diff --git a/backend/library/libraries/soc2_2017_with_rev_2022.yaml b/backend/library/libraries/soc2_2017_with_rev_2022.yaml
new file mode 100644
index 000000000..b536e4db6
--- /dev/null
+++ b/backend/library/libraries/soc2_2017_with_rev_2022.yaml
@@ -0,0 +1,5879 @@ +urn: urn:intuitem:risk:library:soc2-2017-rev-2022 +locale: en +ref_id: SOC2-2017-Rev-2022 +name: 'SOC2-2017 Trust Services Criteria ' +description: "TSP Section 100\n2017 Trust Services Criteria for Security, Availability,\ + \ Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus\ + \ \u2013 2022)\n\nTSC presents control criteria established by the AICPA\u2019s\ + \ Assurance Services Executive Committee (ASEC) for use in attestation or consulting\ + \ engagements to evaluate and report on controls over the security, availability,\ + \ processing integrity, confidentiality, or privacy of information and systems used\ + \ to provide products or services (a) across an entire entity; (b) at a subsidiary,\ + \ division, or operating unit level; (c) within a function relevant to the entity\u2019\ + s operational, reporting, or compliance objectives; and (d) for a particular type\ + \ of information used by the entity. Link: https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022" +copyright: "\xA9 2023 Association of International Certified Professional Accountants\xAE" +version: 1 +publication_date: 2025-01-12 +provider: AICPA +packager: intuitem +translations: + es: + name: 'SOC2-2017 Trust Services Criteria ' + description: "TSP Secci\xF3n 100\n2017 Trust Services Criteria for Security, Availability,\ + \ Processing Integrity, Confidentiality, and Privacy (con puntos de atenci\xF3\ + n revisados - 2022)\n\nTSC presenta criterios de control establecidos por el\ + \ Comit\xE9 Ejecutivo de Servicios de Aseguramiento (ASEC) del AICPA para su\ + \ uso en compromisos de atestaci\xF3n o consultor\xEDa para evaluar e informar\ + \ sobre los controles sobre la seguridad, disponibilidad, integridad de procesamiento,\ + \ confidencialidad o privacidad de la informaci\xF3n y los sistemas utilizados\ + \ para proporcionar productos o servicios (a) en toda una entidad; (b) a nivel\ 
+ \ de subsidiaria, divisi\xF3n o unidad operativa; (c) dentro de una funci\xF3\ + n relevante para los objetivos operativos, de informaci\xF3n o de cumplimiento\ + \ de la entidad; y (d) para un tipo particular de informaci\xF3n utilizada por\ + \ la entidad. Link: https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022" + copyright: "\xA9 2023 Association of International Certified Professional Accountants\xAE" +objects: + framework: + urn: urn:intuitem:risk:framework:soc2-2017-rev-2022 + ref_id: SOC2-2017-Rev-2022 + name: 'SOC2-2017 Trust Services Criteria ' + description: "TSP Section 100\n2017 Trust Services Criteria for Security, Availability,\ + \ Processing Integrity, Confidentiality, and Privacy (with Revised Points of\ + \ Focus \u2013 2022)\n\nTSC presents control criteria established by the AICPA\u2019\ + s Assurance Services Executive Committee (ASEC) for use in attestation or consulting\ + \ engagements to evaluate and report on controls over the security, availability,\ + \ processing integrity, confidentiality, or privacy of information and systems\ + \ used to provide products or services (a) across an entire entity; (b) at a\ + \ subsidiary, division, or operating unit level; (c) within a function relevant\ + \ to the entity\u2019s operational, reporting, or compliance objectives; and\ + \ (d) for a particular type of information used by the entity." 
+ translations: + es: + name: SOC2-2017-Rev-2022 + description: 'SOC2-2017 Trust Services Criteria ' + requirement_nodes: + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1 + assessable: false + depth: 1 + ref_id: CC1 + name: Control Environment + translations: + es: + name: Entorno de control + description: null + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1 + ref_id: CC1.1 + name: COSO Principle 1 + description: The entity demonstrates a commitment to integrity and ethical values. + translations: + es: + name: Principio COSO 1 + description: "La entidad demuestra un compromiso de integridad y valores\ + \ \xE9ticos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.1.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.1 + ref_id: CC1.1.1 + description: "[COSO] Sets the Tone at the Top \u2014 The board of directors\ + \ and management, at all levels, demonstrate through their directives, actions,\ + \ and behavior the importance of integrity and ethical values to support the\ + \ functioning of the system of internal control." + translations: + es: + name: null + description: "[COSO] Establece la pauta en fa alta direcci\xF3n: El Consejo\ + \ de Administraci\xF3n y Direcci\xF3n, a todos los niveles, demuestra\ + \ por sus directrices, acciones y comportamiento la importancia de la\ + \ integridad y los valores \xE9ticos para apoyar el funcionamiento del\ + \ sistema de control interno. 
" + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.1.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.1 + ref_id: CC1.1.2 + description: "[COSO] Establishes Standards of Conduct \u2014 The expectations\ + \ of the board of directors and senior management concerning integrity and\ + \ ethical values are defined in the entity\u2019s standards of conduct and\ + \ understood at all levels of the entity and by outsourced service providers\ + \ and business partners." + translations: + es: + name: null + description: "[COSO] Establece est\xE1ndares de conducta: las expectativas\ + \ de la Junta de Administraci\xF3n y la direcci\xF3n senior relativas\ + \ a la integridad y valores \xE9ticos est\xE1 definida en los est\xE1\ + ndares de conducta de la entidad y concierne a todos Jos niveles de la\ + \ entidad y a proveedores de servicios externos, as\xED como a sus socios. " + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.1.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.1 + ref_id: CC1.1.3 + description: "[COSO] Evaluates Adherence to Standards of Conduct \u2014 Processes\ + \ are in place to evaluate the performance of individuals and teams against\ + \ the entity\u2019s expected standards of conduct." + translations: + es: + name: null + description: "[COSO] Eval\xFAa la adherencia a los est\xE1ndares de conducta:\ + \ se establecen procesos para evaluar el rendimiento de los individuos\ + \ y equipos contra los est\xE1ndares de conducta esperados por la entidad. " + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.1.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.1 + ref_id: CC1.1.4 + description: "[COSO] Addresses Deviations in a Timely Manner \u2014 Deviations\ + \ from the entity\u2019s expected standards of conduct are identified and\ + \ remedied in a timely and consistent manner." 
+ translations: + es: + name: null + description: "[COSO] Aborda las desviaciones de manera peri\xF3dica: las\ + \ desviaciones de los est\xE1ndares de conducta esperados por la entidad\ + \ est\xE1n definidos y se remedian de manera peri\xF3dica y consistente." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.1.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.1 + ref_id: CC1.1.5 + description: "[TSC] Considers Contractors and Vendor Employees in Demonstrating\ + \ Its Commitment \u2014 Management and the board of directors consider the\ + \ use of contractors and vendor employees in its processes for establishing\ + \ standards of conduct, evaluating adherence to those standards, and addressing\ + \ deviations in a timely manner." + translations: + es: + name: null + description: "[TSC] Considera a los empleados de contratistas y proveedores\ + \ para demostrar su compromiso: la Direcci\xF3n y \nla Junta de Administraci\xF3\ + n considera el uso de empleados de contratistas y proveedores en sus procesos\ + \ \npara establecer los est\xE1ndares de conducta, evaluando la adherencia\ + \ a tales est\xE1ndares y abordando las \ndesviaciones de manera peri\xF3\ + dica." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1 + ref_id: CC1.2 + name: COSO Principle 2 + description: The board of directors demonstrates independence from management + and exercises oversight of the development and performance of internal control. + translations: + es: + name: Principio COSO 2 + description: "El consejo de administraci\xF3n demuestra independencia respecto\ + \ a la direcci\xF3n y supervisa el desarrollo y el funcionamiento del\ + \ control interno." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.2.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.2 + ref_id: CC1.2.1 + description: "[COSO] Establishes Oversight Responsibilities \u2014 The board\ + \ of directors identifies and accepts its oversight responsibilities in relation\ + \ to established requirements and expectations." + translations: + es: + name: null + description: "[COSO] Estable responsabilidad de supervisi\xF3n: El Consejo\ + \ de Administraci\xF3n identifica y acepta su responsabilidad de supervisi\xF3\ + n en relaci\xF3n con los requisitos y expectativas establecidas. " + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.2.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.2 + ref_id: CC1.2.2 + description: "[COSO] Applies Relevant Expertise \u2014 The board of directors\ + \ defines, maintains, and periodically evaluates the skills and expertise\ + \ needed among its members to enable them to ask probing questions of senior\ + \ management and take commensurate action." + translations: + es: + name: null + description: "[COSO] Aplica la experiencia relevante: La Junta de Administraci\xF3\ + n define, mantiene y eval\xFAa peri\xF3dicamente las capacidades y experiencia\ + \ necesaria entre sus miembros para permitirles sondear a la Direcci\xF3\ + n Senior y tomar las acciones correspondientes. " + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.2.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.2 + ref_id: CC1.2.3 + description: "[COSO] Operates Independently fn 15 \u2014 The board of directors\ + \ has sufficient members who are independent from management and objective\ + \ in evaluations and decision making." 
