc70", "B": "frk_rq_691e29d304e34e75472399c0" + }, + { + "A": "frk_ct_683f4457b14856e700c8c25b", + "B": "frk_rq_6840a68d409f43b4d0efd3c1" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69d7f04a624c5b6746879e47" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69d7e73978f57e698ba562fb" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69d7f6ad063694ae9c92b3d8" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69d7e74ab37477b3cb910456" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69d7f069bba09cd6fde415b4" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69d7e725c3b1c5035b646414" + }, + { + "A": "frk_ct_683f4036b541126388e2989a", + "B": "frk_rq_69d7e76988750007ab774faf" + }, + { + "A": "frk_ct_683f4036b541126388e2989a", + "B": "frk_rq_69d7e7dc23b7f38d35c92917" + }, + { + "A": "frk_ct_683f41e775f4ca03d8f6bae2", + "B": "frk_rq_69d7e7b42dea66c8ad0751ea" + }, + { + "A": "frk_ct_683f41e775f4ca03d8f6bae2", + "B": "frk_rq_69d7e76988750007ab774faf" + }, + { + "A": "frk_ct_683f41e775f4ca03d8f6bae2", + "B": "frk_rq_69d7e7dc23b7f38d35c92917" + }, + { + "A": "frk_ct_683f41e775f4ca03d8f6bae2", + "B": "frk_rq_69d7e7a53e9ce2aeac1a4738" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_rq_69d7e76988750007ab774faf" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_rq_69d7f6a2717be78f524ee2d5" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_rq_69d7e7dc23b7f38d35c92917" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_rq_69d7f6c0c17faabc4e00be1a" + }, + { + "A": "frk_ct_683f43a65de3b6044e63220f", + "B": "frk_rq_69d7ec749fdfe0889e8e1004" + }, + { + "A": "frk_ct_683f43a65de3b6044e63220f", + "B": "frk_rq_69d7e74ab37477b3cb910456" + }, + { + "A": "frk_ct_683f43a65de3b6044e63220f", + "B": "frk_rq_69d7e7fe5acf93ce81590446" + }, + { + "A": "frk_ct_683f4457b14856e700c8c25b", + "B": "frk_rq_69d7ec749fdfe0889e8e1004" + }, + { + "A": "frk_ct_683f4457b14856e700c8c25b", + "B": "frk_rq_69d7e657b68baf33653627a1" + }, + { + "A": "frk_ct_683f44c8074680be528353c1", + "B": "frk_rq_69d7e7b42dea66c8ad0751ea" + }, + { + "A": "frk_ct_683f44c8074680be528353c1", + "B": "frk_rq_69d7e73978f57e698ba562fb" + }, + { + "A": "frk_ct_683f44c8074680be528353c1", + "B": "frk_rq_69d7f6aa16228e705a19b376" + }, + { + "A": "frk_ct_683f45c5058c486f3fa5b7bc", + "B": "frk_rq_69d7e73978f57e698ba562fb" + }, + { + "A": "frk_ct_683f45c5058c486f3fa5b7bc", + "B": "frk_rq_69d7e757ea97d3f6fc14a16f" + }, + { + "A": "frk_ct_683f464bec8bea67de7b9c31", + "B": "frk_rq_69d7e73978f57e698ba562fb" + }, + { + "A": "frk_ct_683f464bec8bea67de7b9c31", + "B": "frk_rq_69d7f6ad063694ae9c92b3d8" + }, + { + "A": "frk_ct_683f464bec8bea67de7b9c31", + "B": "frk_rq_69d7f6ba36b85d9fcdab3676" + }, + { + "A": "frk_ct_683f464bec8bea67de7b9c31", + "B": "frk_rq_69d7f6b31a628c6d4a1eefca" + }, + { + "A": "frk_ct_683f46f3f181af3f93773c1d", + "B": "frk_rq_69d7e73978f57e698ba562fb" + }, + { + "A": "frk_ct_683f46f3f181af3f93773c1d", + "B": "frk_rq_69d7e76988750007ab774faf" + }, + { + "A": "frk_ct_683f46f3f181af3f93773c1d", + "B": "frk_rq_69d7f6ab0ce69e3e2743b723" + }, + { + "A": "frk_ct_683f46f3f181af3f93773c1d", + "B": "frk_rq_69d7e7a53e9ce2aeac1a4738" + }, + { + "A": "frk_ct_683f46f3f181af3f93773c1d", + "B": "frk_rq_69d7f6beb47525c0472e5a28" + }, + { + "A": "frk_ct_683f47cc2faa426603d6bee8", + "B": "frk_rq_69d7f6ab0ce69e3e2743b723" + }, + { + "A": "frk_ct_683f47cc2faa426603d6bee8", + "B": "frk_rq_69d7e74ab37477b3cb910456" + }, + { + "A": "frk_ct_683f47cc2faa426603d6bee8", + "B": "frk_rq_69d7e7a53e9ce2aeac1a4738" + }, + { + "A": "frk_ct_683f47cc2faa426603d6bee8", + "B": "frk_rq_69d7f6beb47525c0472e5a28" + }, + { + "A": "frk_ct_683f484fc7b5506ab97c26af", + "B": "frk_rq_69d7ecc2e48e690433555325" + }, + { + "A": "frk_ct_683f484fc7b5506ab97c26af", + "B": "frk_rq_69d7f07a5dde9e3489417256" + }, + { + "A": "frk_ct_683f484fc7b5506ab97c26af", + "B": "frk_rq_69d7f15174a126ae9318c700" + }, + { + "A": "frk_ct_683f484fc7b5506ab97c26af", + "B": "frk_rq_69d7f6ae46305678b122956f" + }, + { + "A": "frk_ct_683f484fc7b5506ab97c26af", + "B": "frk_rq_69d7f069bba09cd6fde415b4" + }, + { + "A": "frk_ct_683f48ee9534e1e0a088e922", + "B": "frk_rq_69d7f15174a126ae9318c700" + }, + { + "A": "frk_ct_683f48ee9534e1e0a088e922", + "B": "frk_rq_69d7e76988750007ab774faf" + }, + { + "A": "frk_ct_683f48ee9534e1e0a088e922", + "B": "frk_rq_69d7f6a1e9853f081604ebb6" + }, + { + "A": "frk_ct_683f48ee9534e1e0a088e922", + "B": "frk_rq_69d7f069bba09cd6fde415b4" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69d7f6a079d5fe17bb88ddca" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69d7f6a47ba0011b49e504b1" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69d7f6b4775baf784cba6dc5" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69d7f6b5fe119219dd0ddd6d" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69d7f6b2837296fc18c8e05e" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_rq_69d7f6b2837296fc18c8e05e" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_rq_69d7f6b1f6533b5ebd588a61" + }, + { + "A": "frk_ct_683f4b7614d209f8b6ffd477", + "B": "frk_rq_69d7f6b899f3425ec64a4e78" + }, + { + "A": "frk_ct_683f4b7614d209f8b6ffd477", + "B": "frk_rq_69d7f6ab0ce69e3e2743b723" + }, + { + "A": "frk_ct_683f4b7614d209f8b6ffd477", + "B": "frk_rq_69d7f6b7b4984a3804a9f169" + }, + { + "A": "frk_ct_683f4b7614d209f8b6ffd477", + "B": "frk_rq_69d7f6c4333b851266824b47" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69d7f6a2717be78f524ee2d5" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69d7f6b4cc3364592f0a4b17" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69d7f6b4775baf784cba6dc5" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69d7f6b899f3425ec64a4e78" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69d7f6ab0ce69e3e2743b723" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69d7f6c4333b851266824b47" + }, + { + "A": "frk_ct_683f4dd564057a97ae323c9f", + "B": "frk_rq_69d7f6a36f14aa8d8d69619c" + }, + { + "A": "frk_ct_683f4dd564057a97ae323c9f", + "B": "frk_rq_69d7f6c33da8c8699a30e69a" + }, + { + "A": "frk_ct_683f4dd564057a97ae323c9f", + "B": "frk_rq_69d7f6adeddd2e0c23b6e615" + }, + { + "A": "frk_ct_683f4ef6c6a5481a377be413", + "B": "frk_rq_69d7e576d8b4cc0f5440725d" + }, + { + "A": "frk_ct_683f4ef6c6a5481a377be413", + "B": "frk_rq_69d7e725c3b1c5035b646414" + }, + { + "A": "frk_ct_683f50aae46f5e4e096e6bb3", + "B": "frk_rq_69d7f6ba36b85d9fcdab3676" + }, + { + "A": "frk_ct_683f50aae46f5e4e096e6bb3", + "B": "frk_rq_69d7f6b31a628c6d4a1eefca" + }, + { + "A": "frk_ct_68406fc94e08f884cc085ded", + "B": "frk_rq_69d7f6ad063694ae9c92b3d8" + }, + { + "A": "frk_ct_68406fc94e08f884cc085ded", + "B": "frk_rq_69d7f6b5fe119219dd0ddd6d" + }, + { + "A": "frk_ct_68406fc94e08f884cc085ded", + "B": "frk_rq_69d7f6c0c17faabc4e00be1a" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69d7f6b899f3425ec64a4e78" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69d7f6ab0ce69e3e2743b723" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69d7f6c4333b851266824b47" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69d7e73978f57e698ba562fb" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69d7f6b0a7ffde853174b371" + }, + { + "A": "frk_ct_68407122565b1968676d93db", + "B": "frk_rq_69d7f6b2837296fc18c8e05e" + }, + { + "A": "frk_ct_684072e06f4a49ee669076cc", + "B": "frk_rq_69d7f6b1f6533b5ebd588a61" + }, + { + "A": "frk_ct_6840731ae0b857152b35ca8f", + "B": "frk_rq_69d7f6b1f6533b5ebd588a61" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69d7f6b0a7ffde853174b371" + }, + { + "A": "frk_ct_69ea8dac2ff1cd0bfe0c8614", + "B": "frk_rq_68cc0e5eddc90f9619ae850d" + }, + { + "A": "frk_ct_69ea8daf133ebd28ca732b9d", + "B": "frk_rq_68cc0ecd7ec7814948c7f618" + }, + { + "A": "frk_ct_69ea8db16a12eecb3f3a5ecb", + "B": "frk_rq_68cc0f9de0890c314f870108" + }, + { + "A": "frk_ct_69ea8db2c7ed1af765c5981d", + "B": "frk_rq_68cc588533f95e19633f1adc" + }, + { + "A": "frk_ct_69ea8db4a22bb4f0e4c649e1", + "B": "frk_rq_68cc0fb516f402f740147419" + }, + { + "A": "frk_ct_69e918eb8f6e80605d3fa3e5", + "B": "frk_rq_69eaa7b7f5a7e613f2506e2e" + }, + { + "A": "frk_ct_69efd5a87004249e7b6e62af", + "B": "frk_rq_69efd575c5f8bf35c14f5d69" + }, + { + "A": "frk_ct_69efd5aac8f24094878ff701", + "B": "frk_rq_69efd575c5f8bf35c14f5d69" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69d7e74ab37477b3cb910456" + }, + { + "A": "frk_ct_68407122565b1968676d93db", + "B": "frk_rq_69d7f6bf60aa81ed491d2fbc" + }, + { + "A": "frk_ct_6840731ae0b857152b35ca8f", + "B": "frk_rq_69d7f6ab0ce69e3e2743b723" + }, + { + "A": "frk_ct_69e918eb8f6e80605d3fa3e5", + "B": "frk_rq_69e918bf7e5efe469442d414" + }, + { + "A": "frk_ct_69ea8dad9910710084d184a2", + "B": "frk_rq_68cc0e89f26cd9c83ed5e882" + }, + { + "A": "frk_ct_69ea8daea335821ba4148123", + "B": "frk_rq_68cc0eadde4caac33efff2ce" + }, + { + "A": "frk_ct_69ea8db0b7f88f1ce0079240", + "B": "frk_rq_68cc0f7b1fe3d0eba7057907" + }, + { + "A": "frk_ct_69ea8db16a12eecb3f3a5ecb", + "B": "frk_rq_68cc58794cb877178071a215" + }, + { + "A": "frk_ct_69ea8db3571415b8485b6976", + "B": "frk_rq_68cc5893f5f46050ad0ea974" + }, + { + "A": "frk_ct_69ea8db4a22bb4f0e4c649e1", + "B": "frk_rq_68cc58aea3157dcac365d9f7" + }, + { + "A": "frk_ct_69e918e7f7739946f5034799", + "B": "frk_rq_69eaa7b832769b4ecf0e9295" + }, + { + "A": "frk_ct_69efd5aac8f24094878ff701", + "B": "frk_rq_69efd57e84aa9eb34fbdb270" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69d7f6b2837296fc18c8e05e" + }, + { + "A": "frk_ct_69ea8db5182a7a6a4ad28ce1", + "B": "frk_rq_68cc58bb7fa931aabc7d29f2" + }, + { + "A": "frk_ct_69ea8db77c8dd4b36c9ac007", + "B": "frk_rq_68cc0ff05be924f5d0d58a6f" + }, + { + "A": "frk_ct_69ea8db865093703fdf71fc7", + "B": "frk_rq_68cc1023e32bf22413738e2f" + }, + { + "A": "frk_ct_69ea8db865093703fdf71fc7", + "B": "frk_rq_68cc1356217bdfd8243f6ffa" + }, + { + "A": "frk_ct_69ea8db92daf193f6aba0348", + "B": "frk_rq_68cc1037f2716f51a47b2a2c" + }, + { + "A": "frk_ct_69ea8db92daf193f6aba0348", + "B": "frk_rq_68cc5a4fd31458ffff814315" + }, + { + "A": "frk_ct_69ea8dbbf19cd6ba156e97bd", + "B": "frk_rq_68cc5a5a379347f5e3eb59bf" + }, + { + "A": "frk_ct_69e918eb724c553d2e5749ea", + "B": "frk_rq_69eaa7b866cb7cb0261b9fe2" + }, + { + "A": "frk_ct_69efd5ad9dcc82739178f525", + "B": "frk_rq_69efd575c5f8bf35c14f5d69" + }, + { + "A": "frk_ct_69efd5b1e6f19c87845f5939", + "B": "frk_rq_69efd575c5f8bf35c14f5d69" + }, + { + "A": "frk_ct_684071e280c4e0f777b957f7", + "B": "frk_rq_69d7f490f8a6458bf15ef544" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69d7f6ab0ce69e3e2743b723" + }, + { + "A": "frk_ct_684073ba24475a83ba048022", + "B": "frk_rq_69d7e576d8b4cc0f5440725d" + }, + { + "A": "frk_ct_68407406644c56d42eac3295", + "B": "frk_rq_69d7f6ad063694ae9c92b3d8" + }, + { + "A": "frk_ct_68407406644c56d42eac3295", + "B": "frk_rq_69d7f6b1f6533b5ebd588a61" + }, + { + "A": "frk_ct_68407406644c56d42eac3295", + "B": "frk_rq_69d7f6c0c17faabc4e00be1a" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69d7f6c0c17faabc4e00be1a" + }, + { + "A": "frk_ct_68407c9513000617776104c7", + "B": "frk_rq_69d7f6ad063694ae9c92b3d8" + }, + { + "A": "frk_ct_68407c9513000617776104c7", + "B": "frk_rq_69d7e74ab37477b3cb910456" + }, + { + "A": "frk_ct_68407c9513000617776104c7", + "B": "frk_rq_69d7e576d8b4cc0f5440725d" + }, + { + "A": "frk_ct_68e8079750107bcc63fc79d9", + "B": "frk_rq_69d7f6ad063694ae9c92b3d8" + }, + { + "A": "frk_ct_68e80a11f225cb2253e31fa0", + "B": "frk_rq_69d7e7dc23b7f38d35c92917" + }, + { + "A": "frk_ct_684070c1f0091d850df02e59", + "B": "frk_rq_69dcffa4409aba79cfbb6863" + }, + { + "A": "frk_ct_684072e06f4a49ee669076cc", + "B": "frk_rq_69dcffa4409aba79cfbb6863" + }, + { + "A": "frk_ct_68407406644c56d42eac3295", + "B": "frk_rq_69dcffa4409aba79cfbb6863" + }, + { + "A": "frk_ct_68407c9513000617776104c7", + "B": "frk_rq_69dcffa4409aba79cfbb6863" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff4c94051eec2eb36978" + }, + { + "A": "frk_ct_683f43a65de3b6044e63220f", + "B": "frk_rq_69dcff4c94051eec2eb36978" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff3ee7b85cd010d78dcc" + }, + { + "A": "frk_ct_683f44c8074680be528353c1", + "B": "frk_rq_69dcff02f9ade221fa118fbb" + }, + { + "A": "frk_ct_684071e280c4e0f777b957f7", + "B": "frk_rq_69dcff02f9ade221fa118fbb" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69dcfe7d2e55a7bd0d38374e" + }, + { + "A": "frk_ct_683f4036b541126388e2989a", + "B": "frk_rq_69dcfe7e9c17b826488010fc" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfe7fd9e733b180b8ff84" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfee58e52a2062649dacd" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfee61935b50ba3d0a22c" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfee70753501e66c6e02b" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfee8e213a935800448c6" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfee943bdcd3eef5178b1" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfeea714798633b651170" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfeeb2ca10880083b7f82" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfeec0b624eb54eb28e89" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfeedbe961b4ad3875add" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfeeecdf5ed81b9692fa2" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfeef48700ce37f4b36ee" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfef0b5a41febaa878746" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfef10367e82c5c60ea24" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfef2652e248e46a4d10e" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfef29d9116e66aa52b2a" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfef3ab8a1c333b3b3a7f" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfef47bd26dd287a7ad11" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfef554c52d0a4e141e26" + }, + { + "A": "frk_ct_684072e06f4a49ee669076cc", + "B": "frk_rq_69dcfef554c52d0a4e141e26" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_rq_69dcfef3ab8a1c333b3b3a7f" + }, + { + "A": "frk_ct_683f46f3f181af3f93773c1d", + "B": "frk_rq_69dcfef29d9116e66aa52b2a" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_rq_69dcfeedbe961b4ad3875add" + }, + { + "A": "frk_ct_683f48ee9534e1e0a088e922", + "B": "frk_rq_69dcfeedbe961b4ad3875add" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_rq_69dcfeec0b624eb54eb28e89" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69dcfeec0b624eb54eb28e89" + }, + { + "A": "frk_ct_6849ba93636ff0155eb89158", + "B": "frk_rq_69dcfeeb2ca10880083b7f82" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69dcfeeb2ca10880083b7f82" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_rq_69dcfeea714798633b651170" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69dcfee943bdcd3eef5178b1" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69dcfee8e213a935800448c6" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_rq_69dcfee70753501e66c6e02b" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_rq_69dcfee61935b50ba3d0a22c" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69dcfee58e52a2062649dacd" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69dcfe7fd9e733b180b8ff84" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69dcfef6b0e7be6f8e62f448" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69dcfef6b0e7be6f8e62f448" + }, + { + "A": "frk_ct_683f4036b541126388e2989a", + "B": "frk_rq_69dcfef70c971c9098bf6e14" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69dcfef70c971c9098bf6e14" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69dcfef8b4c232559209d742" + }, + { + "A": "frk_ct_683f4ef6c6a5481a377be413", + "B": "frk_rq_69dcfef8b4c232559209d742" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69dcfef9fc8be55124e1ce08" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcfef9fc8be55124e1ce08" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69dcfefaf0ce72126bd10d60" + }, + { + "A": "frk_ct_68406fc94e08f884cc085ded", + "B": "frk_rq_69dcfefaf0ce72126bd10d60" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69dcfefb1b23d778e3f0f70c" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69dcfefc580593304a75c2a0" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfefc580593304a75c2a0" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69dcfefd004ff3cd6e459921" + }, + { + "A": "frk_ct_683f46f3f181af3f93773c1d", + "B": "frk_rq_69dcfefd004ff3cd6e459921" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69dcfefe7539265b071b130b" + }, + { + "A": "frk_ct_68406fc94e08f884cc085ded", + "B": "frk_rq_69dcfefe7539265b071b130b" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfeff9f3ac4d37add4ab0" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69dcfeff9f3ac4d37add4ab0" + }, + { + "A": "frk_ct_684070c1f0091d850df02e59", + "B": "frk_rq_69dcfeff9f3ac4d37add4ab0" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcfeffce3d8f57d4eadd06" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69dcfeffce3d8f57d4eadd06" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69dcfeffce3d8f57d4eadd06" + }, + { + "A": "frk_ct_683f44c8074680be528353c1", + "B": "frk_rq_69dcff004d2e6d95f036ac58" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69dcff004d2e6d95f036ac58" + }, + { + "A": "frk_ct_683f464bec8bea67de7b9c31", + "B": "frk_rq_69dcff004d2e6d95f036ac58" + }, + { + "A": "frk_ct_683f4036b541126388e2989a", + "B": "frk_rq_69dcff01d0e636be71476447" + }, + { + "A": "frk_ct_683f44c8074680be528353c1", + "B": "frk_rq_69dcff01d0e636be71476447" + }, + { + "A": "frk_ct_683f464bec8bea67de7b9c31", + "B": "frk_rq_69dcff02f9ade221fa118fbb" + }, + { + "A": "frk_ct_683f44c8074680be528353c1", + "B": "frk_rq_69dcff035133fef9160ef01e" + }, + { + "A": "frk_ct_683f50aae46f5e4e096e6bb3", + "B": "frk_rq_69dcff035133fef9160ef01e" + }, + { + "A": "frk_ct_683f44c8074680be528353c1", + "B": "frk_rq_69dcff0462ae94b7a97d2d2e" + }, + { + "A": "frk_ct_6849c343d7fbe4e71446ce78", + "B": "frk_rq_69dcff05530220c5959ec50c" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff05530220c5959ec50c" + }, + { + "A": "frk_ct_6849c343d7fbe4e71446ce78", + "B": "frk_rq_69dcff06faa8fa63e5c02dfd" + }, + { + "A": "frk_ct_683f464bec8bea67de7b9c31", + "B": "frk_rq_69dcff0747513fb4a06145e7" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff0aa9d13acc126b2de8" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69dcff0b6928a6e5169089f5" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff0c1dc0b5e7a8bb40b9" + }, + { + "A": "frk_ct_683f464bec8bea67de7b9c31", + "B": "frk_rq_69dcff0c1dc0b5e7a8bb40b9" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff0d6ba2d210146b7e0b" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff12f1a473ff1c537988" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff1303e257a95fbe5049" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff15b5e8ee31c7093b64" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff1629621152913d7324" + }, + { + "A": "frk_ct_69ea8db62ab22968f85f85f6", + "B": "frk_rq_68cc0fd04f279d7a96eacc6f" + }, + { + "A": "frk_ct_69ea8db77c8dd4b36c9ac007", + "B": "frk_rq_68cc1342bdd7f557947e44a2" + }, + { + "A": "frk_ct_69e918eb724c553d2e5749ea", + "B": "frk_rq_69eaa7b867e5acb44fc95468" + }, + { + "A": "frk_ct_69efd5b3cdfebf7ee46a5cf7", + "B": "frk_rq_69efd575c5f8bf35c14f5d69" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff0462ae94b7a97d2d2e" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff091f650503a28195a1" + }, + { + "A": "frk_ct_68407406644c56d42eac3295", + "B": "frk_rq_69dcff091f650503a28195a1" + }, + { + "A": "frk_ct_684072e06f4a49ee669076cc", + "B": "frk_rq_69dcff0aa9d13acc126b2de8" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_rq_69dcff0aa9d13acc126b2de8" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff0b6928a6e5169089f5" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff0d6ba2d210146b7e0b" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff0ff6667eeb439ac92d" + }, + { + "A": "frk_ct_69ea8db92daf193f6aba0348", + "B": "frk_rq_68cc136d293aef7e72dae81a" + }, + { + "A": "frk_ct_69ea8dbdbd2ce5e539a326fa", + "B": "frk_rq_68cc5a771abf96227e04340d" + }, + { + "A": "frk_ct_69ea8dbe99f14797e50f9685", + "B": "frk_rq_68cc104bfdfae778fc876c94" + }, + { + "A": "frk_ct_69ea8dc048654718cfb1d12c", + "B": "frk_rq_68cc106d0cdb75961110d7bd" + }, + { + "A": "frk_ct_69ea8dc5682f9f3146944252", + "B": "frk_rq_68cc5a3a422aaca23633eba8" + }, + { + "A": "frk_ct_69e918eb724c553d2e5749ea", + "B": "frk_rq_69eaa7b8cdabaf034bb4f34e" + }, + { + "A": "frk_ct_69efd5c63e9c6fc1f8bec055", + "B": "frk_rq_69efd57711c3f0a61fe673a4" + }, + { + "A": "frk_ct_6840731ae0b857152b35ca8f", + "B": "frk_rq_69dcff06faa8fa63e5c02dfd" + }, + { + "A": "frk_ct_68406fc94e08f884cc085ded", + "B": "frk_rq_69dcff06faa8fa63e5c02dfd" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff0747513fb4a06145e7" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff084dcf233d1ca149b9" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff0c6466103e02fdec19" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff0edfa877f8fd59e4fa" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff1171ddc363fe1163fd" + }, + { + "A": "frk_ct_69ea8dbccf28e8a000ba1934", + "B": "frk_rq_68cc5a6ca8269484c65f9ec4" + }, + { + "A": "frk_ct_69e918eb724c553d2e5749ea", + "B": "frk_rq_69eaa7b8d85d601c3b8fd630" + }, + { + "A": "frk_ct_69e918eb724c553d2e5749ea", + "B": "frk_rq_69eaa7b8673a4dc99e803097" + }, + { + "A": "frk_ct_69e918eb724c553d2e5749ea", + "B": "frk_rq_69eaa7b859ec0d1cb67baf70" + }, + { + "A": "frk_ct_69efd5c84ccf6f3f5bbe29bd", + "B": "frk_rq_69efd578456ecb3bb27776f6" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff1079df11c41407d594" + }, + { + "A": "frk_ct_69ea8dbfb341d9b1021c8897", + "B": "frk_rq_68cc10611c3b98926aaf2cd5" + }, + { + "A": "frk_ct_69ea8dc1f55bd5e338716f16", + "B": "frk_rq_68cc58dc1ef78d1fe51b83be" + }, + { + "A": "frk_ct_69ea8dc4c401188497d417c2", + "B": "frk_rq_68cc5906894ada4eceff256b" + }, + { + "A": "frk_ct_69ea8dc6f10b53075c3beacb", + "B": "frk_rq_68cc108f1697a1687b11d500" + }, + { + "A": "frk_ct_69e918e805776785f8f80a14", + "B": "frk_rq_69eaa7b8e4e4347bb2b861d5" + }, + { + "A": "frk_ct_69efd5c9acbf83b0a500050e", + "B": "frk_rq_69efd57ab20b0aab665f6d8d" + }, + { + "A": "frk_ct_69efd5cb8d9092bd71665722", + "B": "frk_rq_69efd57cea0d187006ea6b13" + }, + { + "A": "frk_ct_69efd5d1c0499ab2c136b759", + "B": "frk_rq_69efd580bc382953d7136073" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff140e07cd3e7afa53e8" + }, + { + "A": "frk_ct_683f43a65de3b6044e63220f", + "B": "frk_rq_69dcff1629621152913d7324" + }, + { + "A": "frk_ct_68406fc94e08f884cc085ded", + "B": "frk_rq_69dcff177062f35e09be9e5c" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69dcff177062f35e09be9e5c" + }, + { + "A": "frk_ct_683f4036b541126388e2989a", + "B": "frk_rq_69dcff1881e1bebb12a5c6eb" + }, + { + "A": "frk_ct_68406fc94e08f884cc085ded", + "B": "frk_rq_69dcff1881e1bebb12a5c6eb" + }, + { + "A": "frk_ct_68406fc94e08f884cc085ded", + "B": "frk_rq_69dcff19a50ef3f4cc515dba" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff19a50ef3f4cc515dba" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff1a165baf0394644b51" + }, + { + "A": "frk_ct_68406fc94e08f884cc085ded", + "B": "frk_rq_69dcff1a165baf0394644b51" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff1b3c019806a66495aa" + }, + { + "A": "frk_ct_68406fc94e08f884cc085ded", + "B": "frk_rq_69dcff1b3c019806a66495aa" + }, + { + "A": "frk_ct_68406fc94e08f884cc085ded", + "B": "frk_rq_69dcff1cb3c3a0c1bcf6346b" + }, + { + "A": "frk_ct_684071e280c4e0f777b957f7", + "B": "frk_rq_69dcff1cb3c3a0c1bcf6346b" + }, + { + "A": "frk_ct_684072e06f4a49ee669076cc", + "B": "frk_rq_69dcff1d859fd998bac7948e" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69dcff1d859fd998bac7948e" + }, + { + "A": "frk_ct_683f4036b541126388e2989a", + "B": "frk_rq_69dcff1d6e8e06f38769eb37" + }, + { + "A": "frk_ct_684072e06f4a49ee669076cc", + "B": "frk_rq_69dcff1d6e8e06f38769eb37" + }, + { + "A": "frk_ct_684072e06f4a49ee669076cc", + "B": "frk_rq_69dcff1eb2e612067cc06689" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_rq_69dcff1eb2e612067cc06689" + }, + { + "A": "frk_ct_684072e06f4a49ee669076cc", + "B": "frk_rq_69dcff1f913a3851412e6152" + }, + { + "A": "frk_ct_684072e06f4a49ee669076cc", + "B": "frk_rq_69dcff20b57ba3362e33b03b" + }, + { + "A": "frk_ct_683f484fc7b5506ab97c26af", + "B": "frk_rq_69dcff20b57ba3362e33b03b" + }, + { + "A": "frk_ct_683f484fc7b5506ab97c26af", + "B": "frk_rq_69dcff2178ae451953e6ccad" + }, + { + "A": "frk_ct_68407406644c56d42eac3295", + "B": "frk_rq_69dcff2178ae451953e6ccad" + }, + { + "A": "frk_ct_68407406644c56d42eac3295", + "B": "frk_rq_69dcff22146c8825df44cba4" + }, + { + "A": "frk_ct_68407406644c56d42eac3295", + "B": "frk_rq_69dcff23517e30660b32e82a" + }, + { + "A": "frk_ct_68407406644c56d42eac3295", + "B": "frk_rq_69dcff249c8cac39dc053355" + }, + { + "A": "frk_ct_68407406644c56d42eac3295", + "B": "frk_rq_69dcff25f930412d8f4a7fdc" + }, + { + "A": "frk_ct_68407406644c56d42eac3295", + "B": "frk_rq_69dcff26e497c0d93bb8b841" + }, + { + "A": "frk_ct_68407406644c56d42eac3295", + "B": "frk_rq_69dcff276033713e3105e596" + }, + { + "A": "frk_ct_68407406644c56d42eac3295", + "B": "frk_rq_69dcff287f85466efc21f5ef" + }, + { + "A": "frk_ct_683f50aae46f5e4e096e6bb3", + "B": "frk_rq_69dcff2905d5e8bf0f39d088" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69dcff2905d5e8bf0f39d088" + }, + { + "A": "frk_ct_683f4036b541126388e2989a", + "B": "frk_rq_69dcff2a6b628ffc40d594cb" + }, + { + "A": "frk_ct_683f50aae46f5e4e096e6bb3", + "B": "frk_rq_69dcff2a6b628ffc40d594cb" + }, + { + "A": "frk_ct_683f50aae46f5e4e096e6bb3", + "B": "frk_rq_69dcff2bdb1b55a1c3806a0f" + }, + { + "A": "frk_ct_683f50aae46f5e4e096e6bb3", + "B": "frk_rq_69dcff2cc3942cb41ecd6889" + }, + { + "A": "frk_ct_683f43a65de3b6044e63220f", + "B": "frk_rq_69dcff2cc3942cb41ecd6889" + }, + { + "A": "frk_ct_683f50aae46f5e4e096e6bb3", + "B": "frk_rq_69dcff2de69d0de80dc895c7" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff2de69d0de80dc895c7" + }, + { + "A": "frk_ct_683f50aae46f5e4e096e6bb3", + "B": "frk_rq_69dcff2e1bf5bf4be8c2b03e" + }, + { + "A": "frk_ct_684073ba24475a83ba048022", + "B": "frk_rq_69dcff2e1bf5bf4be8c2b03e" + }, + { + "A": "frk_ct_683f50aae46f5e4e096e6bb3", + "B": "frk_rq_69dcff2f9a128163f0f0394e" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff2f9a128163f0f0394e" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff307f0939472c98b0d8" + }, + { + "A": "frk_ct_684073d541bfb8b8b777e529", + "B": "frk_rq_69dcff307f0939472c98b0d8" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff313299b5055bf4a37a" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_rq_69dcff313299b5055bf4a37a" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69dcff32217541c6335876d7" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff32217541c6335876d7" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_681f965d3ddb6537459de9a0" + }, + { + "A": "frk_ct_683f50aae46f5e4e096e6bb3", + "B": "frk_rq_681f965d3ddb6537459de9a0" + }, + { + "A": "frk_ct_683f50aae46f5e4e096e6bb3", + "B": "frk_rq_69dcff34a4d5d4d838e9354d" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff34a4d5d4d838e9354d" + }, + { + "A": "frk_ct_683f50aae46f5e4e096e6bb3", + "B": "frk_rq_69dcff35ebe7f0f919be1220" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69dcff35ebe7f0f919be1220" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69dcff36a0de7399adf64cb1" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69dcff3772ddda25fa510528" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69dcff3772ddda25fa510528" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff3772ddda25fa510528" + }, + { + "A": "frk_ct_684073ba24475a83ba048022", + "B": "frk_rq_69dcff38d92835591f6d33e1" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff38d92835591f6d33e1" + }, + { + "A": "frk_ct_684073ba24475a83ba048022", + "B": "frk_rq_69dcff39f841d3b959277a95" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff39f841d3b959277a95" + }, + { + "A": "frk_ct_6849c343d7fbe4e71446ce78", + "B": "frk_rq_69dcff3a4e59825c6b2bf8a4" + }, + { + "A": "frk_ct_683f50aae46f5e4e096e6bb3", + "B": "frk_rq_69dcff3a4e59825c6b2bf8a4" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69dcff3a6999fa45c9973ba1" + }, + { + "A": "frk_ct_683f50aae46f5e4e096e6bb3", + "B": "frk_rq_69dcff3a6999fa45c9973ba1" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff3bd6eab0cabf8e5143" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff3c7b813604dd33848b" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff3d7eff2daf7d1eecb6" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff3f412d52f5b06ca705" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff408cc7a841ed94e038" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff41955f84ea0e563041" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff42de2711fed58334d5" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff43e91cb5685c511c93" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff454540cdc67ec5cc55" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff4683b09426d28bd353" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff463d117670a150959e" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69dcff47dcbb3e7cf896a31f" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69dcff47dcbb3e7cf896a31f" + }, + { + "A": "frk_ct_683f4036b541126388e2989a", + "B": "frk_rq_69dcff48933a909e70ec59f1" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_rq_69dcff48933a909e70ec59f1" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_rq_69dcff49428742555a80f331" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff49428742555a80f331" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff4a4a17963ebdb7e8db" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69dcff4a4a17963ebdb7e8db" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_rq_69dcff4bb1fdf4c5a72375ce" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_rq_69dcff4deaf158a194b31651" + }, + { + "A": "frk_ct_683f48ee9534e1e0a088e922", + "B": "frk_rq_69dcff4eef4d973db6749aaa" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_rq_69dcff5459bbc24b82e95346" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69dcff5be046e7444d27c470" + }, + { + "A": "frk_ct_683f50aae46f5e4e096e6bb3", + "B": "frk_rq_69dcff5be046e7444d27c470" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_rq_69dcff5c4e2e039756c30c04" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff5c4e2e039756c30c04" + }, + { + "A": "frk_ct_68407122565b1968676d93db", + "B": "frk_rq_69dcff633226b6615536612b" + }, + { + "A": "frk_ct_68407122565b1968676d93db", + "B": "frk_rq_69dcff7240318f3d092f02a6" + }, + { + "A": "frk_ct_69dd3265dadac07cd88ae96c", + "B": "frk_rq_69dcff73fd64fa5ccce46aa9" + }, + { + "A": "frk_ct_69dd3265dadac07cd88ae96c", + "B": "frk_rq_69dcff7462dbb18b93e55650" + }, + { + "A": "frk_ct_69ea8dc2e0fd4e97481baafd", + "B": "frk_rq_68cc58e8ea648286acddda43" + }, + { + "A": "frk_ct_69ea8dc3a37b3f833dc7d6f3", + "B": "frk_rq_68cc58f88bcbeef356b5081c" + }, + { + "A": "frk_ct_69ea8dcd4cffcf9dd949ca02", + "B": "frk_rq_68cc5ab9b661ac977104733b" + }, + { + "A": "frk_ct_69e918e7f403f696c2577de1", + "B": "frk_rq_69eaa7b8ebe34c5dbee1528f" + }, + { + "A": "frk_ct_69efd5cd34220c6db57b2710", + "B": "frk_rq_69efd57d8ecf1576f93a0603" + }, + { + "A": "frk_ct_69efd5d2b0758b1e1c1b6d87", + "B": "frk_rq_69efd581f8bf5b44eeecd048" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_rq_69dcff4a4a17963ebdb7e8db" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff4bb1fdf4c5a72375ce" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_rq_69dcff4fcd6918d1cb665e86" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_rq_69dcff53f0d3e72346c35750" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_rq_69dcff558d7ef3b5791eb24f" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_rq_69dcff56d1dc19e437dcc6da" + }, + { + "A": "frk_ct_6840731ae0b857152b35ca8f", + "B": "frk_rq_69dcff580c8abb1ed5c36b09" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69dcff5a0689e9848805617c" + }, + { + "A": "frk_ct_68407122565b1968676d93db", + "B": "frk_rq_69dcff5fdc280eb94be0039d" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff5fdc280eb94be0039d" + }, + { + "A": "frk_ct_68407122565b1968676d93db", + "B": "frk_rq_69dcff6707ec7913810857e4" + }, + { + "A": "frk_ct_683f464bec8bea67de7b9c31", + "B": "frk_rq_69dcff6707ec7913810857e4" + }, + { + "A": "frk_ct_683f464bec8bea67de7b9c31", + "B": "frk_rq_69dcff6b75060bf37b99db11" + }, + { + "A": "frk_ct_683f464bec8bea67de7b9c31", + "B": "frk_rq_69dcff6da2df8cba3c6adc88" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_rq_69dcff6eebcdcef1b3719bf7" + }, + { + "A": "frk_ct_683f44c8074680be528353c1", + "B": "frk_rq_69dcff70db9f49439ea3a578" + }, + { + "A": "frk_ct_68407122565b1968676d93db", + "B": "frk_rq_69dcff718575d135791b7d6e" + }, + { + "A": "frk_ct_683f43a65de3b6044e63220f", + "B": "frk_rq_69dcff73fd64fa5ccce46aa9" + }, + { + "A": "frk_ct_69ea8dc667172a41022fcf27", + "B": "frk_rq_68cc124496843ba357887e21" + }, + { + "A": "frk_ct_69ea8dc718a407d992cda795", + "B": "frk_rq_68cc126823caf86fae495b66" + }, + { + "A": "frk_ct_69ea8dc8ec4ced8e76b114c0", + "B": "frk_rq_68cc12d0f52f5c1d91f117f1" + }, + { + "A": "frk_ct_69ea8dc8