SI-12 Information Output Handling And Retention

System and Information Integrity

Low Moderate High Privacy

Description

The organization handles and retains output from the information system in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

Supplemental Guidance

None.

Changes from Rev 4

Title changed from 'Information Handling and Retention'. Control text changes 'information handling' to 'information management' and changes the wording of the list of 'in accordance with' specifics. Discussion adds recommendation to coordinate with records management personnel and references numerous other controls. Incorporates data retention elements of withdrawn App J control DM-02.

Enhancements

(0) None.

MITRE ATT&CK Techniques (34)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

Privilege Escalation: 2, Defense Evasion: 7, Credential Access: 13, Discovery: 1, Lateral Movement: 1, Collection: 13, Exfiltration: 1, Impact: 3

Compliance Mappings

ISO 27001:2022

A.5.33, A.8.10

ISO 27002:2022

5.33, 8.10

COBIT 2019

APO14

CIS Controls v8

CIS 3, CIS 3.1, CIS 3.4, CIS 3.5

NIST CSF 2.0

ID.AM-07, ID.AM-08

SOC 2 TSC

C1.2, CC6.5, PI1.5

PCI DSS v4.0.1

3.2, 3.3

CSA CCM v4

DSP-02, DSP-16

CSA AICM v1

DSP-02, DSP-16, DSP-21, DSP-24

ISO 42001:2023

A.8.5

BSI IT-Grundschutz

CON.6

ANSSI

Hygiene.19, Hygiene.8, SecNumCloud.9.2

FINMA Circular 2023/1

IV.D(78), IV.D(82), IV.E(83)

OSFI B-13

B-13.3.2

EU GDPR

Art.17(1), Art.32(1)(a), Art.5(1)(e), Art.5(1)(f)

EU DORA

Art.12(3), Art.8(1)

BIO2

5.33, 8.10

RBI CSF

Annex1.15

FISC Security Guidelines

FISC.O9, FISC.T5

LGPD + BCB 4893

BCB.Art.20, BCB.Art.9, LGPD.Art.15-16

HKMA TM-E-1

TME1.6.5, TME1.7.2

MLPS 2.0

8.1.4.11

DNB Good Practice

DNB.12.1, DNB.12.2, DNB.12.3

EU CRA

CRA.I.2g, CRA.I.2m

NCA ECC

2-7

CBB TM

TM-9

CBUAE

CR-5

CBE CSF

CTO-2

SA JS2

JS2-8.2

CBN CSF

Part3.4, Part7.1

POPIA

s14

IOSCO Cyber Resilience

PROT-3

BCBS 239

Principle 2, Principle 4

FFIEC IS

II.C.13, II.C.13(c)

NYDFS 500

500.13, 500.18

HIPAA Security Rule

§164.316(b)(2)(i)

ECB CROE

CROE.2.3.3

SEBI CSCRF

DATALOC, PR.DS

BOT Cyber Resilience

Ch2.3, Ch9.2

CMMC 2.0

SI

CBEST

CBEST.9

TIBER-EU

TIBER.CONF

Common Criteria

CC Part 2 — FDP

ISAE 3402

Clause 4

Solvency II

Art.49(3), DR.266-DataSec, EIOPA-Cloud-GL9, Pillar3-Reporting

Lloyd's Minimum Standards

BP2.2, MS1.1, MS13.2, MS2.1, MS5.1, MS6.1, MS7.1, MS8.7

NAIC Insurance Data Security

4-asset8

PRA SS1/23

P3.2, P5.5

FCA SYSC 13

SYSC 13.G.4

HITRUST CSF v11

06.b, 13.c

FDA 21 CFR Part 11

§11.10(c), §11.10(k)

NHS DSPT

NDG-5.4

CCSS v9.0

2.02.1

MiCA

Art.82(1)

Basel SCO60

SCO60.70, SCO60.71

ISO 17799 (legacy)

10.7.3, 12.2.4

COBIT 4.1 (legacy)

DS11.1, DS11.6, AC5