+ translations: + es: + name: null + description: "[COSO] Opera independientemente: La Junta de Administraci\xF3\ + n tiene los suficientes miembros, los cuales son independientes de la\ + \ gesti\xF3n y objetivos, en la evaluaci\xF3n y toma de decisiones. " + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.2.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.2 + ref_id: CC1.2.4 + description: "[TSC] Supplements Board Expertise \u2014 The board of directors\ + \ supplements its expertise relevant to security, availability, processing\ + \ integrity, confidentiality, and privacy, as needed, through the use of a\ + \ subcommittee or consultants." + translations: + es: + name: null + description: "[TSC] Complementa la experiencia del Consejo de Administraci\xF3\ + n - El Consejo de Administraci\xF3n complementa su experiencia en materia\ + \ de seguridad, disponibilidad, integridad del procesamiento, confidencialidad\ + \ y privacidad, seg\xFAn sea necesario, mediante el uso de un subcomit\xE9\ + \ o consultores." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1 + ref_id: CC1.3 + name: COSO Principle 3 + description: Management establishes, with board oversight, structures, reporting + lines, and appropriate authorities and responsibilities in the pursuit of + objectives. + translations: + es: + name: Principio COSO 3 + description: "La direcci\xF3n establece, con la supervisi\xF3n del consejo,\ + \ estructuras, l\xEDneas jer\xE1rquicas y autoridades y responsabilidades\ + \ adecuadas para la consecuci\xF3n de los objetivos." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.3.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.3 + ref_id: CC1.3.1 + description: "[COSO] Considers All Structures of the Entity \u2014 Management\ + \ and the board of directors consider the multiple structures used (including\ + \ operating units, legal entities, geographic distribution, and outsourced\ + \ service providers) to support the achievement of objectives." + translations: + es: + name: null + description: "[COSO] Considera todas las estructuras de la entidad - La\ + \ direcci\xF3n y el consejo de administraci\xF3n tienen en cuenta las\ + \ m\xFAltiples estructuras utilizadas (incluidas las unidades operativas,\ + \ las entidades jur\xEDdicas, la distribuci\xF3n geogr\xE1fica y los proveedores\ + \ de servicios subcontratados) para respaldar la consecuci\xF3n de los\ + \ objetivos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.3.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.3 + ref_id: CC1.3.2 + description: "[COSO] Establishes Reporting Lines \u2014 Management designs and\ + \ evaluates lines of reporting for each entity structure to enable execution\ + \ of authorities and responsibilities and flow of information to manage the\ + \ activities of the entity." + translations: + es: + name: null + description: "[COSO] Establece l\xEDneas de informaci\xF3n - La direcci\xF3\ + n dise\xF1a y eval\xFAa l\xEDneas de informaci\xF3n para cada estructura\ + \ de la entidad con el fin de permitir la ejecuci\xF3n de las autoridades\ + \ y responsabilidades y el flujo de informaci\xF3n para gestionar las\ + \ actividades de la entidad." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.3.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.3 + ref_id: CC1.3.3 + description: "[COSO] Defines, Assigns, and Limits Authorities and Responsibilities\ + \ \u2014 Management and the board of directors delegate authority, define\ + \ responsibilities, and use appropriate processes and technology to assign\ + \ responsibility and segregate duties as necessary at the various levels of\ + \ the organization." + translations: + es: + name: null + description: "[COSO] Define, Asigna y Limita Autoridades y Responsabilidades\ + \ - La direcci\xF3n y el consejo de administraci\xF3n delegan autoridad,\ + \ definen responsabilidades y utilizan procesos y tecnolog\xEDa adecuados\ + \ para asignar responsabilidades y segregar funciones seg\xFAn sea necesario\ + \ en los distintos niveles de la organizaci\xF3n." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.3.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.3 + ref_id: CC1.3.4 + description: "[TSC] Addresses Specific Requirements When Defining Authorities\ + \ and Responsibilities \u2014 Management and the board of directors consider\ + \ requirements relevant to security, availability, processing integrity, confidentiality,\ + \ and privacy when defining authorities and responsibilities." + translations: + es: + name: null + description: "[TSC] La direcci\xF3n y el consejo de administraci\xF3n tienen\ + \ en cuenta los requisitos relativos a la seguridad, disponibilidad, integridad\ + \ del procesamiento, confidencialidad y privacidad a la hora de definir\ + \ las autoridades y responsabilidades." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.3.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.3 + ref_id: CC1.3.5 + description: "[TSC] Considers Interactions With External Parties When Establishing\ + \ Structures, Reporting Lines, Authorities, and Responsibilities \u2014 Management\ + \ and the board of directors consider the need for the entity to interact\ + \ with and monitor the activities of external parties when establishing structures,\ + \ reporting lines, authorities, and responsibilities." + translations: + es: + name: null + description: "[TSC] La direcci\xF3n y el consejo de administraci\xF3n tienen\ + \ en cuenta la necesidad de que la entidad interact\xFAe con partes externas\ + \ y supervise sus actividades a la hora de establecer estructuras, l\xED\ + neas jer\xE1rquicas, autoridades y responsabilidades." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.3.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.3 + ref_id: CC1.3.6 + description: "[P] Establishes Structures, Reporting Lines, and Authorities to\ + \ Support Compliance With Legal and Contractual Privacy Requirements \u2014\ + \ When establishing structures, reporting lines, and authorities, management\ + \ considers legal and contractual privacy requirements and objectives." + translations: + es: + name: null + description: "[P] Establece estructuras, l\xEDneas jer\xE1rquicas y autoridades\ + \ para apoyar el cumplimiento de los requisitos legales y contractuales\ + \ de privacidad - Al establecer estructuras, l\xEDneas jer\xE1rquicas\ + \ y autoridades, la direcci\xF3n tiene en cuenta los requisitos y objetivos\ + \ legales y contractuales de privacidad." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1 + ref_id: CC1.4 + name: COSO Principle 4 + description: The entity demonstrates a commitment to attract, develop, and retain + competent individuals in alignment with objectives. + translations: + es: + name: Principio COSO 4 + description: La entidad demuestra un compromiso para atraer, desarrollar + y retener a personas competentes en consonancia con los objetivos. + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.4.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.4 + ref_id: CC1.4.1 + description: "[COSO] Establishes Policies and Practices \u2014 Policies and\ + \ practices reflect expectations of competence necessary to support the achievement\ + \ of objectives." + translations: + es: + name: null + description: "[COSO] Establece pol\xEDticas y pr\xE1cticas - Las pol\xED\ + ticas y pr\xE1cticas reflejan las expectativas de competencia necesarias\ + \ para apoyar la consecuci\xF3n de los objetivos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.4.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.4 + ref_id: CC1.4.2 + description: "[COSO] Evaluates Competence and Addresses Shortcomings \u2014\ + \ The board of directors and management evaluate competence across the entity\ + \ and in outsourced service providers in relation to established policies\ + \ and practices and act as necessary to address shortcomings." 
+ translations: + es: + name: null + description: "[COSO] Eval\xFAa la competencia y aborda las deficiencias\ + \ - El consejo de administraci\xF3n y la direcci\xF3n eval\xFAan la competencia\ + \ en toda la entidad y en los proveedores de servicios subcontratados\ + \ en relaci\xF3n con las pol\xEDticas y pr\xE1cticas establecidas y act\xFA\ + an seg\xFAn sea necesario para abordar las deficiencias." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.4.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.4 + ref_id: CC1.4.3 + description: "[COSO] Attracts, Develops, and Retains Individuals \u2014 The\ + \ entity provides the mentoring and training needed to attract, develop, and\ + \ retain sufficient and competent personnel and outsourced service providers\ + \ to support the achievement of objectives." + translations: + es: + name: null + description: "[COSO] Atrae, desarrolla y retiene a las personas - La entidad\ + \ proporciona la tutor\xEDa y la formaci\xF3n necesarias para atraer,\ + \ desarrollar y retener a personal suficiente y competente y a proveedores\ + \ de servicios subcontratados para apoyar la consecuci\xF3n de los objetivos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.4.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.4 + ref_id: CC1.4.4 + description: "[COSO] Plans and Prepares for Succession \u2014 Senior management\ + \ and the board of directors develop contingency plans for assignments of\ + \ responsibility important for internal control." + translations: + es: + name: null + description: "[COSO] Planifica y prepara la sucesi\xF3n - La alta direcci\xF3\ + n y el consejo de administraci\xF3n elaboran planes de contingencia para\ + \ la asignaci\xF3n de responsabilidades relevantes para el control interno." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.4.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.4 + ref_id: CC1.4.5 + description: "[TSC] Considers the Background of Individuals \u2014 The entity\ + \ considers the background of potential and existing personnel, contractors,\ + \ and vendor employees when determining whether to employ and retain the individuals." + translations: + es: + name: null + description: '[TSC] Considera los antecedentes de los individuos - La entidad + considera los antecedentes del personal potencial y existente, contratistas + y empleados de proveedores al determinar si emplear y retener a los individuos.' + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.4.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.4 + ref_id: CC1.4.6 + description: "[TSC] Considers the Technical Competency of Individuals \u2014\ + \ The entity considers the technical competency of potential and existing\ + \ personnel, contractors, and vendor employees when determining whether to\ + \ employ and retain the individuals." + translations: + es: + name: null + description: "[TSC] Considera la competencia t\xE9cnica de los individuos\ + \ - La entidad considera la competencia t\xE9cnica del personal potencial\ + \ y existente, proveedores y contratistas para determinar si procede la\ + \ contrataci\xF3n y/o retener a las personas." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.4.7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.4 + ref_id: CC1.4.7 + description: "[TSC] Provides Training to Maintain Technical Competencies \u2014\ + \ The entity provides training programs, including continuing education and\ + \ training, to ensure skill sets and technical competency of existing personnel,\ + \ contractors, and vendor employees are developed and maintained." 
+ translations: + es: + name: null + description: "[TSC] Proporciona formaci\xF3n para mantener las competencias\ + \ t\xE9cnicas - La entidad proporciona programas de formaci\xF3n, incluida\ + \ la educaci\xF3n y formaci\xF3n continuas, para garantizar el desarrollo\ + \ y el mantenimiento de las habilidades y la competencia t\xE9cnica del\ + \ personal existente, los contratistas y los empleados de los proveedores." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.5 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1 + ref_id: CC1.5 + name: COSO Principle 5 + description: The entity holds individuals accountable for their internal control + responsibilities in the pursuit of objectives. + translations: + es: + name: Principio COSO 5 + description: "La entidad responsabiliza a las personas de sus funciones\ + \ de control interno en la consecuci\xF3n de los objetivos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.5.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.5 + ref_id: CC1.5.1 + description: "[COSO] Enforces Accountability Through Structures, Authorities,\ + \ and Responsibilities \u2014 Management and the board of directors establish\ + \ the mechanisms to communicate and hold individuals accountable for performance\ + \ of internal control responsibilities across the entity and implement corrective\ + \ action as necessary." + translations: + es: + name: null + description: "[COSO] Exige la rendici\xF3n de cuentas a trav\xE9s de estructuras,\ + \ autoridades y responsabilidades - La direcci\xF3n y el consejo de administraci\xF3\ + n establecen los mecanismos para comunicar y exigir a las personas que\ + \ rindan cuentas del desempe\xF1o de las responsabilidades de control\ + \ interno en toda la entidad y aplicar las medidas correctoras necesarias." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.5.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.5 + ref_id: CC1.5.2 + description: "[COSO] Establishes Performance Measures, Incentives, and Rewards\ + \ \u2014 Management and the board of directors establish performance measures,\ + \ incentives, and other rewards appropriate for responsibilities at all levels\ + \ of the entity, reflecting appropriate dimensions of performance and expected\ + \ standards of conduct, and considering the achievement of both short-term\ + \ and longer-term objectives." + translations: + es: + name: null + description: "[COSO] Establece medidas de rendimiento, incentivos y recompensas\ + \ - La direcci\xF3n y el consejo de administraci\xF3n establecen medidas\ + \ de rendimiento, incentivos y otras recompensas apropiadas para las responsabilidades\ + \ a todos los niveles de la entidad, que reflejen las dimensiones adecuadas\ + \ de rendimiento y las normas de conducta esperadas, y que tengan en cuenta\ + \ la consecuci\xF3n de objetivos tanto a corto como a largo plazo." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.5.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.5 + ref_id: CC1.5.3 + description: "[COSO] Evaluates Performance Measures, Incentives, and Rewards\ + \ for Ongoing Relevance \u2014 Management and the board of directors align\ + \ incentives and rewards with the fulfillment of internal control responsibilities\ + \ in the achievement of objectives." + translations: + es: + name: null + description: "[COSO] Eval\xFAa las medidas de rendimiento, los incentivos\ + \ y las recompensas para que sigan siendo pertinentes - La direcci\xF3\ + n y el consejo de administraci\xF3n alinean los incentivos y las recompensas\ + \ con el cumplimiento de las responsabilidades de control interno en la\ + \ consecuci\xF3n de los objetivos." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.5.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.5 + ref_id: CC1.5.4 + description: "[COSO] Considers Excessive Pressures \u2014 Management and the\ + \ board of directors evaluate and adjust pressures associated with the achievement\ + \ of objectives as they assign responsibilities, develop performance measures,\ + \ and evaluate performance." + translations: + es: + name: null + description: "[COSO] Eval\xFAa las medidas de rendimiento, los incentivos\ + \ y las recompensas para que sigan siendo pertinentes - La direcci\xF3\ + n y el consejo de administraci\xF3n alinean los incentivos y las recompensas\ + \ con el cumplimiento de las responsabilidades de control interno en la\ + \ consecuci\xF3n de los objetivos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.5.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.5 + ref_id: CC1.5.5 + description: "[COSO] Evaluates Performance and Rewards or Disciplines Individuals\ + \ \u2014 Management and the board of directors evaluate performance of internal\ + \ control responsibilities, including adherence to standards of conduct and\ + \ expected levels of competence, and provide rewards or exercise disciplinary\ + \ action, as appropriate." + translations: + es: + name: null + description: "[COSO] Eval\xFAa el rendimiento y recompensa o disciplina\ + \ a los individuos - La direcci\xF3n y el consejo de administraci\xF3\ + n eval\xFAan el rendimiento de las responsabilidades de control interno,\ + \ incluido el cumplimiento de las normas de conducta y los niveles de\ + \ competencia esperados, y ofrecen recompensas o ejercen medidas disciplinarias,\ + \ seg\xFAn proceda." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.5.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc1.5 + ref_id: CC1.5.6 + description: "[P] Takes Disciplinary Actions \u2014 A sanctions process is defined,\ + \ and applied as needed, when an employee violates the entity\u2019s privacy\ + \ policies or when an employee\u2019s negligent behavior causes a privacy\ + \ incident." + translations: + es: + name: null + description: "[P] Toma de medidas disciplinarias - Se define un proceso\ + \ de sanciones, que se aplica seg\xFAn sea necesario, cuando un empleado\ + \ viola las pol\xEDticas de privacidad de la entidad o cuando el comportamiento\ + \ negligente de un empleado causa un incidente de privacidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2 + assessable: false + depth: 1 + ref_id: CC2 + name: Information & Communication + translations: + es: + name: "Informaci\xF3n y Comunicaci\xF3n" + description: null + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2 + ref_id: CC2.1 + name: COSO Principle 13 + description: The entity obtains or generates and uses relevant, quality information + to support the functioning of internal control. + translations: + es: + name: Principio COSO 13 + description: "La entidad obtiene o genera y utiliza informaci\xF3n relevante\ + \ y de calidad para apoyar el funcionamiento del control interno." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.1.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.1 + ref_id: CC2.1.1 + description: "[COSO] Identifies Information Requirements \u2014 A process is\ + \ in place to identify the information required and expected to support the\ + \ functioning of the other components of internal control and the achievement\ + \ of the entity\u2019s objectives." 
