PL-04 Rules Of Behavior

Planning

Low, Moderate, High, Privacy

Description

The organization establishes and makes readily available to all information system users a set of rules that describes their responsibilities and expected behavior with regard to information and information system usage. The organization receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior before authorizing access to the information system and its resident information.

Supplemental Guidance

Electronic signatures are acceptable for use in acknowledging rules of behavior unless specifically prohibited by organizational policy. NIST Special Publication 800-18 provides guidance on preparing rules of behavior.

Changes from Rev 4

Control text adds privacy and other minor rewording.
Adds a selection parameter for the action to be taken when rules of behavior change.
Discussion expanded to provide examples.
Incorporates the acceptance-of-responsibilities elements of withdrawn Appendix J control AR-05.

Enhancements

(0) None.

Compliance Mappings

ISO 27001:2022

7.4, A.5.10, A.5.31, A.6.2

ISO 27002:2022

5.10, 5.31, 6.2

COBIT 2019

MEA03

NIST CSF 2.0

GV.OC-03

SOC 2 TSC

CC1.1

PCI DSS v4.0.1

12.2

CSA CCM v4

HRS-02, HRS-08, HRS-13

CSA AICM v1

HRS-02, HRS-08, HRS-13

ISO 42001:2023

A.9.2, A.9.4

BSI IT-Grundschutz

ORP.5

ANSSI

Hygiene.1, Hygiene.3, SecNumCloud.8.2

FINMA Circular 2023/1

IV.B.a(48), IV.B.a(49)

OSFI B-13

B-13.1.1

EU GDPR

Art.29, Art.39(1)(b)

EU DORA

Art.5(4)

BIO2

5.10, 5.31, 6.2

RBI CSF

ITGRCA.24

LGPD + BCB 4893

BCB.Art.4, LGPD.Art.47, LGPD.Art.50

MLPS 2.0

8.1.6

DNB Good Practice

DNB.9.1

NCA ECC

1-7

UAE IA

T3, T5

Qatar NIA

GVHR

CBUAE

CR-14

CBE CSF

GOV-3

SA JS2

JS2-4

CBN CSF

Part1.3, Part7.1

BoG CISD

CISD-COMP, CISD-I

IOSCO Cyber Resilience

PROT-4

BCBS 239

Principle 1

CPMI-IOSCO PFMI

CG.GOV

FFIEC IS

I.A, I.B, II.C.1, II.C.7, II.C.7(d)

NYDFS 500

500.4

HIPAA Security Rule

§164.308(a)(1)(ii)(C), §164.310(b), §164.316(a)

ECB CROE

CROE.2.1.2, CROE.2.3.2

EBA ICT Guidelines

3.4.7

SEBI CSCRF

GV.PO

CMMC 2.0

AT

TIBER-EU

TIBER.CONF, TIBER.PREP

ISAE 3402

Clause 2

Lloyd's Minimum Standards

MS8.13

NAIC Insurance Data Security

104-training

PRA SS1/23

P2.3, P3.6

FCA SYSC 13

SYSC 13.5.1, SYSC 13.6.5

HITRUST CSF v11

00.a, 02.a, 02.b, 04.a

FDA 21 CFR Part 11

§11.10(j)

FDA Cybersecurity Guidance

TR-1, TR-3

ISO 27799

18.17.28.39.4

NHS DSPT

NDG-1.3, NDG-2.1

OWASP MASVS v2.1

MASVS-PRIVACY-3

Basel SCO60

SCO60.60

ISO 17799 (legacy)

7.1.3, 8.1.3, 15.1.5

COBIT 4.1 (legacy)

PO6.5, DS5.2, PC4