ec4ced8e76b114c0", + "B": "frk_rq_68cc12e9ccf8c0f87b0ab7ed" + }, + { + "A": "frk_ct_69ea8dc8ec4ced8e76b114c0", + "B": "frk_rq_68cc12fe773e2545f63bbb68" + }, + { + "A": "frk_ct_69ea8dcb210958cb72f499f2", + "B": "frk_rq_68cc5a9d72bacbed2987c4b8" + }, + { + "A": "frk_ct_69ea8dccd7c01c6d2503448b", + "B": "frk_rq_68cc5aaaeb5095fd2da1a92c" + }, + { + "A": "frk_ct_69e918e7f7739946f5034799", + "B": "frk_rq_69eaa7b8ebe34c5dbee1528f" + }, + { + "A": "frk_ct_69e918e8c57e2f6756c995ca", + "B": "frk_rq_69eaa7b707e431b82960342c" + }, + { + "A": "frk_ct_69efd5ce50b1ede13c3848f2", + "B": "frk_rq_69efd57e84aa9eb34fbdb270" + }, + { + "A": "frk_ct_684073617d0706858cceb8c7", + "B": "frk_rq_69dcff4c94051eec2eb36978" + }, + { + "A": "frk_ct_69ea8dcaa9b51a2b1e5f2abd", + "B": "frk_rq_68cc131dece6bc88bea70bea" + }, + { + "A": "frk_ct_69ea8dd8aa91ceac379fa2c3", + "B": "frk_rq_68cc5b5f0af0a89e2ddbc059" + }, + { + "A": "frk_ct_69e918e6d72a45b4f933a112", + "B": "frk_rq_69eaa7b733cf653074d17a7f" + }, + { + "A": "frk_ct_69efd5e12d61c6019d213f60", + "B": "frk_rq_69efd583f4e5404bcb066b56" + }, + { + "A": "frk_ct_69efd5e395082fabf04e53b7", + "B": "frk_rq_69efd583f4e5404bcb066b56" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff4deaf158a194b31651" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff4eef4d973db6749aaa" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_rq_69dcff505832b24179f594da" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_rq_69dcff512f1643822ffc40e9" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_rq_69dcff5244a445e2083124bb" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcff56d1dc19e437dcc6da" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff56d1dc19e437dcc6da" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff57a27eda29d28d1a51" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69dcff57a27eda29d28d1a51" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcff57a27eda29d28d1a51" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69dcff580c8abb1ed5c36b09" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69dcff59093f80b6b5f93ede" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff5a0689e9848805617c" + }, + { + "A": "frk_ct_68407122565b1968676d93db", + "B": "frk_rq_69dcff5d5419b9e6dd0fecda" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69dcff5d5419b9e6dd0fecda" + }, + { + "A": "frk_ct_68407122565b1968676d93db", + "B": "frk_rq_69dcff5e675b23b53711e58a" + }, + { + "A": "frk_ct_683f4036b541126388e2989a", + "B": "frk_rq_69dcff5e675b23b53711e58a" + }, + { + "A": "frk_ct_683f46f3f181af3f93773c1d", + "B": "frk_rq_69dcff60aaa239198fc1a3d0" + }, + { + "A": "frk_ct_68407122565b1968676d93db", + "B": "frk_rq_69dcff60aaa239198fc1a3d0" + }, + { + "A": "frk_ct_68407122565b1968676d93db", + "B": "frk_rq_69dcff618eb41f404917d281" + }, + { + "A": "frk_ct_68407122565b1968676d93db", + "B": "frk_rq_69dcff622b60baca6c5cb4cd" + }, + { + "A": "frk_ct_68407122565b1968676d93db", + "B": "frk_rq_69dcff63a09efbccfe305a95" + }, + { + "A": "frk_ct_68407406644c56d42eac3295", + "B": "frk_rq_69dcff63a09efbccfe305a95" + }, + { + "A": "frk_ct_68407122565b1968676d93db", + "B": "frk_rq_69dcff64fea13841683f18bb" + }, + { + "A": "frk_ct_68407122565b1968676d93db", + "B": "frk_rq_69dcff65403b9e40cecd10ed" + }, + { + "A": "frk_ct_68407122565b1968676d93db", + "B": "frk_rq_69dcff66b9c46103ddf77fd9" + }, + { + "A": "frk_ct_683f44c8074680be528353c1", + "B": "frk_rq_69dcff68a147f3de0eea37e4" + }, + { + "A": "frk_ct_68407122565b1968676d93db", + "B": "frk_rq_69dcff68a147f3de0eea37e4" + }, + { + "A": "frk_ct_68407122565b1968676d93db", + "B": "frk_rq_69dcff696445afd56ff3c2e0" + }, + { + "A": "frk_ct_683f484fc7b5506ab97c26af", + "B": "frk_rq_69dcff696445afd56ff3c2e0" + }, + { + "A": "frk_ct_683f464bec8bea67de7b9c31", + "B": "frk_rq_69dcff6ad323e7481a2a947b" + }, + { + "A": "frk_ct_683f44c8074680be528353c1", + "B": "frk_rq_69dcff6b75060bf37b99db11" + }, + { + "A": "frk_ct_683f464bec8bea67de7b9c31", + "B": "frk_rq_69dcff6cce53eb27962c728d" + }, + { + "A": "frk_ct_683f41e775f4ca03d8f6bae2", + "B": "frk_rq_69dcff6cce53eb27962c728d" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_rq_69dcff6da2df8cba3c6adc88" + }, + { + "A": "frk_ct_683f464bec8bea67de7b9c31", + "B": "frk_rq_69dcff6eebcdcef1b3719bf7" + }, + { + "A": "frk_ct_683f44c8074680be528353c1", + "B": "frk_rq_69dcff6f571248c093ade975" + }, + { + "A": "frk_ct_69dd3265dadac07cd88ae96c", + "B": "frk_rq_69dcff718575d135791b7d6e" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_rq_69dcff718575d135791b7d6e" + }, + { + "A": "frk_ct_69dd3265dadac07cd88ae96c", + "B": "frk_rq_69dcff7240318f3d092f02a6" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_rq_69dcff7462dbb18b93e55650" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff75b6b39b136c68f7ef" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff76e8f6202ef0251616" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff76214ca4507aeb9676" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff770e9408ee767d7d61" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff78e9f10b1a12834a54" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff79046ad91bb49f4bc6" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff7af382be7a8fddd851" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff7bca5070a954e4b926" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff7c6886d812e3bca1a2" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff7dd59284f830693a8e" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff7e6837c1fdcc088bee" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff7f641df666a0c22817" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff8066ac2874e0cafac8" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff81e3687caf7f1bd030" + }, + { + "A": "frk_ct_683f46f3f181af3f93773c1d", + "B": "frk_rq_69dcff81e3687caf7f1bd030" + }, + { + "A": "frk_ct_6849ba93636ff0155eb89158", + "B": "frk_rq_69dcff824662a071ea30b728" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff824662a071ea30b728" + }, + { + "A": "frk_ct_683f46f3f181af3f93773c1d", + "B": "frk_rq_69dcff83f48edc965b711dd3" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff83f48edc965b711dd3" + }, + { + "A": "frk_ct_683f46f3f181af3f93773c1d", + "B": "frk_rq_69dcff84eb2f0175af1a5a4a" + }, + { + "A": "frk_ct_683f484fc7b5506ab97c26af", + "B": "frk_rq_69dcff84eb2f0175af1a5a4a" + }, + { + "A": "frk_ct_683f46f3f181af3f93773c1d", + "B": "frk_rq_69dcff85c4d2a8dae74164a1" + }, + { + "A": "frk_ct_683f46f3f181af3f93773c1d", + "B": "frk_rq_69dcff86ca9ca870073fc2d8" + }, + { + "A": "frk_ct_683f47cc2faa426603d6bee8", + "B": "frk_rq_69dcff86a14a58f051949e0b" + }, + { + "A": "frk_ct_683f46f3f181af3f93773c1d", + "B": "frk_rq_69dcff86a14a58f051949e0b" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff8794897fee8d23e907" + }, + { + "A": "frk_ct_683f44c8074680be528353c1", + "B": "frk_rq_69dcff8794897fee8d23e907" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff888d17e2a40c5ade06" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69dcff888d17e2a40c5ade06" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_rq_69dcff89e8f8db6da78dca7a" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff89e8f8db6da78dca7a" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_rq_69dcff8a58ad310935d80fad" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcff8a58ad310935d80fad" + }, + { + "A": "frk_ct_683f46f3f181af3f93773c1d", + "B": "frk_rq_69dcff8b10fa6474b498b5f6" + }, + { + "A": "frk_ct_683f47cc2faa426603d6bee8", + "B": "frk_rq_69dcff8b10fa6474b498b5f6" + }, + { + "A": "frk_ct_683f47cc2faa426603d6bee8", + "B": "frk_rq_69dcff8cb4d4d1d377d3a9fc" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff8dccf4c2d977dd9998" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff8e7a4db0d82942a727" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff8f197c76085dff0f70" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff90072c1b750388be26" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_rq_69dcff90072c1b750388be26" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff91b7e21c99696af30c" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff92f25a500690ecb1d2" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69dcff92f25a500690ecb1d2" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff936bcdd3953dd57be7" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff944cc63873ea85c709" + }, + { + "A": "frk_ct_69dd33a74b6fd1d459c4af20", + "B": "frk_rq_69dcff95ecf248dcbe4462f7" + }, + { + "A": "frk_ct_683f4c9db20e7cf4a303af1f", + "B": "frk_rq_69dcff95ecf248dcbe4462f7" + }, + { + "A": "frk_ct_69dd33a74b6fd1d459c4af20", + "B": "frk_rq_69dcff965d4daf381dbebb56" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff977f23cf8501f592c3" + }, + { + "A": "frk_ct_69dd33a74b6fd1d459c4af20", + "B": "frk_rq_69dcff9833b29ae89c1eb64f" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69dcff9833b29ae89c1eb64f" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff9974c7634956ba7f0a" + }, + { + "A": "frk_ct_683f484fc7b5506ab97c26af", + "B": "frk_rq_69dcff9a172f64b803d4f523" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcff9b7b0dfdd22bc2d410" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff9c8daaf57bbf28b8ef" + }, + { + "A": "frk_ct_683f48ee9534e1e0a088e922", + "B": "frk_rq_69dcff9c8daaf57bbf28b8ef" + }, + { + "A": "frk_ct_683f47cc2faa426603d6bee8", + "B": "frk_rq_69dcff9efe92caf1c8f48290" + }, + { + "A": "frk_ct_69dd33a73264cb77236367ba", + "B": "frk_rq_69dcff9f2a32fccc4bdee381" + }, + { + "A": "frk_ct_683f50aae46f5e4e096e6bb3", + "B": "frk_rq_69dcff9f2a32fccc4bdee381" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_rq_69dcffa89c6236dea8c3797d" + }, + { + "A": "frk_ct_69ea8dcef8ff3c2ed55ea14a", + "B": "frk_rq_68cc5aca98f03da8f8367cba" + }, + { + "A": "frk_ct_69e918ea7bd6df3b3cdd2ddc", + "B": "frk_rq_69eaa7b735898b1be6a9ebf2" + }, + { + "A": "frk_ct_69efd5e71ad52c5ab2ec069e", + "B": "frk_rq_69efd583f4e5404bcb066b56" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff965d4daf381dbebb56" + }, + { + "A": "frk_ct_69ea8dcfcba021703a55bf97", + "B": "frk_rq_68cc5ad9f59cea7dc12cb935" + }, + { + "A": "frk_ct_69ea8dd0de2f746bb95acd4b", + "B": "frk_rq_68cc5ae5ff5cddebb560aa22" + }, + { + "A": "frk_ct_69ea8dd28d9b23fd806840e7", + "B": "frk_rq_68cc5afff58160f9f1c4dd20" + }, + { + "A": "frk_ct_69ea8dd44d3b368f85df728c", + "B": "frk_rq_68cc5b1b6a671e5fdb9e83f8" + }, + { + "A": "frk_ct_69ea8dd5a750b30e2eb69d18", + "B": "frk_rq_68cc5b28c6250d5e578180f9" + }, + { + "A": "frk_ct_69e918ea7bd6df3b3cdd2ddc", + "B": "frk_rq_69eaa7b7b237bc35bb52c10d" + }, + { + "A": "frk_ct_69efd5e906d5418ee6b5dc6a", + "B": "frk_rq_69efd583f4e5404bcb066b56" + }, + { + "A": "frk_ct_69dd33a74b6fd1d459c4af20", + "B": "frk_rq_69dcff977f23cf8501f592c3" + }, + { + "A": "frk_ct_69dd33a74b6fd1d459c4af20", + "B": "frk_rq_69dcff9974c7634956ba7f0a" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff9b08ac85014f447336" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcff9b08ac85014f447336" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff9b7b0dfdd22bc2d410" + }, + { + "A": "frk_ct_6849ba93636ff0155eb89158", + "B": "frk_rq_69dcff9efe92caf1c8f48290" + }, + { + "A": "frk_ct_69ea8dd148f84ea6656bce7d", + "B": "frk_rq_68cc5af0bf60b2e58133ff53" + }, + { + "A": "frk_ct_69e918ea7bd6df3b3cdd2ddc", + "B": "frk_rq_69eaa7b76c115a489f4f4b08" + }, + { + "A": "frk_ct_69efd5e906d5418ee6b5dc6a", + "B": "frk_rq_69efd57ab20b0aab665f6d8d" + }, + { + "A": "frk_ct_683f484fc7b5506ab97c26af", + "B": "frk_rq_69dcff977f23cf8501f592c3" + }, + { + "A": "frk_ct_69ea8dd38d7945cd54758b49", + "B": "frk_rq_68cc5b0cffc0c85df3924feb" + }, + { + "A": "frk_ct_69ea8dd54053dfd453b9dc4a", + "B": "frk_rq_68cc5b347ac42a6ed8a90c67" + }, + { + "A": "frk_ct_69ea8dd6097d1766ac51e294", + "B": "frk_rq_68cc5b41171a8cadfef58dd7" + }, + { + "A": "frk_ct_69ea8dd7f551ad7a56706b46", + "B": "frk_rq_68cc5b4f01de903a82db622d" + }, + { + "A": "frk_ct_69ea8dd9462f30b929260abf", + "B": "frk_rq_68cc5b76ac80dbc2af7ee28b" + }, + { + "A": "frk_ct_69ea8dda97d0010af0cf826d", + "B": "frk_rq_68cc5b81b072f6717d2acfc5" + }, + { + "A": "frk_ct_69ea8ddbb737f1f09bbcd82e", + "B": "frk_rq_68cc5b8c4bbc9a2326ce718a" + }, + { + "A": "frk_ct_69e918e9be6da6eba7d0ea4e", + "B": "frk_rq_69eaa7b77bf5981d7557e448" + }, + { + "A": "frk_ct_69efd5ee3eb484fc081cd20a", + "B": "frk_rq_69efd583f4e5404bcb066b56" + }, + { + "A": "frk_ct_69efd5ee3eb484fc081cd20a", + "B": "frk_rq_69efd574f36aa744a461b0f9" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff9833b29ae89c1eb64f" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_rq_69dcff9974c7634956ba7f0a" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_rq_69dcff9a172f64b803d4f523" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_rq_69dcff9d4484fa6ab009ad50" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69dcffa0cd7071a70c25eff6" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69dcffa119474a2d5739cad6" + }, + { + "A": "frk_ct_683f41e775f4ca03d8f6bae2", + "B": "frk_rq_69dcffa34047058834cd7552" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_rq_69dcffa72b879950a33ff8ff" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69dcffa72b879950a33ff8ff" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_rq_69dcffa89c6236dea8c3797d" + }, + { + "A": "frk_ct_683f41e775f4ca03d8f6bae2", + "B": "frk_rq_69dcffa91626c1563c561918" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69dcffaa44f250f4729f4ae0" + }, + { + "A": "frk_ct_69ea8ddce361e7f7eb0fc2b9", + "B": "frk_rq_68cc5b9f143db7a8e8f2fd99" + }, + { + "A": "frk_ct_69e918eaa930d07ea41dd0d0", + "B": "frk_rq_69eaa7b71e2f3c4710aa383f" + }, + { + "A": "frk_ct_69e918e8cc289b978f31a12a", + "B": "frk_rq_69eaa7b7da0c92ffd26e6f7e" + }, + { + "A": "frk_ct_69f3d976c53fd192b48e6236", + "B": "frk_rq_69f3d8f9325e9331eb352d02" + }, + { + "A": "frk_ct_69f3d9793720eec4d4945150", + "B": "frk_rq_69f3d8f9325e9331eb352d02" + }, + { + "A": "frk_ct_69f3d97b66301a97f6b8e4a3", + "B": "frk_rq_69f3d8f97b102c78dd60613e" + }, + { + "A": "frk_ct_69f3d983dce2e00263034481", + "B": "frk_rq_69f3d8fab461cfff700cd0fc" + }, + { + "A": "frk_ct_69f3d9846258471679ba5a28", + "B": "frk_rq_69f3d8fb5e54d4c7ab693e1a" + }, + { + "A": "frk_ct_69f3d9854a029af0a24299a3", + "B": "frk_rq_69f3d8fb5e54d4c7ab693e1a" + }, + { + "A": "frk_ct_683f46f3f181af3f93773c1d", + "B": "frk_rq_69dcff9d4484fa6ab009ad50" + }, + { + "A": "frk_ct_6849ba93636ff0155eb89158", + "B": "frk_rq_69dcff9f2a32fccc4bdee381" + }, + { + "A": "frk_ct_683f41e775f4ca03d8f6bae2", + "B": "frk_rq_69dcffa0cd7071a70c25eff6" + }, + { + "A": "frk_ct_683f4036b541126388e2989a", + "B": "frk_rq_69dcffa2854a8978069abc2e" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69dcffa4409aba79cfbb6863" + }, + { + "A": "frk_ct_683f4c9db20e7cf4a303af1f", + "B": "frk_rq_69dcffa5bbe2ac63ba382ae6" + }, + { + "A": "frk_ct_683f484fc7b5506ab97c26af", + "B": "frk_rq_69dcffa5bbe2ac63ba382ae6" + }, + { + "A": "frk_ct_683f484fc7b5506ab97c26af", + "B": "frk_rq_69dcffa63136b4e7a84d10fc" + }, + { + "A": "frk_ct_69ea8dddda00d3522c538085", + "B": "frk_rq_68cc5bb1b016fed3f0f73d6f" + }, + { + "A": "frk_ct_69e918e94e68c0fb15ee98d0", + "B": "frk_rq_69eaa7b7f31a0487875d4020" + }, + { + "A": "frk_ct_69f3d977f853eaee5ff05fe7", + "B": "frk_rq_69f3d8f9325e9331eb352d02" + }, + { + "A": "frk_ct_69f3d9781dacd8da2864fd17", + "B": "frk_rq_69f3d8f9325e9331eb352d02" + }, + { + "A": "frk_ct_69f3d97a7b80d8564339ffc5", + "B": "frk_rq_69f3d8f97b102c78dd60613e" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69dcffa2854a8978069abc2e" + }, + { + "A": "frk_ct_683f4036b541126388e2989a", + "B": "frk_rq_69dcffa34047058834cd7552" + }, + { + "A": "frk_ct_683f4f59dea367ca96145e14", + "B": "frk_rq_69dcffa63136b4e7a84d10fc" + }, + { + "A": "frk_ct_69dd33a6c094ddd8a7268013", + "B": "frk_rq_69dcffa91626c1563c561918" + }, + { + "A": "frk_ct_683f41e775f4ca03d8f6bae2", + "B": "frk_rq_69dcffaa44f250f4729f4ae0" + }, + { + "A": "frk_ct_69dd33a6d12ae294a95e9ac1", + "B": "frk_rq_69dcffab5b3ab140e35b2a8f" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_rq_69dcffab5b3ab140e35b2a8f" + }, + { + "A": "frk_ct_69dd33a6d12ae294a95e9ac1", + "B": "frk_rq_69dcffac9c60c52edbd56fef" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_rq_69dcffac9c60c52edbd56fef" + }, + { + "A": "frk_ct_69dd33a6d12ae294a95e9ac1", + "B": "frk_rq_69dcffad14c5796fac50382b" + }, + { + "A": "frk_ct_683f43a65de3b6044e63220f", + "B": "frk_rq_69dcffaebee28285f81befad" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_rq_69dcffaebee28285f81befad" + }, + { + "A": "frk_ct_683f43a65de3b6044e63220f", + "B": "frk_rq_69dcffafdd6076fb6394fab2" + }, + { + "A": "frk_ct_683f43a65de3b6044e63220f", + "B": "frk_rq_69dcffb0d294a6b409bf2777" + }, + { + "A": "frk_ct_683f43a65de3b6044e63220f", + "B": "frk_rq_69dcffb1c482f1b4c9faa676" + }, + { + "A": "frk_ct_683f43a65de3b6044e63220f", + "B": "frk_rq_69dcffb221021671f9e15650" + }, + { + "A": "frk_ct_683f43a65de3b6044e63220f", + "B": "frk_rq_69dcffb3bb48dd2bca628d6a" + }, + { + "A": "frk_ct_683f48ee9534e1e0a088e922", + "B": "frk_rq_69dcffb4bfef6f7f83a002a5" + }, + { + "A": "frk_ct_683f48ee9534e1e0a088e922", + "B": "frk_rq_69dcffb5976c9bf607b589bf" + }, + { + "A": "frk_ct_683f48ee9534e1e0a088e922", + "B": "frk_rq_69dcffb652f1be5f58bda75d" + }, + { + "A": "frk_ct_683f48ee9534e1e0a088e922", + "B": "frk_rq_69dcffb7c9bb0dab205bcd0f" + }, + { + "A": "frk_ct_683f48ee9534e1e0a088e922", + "B": "frk_rq_69dcffb80d9e0ce7eccf5b66" + }, + { + "A": "frk_ct_683f48ee9534e1e0a088e922", + "B": "frk_rq_69dcffb936d930f67bf2acc9" + }, + { + "A": "frk_ct_683f48ee9534e1e0a088e922", + "B": "frk_rq_69dcffbae18a11fa1fefd5cc" + }, + { + "A": "frk_ct_683f47cc2faa426603d6bee8", + "B": "frk_rq_69dcffbbae320285dfd82b59" + }, + { + "A": "frk_ct_683f47cc2faa426603d6bee8", + "B": "frk_rq_69dcffbcc00c2a8335362cd9" + }, + { + "A": "frk_ct_683f47cc2faa426603d6bee8", + "B": "frk_rq_69dcffbd079e9609d8754451" + }, + { + "A": "frk_ct_683f47cc2faa426603d6bee8", + "B": "frk_rq_69dcffbd5a29f5ca49f033a2" + }, + { + "A": "frk_ct_683f47cc2faa426603d6bee8", + "B": "frk_rq_69dcffbe8febb9ad32cee3ac" + }, + { + "A": "frk_ct_683f47cc2faa426603d6bee8", + "B": "frk_rq_69dcffbfa920236e68274c8a" + }, + { + "A": "frk_ct_683f47cc2faa426603d6bee8", + "B": "frk_rq_69dcffc0f183d6d459f7374d" + }, + { + "A": "frk_ct_683f44c8074680be528353c1", + "B": "frk_rq_69dcffc0f183d6d459f7374d" + }, + { + "A": "frk_ct_69dd3265dadac07cd88ae96c", + "B": "frk_rq_681fbad250580796989c2740" + }, + { + "A": "frk_ct_69dd3265dadac07cd88ae96c", + "B": "frk_rq_681fbb0582eaf9324e47bf66" + }, + { + "A": "frk_ct_69dd3265dadac07cd88ae96c", + "B": "frk_rq_681fbae74869a7453e32ca50" + }, + { + "A": "frk_ct_69dd3265dadac07cd88ae96c", + "B": "frk_rq_681fbb1b006e7a70070d2530" + }, + { + "A": "frk_ct_69dd3265dadac07cd88ae96c", + "B": "frk_rq_681fbabb950f98ecf6a87401" + }, + { + "A": "frk_ct_69dd33a6c094ddd8a7268013", + "B": "frk_rq_6820cffa8b186b46aeba463e" + }, + { + "A": "frk_ct_69dd33a6c094ddd8a7268013", + "B": "frk_rq_6820cfff003be02cf6f1a966" + }, + { + "A": "frk_ct_69dd33a6c094ddd8a7268013", + "B": "frk_rq_681fd69f2811265875854c99" + }, + { + "A": "frk_ct_69dd33a6c094ddd8a7268013", + "B": "frk_rq_681fd6b64760a2a0e22dca94" + }, + { + "A": "frk_ct_69dd33a6c094ddd8a7268013", + "B": "frk_rq_69dcffb936d930f67bf2acc9" + }, + { + "A": "frk_ct_69dd33a6c094ddd8a7268013", + "B": "frk_rq_69dcffbae18a11fa1fefd5cc" + }, + { + "A": "frk_ct_69ea8dde7453dbed221162e8", + "B": "frk_rq_68cc5bba0a7d17f5e4e79ffc" + }, + { + "A": "frk_ct_69eb876ea13506b36fd63a3e", + "B": "frk_rq_681fe258330b292af74be717" + }, + { + "A": "frk_ct_69f3d97c03fd8213c05dbbde", + "B": "frk_rq_69f3d8fa35b14429dc6a5ae2" + }, + { + "A": "frk_ct_69f3d9808d78f354f8f804b4", + "B": "frk_rq_69f3d8faaaa018c49827ba66" + }, + { + "A": "frk_ct_69f3d981cefe4efa0efe0847", + "B": "frk_rq_69f3d8faaaa018c49827ba66" + }, + { + "A": "frk_ct_69f3d98163541c15c34554c0", + "B": "frk_rq_69f3d8fab461cfff700cd0fc" + }, + { + "A": "frk_ct_69f3d982f21bf2e86c1ef98d", + "B": "frk_rq_69f3d8fab461cfff700cd0fc" + }, + { + "A": "frk_ct_69f3d98d61c5a3ef65a23e20", + "B": "frk_rq_69f3d8fc64fbb4b8bd63a0f7" + }, + { + "A": "frk_ct_69f3d98fd53148ecfa29efa0", + "B": "frk_rq_69f3d8fd143d9729bbe92c18" + }, + { + "A": "frk_ct_69ea8ddf8ba2e517ab4a366d", + "B": "frk_rq_68cc5bc95fa70354cb5631c6" + }, + { + "A": "frk_ct_69ea8ddf2226651c7382d81c", + "B": "frk_rq_68cc5bd5e8781f93897c507f" + }, + { + "A": "frk_ct_69eb876ea13506b36fd63a3e", + "B": "frk_rq_681fe27650feb9e1decf9b8e" + }, + { + "A": "frk_ct_69eb876ea13506b36fd63a3e", + "B": "frk_rq_681fe3516e9d623341576827" + }, + { + "A": "frk_ct_69eb876ea13506b36fd63a3e", + "B": "frk_rq_681fe373eec04bb563a58ebc" + }, + { + "A": "frk_ct_69eb876ea13506b36fd63a3e", + "B": "frk_rq_681fe3e05e9443385b5f512a" + }, + { + "A": "frk_ct_69eb876ea13506b36fd63a3e", + "B": "frk_rq_681fe40489876e2fe301c757" + }, + { + "A": "frk_ct_69eb876ea13506b36fd63a3e", + "B": "frk_rq_681fe569c808990634c7168b" + }, + { + "A": "frk_ct_69f3d97d7c0f6c1d629e8fbf", + "B": "frk_rq_69f3d8fa35b14429dc6a5ae2" + }, + { + "A": "frk_ct_69f3d97fab711de81e99e786", + "B": "frk_rq_69f3d8fa35b14429dc6a5ae2" + }, + { + "A": "frk_ct_69ea8de02be9da8bf00ad0aa", + "B": "frk_rq_68cc5be2faf1c4c90a37c8bc" + }, + { + "A": "frk_ct_69ea8de1bd41309fdbe08e20", + "B": "frk_rq_68cc139ce4e9397e774a970b" + }, + { + "A": "frk_ct_69ea8de302274112e7ccc264", + "B": "frk_rq_68cc13f34b88f4b16f70a060" + }, + { + "A": "frk_ct_69ea8de302274112e7ccc264", + "B": "frk_rq_68cc1424b567f1f8cb7c31f0" + }, + { + "A": "frk_ct_69eb876ea13506b36fd63a3e", + "B": "frk_rq_681fe28e3e639ff197fed198" + }, + { + "A": "frk_ct_69f3d9864551468e007fc4d8", + "B": "frk_rq_69f3d8fb285f6ce15ead0408" + }, + { + "A": "frk_ct_69f3d987482f9da8d882e592", + "B": "frk_rq_69f3d8fb285f6ce15ead0408" + }, + { + "A": "frk_ct_69f3d98847a47dc8f9eacae4", + "B": "frk_rq_69f3d8fb285f6ce15ead0408" + }, + { + "A": "frk_ct_69f3d9891d140c7d3b7d542c", + "B": "frk_rq_69f3d8fb285f6ce15ead0408" + }, + { + "A": "frk_ct_69f3d98b12951c79a1a1cf36", + "B": "frk_rq_69f3d8fca6daba5a2eaddaaa" + }, + { + "A": "frk_ct_69e639b9bf66b5a6ffb17d27", + "B": "frk_rq_681ed29613b703c7f368ffdc" + }, + { + "A": "frk_ct_69e639b9bf66b5a6ffb17d27", + "B": "frk_rq_681ed2a8bda2e236fbc46492" + }, + { + "A": "frk_ct_69e639b9bf66b5a6ffb17d27", + "B": "frk_rq_681ed2be08112d94334bd319" + }, + { + "A": "frk_ct_69e639b9bf66b5a6ffb17d27", + "B": "frk_rq_681ed2c844494f7d1b01fa45" + }, + { + "A": "frk_ct_69ea8de2d97d1f09cc61b896", + "B": "frk_rq_68cc13aebd1f91aa8a6e2288" + }, + { + "A": "frk_ct_69ea8de2d97d1f09cc61b896", + "B": "frk_rq_68cc13c78fe780fd336736f8" + }, + { + "A": "frk_ct_69ea8de302274112e7ccc264", + "B": "frk_rq_68cc13d7452ced814c6e99f0" + }, + { + "A": "frk_ct_69ea8de5cc73e611573e6db4", + "B": "frk_rq_68cc1484d319859ad5a42fc1" + }, + { + "A": "frk_ct_69eb876ea13506b36fd63a3e", + "B": "frk_rq_681fe2c0b70c40a7af7538c1" + }, + { + "A": "frk_ct_69eb876ea13506b36fd63a3e", + "B": "frk_rq_681fe315f94ce26cea6c87de" + }, + { + "A": "frk_ct_69eb876ea13506b36fd63a3e", + "B": "frk_rq_681fe3bfba9f2b5679d07384" + }, + { + "A": "frk_ct_69f3d988421e37ecdc514fc0", + "B": "frk_rq_69f3d8fb285f6ce15ead0408" + }, + { + "A": "frk_ct_69f3d98a95c7623e660bf33d", + "B": "frk_rq_69f3d8fca6daba5a2eaddaaa" + }, + { + "A": "frk_ct_69f3d98c52d9000ac36cc791", + "B": "frk_rq_69f3d8fc64fbb4b8bd63a0f7" + }, + { + "A": "frk_ct_69f3d98e0758e358b1f71b49", + "B": "frk_rq_69f3d8fc64fbb4b8bd63a0f7" + }, + { + "A": "frk_ct_69f3d98f897fe2984e8163e5", + "B": "frk_rq_69f3d8fd143d9729bbe92c18" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed417c678d6e4a72ecc21" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed173c4617d8242804d37" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ecca11f8e93d33110f582" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681eccda0b0048baacc8384f" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681eccf8ea16a6a8c71b2043" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ecea78867657c2a877498" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ecec3bacaf5ec71310399" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681eced25693b9ef01953cda" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ecee267499cb4e89dd597" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ecf02da21ed278b8719a3" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ecef18eb5fc1de4b36922" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ecf0edd81451c5d7f942e" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed058cb46f0ca43f4ac04" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed06702eb40f21d9c3280" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed079b20c266ed3bcae4e" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed083826218fefed135f7" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed09f0d780a205029c6f8" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed0aa105e90005119af94" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed0bfb77656558d34e07c" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed0d7a55af6c0b644188b" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed0e87f1d7e373d990d48" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed0f93b445441d7092481" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed1090eab65d82db8ba3e" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed11ec29b25b1192e96f6" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed1295a639db1210e9237" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed13272f6276ce54c2e23" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed1433a712ae09dc7633b" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed1525f18dab66c1a2203" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed16583aa68b76c80917a" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed1946de8b1beb5d5b987" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed17f36423e887ec130f6" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed1ac19e3e7e1aef48517" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed1d5f29a33fa8735d51c" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed1e1ad96b7f5e1659cab" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed1f09741eeebee147fcb" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed1fe624cd14c34876ee8" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed20a3f7335dd1ec64b6c" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed2170cb1b15f842b6f6d" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed2229fa221e338501d51" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed2314f568a3e5c3f1fbf" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed23c61c97af7967b50c2" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed24aa0809f09c4d22256" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed261918bb47df6590dac" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed277348377c5b5f81649" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed2893326942f0ac88d81" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed29613b703c7f368ffdc" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed2a8bda2e236fbc46492" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed2be08112d94334bd319" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed2c844494f7d1b01fa45" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed2e32d00654588c5103f" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed2f378d4fbe2e39f5f76" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed30003a95e3808397d6d" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed3455f6b6695283a7c72" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed35d6330398a089100c1" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed36f9d1446b067a4990d" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed37df872af70c5430e7f" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed38c0abdd2731880fa6e" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed39e1c2f759d433992a7" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed3ad17d5f7844774977a" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed3b87e88e0a249c2098a" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed3c23adb2d4461dc09da" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed3d0342b5d531935cd62" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed3dc1663fa62052ef548" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed3e78e9b73cb6b279906" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed3f78f28fba67dedc302" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed40ec3b505552b76ce5f" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed423b43ec990bbd5f3b5" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed4316c72a80ff5d1fdc6" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed43f84399c54accb82b9" + }, + { + "A": "frk_ct_69e639b958a20954c4afa186", + "B": "frk_rq_681ed417c678d6e4a72ecc21" + }, + { + "A": "frk_ct_69ea8de6018b6b80d862c906", + "B": "frk_rq_68cc1499a406e703a08e8d8a" + }, + { + "A": "frk_ct_69eb876ea13506b36fd63a3e", + "B": "frk_rq_681fe413d1788e6d2a2e0e70" + }, + { + "A": "frk_ct_69eb876ea13506b36fd63a3e", + "B": "frk_rq_681fecb74a602ca1480b819a" + }, + { + "A": "frk_ct_69eb876ec7f4fc346ff10b12", + "B": "frk_rq_681fe50a602bee19cc6c58de" + }, + { + "A": "frk_ct_69eb876ec7f4fc346ff10b12", + "B": "frk_rq_681fe525546b5f5cbaa4caba" + }, + { + "A": "frk_ct_69eb876f6362393759ecd351", + "B": "frk_rq_681fe614fa8f4da199b1ab38" + }, + { + "A": "frk_ct_69eb876f6362393759ecd351", + "B": "frk_rq_681fe694c60456dba73c3560" + }, + { + "A": "frk_ct_69eb876f3270ed0b11233ece", + "B": "frk_rq_681fe6d4eca9ce895d67b372" + }, + { + "A": "frk_ct_69eb876f3270ed0b11233ece", + "B": "frk_rq_681fe6e799239e3a7cbe2dec" + }, + { + "A": "frk_ct_69eb876f3270ed0b11233ece", + "B": "frk_rq_681fe75f468516745997ca4f" + }, + { + "A": "frk_ct_69f897d2abcbb2cff15807ac", + "B": "frk_rq_681feb51b84ba0badd659fe4" + }, + { + "A": "frk_ct_69e639b958a20954c4afa186", + "B": "frk_rq_681ed3f78f28fba67dedc302" + }, + { + "A": "frk_ct_69e639b958a20954c4afa186", + "B": "frk_rq_681ed40ec3b505552b76ce5f" + }, + { + "A": "frk_ct_69e639b958a20954c4afa186", + "B": "frk_rq_681ed423b43ec990bbd5f3b5" + }, + { + "A": "frk_ct_69e639b958a20954c4afa186", + "B": "frk_rq_681ed4316c72a80ff5d1fdc6" + }, + { + "A": "frk_ct_69e639b958a20954c4afa186", + "B": "frk_rq_681ed43f84399c54accb82b9" + }, + { + "A": "frk_ct_69e639b958a20954c4afa186", + "B": "frk_rq_681ed448a7cfe00afd2b0a19" + }, + { + "A": "frk_ct_69eb876ea13506b36fd63a3e", + "B": "frk_rq_681feccc0a6b9c390f81ccab" + }, + { + "A": "frk_ct_69eb876ec7f4fc346ff10b12", + "B": "frk_rq_681fe4f2409a61f406391e27" + }, + { + "A": "frk_ct_69eb876ec7f4fc346ff10b12", + "B": "frk_rq_681fe87de28c10ea32f74832" + }, + { + "A": "frk_ct_69eb876f6362393759ecd351", + "B": "frk_rq_681fe539da6767ccaa42fd4f" + }, + { + "A": "frk_ct_69eb876f6362393759ecd351", + "B": "frk_rq_681fe62d157ad538df0ac0b7" + }, + { + "A": "frk_ct_69eb876f3270ed0b11233ece", + "B": "frk_rq_681fe74bab9fd5739de31a2c" + }, + { + "A": "frk_ct_69eb87701093fde54e1169dc", + "B": "frk_rq_681fe8577f4153ab83dbedf2" + }, + { + "A": "frk_ct_69eb87701093fde54e1169dc", + "B": "frk_rq_681fe8697bff206f287d79cb" + }, + { + "A": "frk_ct_69eb87703649e5234a56d529", + "B": "frk_rq_681fe89fa3aa895de49e995e" + }, + { + "A": "frk_ct_69eb87703649e5234a56d529", + "B": "frk_rq_681fe8aa3d80a91789ce36c6" + }, + { + "A": "frk_ct_69eb87703649e5234a56d529", + "B": "frk_rq_681fe8b819b58da63cf250ac" + }, + { + "A": "frk_ct_69eb87703649e5234a56d529", + "B": "frk_rq_681fec08c1179a2bfe677069" + }, + { + "A": "frk_ct_69eb87703649e5234a56d529", + "B": "frk_rq_681fec1b32de927d4dbeb093" + }, + { + "A": "frk_ct_69eb87703649e5234a56d529", + "B": "frk_rq_681fec55c16831a6cd91f592" + }, + { + "A": "frk_ct_69eb877091d96bcaeae40219", + "B": "frk_rq_681fe924a5f99c526e7a2e01" + }, + { + "A": "frk_ct_69eb877091d96bcaeae40219", + "B": "frk_rq_681fe96d757fb6b5c75cdf76" + }, + { + "A": "frk_ct_69eb87717ae82d509fb927ed", + "B": "frk_rq_681fea39308dba0a946b8ec8" + }, + { + "A": "frk_ct_69eb87717ae82d509fb927ed", + "B": "frk_rq_681fea57826a6f30eba2db5c" + }, + { + "A": "frk_ct_69e639b958a20954c4afa186", + "B": "frk_rq_681ed4019aa553be924ee291" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed448a7cfe00afd2b0a19" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed45b92c3b3f329d3858f" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed46ff23ef8614d7f3042" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed47bac3dee3588290b04" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed48f152068a490f317ac" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed61f357c7bf776300aa7" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed62a1ad145f4554d4068" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed6347b1e6eea717482ca" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed6497c1e390fe89f0dfa" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed651d81e6c51934134bc" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed65bb490440ea4f3b552" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed663b850258024b0b236" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed66d77af963d9763adeb" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed6761e8f45c900e60be3" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed686b626f985dac54c52" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed69ce5f84cf315240f7a" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed6a5d1683d54c08f7084" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed6afecd253fe6c3c060a" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed6ba79910ff5b9c7d76f" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed6c7eee985561d1f4d9b" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed6d277a609269207598d" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed6dc2a941d8ed887fa01" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed6eab8348ae42e9622d2" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed6f360678a6cf25345b2" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed6fbb7447647d630bfac" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed70245119fe4e1943d4a" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed70cd5e3fc570dd75770" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed713c378baffc34d25f5" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed71f9deddd61109308dd" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed7326db82252ea6faa67" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed739dc6d14f4ad5d95d2" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed74124bbe51a72d0c154" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed748dab9fd6d58f20964" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed7532959ec62c8ae815c" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed76e19cca49a6ac49bf8" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed7794b363009725bab5b" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed781b79f824466be5394" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed789b359f075b12e20c0" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed7901ab04aa5a1d27890" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed799ca7b40e2d8ed55ba" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed7b407395dfc68ff955d" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed7c75e421b346480e046" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed7ce83ab2029a9dc414c" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed7d719388daff946a68d" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed7de305465fe226fc39d" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed4019aa553be924ee291" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed7e50f718eb161dd5605" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed80ab572359972e06ace" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed813388d3297b3ed3e73" + }, + { + "A": "frk_ct_69e639b90a3bf8c1443cbf5b", + "B": "frk_rq_681ed81d5e01d43ada52ffae" + }, + { + "A": "frk_ct_69eb87703649e5234a56d529", + "B": "frk_rq_681feb8df6c8f41d44a9e287" + }, + { + "A": "frk_ct_69eb87703649e5234a56d529", + "B": "frk_rq_681febd6a160cdcafacbc30a" + }, + { + "A": "frk_ct_69eb87703649e5234a56d529", + "B": "frk_rq_681febf659324baa56a6a189" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ecec3bacaf5ec71310399" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681eced25693b9ef01953cda" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ecee267499cb4e89dd597" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ecf02da21ed278b8719a3" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ecef18eb5fc1de4b36922" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ecf0edd81451c5d7f942e" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed058cb46f0ca43f4ac04" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed06702eb40f21d9c3280" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed079b20c266ed3bcae4e" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed083826218fefed135f7" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed09f0d780a205029c6f8" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed0aa105e90005119af94" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed0bfb77656558d34e07c" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed0d7a55af6c0b644188b" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed0e87f1d7e373d990d48" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed0f93b445441d7092481" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed1090eab65d82db8ba3e" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed11ec29b25b1192e96f6" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed1295a639db1210e9237" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed13272f6276ce54c2e23" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed1433a712ae09dc7633b" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed1525f18dab66c1a2203" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed16583aa68b76c80917a" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed1946de8b1beb5d5b987" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed17f36423e887ec130f6" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed1ac19e3e7e1aef48517" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed1d5f29a33fa8735d51c" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed1e1ad96b7f5e1659cab" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed1f09741eeebee147fcb" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed1fe624cd14c34876ee8" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed20a3f7335dd1ec64b6c" + }, + { + "A": "frk_ct_69eb877091d96bcaeae40219", + "B": "frk_rq_681fe90ba7477425a75f2993" + }, + { + "A": "frk_ct_69e639b9d5ced482c12ae932", + "B": "frk_rq_681ed781b79f824466be5394" + }, + { + "A": "frk_ct_69e639b9d5ced482c12ae932", + "B": "frk_rq_681ed789b359f075b12e20c0" + }, + { + "A": "frk_ct_69e639b9d5ced482c12ae932", + "B": "frk_rq_681ed7901ab04aa5a1d27890" + }, + { + "A": "frk_ct_69e639b9d5ced482c12ae932", + "B": "frk_rq_681ed799ca7b40e2d8ed55ba" + }, + { + "A": "frk_ct_69e639b9d5ced482c12ae932", + "B": "frk_rq_681ed7b407395dfc68ff955d" + }, + { + "A": "frk_ct_69e639b9d5ced482c12ae932", + "B": "frk_rq_681ed7c75e421b346480e046" + }, + { + "A": "frk_ct_69e639b9d5ced482c12ae932", + "B": "frk_rq_681ed7ce83ab2029a9dc414c" + }, + { + "A": "frk_ct_69e639b9d5ced482c12ae932", + "B": "frk_rq_681ed7d719388daff946a68d" + }, + { + "A": "frk_ct_69e639b9d5ced482c12ae932", + "B": "frk_rq_681ed7de305465fe226fc39d" + }, + { + "A": "frk_ct_69e639b9d5ced482c12ae932", + "B": "frk_rq_681ed4019aa553be924ee291" + }, + { + "A": "frk_ct_69e639b9d5ced482c12ae932", + "B": "frk_rq_681ed7e50f718eb161dd5605" + }, + { + "A": "frk_ct_69e639b9d5ced482c12ae932", + "B": "frk_rq_681ed80ab572359972e06ace" + }, + { + "A": "frk_ct_69e639b9d5ced482c12ae932", + "B": "frk_rq_681ed813388d3297b3ed3e73" + }, + { + "A": "frk_ct_69e639b9d5ced482c12ae932", + "B": "frk_rq_681ed81d5e01d43ada52ffae" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed417c678d6e4a72ecc21" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed173c4617d8242804d37" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ecca11f8e93d33110f582" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681eccda0b0048baacc8384f" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681eccf8ea16a6a8c71b2043" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ecea78867657c2a877498" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ecec3bacaf5ec71310399" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681eced25693b9ef01953cda" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ecee267499cb4e89dd597" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ecf02da21ed278b8719a3" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ecef18eb5fc1de4b36922" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ecf0edd81451c5d7f942e" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed058cb46f0ca43f4ac04" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed06702eb40f21d9c3280" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed079b20c266ed3bcae4e" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed083826218fefed135f7" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed09f0d780a205029c6f8" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed0aa105e90005119af94" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed0bfb77656558d34e07c" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed0d7a55af6c0b644188b" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed0e87f1d7e373d990d48" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed0f93b445441d7092481" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed1090eab65d82db8ba3e" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed11ec29b25b1192e96f6" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed2170cb1b15f842b6f6d" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed2229fa221e338501d51" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed2314f568a3e5c3f1fbf" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed23c61c97af7967b50c2" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed24aa0809f09c4d22256" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed261918bb47df6590dac" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed277348377c5b5f81649" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed2893326942f0ac88d81" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed29613b703c7f368ffdc" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed2a8bda2e236fbc46492" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed2be08112d94334bd319" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed2c844494f7d1b01fa45" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed2e32d00654588c5103f" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed2f378d4fbe2e39f5f76" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed30003a95e3808397d6d" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed3455f6b6695283a7c72" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed35d6330398a089100c1" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed36f9d1446b067a4990d" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed37df872af70c5430e7f" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed38c0abdd2731880fa6e" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed39e1c2f759d433992a7" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed3ad17d5f7844774977a" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed3b87e88e0a249c2098a" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed3c23adb2d4461dc09da" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed3d0342b5d531935cd62" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed3dc1663fa62052ef548" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed3e78e9b73cb6b279906" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed3f78f28fba67dedc302" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed40ec3b505552b76ce5f" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed423b43ec990bbd5f3b5" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed4316c72a80ff5d1fdc6" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed43f84399c54accb82b9" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed448a7cfe00afd2b0a19" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed45b92c3b3f329d3858f" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed46ff23ef8614d7f3042" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed47bac3dee3588290b04" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed48f152068a490f317ac" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed61f357c7bf776300aa7" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed62a1ad145f4554d4068" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed6347b1e6eea717482ca" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed6497c1e390fe89f0dfa" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed651d81e6c51934134bc" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed65bb490440ea4f3b552" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed663b850258024b0b236" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed66d77af963d9763adeb" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed6761e8f45c900e60be3" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed686b626f985dac54c52" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed69ce5f84cf315240f7a" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed6a5d1683d54c08f7084" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed6afecd253fe6c3c060a" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed6ba79910ff5b9c7d76f" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed6c7eee985561d1f4d9b" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed6d277a609269207598d" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed6dc2a941d8ed887fa01" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed6eab8348ae42e9622d2" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed6f360678a6cf25345b2" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed6fbb7447647d630bfac" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed70245119fe4e1943d4a" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed70cd5e3fc570dd75770" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed713c378baffc34d25f5" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed71f9deddd61109308dd" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed7326db82252ea6faa67" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed739dc6d14f4ad5d95d2" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed74124bbe51a72d0c154" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed748dab9fd6d58f20964" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed7532959ec62c8ae815c" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed76e19cca49a6ac49bf8" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed7794b363009725bab5b" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed781b79f824466be5394" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed789b359f075b12e20c0" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed7901ab04aa5a1d27890" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed799ca7b40e2d8ed55ba" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed7b407395dfc68ff955d" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed7c75e421b346480e046" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed7ce83ab2029a9dc414c" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed7d719388daff946a68d" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed7de305465fe226fc39d" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed4019aa553be924ee291" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed7e50f718eb161dd5605" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed80ab572359972e06ace" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed813388d3297b3ed3e73" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_rq_681ed81d5e01d43ada52ffae" + }, + { + "A": "frk_ct_69eb877091d96bcaeae40219", + "B": "frk_rq_681fe936fa81524e6aeca7c5" + }, + { + "A": "frk_ct_69eb877091d96bcaeae40219", + "B": "frk_rq_681fe9465c707c6339b9b335" + }, + { + "A": "frk_ct_69eb87717ae82d509fb927ed", + "B": "frk_rq_681fea2c2d9331380c8b215f" + }, + { + "A": "frk_ct_68406fc94e08f884cc085ded", + "B": "frk_rq_681feb3ed01dfe41d1902a2b" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed1295a639db1210e9237" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed13272f6276ce54c2e23" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed1433a712ae09dc7633b" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed1525f18dab66c1a2203" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed16583aa68b76c80917a" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed1946de8b1beb5d5b987" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed17f36423e887ec130f6" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed1ac19e3e7e1aef48517" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed1d5f29a33fa8735d51c" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed1e1ad96b7f5e1659cab" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed1f09741eeebee147fcb" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed1fe624cd14c34876ee8" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed20a3f7335dd1ec64b6c" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed2170cb1b15f842b6f6d" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed2229fa221e338501d51" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed2314f568a3e5c3f1fbf" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed23c61c97af7967b50c2" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed24aa0809f09c4d22256" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed261918bb47df6590dac" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed277348377c5b5f81649" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed2893326942f0ac88d81" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed29613b703c7f368ffdc" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed2a8bda2e236fbc46492" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed2be08112d94334bd319" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed2c844494f7d1b01fa45" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed2e32d00654588c5103f" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed2f378d4fbe2e39f5f76" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed30003a95e3808397d6d" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed3455f6b6695283a7c72" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed35d6330398a089100c1" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed36f9d1446b067a4990d" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed37df872af70c5430e7f" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed38c0abdd2731880fa6e" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed39e1c2f759d433992a7" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed3ad17d5f7844774977a" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed3b87e88e0a249c2098a" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed3c23adb2d4461dc09da" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed3d0342b5d531935cd62" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed3dc1663fa62052ef548" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed3e78e9b73cb6b279906" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed3f78f28fba67dedc302" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed40ec3b505552b76ce5f" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed423b43ec990bbd5f3b5" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed4316c72a80ff5d1fdc6" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed43f84399c54accb82b9" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed448a7cfe00afd2b0a19" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed45b92c3b3f329d3858f" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed46ff23ef8614d7f3042" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed47bac3dee3588290b04" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed48f152068a490f317ac" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed61f357c7bf776300aa7" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed62a1ad145f4554d4068" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed6347b1e6eea717482ca" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed6497c1e390fe89f0dfa" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed651d81e6c51934134bc" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed65bb490440ea4f3b552" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed663b850258024b0b236" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed66d77af963d9763adeb" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed6761e8f45c900e60be3" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed686b626f985dac54c52" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed69ce5f84cf315240f7a" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed6a5d1683d54c08f7084" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed6afecd253fe6c3c060a" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed6ba79910ff5b9c7d76f" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed6c7eee985561d1f4d9b" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed6d277a609269207598d" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed6dc2a941d8ed887fa01" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed6eab8348ae42e9622d2" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed6f360678a6cf25345b2" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed6fbb7447647d630bfac" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed70245119fe4e1943d4a" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed70cd5e3fc570dd75770" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed713c378baffc34d25f5" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed71f9deddd61109308dd" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed7326db82252ea6faa67" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed739dc6d14f4ad5d95d2" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed74124bbe51a72d0c154" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed748dab9fd6d58f20964" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed7532959ec62c8ae815c" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed76e19cca49a6ac49bf8" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed7794b363009725bab5b" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed781b79f824466be5394" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed789b359f075b12e20c0" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed7901ab04aa5a1d27890" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed799ca7b40e2d8ed55ba" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed7b407395dfc68ff955d" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed7c75e421b346480e046" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed7ce83ab2029a9dc414c" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed7d719388daff946a68d" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed7de305465fe226fc39d" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed4019aa553be924ee291" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed7e50f718eb161dd5605" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed80ab572359972e06ace" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed813388d3297b3ed3e73" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_rq_681ed81d5e01d43ada52ffae" + }, + { + "A": "frk_ct_683f43a65de3b6044e63220f", + "B": "frk_rq_69efa5b70d056f596dc2a7ae" } ] \ No newline at end of file diff --git a/packages/db/prisma/seed/relations/_FrameworkEditorControlTemplateToFrameworkEditorTaskTemplate.json b/packages/db/prisma/seed/relations/_FrameworkEditorControlTemplateToFrameworkEditorTaskTemplate.json index accdeed941..b0cf084daf 100644 --- a/packages/db/prisma/seed/relations/_FrameworkEditorControlTemplateToFrameworkEditorTaskTemplate.json +++ b/packages/db/prisma/seed/relations/_FrameworkEditorControlTemplateToFrameworkEditorTaskTemplate.json @@ -27,13 +27,17 @@ "A": "frk_ct_683f4dd564057a97ae323c9f", "B": "frk_tt_68406e7abae2a9b16c2cc197" }, + { + "A": "frk_ct_69e918e7f403f696c2577de1", + "B": "frk_tt_69e92cc75996378b01b27ec9" + }, { "A": "frk_ct_684071e280c4e0f777b957f7", "B": "frk_tt_6840791cac0a7b780dbaf932" }, { - "A": "frk_ct_684070f0b4f6c2036306e23c", - "B": "frk_tt_6849aad98c50d734dd904d98" + "A": "frk_ct_69e918e7f7739946f5034799", + "B": "frk_tt_69e92cc75996378b01b27ec9" }, { "A": "frk_ct_6849c343d7fbe4e71446ce78", @@ -55,10 +59,6 @@ "A": "frk_ct_683f4ae4acbd63d0e558a6f5", "B": "frk_tt_68406cd9dde2d8cd4c463fe0" }, - { - "A": "frk_ct_683f4d7360a876b972aba39a", - "B": "frk_tt_68406e353df3bc002994acef" - }, { "A": "frk_ct_683f50aae46f5e4e096e6bb3", "B": "frk_tt_68406eedf0f0ddd220ea19c2" @@ -80,44 +80,40 @@ "B": "frk_tt_6849c1a1038c3f18cfff47bf" }, { - "A": "frk_ct_68b59e50eeb9f92ce425327c", - "B": "frk_tt_68b59e7a29bec89c57014868" - }, - { - "A": "frk_ct_68b59a16b172e5c360e57536", - "B": "frk_tt_68b5ce9b5393ae083c3beadf" + "A": "frk_ct_69e918eb724c553d2e5749ea", + "B": "frk_tt_69e92cc75996378b01b27ec9" }, { - "A": "frk_ct_68b59a16b172e5c360e57536", - "B": "frk_tt_68b5ce9d508cacf8e4517b56" + "A": "frk_ct_69ea8db0b7f88f1ce0079240", + "B": "frk_tt_69ea9161097ef7eb142b70ff" }, { - "A": "frk_ct_68b59a16b172e5c360e57536", - "B": "frk_tt_68b5ce9c6c1bdb171870f623" + "A": "frk_ct_69ea8db2c7ed1af765c5981d", + "B": "frk_tt_69ea916227fbbb6a722126b6" }, { - "A": "frk_ct_68b59a16b172e5c360e57536", - "B": "frk_tt_68406b4f40c87c12ae0479ce" + "A": "frk_ct_69ea8db62ab22968f85f85f6", + "B": "frk_tt_69ea9164c6574221a69e1107" }, { - "A": "frk_ct_68b59a16b172e5c360e57536", - "B": "frk_tt_6840791cac0a7b780dbaf932" + "A": "frk_ct_69ea8dc2e0fd4e97481baafd", + "B": "frk_tt_69ea9166fd0793a689981939" }, { - "A": "frk_ct_68b59a16b172e5c360e57536", - "B": "frk_tt_6849aad98c50d734dd904d98" + "A": "frk_ct_69ea8dd44d3b368f85df728c", + "B": "frk_tt_69ea9166fd0793a689981939" }, { - "A": "frk_ct_68b59a16b172e5c360e57536", - "B": "frk_tt_68406e353df3bc002994acef" + "A": "frk_ct_69ea8dc3a37b3f833dc7d6f3", + "B": "frk_tt_69ea9167679a59212c7db16f" }, { - "A": "frk_ct_68b59a16b172e5c360e57536", - "B": "frk_tt_68406af04a4acb93083413b9" + "A": "frk_ct_69ea8dc667172a41022fcf27", + "B": "frk_tt_69ea91684c77e2310a928a7a" }, { - "A": "frk_ct_68b59a16b172e5c360e57536", - "B": "frk_tt_68406d2e86acc048d1774ea6" + "A": "frk_ct_69ea8dc6f10b53075c3beacb", + "B": "frk_tt_69ea916984bd6ff9ec7fd09b" }, { "A": "frk_ct_68c1eb1c5f317f452216e2d7", @@ -171,10 +167,6 @@ "A": "frk_ct_68c1eb1c5f317f452216e2d7", "B": "frk_tt_68407ae5274a64092c305104" }, - { - "A": "frk_ct_68c1eb1c5f317f452216e2d7", - "B": "frk_tt_6849aad98c50d734dd904d98" - }, { "A": "frk_ct_68c1eb1c5f317f452216e2d7", "B": "frk_tt_6849c1a1038c3f18cfff47bf" @@ -191,14 +183,6 @@ "A": "frk_ct_68c1eb1c5f317f452216e2d7", "B": "frk_tt_68c332c3bc6d696bb61e7351" }, - { - "A": "frk_ct_683f41e775f4ca03d8f6bae2", - "B": "frk_tt_68c8309516fdbc514404988d" - }, - { - "A": "frk_ct_683f4036b541126388e2989a", - "B": "frk_tt_68c8309516fdbc514404988d" - }, { "A": "frk_ct_68cc25ac90e3fe79c1beb98d", "B": "frk_tt_68cc25658bacb2ccff56adf9" @@ -279,14 +263,6 @@ "A": "frk_ct_68e1364141d03b5e6d70e728", "B": "frk_tt_68e1d5667f2b14a9b0c2daf8" }, - { - "A": "frk_ct_68e1364141d03b5e6d70e728", - "B": "frk_tt_68e1d619944625cc1876540c" - }, - { - "A": "frk_ct_68e1364141d03b5e6d70e728", - "B": "frk_tt_68b59e7a29bec89c57014868" - }, { "A": "frk_ct_68e1364141d03b5e6d70e728", "B": "frk_tt_68d28f68f117d45c0adcba33" @@ -323,14 +299,6 @@ "A": "frk_ct_68b59e50eeb9f92ce425327c", "B": "frk_tt_68e52b26b166e2c0a0d11956" }, - { - "A": "frk_ct_68b59e50eeb9f92ce425327c", - "B": "frk_tt_68e52b274a7c38c62db08e80" - }, - { - "A": "frk_ct_68b59e50eeb9f92ce425327c", - "B": "frk_tt_68e52b27c4bdbf1b24051b8b" - }, { "A": "frk_ct_68b59e50eeb9f92ce425327c", "B": "frk_tt_68e52a484cad0014de7a628f" @@ -339,33 +307,33 @@ "A": "frk_ct_683f4a410cf5bf6d40bf3583", "B": "frk_tt_68e805457c2dcc784e72e3cc" }, - { - "A": "frk_ct_683f4a410cf5bf6d40bf3583", - "B": "frk_tt_68e80544d9734e0402cfa807" - }, { "A": "frk_ct_68e8079750107bcc63fc79d9", "B": "frk_tt_68e52b26bf0e656af9e4e9c3" }, { - "A": "frk_ct_68e80a11f225cb2253e31fa0", - "B": "frk_tt_68e52b274a7c38c62db08e80" + "A": "frk_ct_69ea8dcaa9b51a2b1e5f2abd", + "B": "frk_tt_68cc25658bacb2ccff56adf9" }, { - "A": "frk_ct_68e80a11f225cb2253e31fa0", - "B": "frk_tt_68e52b27c4bdbf1b24051b8b" + "A": "frk_ct_69ea8dc8ec4ced8e76b114c0", + "B": "frk_tt_69ea916a881ab0d59e67c930" }, { "A": "frk_ct_683f47cc2faa426603d6bee8", "B": "frk_tt_68e52b269db179c434734766" }, { - "A": "frk_ct_683f47cc2faa426603d6bee8", - "B": "frk_tt_68e80545a8b432bc59eb8037" + "A": "frk_ct_69ea8dcb210958cb72f499f2", + "B": "frk_tt_69ea916b05b146a8a544c406" }, { - "A": "frk_ct_683f484fc7b5506ab97c26af", - "B": "frk_tt_69033a6bfeb4759be36257bc" + "A": "frk_ct_69ea8dcd4cffcf9dd949ca02", + "B": "frk_tt_69ea916c7b0b9487da3dbe78" + }, + { + "A": "frk_ct_69ea8dcfcba021703a55bf97", + "B": "frk_tt_69ea916f42193436fb7b55de" }, { "A": "frk_ct_68407122565b1968676d93db", @@ -384,8 +352,8 @@ "B": "frk_tt_6901e0aa6d3f2bbab1ea5b84" }, { - "A": "frk_ct_683f42c71eea99f22f9df060", - "B": "frk_tt_69033a6bfeb4759be36257bc" + "A": "frk_ct_69ea8dd5a750b30e2eb69d18", + "B": "frk_tt_69ea9173e73c9a96895468c8" }, { "A": "frk_ct_684070f0b4f6c2036306e23c", @@ -416,8 +384,8 @@ "B": "frk_tt_691e6d9c3d9e14f014b75a7b" }, { - "A": "frk_ct_691e53f4024ab9cc096bbc70", - "B": "frk_tt_691e6d9df70eabe2354b444d" + "A": "frk_ct_69ea8ddce361e7f7eb0fc2b9", + "B": "frk_tt_69ea9178aaa6c6a7058c0fcf" }, { "A": "frk_ct_691e53f4024ab9cc096bbc70", @@ -430,5 +398,861 @@ { "A": "frk_ct_691e53f4024ab9cc096bbc70", "B": "frk_tt_691e6d9cb17ea23bfc68c57b" + }, + { + "A": "frk_ct_69becde6133891181f5fbfe1", + "B": "frk_tt_68406cd9dde2d8cd4c463fe0" + }, + { + "A": "frk_ct_69ea8dddda00d3522c538085", + "B": "frk_tt_69ea91794c21fc8f347cdddd" + }, + { + "A": "frk_ct_69ea8ddf8ba2e517ab4a366d", + "B": "frk_tt_69ea917abdbda1fa183386d2" + }, + { + "A": "frk_ct_69dd33a6d12ae294a95e9ac1", + "B": "frk_tt_68406903839203801ac8041a" + }, + { + "A": "frk_ct_69dd33a6d12ae294a95e9ac1", + "B": "frk_tt_69dd3f6094fc732d635210ae" + }, + { + "A": "frk_ct_69dd33a6c094ddd8a7268013", + "B": "frk_tt_69dd3f8f62639b078e7cc061" + }, + { + "A": "frk_ct_69dd3265dadac07cd88ae96c", + "B": "frk_tt_69dd3fb7c4f015f0b5851eb0" + }, + { + "A": "frk_ct_69dd33a73264cb77236367ba", + "B": "frk_tt_69dd3fe1317ecf573a463bbb" + }, + { + "A": "frk_ct_69dd33a74b6fd1d459c4af20", + "B": "frk_tt_69dd400bdc718337e0354ff7" + }, + { + "A": "frk_ct_69e639b9148c96a37c8936fc", + "B": "frk_tt_68d28f68f117d45c0adcba33" + }, + { + "A": "frk_ct_69e639b96ad6c5e729676acb", + "B": "frk_tt_68e52b2618cb9d9722c6edfd" + }, + { + "A": "frk_ct_69e639b958a20954c4afa186", + "B": "frk_tt_68406951bd282273ebe286cc" + }, + { + "A": "frk_ct_69e639b958a20954c4afa186", + "B": "frk_tt_68e52b27c4bdbf1b24051b8b" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_tt_68407ae5274a64092c305104" + }, + { + "A": "frk_ct_69e669af7fd9ef27754dc041", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_69ea8de302274112e7ccc264", + "B": "frk_tt_69ea917c23d26cfe23eb8fca" + }, + { + "A": "frk_ct_69ea8dbfb341d9b1021c8897", + "B": "frk_tt_68cc301a8fd914534ab95b11" + }, + { + "A": "frk_ct_69ea8dc048654718cfb1d12c", + "B": "frk_tt_68cc30fbbeabb8a4c2f56082" + }, + { + "A": "frk_ct_69e918e805776785f8f80a14", + "B": "frk_tt_68406d2e86acc048d1774ea6" + }, + { + "A": "frk_ct_69ea8dc718a407d992cda795", + "B": "frk_tt_68cc327ff5d3130a1b42420b" + }, + { + "A": "frk_ct_69ea8dcaa9b51a2b1e5f2abd", + "B": "frk_tt_68cc395b90e179fe3209b795" + }, + { + "A": "frk_ct_69ea8dbccf28e8a000ba1934", + "B": "frk_tt_68cc3ffab3fb703917f51e19" + }, + { + "A": "frk_ct_69ea8de5cc73e611573e6db4", + "B": "frk_tt_68cc459ed57b70a4cb631e72" + }, + { + "A": "frk_ct_69ea8dd148f84ea6656bce7d", + "B": "frk_tt_68406af04a4acb93083413b9" + }, + { + "A": "frk_ct_69ea8de1bd41309fdbe08e20", + "B": "frk_tt_68406af04a4acb93083413b9" + }, + { + "A": "frk_ct_69ea8dc5682f9f3146944252", + "B": "frk_tt_68406951bd282273ebe286cc" + }, + { + "A": "frk_ct_69ea8db16a12eecb3f3a5ecb", + "B": "frk_tt_6840791cac0a7b780dbaf932" + }, + { + "A": "frk_ct_69ea8dd9462f30b929260abf", + "B": "frk_tt_6840791cac0a7b780dbaf932" + }, + { + "A": "frk_ct_69ea8ddbb737f1f09bbcd82e", + "B": "frk_tt_6840791cac0a7b780dbaf932" + }, + { + "A": "frk_ct_69ea8de02be9da8bf00ad0aa", + "B": "frk_tt_68406a514e90bb6e32e0b107" + }, + { + "A": "frk_ct_69ea8dccd7c01c6d2503448b", + "B": "frk_tt_68406d64f09f13271c14dd01" + }, + { + "A": "frk_ct_69ea8dc4c401188497d417c2", + "B": "frk_tt_68406d2e86acc048d1774ea6" + }, + { + "A": "frk_ct_69e918ea7bd6df3b3cdd2ddc", + "B": "frk_tt_68b5ce9b5393ae083c3beadf" + }, + { + "A": "frk_ct_69eb876ea13506b36fd63a3e", + "B": "frk_tt_69eb875e9567b702dbb7f05e" + }, + { + "A": "frk_ct_69eb876ea13506b36fd63a3e", + "B": "frk_tt_69eb87606cb315ebeb98ea49" + }, + { + "A": "frk_ct_69eb876ec7f4fc346ff10b12", + "B": "frk_tt_69eb875d77ef6407785a500f" + }, + { + "A": "frk_ct_69eb876f6362393759ecd351", + "B": "frk_tt_68406ca292d9fffb264991b9" + }, + { + "A": "frk_ct_69eb876f6362393759ecd351", + "B": "frk_tt_68e805457c2dcc784e72e3cc" + }, + { + "A": "frk_ct_69eb876f3270ed0b11233ece", + "B": "frk_tt_69eb8761ff2b2d874ae2a4da" + }, + { + "A": "frk_ct_69eb87701093fde54e1169dc", + "B": "frk_tt_68e52b269db179c434734766" + }, + { + "A": "frk_ct_69eb87703649e5234a56d529", + "B": "frk_tt_69eb875e71616f3b8a9fadde" + }, + { + "A": "frk_ct_69eb877091d96bcaeae40219", + "B": "frk_tt_6901e041bb02b41fa3b7dca9" + }, + { + "A": "frk_ct_69efd5d2b0758b1e1c1b6d87", + "B": "frk_tt_69efd9de89f2f4d93e527127" + }, + { + "A": "frk_ct_69efd5c84ccf6f3f5bbe29bd", + "B": "frk_tt_69efd9e2f40bdd1dd45c057e" + }, + { + "A": "frk_ct_69e918ea7bd6df3b3cdd2ddc", + "B": "frk_tt_68b5ce9c6c1bdb171870f623" + }, + { + "A": "frk_ct_69e918eaa930d07ea41dd0d0", + "B": "frk_tt_68b5ce9c6c1bdb171870f623" + }, + { + "A": "frk_ct_69efd5a6e66d4c6c92fdd3df", + "B": "frk_tt_69efd9e45e6f00c44f622173" + }, + { + "A": "frk_ct_69efd5a87004249e7b6e62af", + "B": "frk_tt_69efd9e45e6f00c44f622173" + }, + { + "A": "frk_ct_69efd5b3cdfebf7ee46a5cf7", + "B": "frk_tt_69efd9e45e6f00c44f622173" + }, + { + "A": "frk_ct_69efd5aac8f24094878ff701", + "B": "frk_tt_69efd9ef3ff6e8fed0fc0028" + }, + { + "A": "frk_ct_69efd5e12d61c6019d213f60", + "B": "frk_tt_69efd9f81f073e643fb5a19d" + }, + { + "A": "frk_ct_69efd5e395082fabf04e53b7", + "B": "frk_tt_69efd9f81f073e643fb5a19d" + }, + { + "A": "frk_ct_69efd5ee3eb484fc081cd20a", + "B": "frk_tt_69efd9f81f073e643fb5a19d" + }, + { + "A": "frk_ct_69e918e94e68c0fb15ee98d0", + "B": "frk_tt_68406af04a4acb93083413b9" + }, + { + "A": "frk_ct_69e918e8c57e2f6756c995ca", + "B": "frk_tt_68406af04a4acb93083413b9" + }, + { + "A": "frk_ct_69efd5b3cdfebf7ee46a5cf7", + "B": "frk_tt_69efd9f81f073e643fb5a19d" + }, + { + "A": "frk_ct_69efd5a6e66d4c6c92fdd3df", + "B": "frk_tt_69efdbcee1d3e72ee6873ed1" + }, + { + "A": "frk_ct_69efd5a87004249e7b6e62af", + "B": "frk_tt_69efdbcee1d3e72ee6873ed1" + }, + { + "A": "frk_ct_69ea8daea335821ba4148123", + "B": "frk_tt_69ea915ebae9e6858fa4fa07" + }, + { + "A": "frk_ct_69ea8daf133ebd28ca732b9d", + "B": "frk_tt_69ea915f44950702d9f7733c" + }, + { + "A": "frk_ct_69ea8db3571415b8485b6976", + "B": "frk_tt_69ea9163eb166db383bb2140" + }, + { + "A": "frk_ct_69ea8dbdbd2ce5e539a326fa", + "B": "frk_tt_69ea9165056eb451ccc79c0f" + }, + { + "A": "frk_ct_69ea8dcef8ff3c2ed55ea14a", + "B": "frk_tt_69ea916e273fdb8732d89fc6" + }, + { + "A": "frk_ct_69ea8dd148f84ea6656bce7d", + "B": "frk_tt_69ea917069457debb719152e" + }, + { + "A": "frk_ct_69ea8dd28d9b23fd806840e7", + "B": "frk_tt_69ea917139f2541637597cc4" + }, + { + "A": "frk_ct_69e918e94e68c0fb15ee98d0", + "B": "frk_tt_68406b4f40c87c12ae0479ce" + }, + { + "A": "frk_ct_69ea8dd38d7945cd54758b49", + "B": "frk_tt_69ea91725a27f56747512056" + }, + { + "A": "frk_ct_69ea8dd54053dfd453b9dc4a", + "B": "frk_tt_69ea9174fe7e40c0405cd057" + }, + { + "A": "frk_ct_69ea8dd6097d1766ac51e294", + "B": "frk_tt_69ea9175640d0bbbddde05a7" + }, + { + "A": "frk_ct_69ea8dd7f551ad7a56706b46", + "B": "frk_tt_69ea91761c04c37d4f867908" + }, + { + "A": "frk_ct_69ea8dde7453dbed221162e8", + "B": "frk_tt_69ea91773112b091b458de8d" + }, + { + "A": "frk_ct_69ea8ddf2226651c7382d81c", + "B": "frk_tt_69ea917b78c7fc9f3c659a90" + }, + { + "A": "frk_ct_69ea8dac2ff1cd0bfe0c8614", + "B": "frk_tt_68cc25658bacb2ccff56adf9" + }, + { + "A": "frk_ct_69ea8dad9910710084d184a2", + "B": "frk_tt_68cc27431d1266e3c77d7c0f" + }, + { + "A": "frk_ct_69e918e7f7739946f5034799", + "B": "frk_tt_6840791cac0a7b780dbaf932" + }, + { + "A": "frk_ct_69ea8db4a22bb4f0e4c649e1", + "B": "frk_tt_68cc2ce9cb0d2a4774975ace" + }, + { + "A": "frk_ct_69ea8db92daf193f6aba0348", + "B": "frk_tt_68cc2f30b51920e5515465e6" + }, + { + "A": "frk_ct_69ea8dbe99f14797e50f9685", + "B": "frk_tt_68cc2fa423533e602e4dee25" + }, + { + "A": "frk_ct_69ea8dc1f55bd5e338716f16", + "B": "frk_tt_68cc30fbbeabb8a4c2f56082" + }, + { + "A": "frk_ct_69ea8db77c8dd4b36c9ac007", + "B": "frk_tt_68cc39efd7916e240451cae5" + }, + { + "A": "frk_ct_69ea8db865093703fdf71fc7", + "B": "frk_tt_68cc3f427e309607f1ad5ba4" + }, + { + "A": "frk_ct_69ea8dbbf19cd6ba156e97bd", + "B": "frk_tt_68cc3ffab3fb703917f51e19" + }, + { + "A": "frk_ct_69e918eb724c553d2e5749ea", + "B": "frk_tt_6840791cac0a7b780dbaf932" + }, + { + "A": "frk_ct_69ea8de2d97d1f09cc61b896", + "B": "frk_tt_68cc4190caf0b458effcee6e" + }, + { + "A": "frk_ct_69e918e6d72a45b4f933a112", + "B": "frk_tt_68b5ce9d508cacf8e4517b56" + }, + { + "A": "frk_ct_69ea8de2d97d1f09cc61b896", + "B": "frk_tt_68cc41ad7cbd2839c0bc7104" + }, + { + "A": "frk_ct_69ea8dda97d0010af0cf826d", + "B": "frk_tt_68406b4f40c87c12ae0479ce" + }, + { + "A": "frk_ct_69ea8de6018b6b80d862c906", + "B": "frk_tt_68406b4f40c87c12ae0479ce" + }, + { + "A": "frk_ct_69ea8dd8aa91ceac379fa2c3", + "B": "frk_tt_6840791cac0a7b780dbaf932" + }, + { + "A": "frk_ct_69ea8db5182a7a6a4ad28ce1", + "B": "frk_tt_68406a514e90bb6e32e0b107" + }, + { + "A": "frk_ct_69ea8dd0de2f746bb95acd4b", + "B": "frk_tt_68406d64f09f13271c14dd01" + }, + { + "A": "frk_ct_69e918eaa930d07ea41dd0d0", + "B": "frk_tt_68b5ce9d508cacf8e4517b56" + }, + { + "A": "frk_ct_69e918e8cc289b978f31a12a", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_69eb876ec7f4fc346ff10b12", + "B": "frk_tt_68e52b2618cb9d9722c6edfd" + }, + { + "A": "frk_ct_69eb876f6362393759ecd351", + "B": "frk_tt_69eb875d089573be3295269e" + }, + { + "A": "frk_ct_69eb876f6362393759ecd351", + "B": "frk_tt_69eb876033531483191663a1" + }, + { + "A": "frk_ct_69e918e805776785f8f80a14", + "B": "frk_tt_68406e353df3bc002994acef" + }, + { + "A": "frk_ct_69eb876f3270ed0b11233ece", + "B": "frk_tt_698cacc0f06de04786d097ca" + }, + { + "A": "frk_ct_69eb87701093fde54e1169dc", + "B": "frk_tt_69eb8760d56cb8d18c53df13" + }, + { + "A": "frk_ct_69e918e6d72a45b4f933a112", + "B": "frk_tt_69e928283390c5483dccbcde" + }, + { + "A": "frk_ct_69e918e8cc289b978f31a12a", + "B": "frk_tt_69e92828297806545638eed7" + }, + { + "A": "frk_ct_69e918e8c57e2f6756c995ca", + "B": "frk_tt_69e92829b6aa752b0dfba9a8" + }, + { + "A": "frk_ct_69e918e9be6da6eba7d0ea4e", + "B": "frk_tt_69e92829ac42d6ca48bc6cd9" + }, + { + "A": "frk_ct_69e918eb724c553d2e5749ea", + "B": "frk_tt_69e92829e97f5a494f13d67b" + }, + { + "A": "frk_ct_69eb877091d96bcaeae40219", + "B": "frk_tt_69eb875fa49f13b4b81e9f3b" + }, + { + "A": "frk_ct_69eb877091d96bcaeae40219", + "B": "frk_tt_6901e0aa49fb834934748c93" + }, + { + "A": "frk_ct_69eb877091d96bcaeae40219", + "B": "frk_tt_6901e040a21d5e8fdc9736e8" + }, + { + "A": "frk_ct_69eb87717ae82d509fb927ed", + "B": "frk_tt_69eb875ffe511e3ce5298e21" + }, + { + "A": "frk_ct_69eb87717ae82d509fb927ed", + "B": "frk_tt_6840796f77d8a0dff53f947a" + }, + { + "A": "frk_ct_69eb87717ae82d509fb927ed", + "B": "frk_tt_6901e0aa6d3f2bbab1ea5b84" + }, + { + "A": "frk_ct_69efd5a32e52c113f97254db", + "B": "frk_tt_69efd9e081684a02f1207ee0" + }, + { + "A": "frk_ct_69efd5ee3eb484fc081cd20a", + "B": "frk_tt_69efd9e081684a02f1207ee0" + }, + { + "A": "frk_ct_69efd5b1e6f19c87845f5939", + "B": "frk_tt_69efd9e45e6f00c44f622173" + }, + { + "A": "frk_ct_69efd5cd34220c6db57b2710", + "B": "frk_tt_69efd9e45e6f00c44f622173" + }, + { + "A": "frk_ct_69efd5a163fc3dcd87372ccc", + "B": "frk_tt_69efd9e7f46963f71debd961" + }, + { + "A": "frk_ct_69efd5cb8d9092bd71665722", + "B": "frk_tt_69efd9ed795877621cdbd56d" + }, + { + "A": "frk_ct_69efd5ce50b1ede13c3848f2", + "B": "frk_tt_69efd9ef3ff6e8fed0fc0028" + }, + { + "A": "frk_ct_69efd5e906d5418ee6b5dc6a", + "B": "frk_tt_69efd9f0124f63db79cb50b0" + }, + { + "A": "frk_ct_69efd5c63e9c6fc1f8bec055", + "B": "frk_tt_69efd9f2322df1e829df8087" + }, + { + "A": "frk_ct_69efd5e71ad52c5ab2ec069e", + "B": "frk_tt_69efd9f81f073e643fb5a19d" + }, + { + "A": "frk_ct_69efd5e395082fabf04e53b7", + "B": "frk_tt_69efdbcee1d3e72ee6873ed1" + }, + { + "A": "frk_ct_69efd5c63e9c6fc1f8bec055", + "B": "frk_tt_69efdbcee1d3e72ee6873ed1" + }, + { + "A": "frk_ct_683f44c8074680be528353c1", + "B": "frk_tt_69f0d514d103c34ca40ad332" + }, + { + "A": "frk_ct_683f464bec8bea67de7b9c31", + "B": "frk_tt_69f0d514d103c34ca40ad332" + }, + { + "A": "frk_ct_69f3d9808d78f354f8f804b4", + "B": "frk_tt_69e92828297806545638eed7" + }, + { + "A": "frk_ct_69f3d982f21bf2e86c1ef98d", + "B": "frk_tt_69e92828297806545638eed7" + }, + { + "A": "frk_ct_69f3d983dce2e00263034481", + "B": "frk_tt_69e92828297806545638eed7" + }, + { + "A": "frk_ct_69f3d98d61c5a3ef65a23e20", + "B": "frk_tt_69efd9f2322df1e829df8087" + }, + { + "A": "frk_ct_69f3d9864551468e007fc4d8", + "B": "frk_tt_68e52b2618cb9d9722c6edfd" + }, + { + "A": "frk_ct_69f3d98847a47dc8f9eacae4", + "B": "frk_tt_68406951bd282273ebe286cc" + }, + { + "A": "frk_ct_69f3d98b12951c79a1a1cf36", + "B": "frk_tt_6840791cac0a7b780dbaf932" + }, + { + "A": "frk_ct_69f3d987482f9da8d882e592", + "B": "frk_tt_6901e041bb02b41fa3b7dca9" + }, + { + "A": "frk_ct_69f3d987482f9da8d882e592", + "B": "frk_tt_6901e0aa6d3f2bbab1ea5b84" + }, + { + "A": "frk_ct_69f3d988421e37ecdc514fc0", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_69f3d988421e37ecdc514fc0", + "B": "frk_tt_68406cd9dde2d8cd4c463fe0" + }, + { + "A": "frk_ct_69f3d988421e37ecdc514fc0", + "B": "frk_tt_68406af04a4acb93083413b9" + }, + { + "A": "frk_ct_69f3d9891d140c7d3b7d542c", + "B": "frk_tt_68406b4f40c87c12ae0479ce" + }, + { + "A": "frk_ct_69f3d976c53fd192b48e6236", + "B": "frk_tt_69f3ea63df40dfc906558bb5" + }, + { + "A": "frk_ct_69f3d9793720eec4d4945150", + "B": "frk_tt_69f3ea63c50892f7c9354dbb" + }, + { + "A": "frk_ct_69f3d97b66301a97f6b8e4a3", + "B": "frk_tt_69f3ea640e0ea50dd2ed8efd" + }, + { + "A": "frk_ct_69f3d98a95c7623e660bf33d", + "B": "frk_tt_69f3ea640e0ea50dd2ed8efd" + }, + { + "A": "frk_ct_69f3d97b66301a97f6b8e4a3", + "B": "frk_tt_69f3ea6497e3c0fbd6726ea5" + }, + { + "A": "frk_ct_69f3d98a95c7623e660bf33d", + "B": "frk_tt_69f3ea6497e3c0fbd6726ea5" + }, + { + "A": "frk_ct_69f3d97c03fd8213c05dbbde", + "B": "frk_tt_69f3ea65d5b1a04e9c7e0a91" + }, + { + "A": "frk_ct_69f3d97d7c0f6c1d629e8fbf", + "B": "frk_tt_69f3ea65d5b1a04e9c7e0a91" + }, + { + "A": "frk_ct_69f3d97fab711de81e99e786", + "B": "frk_tt_69f3ea65d5b1a04e9c7e0a91" + }, + { + "A": "frk_ct_69f3d98163541c15c34554c0", + "B": "frk_tt_69f3ea65dd312f6d70654ac4" + }, + { + "A": "frk_ct_69f3d9846258471679ba5a28", + "B": "frk_tt_69f3ea660239b769839c49d4" + }, + { + "A": "frk_ct_69f3d9854a029af0a24299a3", + "B": "frk_tt_69f3ea660239b769839c49d4" + }, + { + "A": "frk_ct_69f3d98c52d9000ac36cc791", + "B": "frk_tt_69f3ea66b653b0af244cf869" + }, + { + "A": "frk_ct_69f3d98e0758e358b1f71b49", + "B": "frk_tt_69f3ea67f1bbe13880b55fa4" + }, + { + "A": "frk_ct_69f3d98f897fe2984e8163e5", + "B": "frk_tt_69f3ea67845abbb56763649f" + }, + { + "A": "frk_ct_69f3d98fd53148ecfa29efa0", + "B": "frk_tt_69f3ea67845abbb56763649f" + }, + { + "A": "frk_ct_68406fc94e08f884cc085ded", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_684072e06f4a49ee669076cc", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_683f46f3f181af3f93773c1d", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_683f47cc2faa426603d6bee8", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_683f4dd564057a97ae323c9f", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_69eb876ea13506b36fd63a3e", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_69eb876ec7f4fc346ff10b12", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_69eb876f6362393759ecd351", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_69eb876f3270ed0b11233ece", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_69eb87703649e5234a56d529", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_69eb877091d96bcaeae40219", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_69eb87717ae82d509fb927ed", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_69eb87701093fde54e1169dc", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_69f897d2abcbb2cff15807ac", + "B": "frk_tt_68e52b26bf0e656af9e4e9c3" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_tt_68fa2a852e70f757188f0c39" + }, + { + "A": "frk_ct_683f4dd564057a97ae323c9f", + "B": "frk_tt_68406d2e86acc048d1774ea6" + }, + { + "A": "frk_ct_69eb87701093fde54e1169dc", + "B": "frk_tt_68406d2e86acc048d1774ea6" + }, + { + "A": "frk_ct_69eb876f6362393759ecd351", + "B": "frk_tt_684069a3a0dd8322b2ac3f03" + }, + { + "A": "frk_ct_69eb876f6362393759ecd351", + "B": "frk_tt_68406951bd282273ebe286cc" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_tt_68406eedf0f0ddd220ea19c2" + }, + { + "A": "frk_ct_68406fc94e08f884cc085ded", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_684071e280c4e0f777b957f7", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_68407429371f33886d8ab80d", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_6840738800f98fa3c0f3a3ae", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_684072e06f4a49ee669076cc", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_684070831cc83c4ab4c2c4d8", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_6840731ae0b857152b35ca8f", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_684073ba24475a83ba048022", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_68407c9513000617776104c7", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f4ae4acbd63d0e558a6f5", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f4b7614d209f8b6ffd477", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f4c30e2d3f1117fa58e13", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f4ef6c6a5481a377be413", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f50aae46f5e4e096e6bb3", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_68407122565b1968676d93db", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_68407406644c56d42eac3295", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f4036b541126388e2989a", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f43a65de3b6044e63220f", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f4457b14856e700c8c25b", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f44c8074680be528353c1", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f45c5058c486f3fa5b7bc", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f464bec8bea67de7b9c31", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f46f3f181af3f93773c1d", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f47cc2faa426603d6bee8", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f48ee9534e1e0a088e922", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_68e8079750107bcc63fc79d9", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_68e80a11f225cb2253e31fa0", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f4a410cf5bf6d40bf3583", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_684070f0b4f6c2036306e23c", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f42c71eea99f22f9df060", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f4dd564057a97ae323c9f", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f41e775f4ca03d8f6bae2", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f3ecd42e62fde624c59c1", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f484fc7b5506ab97c26af", + "B": "frk_tt_68e52a484cad0014de7a628f" + }, + { + "A": "frk_ct_683f4d7360a876b972aba39a", + "B": "frk_tt_68e52a484cad0014de7a628f" } ] \ No newline at end of file From 11d1c1194c009b831980e7395dc36e263ea167a3 Mon Sep 17 00:00:00 2001 From: Mariano Date: Wed, 6 May 2026 12:43:00 +0100 Subject: [PATCH 04/18] fix(treatment-plan): hide linked work for non-mitigate + drop Avoid as a new selection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reverts two changes I introduced for Cubic findings #36 / #37 — they were technically correct readings of "ENG-221 keeps controls/tasks visible" but the user-intent was the opposite: Linked Work and the Avoid strategy are Mitigate-shaped concerns and shouldn't surface for treatments that aren't operational reductions. - TreatmentPlanTab: `showLinkedWorkColumn` is gated on `isMitigate && hasLinkedWork` again. Accept ("live with the risk"), Transfer (insurance / contractual instruments), and Avoid (discontinue the activity) are not control-driven mitigations, so the column adds noise and a misread when shown. - StrategyPicker: Avoid is back to legacy-only — never offered as a new selection, but rendered for risks that are already set to Avoid so existing state isn't dropped silently. - ScoreExplainer: dropped the Avoid bullet and the Avoid mention in the coverage-gate paragraph, matching what the picker now offers. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../risks/treatment-plan/ScoreExplainer.tsx | 14 +++------ .../risks/treatment-plan/StrategyPicker.tsx | 30 +++++++++++-------- .../risks/treatment-plan/TreatmentPlanTab.tsx | 12 ++++---- 3 files changed, 27 insertions(+), 29 deletions(-) diff --git a/apps/app/src/components/risks/treatment-plan/ScoreExplainer.tsx b/apps/app/src/components/risks/treatment-plan/ScoreExplainer.tsx index d0dbc485a3..5fcbdf2317 100644 --- a/apps/app/src/components/risks/treatment-plan/ScoreExplainer.tsx +++ b/apps/app/src/components/risks/treatment-plan/ScoreExplainer.tsx @@ -50,20 +50,14 @@ export function ScoreExplainer() { residual equals inherent. No reduction; rationale is documented on the plan. -
  • - Avoid — - the activity that produces the risk is discontinued, so once - execution is in place the residual pins to the floor (likelihood - and impact both at their lowest). -
    • - Strategies that require operational evidence (Mitigate, Transfer, - Avoid) only project a target reduction when at least one task is - linked to the risk. Without linked work, the target collapses back - to inherent — the strategy alone isn't audit evidence. Accept is + Strategies that require operational evidence (Mitigate, Transfer) + only project a target reduction when at least one task is linked + to the risk. Without linked work, the target collapses back to + inherent — the strategy alone isn't audit evidence. Accept is unaffected (its target is inherent by definition).