+ translations: + es: + name: null + description: "[COSO] Identifica los requisitos de informaci\xF3n - Existe\ + \ un proceso para identificar la informaci\xF3n necesaria y esperada para\ + \ apoyar el funcionamiento de los dem\xE1s componentes del control interno\ + \ y la consecuci\xF3n de los objetivos de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.1.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.1 + ref_id: CC2.1.2 + description: "[COSO] Captures Internal and External Sources of Data \u2014 Information\ + \ systems capture internal and external sources of data." + translations: + es: + name: null + description: "[COSO] Capta fuentes de datos internas y externas - Los sistemas\ + \ de informaci\xF3n captan fuentes de datos internas y externas." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.1.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.1 + ref_id: CC2.1.3 + description: "[COSO] Processes Relevant Data Into Information \u2014 Information\ + \ systems process and transform relevant data into information." + translations: + es: + name: null + description: "[COSO] Procesa los datos relevantes en informaci\xF3n - Los\ + \ sistemas de informaci\xF3n procesan y transforman los datos relevantes\ + \ en informaci\xF3n." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.1.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.1 + ref_id: CC2.1.4 + description: "[COSO] Maintains Quality Throughout Processing \u2014 Information\ + \ systems produce information that is timely, current, accurate, complete,\ + \ accessible, protected, verifiable, and retained. Information is reviewed\ + \ to assess its relevance in supporting the internal control components." 
+ translations: + es: + name: null + description: "[COSO] Mantiene la calidad durante todo el proceso - Los sistemas\ + \ de informaci\xF3n producen informaci\xF3n oportuna, actual, precisa,\ + \ completa, accesible, protegida, verificable y conservada. La informaci\xF3\ + n se revisa para evaluar su relevancia en el apoyo a los componentes de\ + \ control interno." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.1.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.1 + ref_id: CC2.1.5 + description: "[TSC] Documents Data Flow \u2014 The entity documents and uses\ + \ internal and external information and data flows to support the design and\ + \ operation of controls." + translations: + es: + name: null + description: "[TSC] Documenta el flujo de datos - La entidad documenta y\ + \ utiliza la informaci\xF3n interna y externa y los flujos de datos para\ + \ apoyar el dise\xF1o y el funcionamiento de los controles." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.1.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.1 + ref_id: CC2.1.6 + description: "[TSC] Manages Assets \u2014 The entity identifies, documents,\ + \ and maintains records of system components such as infrastructure, software,\ + \ and other information assets. Information assets include physical endpoint\ + \ devices and systems, virtual systems, data and data flows, external information\ + \ systems, and organizational roles." + translations: + es: + name: null + description: "[TSC] Gestiona Activos - La entidad identifica, documenta\ + \ y mantiene registros de los componentes del sistema tales como infraestructura,\ + \ software y otros activos de informaci\xF3n. Los activos de informaci\xF3\ + n incluyen dispositivos y sistemas finales f\xEDsicos, sistemas virtuales,\ + \ datos y flujos de datos, sistemas de informaci\xF3n externos y roles\ + \ organizativos." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.1.7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.1 + ref_id: CC2.1.7 + description: "[TSC] Classifies Information \u2014 The entity classifies information\ + \ by its relevant characteristics (for example, personally identifiable information,\ + \ confidential customer information, and intellectual property) to support\ + \ identification of threats to the information and the design and operation\ + \ of controls." + translations: + es: + name: null + description: "[TSC] Clasifica la informaci\xF3n - La entidad clasifica la\ + \ informaci\xF3n por sus caracter\xEDsticas relevantes (por ejemplo, informaci\xF3\ + n personal identificable, informaci\xF3n confidencial de clientes y propiedad\ + \ intelectual) para apoyar la identificaci\xF3n de amenazas a la informaci\xF3\ + n y el dise\xF1o y operaci\xF3n de controles." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.1.8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.1 + ref_id: CC2.1.8 + description: "[TSC] Uses Information That Is Complete and Accurate \u2014 The\ + \ entity uses information and reports that are complete, accurate, current,\ + \ and valid in the operation of controls." + translations: + es: + name: null + description: "[TSC] La entidad utiliza informaci\xF3n e informes que son\ + \ completos, precisos, actuales y v\xE1lidos en el funcionamiento de los\ + \ controles." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.1.9 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.1 + ref_id: CC2.1.9 + description: "[TSC] Manages the Location of Assets \u2014 The entity identifies,\ + \ documents, and maintains records of physical location and custody of information\ + \ assets, particularly for those stored outside the physical security control\ + \ of the entity (for example, software and data stored on vendor devices or\ + \ employee mobile phones under a bring-yourown-device policy)." + translations: + es: + name: null + description: "[TSC] Gestiona la ubicaci\xF3n de los activos - La entidad\ + \ identifica, documenta y mantiene registros de la ubicaci\xF3n f\xED\ + sica y la custodia de los activos de informaci\xF3n, en particular para\ + \ aquellos almacenados fuera del control de seguridad f\xEDsica de la\ + \ entidad (por ejemplo, software y datos almacenados en dispositivos de\ + \ proveedores o tel\xE9fonos m\xF3viles de empleados bajo una pol\xED\ + tica de \xABtraiga su propio dispositivo\xBB)." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2 + ref_id: CC2.2 + name: COSO Principle 14 + description: The entity internally communicates information, including objectives + and responsibilities for internal control, necessary to support the functioning + of internal control. + translations: + es: + name: Principio COSO 14 + description: "La entidad comunica internamente la informaci\xF3n, incluidos\ + \ los objetivos y las responsabilidades en materia de control interno,\ + \ necesaria para apoyar el funcionamiento del control interno." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2 + ref_id: CC2.2.1 + description: "[COSO] Communicates Internal Control Information \u2014 A process\ + \ is in place to communicate required information to enable all personnel\ + \ to understand and carry out their internal control responsibilities." + translations: + es: + name: null + description: "[COSO] Comunica la informaci\xF3n de control interno - Existe\ + \ un proceso para comunicar la informaci\xF3n necesaria para que todo\ + \ el personal pueda comprender y desempe\xF1ar sus responsabilidades de\ + \ control interno." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2 + ref_id: CC2.2.2 + description: "[COSO] Communicates With the Board of Directors \u2014 Communication\ + \ exists between management and the board of directors so that both have information\ + \ needed to fulfill their roles with respect to the entity\u2019s objectives." + translations: + es: + name: null + description: "[COSO] Se comunica con el consejo de administraci\xF3n - Existe\ + \ comunicaci\xF3n entre la direcci\xF3n y el consejo de administraci\xF3\ + n de modo que ambos dispongan de la informaci\xF3n necesaria para desempe\xF1\ + ar sus funciones con respecto a los objetivos de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2 + ref_id: CC2.2.3 + description: "[COSO] Provides Separate Communication Lines \u2014 Separate communication\ + \ channels, such as whistle-blower hotlines, are in place and serve as fail-safe\ + \ mechanisms to enable anonymous or confidential communication when normal\ + \ channels are inoperative or ineffective." 
+ translations: + es: + name: null + description: "[COSO] Proporciona l\xEDneas de comunicaci\xF3n separadas\ + \ - Existen canales de comunicaci\xF3n separados, como l\xEDneas directas\ + \ de denuncia de irregularidades, que sirven como mecanismos a prueba\ + \ de fallos para permitir la comunicaci\xF3n an\xF3nima o confidencial\ + \ cuando los canales normales son inoperantes o ineficaces." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2 + ref_id: CC2.2.4 + description: "[COSO] Selects Relevant Method of Communication \u2014 The method\ + \ of communication considers the timing, audience, and nature of the information." + translations: + es: + name: null + description: "[COSO] Selecciona el m\xE9todo de comunicaci\xF3n pertinente\ + \ - El m\xE9todo de comunicaci\xF3n tiene en cuenta el momento, la audiencia\ + \ y la naturaleza de la informaci\xF3n." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2 + ref_id: CC2.2.5 + description: "[TSC] Communicates Responsibilities \u2014 Entity personnel with\ + \ responsibility for designing, developing, implementing, operating, maintaining,\ + \ or monitoring system controls receive communications about their responsibilities,\ + \ including changes in their responsibilities, and have the information necessary\ + \ to carry out those responsibilities." + translations: + es: + name: null + description: "[TSC] Comunica Responsabilidades - El personal de la entidad\ + \ con responsabilidad para dise\xF1ar, desarrollar, implementar, operar,\ + \ mantener o monitorizar los controles del sistema recibe comunicaciones\ + \ sobre sus responsabilidades, incluyendo cambios en sus responsabilidades,\ + \ y tiene la informaci\xF3n necesaria para llevar a cabo dichas responsabilidades." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2 + ref_id: CC2.2.6 + description: "[TSC] Communicates Information on Reporting Failures, Incidents,\ + \ Concerns, and Other Matters \u2014 Entity personnel are provided with information\ + \ on how to report systems failures, incidents, concerns, and other complaints." + translations: + es: + name: null + description: "[TSC] Comunica informaci\xF3n sobre la notificaci\xF3n de\ + \ fallos, incidentes, preocupaciones y otras cuestiones - El personal\ + \ de la entidad recibe informaci\xF3n sobre c\xF3mo notificar fallos,\ + \ incidentes, preocupaciones y otras quejas sobre los sistemas." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2.7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2 + ref_id: CC2.2.7 + description: "[TSC] Communicates Objectives and Changes to Objectives \u2014\ + \ The entity communicates its objectives and changes to those objectives to\ + \ personnel in a timely manner." + translations: + es: + name: null + description: '[TSC] Comunica objetivos y cambios en los objetivos - La entidad + comunica oportunamente al personal sus objetivos y los cambios en los + mismos.' + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2.8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2 + ref_id: CC2.2.8 + description: "[TSC] Communicates Information to Improve Security Knowledge and\ + \ Awareness \u2014 The entity communicates information to improve security\ + \ knowledge and awareness and to model approprite security behaviors to personnel\ + \ through a security awareness training program." 
+ translations: + es: + name: null + description: "[TSC] Comunica informaci\xF3n para mejorar el conocimiento\ + \ y la concienciaci\xF3n de la seguridad - La entidad comunica informaci\xF3\ + n para mejorar el conocimiento y la concienciaci\xF3n de la seguridad\ + \ y para modelar comportamientos de seguridad adecuados para el personal\ + \ a trav\xE9s de un programa de formaci\xF3n de concienciaci\xF3n de la\ + \ seguridad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2.9 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2 + ref_id: CC2.2.9 + description: "[P] Communicates Information to Improve Privacy Knowledge and\ + \ Awareness \u2014 The entity communicates information to improve privacy\ + \ knowledge and awareness and to model appropriate behaviors to personnel\ + \ through a privacy awareness training program." + translations: + es: + name: null + description: "[P] Comunica informaci\xF3n para mejorar el conocimiento y\ + \ la concienciaci\xF3n sobre la privacidad - La entidad comunica informaci\xF3\ + n para mejorar el conocimiento y la concienciaci\xF3n sobre la privacidad\ + \ y para modelar comportamientos adecuados para el personal a trav\xE9\ + s de un programa de formaci\xF3n sobre concienciaci\xF3n sobre la privacidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2.10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2 + ref_id: CC2.2.10 + description: "[P] Communicates Incident Reporting Methods \u2014 The entity\ + \ has communicated to employees and others within the entity the process used\ + \ to report a suspected privacy incident." + translations: + es: + name: null + description: "[P] Comunica m\xE9todos de notificaci\xF3n de incidentes -\ + \ La entidad ha comunicado a los empleados y a otras personas de la entidad\ + \ el proceso utilizado para notificar un presunto incidente relacionado\ + \ con la privacidad." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2.11 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2 + ref_id: CC2.2.11 + description: "[SYSTEM LEVEL] Communicates Information About System Operation\ + \ and Boundaries \u2014 The entity prepares and communicates information about\ + \ the design and operation of the system and its boundaries to authorized\ + \ personnel to enable them to understand their role in the system and the\ + \ results of system operation." + translations: + es: + name: null + description: "[SYSTEM LEVEL] Comunica informaci\xF3n sobre el funcionamiento\ + \ y los l\xEDmites del sistema - La entidad prepara y comunica informaci\xF3\ + n sobre el dise\xF1o y el funcionamiento del sistema y sus l\xEDmites\ + \ al personal autorizado para permitirle comprender su papel en el sistema\ + \ y los resultados de su funcionamiento." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2.12 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2 + ref_id: CC2.2.12 + description: "[SYSTEM LEVEL] Communicates System Objectives \u2014 The entity\ + \ communicates its objectives to personnel to enable them to carry out their\ + \ responsibilities." + translations: + es: + name: null + description: "[SYSTEM LEVEL] Comunica los objetivos del sistema - La entidad\ + \ comunica sus objetivos al personal para permitirle desempe\xF1ar sus\ + \ responsabilidades." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2.13 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.2 + ref_id: CC2.2.13 + description: "[SYSTEM LEVEL] Communicates System Changes \u2014 System changes\ + \ that affect responsibilities or the achievement of the entity's objectives\ + \ are communicated in a timely manner." 
+ translations: + es: + name: null + description: "[SYSTEM LEVEL] Comunica los cambios del sistema - Los cambios\ + \ del sistema que afectan a las responsabilidades o a la consecuci\xF3\ + n de los objetivos de la entidad se comunican oportunamente." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2 + ref_id: CC2.3 + name: COSO Principle 15 + description: The entity communicates with external parties regarding matters + affecting the functioning of internal control. + translations: + es: + name: Principio COSO 15 + description: "La entidad se comunica con las partes externas en relaci\xF3\ + n con las cuestiones que afectan al funcionamiento del control interno." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3 + ref_id: CC2.3.1 + description: "[COSO] Communicates to External Parties \u2014 Processes are in\ + \ place to communicate relevant and timely information to external parties,\ + \ including shareholders, partners, owners, regulators, customers, financial\ + \ analysts, and other external parties." + translations: + es: + name: null + description: "[COSO] Comunica a las partes externas - Existen procesos para\ + \ comunicar informaci\xF3n relevante y oportuna a las partes externas,\ + \ incluidos accionistas, socios, propietarios, reguladores, clientes,\ + \ analistas financieros y otras partes externas." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3 + ref_id: CC2.3.2 + description: "[COSO] Enables Inbound Communications \u2014 Open communication\ + \ channels allow input from customers, consumers, suppliers, external auditors,\ + \ regulators, financial analysts, and others, providing management and the\ + \ board of directors with relevant information." + translations: + es: + name: null + description: "[COSO] Permite las comunicaciones entrantes - Los canales\ + \ de comunicaci\xF3n abiertos permiten recibir aportaciones de clientes,\ + \ consumidores, proveedores, auditores externos, reguladores, analistas\ + \ financieros y otros, proporcionando informaci\xF3n relevante a la direcci\xF3\ + n y al consejo de administraci\xF3n." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3 + ref_id: CC2.3.3 + description: "[COSO] Communicates With the Board of Directors \u2014 Relevant\ + \ information resulting from assessments conducted by external parties is\ + \ communicated to the board of directors." + translations: + es: + name: null + description: "[COSO] Se comunica con el Consejo de Administraci\xF3n - La\ + \ informaci\xF3n pertinente resultante de las evaluaciones realizadas\ + \ por partes externas se comunica al Consejo de Administraci\xF3n." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3 + ref_id: CC2.3.4 + description: "[COSO] Provides Separate Communication Lines \u2014 Separate communication\ + \ channels, such as whistle-blower hotlines, are in place and serve as fail-safe\ + \ mechanisms to enable anonymous or confidential communication when normal\ + \ channels are inoperative or ineffective." 
+ translations: + es: + name: null + description: "[COSO] Proporciona l\xEDneas de comunicaci\xF3n separadas\ + \ - Existen canales de comunicaci\xF3n separados, como l\xEDneas directas\ + \ de denuncia de irregularidades, que sirven como mecanismos a prueba\ + \ de fallos para permitir la comunicaci\xF3n an\xF3nima o confidencial\ + \ cuando los canales normales son inoperantes o ineficaces." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3 + ref_id: CC2.3.5 + description: "[COSO] Selects Relevant Method of Communication \u2014 The method\ + \ of communication considers the timing, audience, and nature of the communication\ + \ and legal, regulatory, and fiduciary requirements and expectations." + translations: + es: + name: null + description: "[COSO] Selecciona el m\xE9todo de comunicaci\xF3n pertinente:\ + \ el m\xE9todo de comunicaci\xF3n tiene en cuenta el momento, la audiencia\ + \ y la naturaleza de la comunicaci\xF3n, as\xED como los requisitos y\ + \ expectativas legales, reglamentarios y fiduciarios." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3 + ref_id: CC2.3.6 + description: "[C] Communicates Objectives Related to Confidentiality and Changes\ + \ to Those Objectives \u2014 The entity communicates, to external users, vendors,\ + \ business partners, and others whose products or services, or both, are part\ + \ of the system, the entity\u2019s objectives related to confidentiality and\ + \ the protection of confidential information, as well as changes to those\ + \ objectives." 
+ translations: + es: + name: null + description: "[C] Comunica los objetivos relacionados con la confidencialidad\ + \ y los cambios en dichos objetivos - La entidad comunica a los usuarios\ + \ externos, proveedores, socios comerciales y otras personas cuyos productos\ + \ o servicios, o ambos, forman parte del sistema, los objetivos de la\ + \ entidad relacionados con la confidencialidad y la protecci\xF3n de la\ + \ informaci\xF3n confidencial, as\xED como los cambios en dichos objetivos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3.7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3 + ref_id: CC2.3.7 + description: "[P] Communicates Objectives Related to Privacy and Changes to\ + \ Those Objectives \u2014 The entity communicates, to external users, vendors,\ + \ business partners, and others whose products or services, or both, are part\ + \ of the system, the entity\u2019s objectives related to privacy and the protection\ + \ of personal information, as well as changes to those objectives." + translations: + es: + name: null + description: "[P] Comunica los objetivos relacionados con la privacidad\ + \ y los cambios en dichos objetivos - La entidad comunica a los usuarios\ + \ externos, proveedores, socios comerciales y otros cuyos productos o\ + \ servicios, o ambos, forman parte del sistema, los objetivos de la entidad\ + \ relacionados con la privacidad y la protecci\xF3n de la informaci\xF3\ + n personal, as\xED como los cambios en dichos objetivos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3.8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3 + ref_id: CC2.3.8 + description: "[P] Communicates Incident Reporting Methods \u2014 The entity\ + \ communicates to user entities, third parties, data subjects, and others\ + \ the process used to report a suspected privacy incident." 
+ translations: + es: + name: null + description: "[P] Comunica los m\xE9todos de notificaci\xF3n de incidentes\ + \ - La entidad comunica a las entidades usuarias, terceros, interesados\ + \ y otros el proceso utilizado para notificar un presunto incidente relacionado\ + \ con la privacidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3.9 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3 + ref_id: CC2.3.9 + description: "[SYSTEM LEVEL] Communicates Information About System Operation\ + \ and Boundaries \u2014 The entity prepares and communicates information about\ + \ the design and operation of the system and its boundaries to authorized\ + \ external users to permit users to understand their role in the system and\ + \ the results of system operation." + translations: + es: + name: null + description: "[SYSTEM LEVEL] Comunica informaci\xF3n sobre el funcionamiento\ + \ y los l\xEDmites del sistema - La entidad prepara y comunica informaci\xF3\ + n sobre el dise\xF1o y el funcionamiento del sistema y sus l\xEDmites\ + \ a los usuarios externos autorizados para permitir a los usuarios comprender\ + \ su papel en el sistema y los resultados del funcionamiento del sistema." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3.10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3 + ref_id: CC2.3.10 + description: "[SYSTEM LEVEL] Communicates System Objectives \u2014 The entity\ + \ communicates its system objectives to appropriate external users." + translations: + es: + name: null + description: '[SYSTEM LEVEL] Comunica los objetivos del sistema - La entidad + comunica los objetivos de su sistema a los usuarios externos apropiados.' 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3.11 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3 + ref_id: CC2.3.11 + description: "[SYSTEM LEVEL] Communicates System Responsibilities \u2014 External\ + \ users with responsibility for designing, developing, implementing, operating,\ + \ maintaining, and monitoring system controls receive information about such\ + \ responsibilities and have the information necessary to carry out such responsibilities." + translations: + es: + name: null + description: "[NIVEL DEL SISTEMA] Comunica las responsabilidades del sistema\ + \ - Los usuarios externos con responsabilidad en el dise\xF1o, desarrollo,\ + \ implementaci\xF3n, operaci\xF3n, mantenimiento y monitoreo de los controles\ + \ del sistema reciben informaci\xF3n sobre dichas responsabilidades y\ + \ cuentan con la informaci\xF3n necesaria para llevar a cabo dichas responsabilidades." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3.12 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc2.3 + ref_id: CC2.3.12 + description: "[SYSTEM LEVEL] Communicates Information on Reporting System Failures,\ + \ Incidents, Concerns, and Other Matters \u2014 External users are provided\ + \ with information on how to report systems failures, incidents, concerns,\ + \ and other complaints to appropriate entity personnel." + translations: + es: + name: null + description: "[SYSTEM LEVEL] Comunica informaci\xF3n sobre la notificaci\xF3\ + n de fallos del sistema, incidentes, preocupaciones y otras cuestiones\ + \ - Los usuarios externos reciben informaci\xF3n sobre c\xF3mo notificar\ + \ fallos del sistema, incidentes, preocupaciones y otras quejas al personal\ + \ apropiado de la entidad." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3 + assessable: false + depth: 1 + ref_id: CC3 + name: Risk Assessment + translations: + es: + name: "Evaluaci\xF3n del Riesgo" + description: null + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3 + ref_id: CC3.1 + name: COSO Principle 6 + description: The entity specifies objectives with sufficient clarity to enable + the identification and assessment of risks relating to objectives. + translations: + es: + name: Principio 6 de COSO + description: "La entidad especifica los objetivos con suficiente claridad\ + \ para permitir la identificaci\xF3n y evaluaci\xF3n de los riesgos relacionados\ + \ con los objetivos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1 + ref_id: CC3.1.1 + description: "[Operations Objectives] Reflects Management's Choices \u2014 Operations\ + \ objectives reflect management's choices about structure, industry considerations,\ + \ and performance of the entity." + translations: + es: + name: null + description: "[Refleja las decisiones de la direcci\xF3n - Los objetivos\ + \ operativos reflejan las decisiones de la direcci\xF3n sobre la estructura,\ + \ las consideraciones sectoriales y el rendimiento de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1 + ref_id: CC3.1.2 + description: "[Operations Objectives] Considers Tolerances for Risk \u2014 Management\ + \ considers the acceptable levels of variation relative to the achievement\ + \ of operations objectives." 