    diff --git a/apps/app/src/components/risks/treatment-plan/StrategyPicker.tsx b/apps/app/src/components/risks/treatment-plan/StrategyPicker.tsx index f3b7f00744..454d2c2c0e 100644 --- a/apps/app/src/components/risks/treatment-plan/StrategyPicker.tsx +++ b/apps/app/src/components/risks/treatment-plan/StrategyPicker.tsx @@ -18,12 +18,12 @@ interface StrategyOption { Icon: CarbonIconType; } -// All four ISO/NIST risk treatment strategies are first-class options. -// Order: Mitigate (the workhorse + default), Accept, Transfer, Avoid. -// Per ENG-221, Avoid must be selectable from the start — not gated behind -// "only show if already chosen" — so users can pick it as a deliberate -// strategy (e.g. discontinuing a high-risk feature). -const STRATEGY_OPTIONS: StrategyOption[] = [ +// Mitigate first (default + the workhorse). Accept and Transfer follow. +// Avoid is intentionally not offered as a new selection — too rarely used in +// SaaS GRC programs to be worth the cognitive load. Existing risks already +// set to `avoid` still render the option (see `LEGACY_AVOID_OPTION` below) +// so users aren't surprised by missing state. +const PRIMARY_OPTIONS: StrategyOption[] = [ { value: RiskTreatmentType.mitigate, label: 'Mitigate', @@ -42,14 +42,15 @@ const STRATEGY_OPTIONS: StrategyOption[] = [ blurb: 'Shift the impact (e.g. cyber insurance, contractual indemnity).', Icon: ArrowsHorizontal, }, - { - value: RiskTreatmentType.avoid, - label: 'Avoid', - blurb: 'Eliminate the activity that causes the risk. Residual pins to the minimum once mitigation is in place.', - Icon: CloseOutline, - }, ]; +const LEGACY_AVOID_OPTION: StrategyOption = { + value: RiskTreatmentType.avoid, + label: 'Avoid', + blurb: 'Eliminate the activity that causes the risk. Residual pins to the minimum.', + Icon: CloseOutline, +}; + interface StrategyPickerProps { value: RiskTreatmentType; onChange: (next: RiskTreatmentType) => void; @@ -57,7 +58,10 @@ interface StrategyPickerProps { } export function StrategyPicker({ value, onChange, disabled }: StrategyPickerProps) { - const options = STRATEGY_OPTIONS; + const options = + value === RiskTreatmentType.avoid + ? [...PRIMARY_OPTIONS, LEGACY_AVOID_OPTION] + : PRIMARY_OPTIONS; return (
    Date: Wed, 6 May 2026 12:56:52 +0100 Subject: [PATCH 05/18] fix(treatment-plan): url tabs, regen refresh, scroll caps, 4-per-page MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit UX fixes layered into a single commit so they ship together. - RiskPageClient + VendorDetailTabs: active tab is now URL-backed via useQueryState('tab'), and only the active panel is mounted. This bookmarks the current tab in `?tab=...` (refresh keeps the view) and eliminates the visible "both panels stacked" flash on switch (base-ui keeps the outgoing panel at full opacity for the duration of the incoming `fade-in-0 duration-200` animation). - TreatmentPlanTab: drop the AutoMitigationPlaceholder ("AI is preparing your treatment plan…"). Its heuristic stayed true forever whenever the AI mitigation never wrote a description, so users sat on an indefinite spinner. Falling through to DescriptionEditor gives them the explicit "Generate treatment plan" button. - DescriptionEditor: regen-completion now bypasses the in-edit draft-resync guard. When the user clicks "Regenerate with AI" while in edit mode, they're explicitly opting into an overwrite, but the existing guard kept the textarea showing the old draft until refresh. Tracking regenRun's prev state and forcing preview + setDraft(value) on transition fixes it. - ScoreExplainer: cap the popover body at max-h-[70vh] with overflow-y-auto. The narrative + formulas + references could exceed the viewport on shorter screens with no way to reach the bottom. - AutoLinkSuggestions.sections: PAGE_SIZE 10 → 4 to match the new LinkedWork pagination. Selection UI now feels consistent with the post-apply view. - LinkedWork: explicit list-none + pl-0 on the Tasks/Controls `
      ` to defeat an inherited list-style coming from somewhere (random bullet + ~40px left padding on each row). Co-Authored-By: Claude Opus 4.7 (1M context) --- .../[riskId]/components/RiskPageClient.tsx | 160 ++++++++++-------- .../components/VendorDetailTabs.tsx | 63 ++++--- .../AutoLinkSuggestions.sections.tsx | 4 +- .../treatment-plan/DescriptionEditor.tsx | 16 ++ .../risks/treatment-plan/LinkedWork.tsx | 4 +- .../risks/treatment-plan/ScoreExplainer.tsx | 2 +- .../risks/treatment-plan/TreatmentPlanTab.tsx | 36 ---- 7 files changed, 156 insertions(+), 129 deletions(-) diff --git a/apps/app/src/app/(app)/[orgId]/risk/[riskId]/components/RiskPageClient.tsx b/apps/app/src/app/(app)/[orgId]/risk/[riskId]/components/RiskPageClient.tsx index bef36be8ec..e58fa9b684 100644 --- a/apps/app/src/app/(app)/[orgId]/risk/[riskId]/components/RiskPageClient.tsx +++ b/apps/app/src/app/(app)/[orgId]/risk/[riskId]/components/RiskPageClient.tsx @@ -24,7 +24,7 @@ import { Text, } from '@trycompai/design-system'; import Link from 'next/link'; -import { useSearchParams } from 'next/navigation'; +import { useQueryState } from 'nuqs'; import { useCallback, useMemo, useState } from 'react'; import { toast } from 'sonner'; @@ -71,8 +71,16 @@ export function RiskPageClient({ discardRiskAutoLinkRun, } = useRiskActions(); const { hasPermission } = usePermissions(); - const searchParams = useSearchParams(); - const defaultTab = searchParams.get('tab') || 'overview'; + // URL-backed tab state — bookmarks the active tab in `?tab=...` so a + // refresh keeps the same view. Control the value so we can conditionally + // render only the active panel below: base-ui's Tabs.Panel keeps the + // outgoing panel mounted at full opacity for the duration of the + // incoming panel's `fade-in-0 duration-200` animation, which produces + // a visible "both panels stacked" flash. Mounting only the active panel + // sidesteps the transition window entirely. + const [activeTab, setActiveTab] = useQueryState('tab', { + defaultValue: 'overview', + }); const isViewingTask = Boolean(taskItemId); const canUpdate = hasPermission('risk', 'update'); const canUpdateTask = hasPermission('task', 'update'); @@ -307,7 +315,7 @@ export function RiskPageClient({ {isViewingTask ? ( ) : ( - + void setActiveTab(String(next))}> Overview @@ -319,77 +327,91 @@ export function RiskPageClient({ Settings - - - + {activeTab === 'overview' && ( + + + + )} - - > - | null - | undefined ?? null, - // Fall through to the server-rendered initial risk so the - // Linked Work column doesn't blink empty between SSR and - // the first SWR resolution. (Cubic finding #28.) - tasks: - swrRisk?.tasks ?? - (initialRisk as unknown as { tasks?: RiskLinkedTask[] }) - .tasks ?? - [], - }} - canUpdate={canUpdate} - onUpdateStrategy={handleUpdateStrategy} - onUpdateDescription={handleUpdateDescription} - onRegenerate={handleRegenerateMitigation} - regenerating={isRegenerating} - onSuggest={handleSuggest} - onApply={handleApply} - // Gate the unlink affordance behind risk:update so the trash - // button doesn't render for read-only users. The Next API - // route enforces the same check server-side as defense in - // depth. (Cubic finding on PR #2671.) - onUnlinkTask={canUpdate ? handleUnlinkTask : undefined} - onResumeAutoLink={handleResumeAutoLink} - onDiscardAutoLinkRun={handleDiscardAutoLinkRun} - regenRun={regenRun} - onRegenSettled={handleRegenSettled} - /> - + {activeTab === 'treatment-plan' && ( + + > + | null + | undefined ?? null, + // Fall through to the server-rendered initial risk so the + // Linked Work column doesn't blink empty between SSR and + // the first SWR resolution. (Cubic finding #28.) + tasks: + swrRisk?.tasks ?? + (initialRisk as unknown as { tasks?: RiskLinkedTask[] }) + .tasks ?? + [], + }} + canUpdate={canUpdate} + onUpdateStrategy={handleUpdateStrategy} + onUpdateDescription={handleUpdateDescription} + onRegenerate={handleRegenerateMitigation} + regenerating={isRegenerating} + onSuggest={handleSuggest} + onApply={handleApply} + // Gate the unlink affordance behind risk:update so the trash + // button doesn't render for read-only users. The Next API + // route enforces the same check server-side as defense in + // depth. (Cubic finding on PR #2671.) + onUnlinkTask={canUpdate ? handleUnlinkTask : undefined} + onResumeAutoLink={handleResumeAutoLink} + onDiscardAutoLinkRun={handleDiscardAutoLinkRun} + regenRun={regenRun} + onRegenSettled={handleRegenSettled} + /> + + )} - - - - - - + {activeTab === 'risk-matrix' && ( + + + + + + + )} - - - + {activeTab === 'tasks' && ( + + + + )} - - - + {activeTab === 'comments' && ( + + + + )} - - t.id) || []} /> - + {activeTab === 'activity' && ( + + t.id) || []} /> + + )} - - No settings yet. - + {activeTab === 'settings' && ( + + No settings yet. + + )} )} diff --git a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/components/VendorDetailTabs.tsx b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/components/VendorDetailTabs.tsx index da5d0603cd..1fc0f69235 100644 --- a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/components/VendorDetailTabs.tsx +++ b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/components/VendorDetailTabs.tsx @@ -36,6 +36,7 @@ import { } from '@trycompai/design-system'; import Link from 'next/link'; import { useSearchParams } from 'next/navigation'; +import { useQueryState } from 'nuqs'; import { useCallback, useEffect, useMemo, useState } from 'react'; import { toast } from 'sonner'; @@ -76,7 +77,6 @@ export function VendorDetailTabs({ isViewingTask, }: VendorDetailTabsProps) { const searchParams = useSearchParams(); - const defaultTab = searchParams.get('tab') || 'overview'; const taskItemId = searchParams.get('taskItemId'); const { vendor: swrVendor, mutate: refreshVendor } = useVendor(vendorId); @@ -107,7 +107,14 @@ export function VendorDetailTabs({ } | null>(null); const [isAssessmentLoading, setIsAssessmentLoading] = useState(false); const [isRegenerating, setIsRegenerating] = useState(false); - const [activeTab, setActiveTab] = useState(defaultTab); + // URL-backed tab state — bookmarks the active tab in `?tab=...` so a + // refresh keeps the same view. Conditional rendering below mounts only + // the active panel, sidestepping base-ui's transition window where the + // outgoing panel stays at full opacity during the incoming fade-in + // (visible "both panels stacked" flash on tab switch). + const [activeTab, setActiveTab] = useQueryState('tab', { + defaultValue: 'overview', + }); const { data: taskItemsData, mutate: refreshTaskItems } = useTaskItems( vendorId, 'vendor', 1, 50, 'createdAt', 'desc', {}, @@ -338,7 +345,7 @@ export function VendorDetailTabs({ toast.success('Assessment regeneration triggered.'); if (result.runId && result.publicAccessToken) { setIsRegenerating(true); - setActiveTab('risk-assessment'); + void setActiveTab('risk-assessment'); handleAssessmentTriggered(result.runId, result.publicAccessToken); } refreshVendor(); @@ -472,7 +479,7 @@ export function VendorDetailTabs({ {isViewingTask ? ( ) : ( - + void setActiveTab(String(next))}> Overview @@ -485,10 +492,13 @@ export function VendorDetailTabs({ Settings - - - + {activeTab === 'overview' && ( + + + + )} + {activeTab === 'treatment-plan' && ( + )} + {activeTab === 'risk-matrix' && ( + )} + {activeTab === 'risk-assessment' && ( @@ -580,19 +594,27 @@ export function VendorDetailTabs({ - - - - - - - - - - - t.id) || []} /> - - + )} + + {activeTab === 'tasks' && ( + + + + )} + + {activeTab === 'comments' && ( + + + + )} + + {activeTab === 'activity' && ( + + t.id) || []} /> + + )} + + {activeTab === 'settings' && ( {canUpdate && ( @@ -616,6 +638,7 @@ export function VendorDetailTabs({ )} + )} )} diff --git a/apps/app/src/components/risks/treatment-plan/AutoLinkSuggestions.sections.tsx b/apps/app/src/components/risks/treatment-plan/AutoLinkSuggestions.sections.tsx index 0cc17dfb51..3800e96519 100644 --- a/apps/app/src/components/risks/treatment-plan/AutoLinkSuggestions.sections.tsx +++ b/apps/app/src/components/risks/treatment-plan/AutoLinkSuggestions.sections.tsx @@ -10,7 +10,9 @@ import { type SuggestedTask, } from './AutoLinkSuggestions.types'; -const PAGE_SIZE = 10; +// Match the LinkedWork list pagination so the selection UI feels consistent +// with the post-apply view (also 4 per page). +const PAGE_SIZE = 4; function Pagination({ page, diff --git a/apps/app/src/components/risks/treatment-plan/DescriptionEditor.tsx b/apps/app/src/components/risks/treatment-plan/DescriptionEditor.tsx index d3a95757e1..acd55266b4 100644 --- a/apps/app/src/components/risks/treatment-plan/DescriptionEditor.tsx +++ b/apps/app/src/components/risks/treatment-plan/DescriptionEditor.tsx @@ -110,6 +110,22 @@ export function DescriptionEditor({ if (value.trim().length === 0) setMode('edit'); }, [value, mode, saving]); + // Regenerate-with-AI bypasses the in-edit guard above. When a regen run + // terminates (`regenRun` flips from set → null), the user explicitly + // asked to overwrite whatever they had — keeping the stale draft and + // requiring a refresh to see the new prose was confusing. Force a + // preview reset so the new value lands immediately. + const prevRegenRunRef = useRef(regenRun); + useEffect(() => { + const wasRunning = prevRegenRunRef.current !== null && prevRegenRunRef.current !== undefined; + const isRunning = regenRun !== null && regenRun !== undefined; + prevRegenRunRef.current = regenRun; + if (wasRunning && !isRunning) { + setDraft(value); + if (value.trim().length > 0) setMode('preview'); + } + }, [regenRun, value]); + // Auto-grow the textarea to fit content, but cap at TEXTAREA_MAX_PX so a // long draft doesn't stretch the Treatment plan column past the Strategy // / Linked Work columns. Internal scroll kicks in past the cap. diff --git a/apps/app/src/components/risks/treatment-plan/LinkedWork.tsx b/apps/app/src/components/risks/treatment-plan/LinkedWork.tsx index e99f859747..21f5b60281 100644 --- a/apps/app/src/components/risks/treatment-plan/LinkedWork.tsx +++ b/apps/app/src/components/risks/treatment-plan/LinkedWork.tsx @@ -189,7 +189,7 @@ export function LinkedWork({ orgId, tasks, onUnlinkTask }: LinkedWorkProps) {

      ) : ( <> -
        +
          {visibleTasks.map((t, i) => { const taskDone = isTaskDone(t.status); const isUnlinking = unlinking === t.id; @@ -258,7 +258,7 @@ export function LinkedWork({ orgId, tasks, onUnlinkTask }: LinkedWorkProps) {

          ) : ( <> -
            +
              {visibleControls.map((c, i) => (
            • +
              How this score is calculated
              diff --git a/apps/app/src/components/risks/treatment-plan/TreatmentPlanTab.tsx b/apps/app/src/components/risks/treatment-plan/TreatmentPlanTab.tsx index 020b398b47..19e1365521 100644 --- a/apps/app/src/components/risks/treatment-plan/TreatmentPlanTab.tsx +++ b/apps/app/src/components/risks/treatment-plan/TreatmentPlanTab.tsx @@ -126,13 +126,6 @@ export function TreatmentPlanTab({ const isMitigate = strategy === RiskTreatmentType.mitigate; const hasPlan = description.trim().length > 0; const hasLinkedWork = entity.tasks.length > 0; - // Heuristic: tasks were auto-linked during onboarding but the AI plan - // hasn't filled in yet → mitigation is in flight (or just queued). Show - // a generating placeholder so the user knows the system is working - // rather than seeing an unexplained empty editor. Polling refreshes the - // entity; when description fills in, this condition naturally fails. - const isAutoMitigationInFlight = - isMitigate && hasLinkedWork && !hasPlan && !regenRun && !regenerating; // While Mitigate has no linked work, render only the kick-off CTA panel — // the user picks "Draft plan & suggest links" / "Suggest tasks & controls" @@ -209,11 +202,6 @@ export function TreatmentPlanTab({ onResume={onResumeAutoLink} onDiscardRun={onDiscardAutoLinkRun} /> - ) : isAutoMitigationInFlight ? ( - <> - - - ) : ( <> @@ -260,30 +248,6 @@ export function TreatmentPlanTab({ ); } -function AutoMitigationPlaceholder() { - return ( -
              -
              - ); -} - interface ColumnHeaderProps { number: string; title: string; From f9bd0bbefeec621371dba8421988f0f55432157c Mon Sep 17 00:00:00 2001 From: Mariano Date: Wed, 6 May 2026 12:59:02 +0100 Subject: [PATCH 06/18] fix(treatment-plan): drop orphan dot + checkbox-spacer indent on control rows MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two visual bugs in the Controls list of AutoLinkSuggestions: - When `c.code` is empty (some frameworks ship controls without a code, e.g. "PCI"), the row rendered "· PCI" because the prefix format was unconditional `${c.code} · ${c.name}`. Now we only prepend the "code · " segment when a code exists. - Each row had a 16x16 invisible spacer meant to align the control text with the task text below the task-row checkbox. In practice it just pushed controls ~24px to the right (spacer + gap), making them look indented relative to the section header and the Tasks rows above. Dropped the spacer so controls now align to the left edge of the column. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../treatment-plan/AutoLinkSuggestions.sections.tsx | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/apps/app/src/components/risks/treatment-plan/AutoLinkSuggestions.sections.tsx b/apps/app/src/components/risks/treatment-plan/AutoLinkSuggestions.sections.tsx index 3800e96519..83b0b37508 100644 --- a/apps/app/src/components/risks/treatment-plan/AutoLinkSuggestions.sections.tsx +++ b/apps/app/src/components/risks/treatment-plan/AutoLinkSuggestions.sections.tsx @@ -194,6 +194,11 @@ export function ControlsSection({
              {visible.map((c) => { const isDerived = isControlDerived(c, checkedTaskIds); + // Show "code · name" when the framework provides a code + // (e.g. "1.2.7 · Credential Management"); fall back to just + // the name when code is empty so we don't render a leading + // "· " orphan separator. + const heading = c.code ? `${c.code} · ${c.name}` : c.name; return (
              -