+ translations: + es: + name: null + description: "[Objetivos de las operaciones] Considera las tolerancias de\ + \ riesgo - La direcci\xF3n considera los niveles aceptables de variaci\xF3\ + n en relaci\xF3n con la consecuci\xF3n de los objetivos de las operaciones." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1 + ref_id: CC3.1.3 + description: "[Operations Objectives] Includes Operations and Financial Performance\ + \ Goals \u2014 The organization reflects the desired level of operations and\ + \ financial performance for the entity within operations objectives." + translations: + es: + name: null + description: "[Objetivos de las operaciones] Incluye metas de rendimiento\ + \ operativo y financiero - La organizaci\xF3n refleja el nivel deseado\ + \ de rendimiento operativo y financiero para la entidad dentro de los\ + \ objetivos operativos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1 + ref_id: CC3.1.4 + description: "[Operations Objectives] Forms a Basis for Committing of Resources\ + \ \u2014 Management uses operations objectives as a basis for allocating resources\ + \ needed to attain desired operations and financial performance." + translations: + es: + name: null + description: "[Objetivos de las operaciones] Forms a Basis for Committing\ + \ of Resources \u2014 Management uses operations objectives as a basis\ + \ for allocating resources needed to attain desired operations and financial\ + \ performance." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1 + ref_id: CC3.1.5 + description: "[External Financial Reporting Objectives] Complies With Applicable\ + \ Accounting Standards \u2014 Financial reporting objectives are consistent\ + \ with accounting principles suitable and available for that entity. The accounting\ + \ principles selected are appropriate in the circumstances." + translations: + es: + name: null + description: "[Objetivos de la informaci\xF3n financiera externa] Cumple\ + \ con las normas contables aplicables - Los objetivos de la informaci\xF3\ + n financiera son coherentes con los principios contables adecuados y disponibles\ + \ para esa entidad. Los principios contables seleccionados son adecuados\ + \ a las circunstancias." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1 + ref_id: CC3.1.6 + description: "[External Financial Reporting Objectives] Considers Materiality\ + \ \u2014 Management considers materiality in financial statement presentation." + translations: + es: + name: null + description: "[Objetivos de la informaci\xF3n financiera externa] Tiene\ + \ en cuenta la importancia relativa - La direcci\xF3n tiene en cuenta\ + \ la importancia relativa en la presentaci\xF3n de los estados financieros." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1.7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1 + ref_id: CC3.1.7 + description: "[External Financial Reporting Objectives] Reflects Entity Activities\ + \ \u2014 External reporting reflects the underlying transactions and events\ + \ to show qualitative characteristics and assertions." 
+ translations: + es: + name: null + description: "[Objetivos de la informaci\xF3n financiera externa] Refleja\ + \ las actividades de la entidad - La informaci\xF3n externa refleja las\ + \ transacciones y eventos subyacentes para mostrar las caracter\xEDsticas\ + \ cualitativas y las afirmaciones." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1.8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1 + ref_id: CC3.1.8 + description: "[External Nonfinancial Reporting Objectives] Complies With Externally\ + \ Established Frameworks \u2014 Management establishes objectives consistent\ + \ with laws and regulations or standards and frameworks of recognized external\ + \ organizations." + translations: + es: + name: null + description: "[Objetivos de reporting externo no financiero] Cumple con\ + \ marcos establecidos externamente - La direcci\xF3n establece objetivos\ + \ coherentes con leyes y reglamentos o normas y marcos de organizaciones\ + \ externas reconocidas." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1.9 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1 + ref_id: CC3.1.9 + description: "[External Nonfinancial Reporting Objectives] Considers the Required\ + \ Level of Precision \u2014 Management reflects the required level of precision\ + \ and accuracy suitable for user needs and based on criteria established by\ + \ third parties in nonfinancial reporting." + translations: + es: + name: null + description: "[Objetivos de reporting externo no financiero] Considera el\ + \ nivel de precisi\xF3n requerido - La direcci\xF3n refleja el nivel requerido\ + \ de precisi\xF3n y exactitud adecuado a las necesidades de los usuarios\ + \ y basado en criterios establecidos por terceros en la informaci\xF3\ + n no financiera." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1.10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1 + ref_id: CC3.1.10 + description: "[External Nonfinancial Reporting Objectives] Reflects Entity Activities\ + \ \u2014 External reporting reflects the underlying transactions and events\ + \ within a range of acceptable limits." + translations: + es: + name: null + description: "[Objetivos de reporting externo no financiero] Refleja las\ + \ actividades de la entidad - La informaci\xF3n externa refleja las transacciones\ + \ y eventos subyacentes dentro de un rango de l\xEDmites aceptables." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1.11 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1 + ref_id: CC3.1.11 + description: "[Internal Reporting Objectives] Reflects Management's Choices\ + \ \u2014 Internal reporting provides management with accurate and complete\ + \ information regarding management's choices and information needed in managing\ + \ the entity." + translations: + es: + name: null + description: "[Objetivos de la informaci\xF3n interna] Refleja las decisiones\ + \ de la direcci\xF3n - La informaci\xF3n interna proporciona a la direcci\xF3\ + n datos precisos y completos sobre las decisiones de la direcci\xF3n y\ + \ la informaci\xF3n necesaria para gestionar la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1.12 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1 + ref_id: CC3.1.12 + description: "[Internal Reporting Objectives] Considers the Required Level of\ + \ Precision \u2014 Management reflects the required level of precision and\ + \ accuracy suitable for user needs in nonfinancial reporting objectives and\ + \ materiality within financial reporting objectives." 
+ translations: + es: + name: null + description: "[Objetivos de la informaci\xF3n interna] Tiene en cuenta el\ + \ nivel de precisi\xF3n requerido - La direcci\xF3n refleja el nivel requerido\ + \ de precisi\xF3n y exactitud adecuado a las necesidades de los usuarios\ + \ en los objetivos de la informaci\xF3n no financiera y la importancia\ + \ relativa en los objetivos de la informaci\xF3n financiera." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1.13 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1 + ref_id: CC3.1.13 + description: "[Internal Reporting Objectives] Reflects Entity Activities \u2014\ + \ Internal reporting reflects the underlying transactions and events within\ + \ a range of acceptable limits." + translations: + es: + name: null + description: "[Refleja las actividades de la entidad - La informaci\xF3\ + n interna refleja las transacciones y hechos subyacentes dentro de unos\ + \ l\xEDmites aceptables." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1.14 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1 + ref_id: CC3.1.14 + description: "[Compliance Objectives] Reflects External Laws and Regulations\ + \ \u2014 Laws and regulations establish m\xEDnimum standards of conduct, which\ + \ the entity integrates into compliance objectives." + translations: + es: + name: null + description: "[Refleja las leyes y reglamentos externos - Las leyes y reglamentos\ + \ establecen normas m\xEDnimas de conducta, que la entidad integra en\ + \ los objetivos de cumplimiento." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1.15 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1 + ref_id: CC3.1.15 + description: "[Compliance Objectives] Considers Tolerances for Risk \u2014 Management\ + \ considers the acceptable levels of variation relative to the achievement\ + \ of operations objectives." 
+ translations: + es: + name: null + description: "[Objetivos de cumplimiento] Considera las tolerancias de riesgo\ + \ - La direcci\xF3n considera los niveles aceptables de variaci\xF3n en\ + \ relaci\xF3n con la consecuci\xF3n de los objetivos de las operaciones." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1.16 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.1 + ref_id: CC3.1.16 + description: "Establishes Sub-Objectives for Risk Assessment \u2014 Management\ + \ identifies sub-objectives for use in risk assessment related to security,\ + \ availability, processing integrity, confidentiality, or privacy to support\ + \ the achievement of the entity\u2019s objectives." + translations: + es: + name: null + description: "Establece subobjetivos para la evaluaci\xF3n de riesgos -\ + \ La direcci\xF3n identifica subobjetivos para su uso en la evaluaci\xF3\ + n de riesgos relacionados con la seguridad, la disponibilidad, la integridad\ + \ del procesamiento, la confidencialidad o la privacidad para apoyar la\ + \ consecuci\xF3n de los objetivos de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3 + ref_id: CC3.2 + name: COSO Principle 7 + description: 'COSO Principle 7: The entity identifies risks to the achievement + of its objectives across the entity and analyzes risks as a basis for determining + how the risks should be managed.' + translations: + es: + name: Principio 7 de COSO + description: "Principio COSO 7: La entidad identifica los riesgos para la\ + \ consecuci\xF3n de sus objetivos en toda la entidad y analiza los riesgos\ + \ como base para determinar c\xF3mo deben gestionarse." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2 + ref_id: CC3.2.1 + description: "[COSO] Includes Entity, Subsidiary, Division, Operating Unit,\ + \ and Functional Levels \u2014 The entity identifies and assesses risk at\ + \ the entity, subsidiary, division, operating unit, and functional levels\ + \ relevant to the achievement of objectives." + translations: + es: + name: null + description: "[COSO] Incluye los niveles de entidad, filial, divisi\xF3\ + n, unidad operativa y funcional - La entidad identifica y eval\xFAa el\ + \ riesgo en los niveles de entidad, filial, divisi\xF3n, unidad operativa\ + \ y funcional pertinentes para la consecuci\xF3n de los objetivos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2 + ref_id: CC3.2.2 + description: "[COSO] Analyzes Internal and External Factors \u2014 Risk identification\ + \ considers both internal and external factors and their impact on the achievement\ + \ of objectives." + translations: + es: + name: null + description: "[COSO] Analiza los factores internos y externos - La identificaci\xF3\ + n de riesgos tiene en cuenta tanto los factores internos como los externos\ + \ y su impacto en la consecuci\xF3n de los objetivos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2 + ref_id: CC3.2.3 + description: "[COSO] Involves Appropriate Levels of Management \u2014 The entity\ + \ puts into place effective risk assessment mechanisms that involve appropriate\ + \ levels of management." 
+ translations: + es: + name: null + description: "[COSO] Implica a los niveles de direcci\xF3n adecuados - La\ + \ entidad establece mecanismos eficaces de evaluaci\xF3n de riesgos que\ + \ implican a los niveles de direcci\xF3n adecuados." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2 + ref_id: CC3.2.4 + description: "[COSO] Estimates Significance of Risks Identified \u2014 Identified\ + \ risks are analyzed through a process that includes estimating the potential\ + \ significance of the risk." + translations: + es: + name: null + description: "[COSO] Estima la importancia de los riesgos identificados\ + \ - Los riesgos identificados se analizan mediante un proceso que incluye\ + \ la estimaci\xF3n de la importancia potencial del riesgo." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2 + ref_id: CC3.2.5 + description: "[COSO] Determines How to Respond to Risks \u2014 Risk assessment\ + \ includes considering how the risk should be managed and whether to accept,\ + \ avoid, reduce, or share the risk. Identifies Threats to Objectives \u2014\ + The entity identifies threats to the achievement of its objectives from intentional\ + \ (including malicious) and unintentional acts and environmental events." + translations: + es: + name: null + description: "[COSO] Determina c\xF3mo responder a los riesgos - La evaluaci\xF3\ + n de riesgos incluye considerar c\xF3mo debe gestionarse el riesgo y si\ + \ debe aceptarse, evitarse, reducirse o compartirse. Identifica las amenazas\ + \ a los objetivos - La entidad identifica las amenazas a la consecuci\xF3\ + n de sus objetivos derivadas de actos intencionados (incluidos los malintencionados)\ + \ y no intencionados y de acontecimientos del entorno." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2 + ref_id: CC3.2.6 + description: "[TSC] Identifies Vulnerability of System Components \u2014 The\ + \ entity identifies the vulnerabilities of system components, including system\ + \ processes, infrastructure, software, and other information assets." + translations: + es: + name: null + description: "[TSC] Identifica la vulnerabilidad de los componentes del\ + \ sistema - La entidad identifica las vulnerabilidades de los componentes\ + \ del sistema, incluidos los procesos del sistema, la infraestructura,\ + \ el software y otros activos de informaci\xF3n." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2.7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2 + ref_id: CC3.2.7 + description: "[TSC] Analyzes Threats and Vulnerabilities From Vendors, Business\ + \ Partners, and Other Parties \u2014 The entity's risk assessment process\ + \ includes the analysis of potential threats and vulnerabilities arising from\ + \ vendors providing goods and services, as well as threats and vulnerabilities\ + \ arising from business partners, customers, and other third parties with\ + \ access to the entity's information systems." + translations: + es: + name: null + description: "[TSC] Analiza las amenazas y vulnerabilidades de proveedores,\ + \ socios comerciales y otras partes - El proceso de evaluaci\xF3n de riesgos\ + \ de la entidad incluye el an\xE1lisis de las posibles amenazas y vulnerabilidades\ + \ derivadas de los proveedores de bienes y servicios, as\xED como las\ + \ amenazas y vulnerabilidades derivadas de los socios comerciales, clientes\ + \ y otros terceros con acceso a los sistemas de informaci\xF3n de la entidad." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2.8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.2 + ref_id: CC3.2.8 + description: "[TSC] Assesses the Significance of the Risks \u2014 The entity\ + \ assesses the significance of the identified risks, including (1) determining\ + \ the criticality of system components, including information assets, in achieving\ + \ the objectives; (2) assessing the susceptibility of the identified vulnerabilities\ + \ to the identified threats (3) assessing the likelihood of the identified\ + \ risks (4) assessing the magnitude of the effect of potential risks to the\ + \ achievement of the objectives; (5) considering the potential effects of\ + \ unidentified threats and vulnerabilities on the assessed risks; (6) developing\ + \ risk mitigation strategies to address the assessed risks; and (7) evaluating\ + \ the appropriateness of residual risk (including whether to accept, reduce,\ + \ or share such risks)." 
+ translations: + es: + name: null + description: "[TSC] Eval\xFAa la importancia de los riesgos - La entidad\ + \ eval\xFAa la importancia de los riesgos identificados, incluyendo (1)\ + \ la determinaci\xF3n de la criticidad de los componentes del sistema,\ + \ incluidos los activos de informaci\xF3n, en el logro de los objetivos;\ + \ (2) la evaluaci\xF3n de la susceptibilidad de las vulnerabilidades identificadas\ + \ a las amenazas identificadas (3) la evaluaci\xF3n de la probabilidad\ + \ de los riesgos identificados (4) la evaluaci\xF3n de la magnitud del\ + \ efecto de los riesgos potenciales para el logro de los objetivos; (5)\ + \ considerar los efectos potenciales de las amenazas y vulnerabilidades\ + \ no identificadas sobre los riesgos evaluados; (6) desarrollar estrategias\ + \ de mitigaci\xF3n de riesgos para hacer frente a los riesgos evaluados;\ + \ y (7) evaluar la idoneidad del riesgo residual (incluyendo si aceptar,\ + \ reducir o compartir dichos riesgos)." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3 + ref_id: CC3.3 + name: COSO Principle 8 + description: The entity considers the potential for fraud in assessing risks + to the achievement of objectives. + translations: + es: + name: Principio 8 de COSO + description: "La entidad tiene en cuenta la posibilidad de fraude al evaluar\ + \ los riesgos para la consecuci\xF3n de los objetivos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.3.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.3 + ref_id: CC3.3.1 + description: "[COSO] Considers Various Types of Fraud \u2014 The assessment\ + \ of fraud considers fraudulentreporting, possible loss of assets, and corruption\ + \ resulting from the various ways that fraud and misconduct can occur." 
+ translations: + es: + name: null + description: "[COSO] Considera varios tipos de fraude - La evaluaci\xF3\ + n del fraude considera la informaci\xF3n fraudulenta, la posible p\xE9\ + rdida de activos y la corrupci\xF3n resultante de las diversas formas\ + \ en que pueden producirse el fraude y la mala conducta." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.3.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.3 + ref_id: CC3.3.2 + description: "[COSO] Assesses Incentives and Pressures \u2014 The assessment\ + \ of fraud risks considers incentives and pressures." + translations: + es: + name: null + description: "[COSO] Eval\xFAa los incentivos y las presiones - La evaluaci\xF3\ + n de los riesgos de fraude tiene en cuenta los incentivos y las presiones." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.3.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.3 + ref_id: CC3.3.3 + description: "[COSO] Assesses Opportunities \u2014 The assessment of fraud risk\ + \ considers opportunities for unauthorized acquisition, use, or disposal of\ + \ assets, altering the entity\u2019s reporting records, or committing other\ + \ inappropriate acts." + translations: + es: + name: null + description: "[COSO] Eval\xFAa las oportunidades - La evaluaci\xF3n del\ + \ riesgo de fraude tiene en cuenta las oportunidades de adquisici\xF3\ + n, uso o enajenaci\xF3n no autorizados de activos, alteraci\xF3n de los\ + \ registros de informaci\xF3n de la entidad o comisi\xF3n de otros actos\ + \ inapropiados." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.3.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.3 + ref_id: CC3.3.4 + description: "[COSO] Assesses Attitudes and Rationalizations \u2014 The assessment\ + \ of fraud risk considers how management and other personnel might engage\ + \ in or justify inappropriate actions." + translations: + es: + name: null + description: "[COSO] Eval\xFAa actitudes y racionalizaciones - La evaluaci\xF3\ + n del riesgo de fraude tiene en cuenta el modo en que la direcci\xF3n\ + \ y el resto del personal pueden llevar a cabo o justificar acciones inadecuadas." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.3.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.3 + ref_id: CC3.3.5 + description: "[TSC] Considers the Risks Related to the Use of IT and Access\ + \ to Information \u2014 The assessment of fraud risks includes consideration\ + \ of internal and external threats and vulnerabilities that arise specifically\ + \ from the use of IT and access to information." + translations: + es: + name: null + description: "[TSC] Considera los riesgos relacionados con el uso de TI\ + \ y el acceso a la informaci\xF3n - La evaluaci\xF3n de los riesgos de\ + \ fraude incluye la consideraci\xF3n de las amenazas y vulnerabilidades\ + \ internas y externas que surgen espec\xEDficamente del uso de TI y el\ + \ acceso a la informaci\xF3n." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3 + ref_id: CC3.4 + name: COSO Principle 9 + description: 'COSO Principle 9: The entity identifies and assesses changes that + could significantly impact the + + system of internal control.' 
+ translations: + es: + name: Principio 9 de COSO + description: "Principio COSO 9: La entidad identifica y eval\xFAa los cambios\ + \ que podr\xEDan tener un impacto significativo en el sistema de control\ + \ interno." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.4.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.4 + ref_id: CC3.4.1 + description: "[COSO] Assesses Changes in the External Environment \u2014 The\ + \ risk identification process considers changes to the regulatory, economic,\ + \ and physical environment in which the entity operates." + translations: + es: + name: null + description: "[COSO] Eval\xFAa los cambios en el entorno externo: El proceso\ + \ de identificaci\xF3n de riesgos considera los cambios en el entorno\ + \ normativo, econ\xF3mico y f\xEDsico en el que opera la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.4.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.4 + ref_id: CC3.4.2 + description: "[COSO] Assesses Changes in the Business Model \u2014 The entity\ + \ considers the potential impacts of new business lines, dramatically altered\ + \ compositions of existing business lines, acquired or divested business operations\ + \ on the system of internal control, rapid growth, changing reliance on foreign\ + \ geographies, and new technologies." + translations: + es: + name: null + description: "[COSO] Eval\xFAa los cambios en el modelo de negocio: La entidad\ + \ analiza los posibles impactos en el sistema de control interno derivados\ + \ de nuevas l\xEDneas de negocio, alteraciones significativas en la composici\xF3\ + n de l\xEDneas de negocio existentes, operaciones adquiridas o desinvertidas,\ + \ crecimiento acelerado, mayor dependencia de geograf\xEDas extranjeras\ + \ y nuevas tecnolog\xEDas." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.4.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.4 + ref_id: CC3.4.3 + description: "[COSO] Assesses Changes in Leadership \u2014 The entity considers\ + \ changes in management and respective attitudes and philosophies on the system\ + \ of internal control." + translations: + es: + name: null + description: "[COSO] Eval\xFAa los cambios en el liderazgo: La entidad considera\ + \ las modificaciones en la direcci\xF3n y las actitudes y filosof\xED\ + as asociadas respecto al sistema de control interno." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.4.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.4 + ref_id: CC3.4.4 + description: "[TSC] Assesses Changes in Systems and Technology \u2014 The risk\ + \ identification process considers changes arising from changes in the entity\u2019\ + s systems and changes in the technology environment." + translations: + es: + name: null + description: "[TSC] Eval\xFAa los cambios en los sistemas y la tecnolog\xED\ + a: El proceso de identificaci\xF3n de riesgos considera los cambios derivados\ + \ de modificaciones en los sistemas de la entidad y en el entorno tecnol\xF3\ + gico." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.4.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.4 + ref_id: CC3.4.5 + description: "[TSC] Assesses Changes in Vendor and Business Partner Relationships\ + \ \u2014 The risk identification process considers changes in vendor and business\ + \ partner relationships." + translations: + es: + name: null + description: "[TSC] Eval\xFAa los cambios en las relaciones con proveedores\ + \ y socios comerciales: El proceso de identificaci\xF3n de riesgos contempla\ + \ las variaciones en las relaciones con proveedores y socios comerciales." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.4.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc3.4 + ref_id: CC3.4.6 + description: "[TSC] Assesses Changes in Threats and Vulnerabilities \u2014 The\ + \ risk identification process assesses changes in (1) internal and external\ + \ threats to and vulnerabilities of the components of the entity\u2019s systems\ + \ and (2) the likelihood and magnitude of the resultant risks to the achievement\ + \ of the entity\u2019s objectives." + translations: + es: + name: null + description: "[TSC] Eval\xFAa los cambios en las amenazas y vulnerabilidades:\ + \ El proceso de identificaci\xF3n de riesgos analiza los cambios en (1)\ + \ las amenazas internas y externas, as\xED como las vulnerabilidades de\ + \ los componentes de los sistemas de la entidad, y (2) la probabilidad\ + \ y magnitud de los riesgos resultantes para el logro de los objetivos\ + \ de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4 + assessable: false + depth: 1 + ref_id: CC4 + name: Monitoring Activities + translations: + es: + name: "Actividades de Supervisi\xF3n" + description: null + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4 + ref_id: CC4.1 + name: COSO Principle 16 + description: The entity selects, develops, and performs ongoing and/or separate + evaluations to ascertain whether the components of internal control are present + and functioning. + translations: + es: + name: Principio 16 de COSO + description: "La entidad selecciona, desarrolla y realiza evaluaciones continuas\ + \ y/o separadas para determinar si los componentes del control interno\ + \ est\xE1n presentes y funcionan." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.1.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.1 + ref_id: CC4.1.1 + description: "[COSO] Considers a Mix of Ongoing and Separate Evaluations \u2014\ + \ Management includes a balance of ongoing and separate evaluations." + translations: + es: + name: null + description: "[COSO] Considera una combinaci\xF3n de evaluaciones continuas\ + \ y separadas - La direcci\xF3n incluye un equilibrio entre evaluaciones\ + \ continuas y separadas." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.1.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.1 + ref_id: CC4.1.2 + description: "[COSO] Considers Rate of Change \u2014 Management considers the\ + \ rate of change in business and business processes when selecting and developing\ + \ ongoing and separate evaluations." + translations: + es: + name: null + description: "[COSO] Tiene en cuenta el ritmo de cambio - La direcci\xF3\ + n tiene en cuenta el ritmo de cambio de la empresa y de los procesos empresariales\ + \ a la hora de seleccionar y desarrollar evaluaciones continuas y separadas." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.1.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.1 + ref_id: CC4.1.3 + description: "[COSO] Establishes Baseline Understanding \u2014 The design and\ + \ current state of an internal control system are used to establish a baseline\ + \ for ongoing and separate evaluations." + translations: + es: + name: null + description: "[COSO] Establece una base de comprensi\xF3n - El dise\xF1\ + o y el estado actual de un sistema de control interno se utilizan para\ + \ establecer una base de referencia para las evaluaciones en curso y por\ + \ separado." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.1.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.1 + ref_id: CC4.1.4 + description: "[COSO] Uses Knowledgeable Personnel \u2014 Evaluators performing\ + \ ongoing and separate evaluations have sufficient knowledge to understand\ + \ what is being evaluated." + translations: + es: + name: null + description: "[COSO] Utiliza personal con conocimientos - Los evaluadores\ + \ que realizan evaluaciones continuas y separadas tienen conocimientos\ + \ suficientes para comprender lo que se est\xE1 evaluando." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.1.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.1 + ref_id: CC4.1.5 + description: "[COSO] Integrates With Business Processes \u2014 Ongoing evaluations\ + \ are built into the business processes and adjust to changing conditions." + translations: + es: + name: null + description: '[COSO] Se integra con los procesos empresariales: las evaluaciones + continuas se incorporan a los procesos empresariales y se ajustan a las + condiciones cambiantes.' + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.1.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.1 + ref_id: CC4.1.6 + description: "[COSO] Adjusts Scope and Frequency \u2014 Management varies the\ + \ scope and frequency of separate evaluations depending on risk." + translations: + es: + name: null + description: "[COSO] Ajusta el alcance y la frecuencia - La direcci\xF3\ + n var\xEDa el alcance y la frecuencia de las evaluaciones independientes\ + \ en funci\xF3n del riesgo." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.1.7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.1 + ref_id: CC4.1.7 + description: "[COSO] Objectively Evaluates \u2014 Separate evaluations are performed\ + \ periodically to provide objective feedback." + translations: + es: + name: null + description: "[COSO] Eval\xFAa de forma objetiva - Peri\xF3dicamente se\ + \ realizan evaluaciones independientes para proporcionar informaci\xF3\ + n objetiva." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.1.8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.1 + ref_id: CC4.1.8 + description: "[TSC] Considers Different Types of Ongoing and Separate Evaluations\ + \ \u2014 Management uses a variety of ongoing and separate risk and control\ + \ evaluations to determine whether internal controls are present and functioning.\ + \ Depending on the entity\u2019s objectives, such risk and control evaluations\ + \ may include first- and second-line monitoring and control testing, internal\ + \ audit assessments, compliance assessments, resilience assessments, vulnerability\ + \ scans, security assessment, penetration testing, and third-party assessments." + translations: + es: + name: null + description: "[TSC] Considera diferentes tipos de evaluaciones continuas\ + \ y separadas - La direcci\xF3n utiliza una variedad de evaluaciones continuas\ + \ y separadas de riesgos y controles para determinar si los controles\ + \ internos est\xE1n presentes y funcionan. Dependiendo de los objetivos\ + \ de la entidad, dichas evaluaciones de riesgos y controles pueden incluir\ + \ pruebas de supervisi\xF3n y control de primera y segunda l\xEDnea, evaluaciones\ + \ de auditor\xEDa interna, evaluaciones de cumplimiento, evaluaciones\ + \ de resiliencia, escaneos de vulnerabilidad, evaluaci\xF3n de seguridad,\ + \ pruebas de penetraci\xF3n y evaluaciones de terceros." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4 + ref_id: CC4.2 + name: COSO Principle 17 + description: The entity evaluates and communicates internal control deficiencies + in a timely manner to those parties responsible for taking corrective action, + including senior management and the board of directors, as appropriate. + translations: + es: + name: Principio 17 de COSO + description: "La entidad eval\xFAa y comunica oportunamente las deficiencias\ + \ del control interno a las partes responsables de adoptar medidas correctoras,\ + \ incluida la alta direcci\xF3n y el consejo de administraci\xF3n, seg\xFA\ + n proceda." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.2.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.2 + ref_id: CC4.2.1 + description: "[COSO] Assesses Results \u2014 Management and the board of directors,\ + \ as appropriate, assess results of ongoing and separate evaluations." + translations: + es: + name: null + description: "[COSO] Eval\xFAa los resultados - La direcci\xF3n y el consejo\ + \ de administraci\xF3n, seg\xFAn proceda, eval\xFAan los resultados de\ + \ las evaluaciones en curso y de las independientes." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.2.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.2 + ref_id: CC4.2.2 + description: "[COSO] Communicates Deficiencies \u2014 Deficiencies are communicated\ + \ to parties responsable for taking corrective action and to senior management\ + \ and the board of directors, as appropriate." + translations: + es: + name: null + description: "[COSO] Comunica las deficiencias - Las deficiencias se comunican\ + \ a las partes responsables de tomar medidas correctoras y a la alta direcci\xF3\ + n y al consejo de administraci\xF3n, seg\xFAn proceda." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.2.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc4.2 + ref_id: CC4.2.3 + description: "[COSO] Monitors Corrective Action \u2014 Management tracks whether\ + \ deficiencies are remedied on a timely basis." + translations: + es: + name: null + description: "[COSO] Supervisa las medidas correctoras: la direcci\xF3n\ + \ controla si las deficiencias se subsanan a tiempo." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5 + assessable: false + depth: 1 + ref_id: CC5 + name: Control Activities + translations: + es: + name: Actividades de control + description: null + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5 + ref_id: CC5.1 + name: COSO Principle 10 + description: The entity selects and develops control activities that contribute + to the mitigation of risks to the achievement of objectives to acceptable + levels. + translations: + es: + name: Principio 10 de COSO + description: "La entidad selecciona y desarrolla actividades de control\ + \ que contribuyen a mitigar los riesgos para la consecuci\xF3n de los\ + \ objetivos hasta niveles aceptables." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.1.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.1 + ref_id: CC5.1.1 + description: "[COSO] Integrates With Risk Assessment \u2014 Control activities\ + \ help ensure that risk responses that address and mitigate risks are carried\ + \ out." + translations: + es: + name: null + description: "[COSO] Se integra con la evaluaci\xF3n de riesgos - Las actividades\ + \ de control ayudan a garantizar que se llevan a cabo las respuestas que\ + \ abordan y mitigan los riesgos." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.1.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.1 + ref_id: CC5.1.2 + description: "[COSO] Considers Entity-Specific Factors \u2014 Management considers\ + \ how the environment, complexity, nature, and scope of its operations, as\ + \ well as the specific characteristics of its organization, affect the selection\ + \ and development of control activities." + translations: + es: + name: null + description: "[COSO] Considera factores espec\xEDficos de la entidad - La\ + \ direcci\xF3n tiene en cuenta c\xF3mo el entorno, la complejidad, la\ + \ naturaleza y el alcance de sus operaciones, as\xED como las caracter\xED\ + sticas espec\xEDficas de su organizaci\xF3n, afectan a la selecci\xF3\ + n y el desarrollo de las actividades de control." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.1.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.1 + ref_id: CC5.1.3 + description: "[COSO] Determines Relevant Business Processes \u2014 Management\ + \ determines which relevant business processes require control activities." + translations: + es: + name: null + description: "[COSO] Determina los procesos de negocio relevantes - La direcci\xF3\ + n determina qu\xE9 procesos de negocio relevantes requieren actividades\ + \ de control." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.1.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.1 + ref_id: CC5.1.4 + description: "[COSO] Evaluates a Mix of Control Activity Types \u2014 Control\ + \ activities include a range and variety of controls and may include a balance\ + \ of approaches to mitigate risks, considering both manual and automated controls,\ + \ and preventive and detective controls." 
+ translations: + es: + name: null + description: "[COSO] Eval\xFAa una mezcla de tipos de actividades de control\ + \ - Las actividades de control incluyen una gama y variedad de controles\ + \ y pueden incluir un equilibrio de enfoques para mitigar los riesgos,\ + \ considerando tanto los controles manuales como los automatizados, y\ + \ los controles preventivos y detectivos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.1.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.1 + ref_id: CC5.1.5 + description: "[COSO] Considers at What Level Activities Are Applied \u2014 Management\ + \ considers control activities at various levels in the entity." + translations: + es: + name: null + description: "[COSO] Considera a qu\xE9 nivel se aplican las actividades\ + \ - La direcci\xF3n considera las actividades de control a varios niveles\ + \ en la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.1.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.1 + ref_id: CC5.1.6 + description: "[COSO] Addresses Segregation of Duties \u2014 Management segregates\ + \ incompatible duties and, where such segregation is not practical, management\ + \ selects and develops alternative control activities." + translations: + es: + name: null + description: "[COSO] Aborda la segregaci\xF3n de funciones - La direcci\xF3\ + n segrega las funciones incompatibles y, cuando dicha segregaci\xF3n no\ + \ resulta pr\xE1ctica, selecciona y desarrolla actividades de control\ + \ alternativas." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5 + ref_id: CC5.2 + name: COSO Principle 11 + description: The entity also selects and develops general control activities + over technology to support the achievement of objectives. 
+ translations: + es: + name: Principio 11 de COSO + description: "La entidad tambi\xE9n selecciona y desarrolla actividades\ + \ de control general sobre la tecnolog\xEDa para apoyar el logro de los\ + \ objetivos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.2.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.2 + ref_id: CC5.2.1 + description: "Determines Dependency Between the Use of Technology in Business\ + \ Processes and Technology General Controls \u2014 Management understands\ + \ and determines the dependency and linkage between business processes, automated\ + \ control activities, and technology general controls." + translations: + es: + name: null + description: "[COSO] Determina la dependencia entre el uso de la tecnolog\xED\ + a en los procesos de negocio y los controles generales de tecnolog\xED\ + a: La direcci\xF3n comprende y determina la dependencia y vinculaci\xF3\ + n entre los procesos de negocio, las actividades de control automatizadas\ + \ y los controles generales de tecnolog\xEDa." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.2.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.2 + ref_id: CC5.2.2 + description: "Establishes Relevant Technology Infrastructure Control Activities\ + \ \u2014 Management selects and develops control activities over the technology\ + \ infrastructure, which are designed and implemented to help ensure the completeness,\ + \ accuracy, and availability of technology processing." + translations: + es: + name: null + description: "[COSO] Establece actividades de control relevantes sobre la\ + \ infraestructura tecnol\xF3gica: La direcci\xF3n selecciona y desarrolla\ + \ actividades de control sobre la infraestructura tecnol\xF3gica, que\ + \ est\xE1n dise\xF1adas e implementadas para contribuir a garantizar la\ + \ integridad, exactitud y disponibilidad del procesamiento tecnol\xF3\ + gico." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.2.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.2 + ref_id: CC5.2.3 + description: "Establishes Relevant Security Management Process Controls Activities\ + \ \u2014 Management selects and develops control activities that are designed\ + \ and implemented to restrict technology access rights to authorized users\ + \ commensurate with their job responsibilities and to protect the entity\u2019\ + s assets from external threats." + translations: + es: + name: null + description: "[COSO] Establece actividades de control relevantes en los\ + \ procesos de gesti\xF3n de la seguridad: La direcci\xF3n selecciona y\ + \ desarrolla actividades de control dise\xF1adas e implementadas para\ + \ restringir los derechos de acceso a la tecnolog\xEDa a usuarios autorizados,\ + \ en funci\xF3n de sus responsabilidades laborales, y para proteger los\ + \ activos de la entidad frente a amenazas externas." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.2.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.2 + ref_id: CC5.2.4 + description: "Establishes Relevant Technology Acquisition, Development, and\ + \ Maintenance Process Control Activities \u2014 Management selects and develops\ + \ control activities over the acquisition, development, and maintenance of\ + \ technology and its infrastructure to achieve management\u2019s objectives." + translations: + es: + name: null + description: "[COSO] Establece actividades de control relevantes en la adquisici\xF3\ + n, desarrollo y mantenimiento de la tecnolog\xEDa: La direcci\xF3n selecciona\ + \ y desarrolla actividades de control sobre la adquisici\xF3n, desarrollo\ + \ y mantenimiento de la tecnolog\xEDa y su infraestructura para alcanzar\ + \ los objetivos de la direcci\xF3n." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5 + ref_id: CC5.3 + name: COSO Principle 12 + description: 'The entity deploys control activities through policies that establish + what is + + expected and in procedures that put policies into action.' + translations: + es: + name: null + description: "La entidad despliega actividades de control a trav\xE9s de\ + \ pol\xEDticas que establecen lo que se\nesperado y en procedimientos\ + \ que ponen las pol\xEDticas en acci\xF3n\xBB." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.3.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.3 + ref_id: CC5.3.1 + description: "[COSO] Establishes Policies and Procedures to Support Deployment\ + \ of Management\u2019s Directives \u2014 Management establishes control activities\ + \ that are built into business processes and employees\u2019 day-to-day activities\ + \ through policies establishing what is expected and relevant procedures specifying\ + \ actions." + translations: + es: + name: null + description: "[COSO] Establece pol\xEDticas y procedimientos para apoyar\ + \ el despliegue de las directivas de la direcci\xF3n - La direcci\xF3\ + n establece actividades de control que se incorporan a los procesos empresariales\ + \ y a las actividades cotidianas de los empleados mediante pol\xEDticas\ + \ que establecen lo que se espera y procedimientos pertinentes que especifican\ + \ las acciones." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.3.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.3 + ref_id: CC5.3.2 + description: "[COSO] Establishes Responsibility and Accountability for Executing\ + \ Policies and Procedures \u2014 Management establishes responsibility and\ + \ accountability for control activities with management (or other designated\ + \ personnel) of the business unit or function in which the relevant risks\ + \ reside." + translations: + es: + name: null + description: "[COSO] Establece la responsabilidad y la obligaci\xF3n de\ + \ rendir cuentas para la ejecuci\xF3n de pol\xEDticas y procedimientos\ + \ - La direcci\xF3n establece la responsabilidad y la obligaci\xF3n de\ + \ rendir cuentas para las actividades de control con la direcci\xF3n (u\ + \ otro personal designado) de la unidad de negocio o funci\xF3n en la\ + \ que residen los riesgos relevantes." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.3.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.3 + ref_id: CC5.3.3 + description: "[COSO] Performs in a Timely Manner \u2014 Responsible personnel\ + \ perform control activities in a timely manner as defined by the policies\ + \ and procedures." + translations: + es: + name: null + description: "[COSO] Realizaci\xF3n oportuna - El personal responsable realiza\ + \ las actividades de control de forma oportuna, tal y como se define en\ + \ las pol\xEDticas y procedimientos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.3.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.3 + ref_id: CC5.3.4 + description: "[COSO] Takes Corrective Action \u2014 Responsible personnel investigate\ + \ and act on matters identified as a result of executing control activities." 
+ translations: + es: + name: null + description: "[COSO] Toma medidas correctivas - El personal responsable\ + \ investiga y act\xFAa sobre los asuntos identificados como resultado\ + \ de la ejecuci\xF3n de las actividades de control." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.3.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.3 + ref_id: CC5.3.5 + description: "[COSO] Performs Using Competent Personnel \u2014 Competent personnel\ + \ with sufficient authority perform control activities with diligence and\ + \ continuing focus." + translations: + es: + name: null + description: "[COSO] Performs Using Competent Personnel \u2014 Competent\ + \ personnel with sufficient authority perform control activities with\ + \ diligence and continuing focus." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.3.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc5.3 + ref_id: CC5.3.6 + description: "[COSO] Reassesses Policies and Procedures \u2014 Management periodically\ + \ reviews control activities to determine their continued relevance and refreshes\ + \ them when necessary." + translations: + es: + name: null + description: "[COSO] Reevaluaci\xF3n de pol\xEDticas y procedimientos -\ + \ La direcci\xF3n revisa peri\xF3dicamente las actividades de control\ + \ para determinar si siguen siendo pertinentes y las actualiza cuando\ + \ es necesario." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6 + assessable: false + depth: 1 + ref_id: CC6 + name: Logical and Physical Access Controls + translations: + es: + name: "Controles de acceso l\xF3gico y f\xEDsico" + description: null + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6 + ref_id: CC6.1 + description: The entity implements logical access security software, infrastructure, + and architectures over protected information assets to protect them from security + events to meet the entity's objectives. + translations: + es: + name: null + description: "La entidad implementa software de seguridad de acceso l\xF3\ + gico, infraestructura y arquitecturas sobre activos de informaci\xF3n\ + \ protegidos para protegerlos de eventos de seguridad y cumplir con los\ + \ objetivos de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1 + ref_id: CC6.1.1 + description: "[TSC] Identifies and Manages the Inventory of Information Assets\ + \ \u2014 The entity identifies, inventories, classifies, and manages information\ + \ assets (for example, infrastructure, software, and data)." + translations: + es: + name: null + description: "[TSC] Identifica y gestiona el inventario de activos de informaci\xF3\ + n: La entidad identifica, inventar\xEDa, clasifica y gestiona los activos\ + \ de informaci\xF3n (por ejemplo, infraestructura, software y datos)." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1 + ref_id: CC6.1.2 + description: "[TSC] Assesses New Architectures \u2014 The entity identifies\ + \ new system architectures and assesses their security prior to implementation\ + \ into the system environment." 
+ translations: + es: + name: null + description: "[TSC] Eval\xFAa nuevas arquitecturas: La entidad identifica\ + \ nuevas arquitecturas del sistema y eval\xFAa su seguridad antes de implementarlas\ + \ en el entorno del sistema." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1 + ref_id: CC6.1.3 + description: "[TSC] Restricts Logical Access \u2014 The entity restricts logical\ + \ access to information assets, including infrastructure (for example, server,\ + \ storage, network elements, APIs, and endpoint devices), software, and data\ + \ (at rest, during processing, or in transmission) through the use of access\ + \ control software, rule sets, and standard configuration hardening processes." + translations: + es: + name: null + description: "[TSC] Restringe el acceso l\xF3gico: La entidad restringe\ + \ el acceso l\xF3gico a los activos de informaci\xF3n, incluida la infraestructura\ + \ (por ejemplo, servidores, almacenamiento, elementos de red, API y dispositivos\ + \ finales), software y datos (en reposo, durante el procesamiento o en\ + \ transmisi\xF3n), mediante el uso de software de control de acceso, conjuntos\ + \ de reglas y procesos est\xE1ndar de endurecimiento de configuraci\xF3\ + n." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1 + ref_id: CC6.1.4 + description: "[TSC] Identifies and Authenticates Users \u2014 The entity identifies\ + \ and authenticates persons, infrastructure, and software prior to accessing\ + \ information assets, whether locally or remotely. The entity uses more complex\ + \ or advanced user authentication techniques such as multifactor authentication\ + \ when such protections are deemed appropriate based on its risk mitigation\ + \ strategy." 
+ translations: + es: + name: null + description: "[TSC] Identifica y autentica a los usuarios: La entidad identifica\ + \ y autentica a las personas, infraestructura y software antes de acceder\ + \ a los activos de informaci\xF3n, ya sea localmente o de forma remota.\ + \ La entidad utiliza t\xE9cnicas de autenticaci\xF3n avanzadas, como la\ + \ autenticaci\xF3n multifactor, cuando estas protecciones se consideran\ + \ apropiadas seg\xFAn su estrategia de mitigaci\xF3n de riesgos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1 + ref_id: CC6.1.5 + description: "[TSC] Considers Network Segmentation \u2014 The entity uses network\ + \ segmentation, zero trust architectures, and other techniques to isolate\ + \ unrelated portions of the entity's information technology from each other\ + \ based on the entity\u2019s risk mitigation strategy." + translations: + es: + name: null + description: "[TSC] Considera la segmentaci\xF3n de la red: La entidad utiliza\ + \ la segmentaci\xF3n de la red, arquitecturas de confianza cero y otras\ + \ t\xE9cnicas para aislar partes no relacionadas de la tecnolog\xEDa de\ + \ la informaci\xF3n de la entidad, bas\xE1ndose en su estrategia de mitigaci\xF3\ + n de riesgos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1 + ref_id: CC6.1.6 + description: "[TSC] Manages Points of Access \u2014 Points of access by outside\ + \ entities and the types of data that flow through the points of access are\ + \ identified, inventoried, and managed. The types of individuals and systems\ + \ using each point of access are identified, documented, and managed." 
+ translations: + es: + name: null + description: "[TSC] Gestiona los puntos de acceso: Los puntos de acceso\ + \ utilizados por entidades externas y los tipos de datos que fluyen a\ + \ trav\xE9s de ellos se identifican, inventar\xEDan y gestionan. Se identifican,\ + \ documentan y gestionan los tipos de individuos y sistemas que utilizan\ + \ cada punto de acceso." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1.7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1 + ref_id: CC6.1.7 + description: "[TSC] Restricts Access to Information Assets \u2014 Combinations\ + \ of data classification, separate data structures, port restrictions, access\ + \ protocol restrictions, user identification, and digital certificates are\ + \ used to establish access control rules and configuration standards for information\ + \ assets." + translations: + es: + name: null + description: "[TSC] Restringe el acceso a los activos de informaci\xF3n:\ + \ Se utilizan combinaciones de clasificaci\xF3n de datos, estructuras\ + \ de datos separadas, restricciones de puertos, restricciones de protocolos\ + \ de acceso, identificaci\xF3n de usuarios y certificados digitales para\ + \ establecer reglas de control de acceso y est\xE1ndares de configuraci\xF3\ + n para los activos de informaci\xF3n." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1.8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1 + ref_id: CC6.1.8 + description: "[TSC] Manages Identification and Authentication \u2014 Identification\ + \ and authentication requirements are established, documented, and managed\ + \ for individuals and systems accessing entity information, infrastructure,\ + \ and software." 
+ translations: + es: + name: null + description: "[TSC] Gestiona la identificaci\xF3n y autenticaci\xF3n: Los\ + \ requisitos de identificaci\xF3n y autenticaci\xF3n se establecen, documentan\ + \ y gestionan para individuos y sistemas que acceden a la informaci\xF3\ + n, infraestructura y software de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1.9 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1 + ref_id: CC6.1.9 + description: "[TSC] Manages Credentials for Infrastructure and Software \u2014\ + \ New internal and external infrastructure and software are registered, authorized,\ + \ and documented prior to being granted access credentials and implemented\ + \ on the network or access point.Credentials are removed and access is disabled\ + \ when access is no longer required or the infrastructure and software are\ + \ no longer in use." + translations: + es: + name: null + description: '[TSC] Gestiona las credenciales de infraestructura y software: + Las infraestructuras y software internos y externos nuevos son registrados, + autorizados y documentados antes de otorgar credenciales de acceso e implementarlos + en la red o en los puntos de acceso. Las credenciales se eliminan y el + acceso se desactiva cuando ya no es necesario o cuando la infraestructura + y el software dejan de utilizarse.' + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1.10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1 + ref_id: CC6.1.10 + description: "[TSC] Uses Encryption to Protect Data \u2014 The entity uses encryption\ + \ to protect data (at rest, during processing, or in transmission), when such\ + \ protections are deemed appropriate based on the entity\u2019s risk mitigation\ + \ strategy." 
+ translations: + es: + name: null + description: "[TSC] Utiliza el cifrado para proteger los datos: La entidad\ + \ utiliza el cifrado para proteger los datos (en reposo, durante el procesamiento\ + \ o en transmisi\xF3n) cuando dichas protecciones se consideran apropiadas\ + \ seg\xFAn la estrategia de mitigaci\xF3n de riesgos de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1.11 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1 + ref_id: CC6.1.11 + description: "[TSC] Protects Cryptographic Keys \u2014 The entity protects cryptographic\ + \ keys during generation, storage, use, and destruction. Cryptographic modules,\ + \ algorithms, key lengths, and architectures are appropriate based on the\ + \ entity\u2019s risk mitigation strategy." + translations: + es: + name: null + description: "[TSC] Protege las claves criptogr\xE1ficas: La entidad protege\ + \ las claves criptogr\xE1ficas durante su generaci\xF3n, almacenamiento,\ + \ uso y destrucci\xF3n. Los m\xF3dulos criptogr\xE1ficos, algoritmos,\ + \ longitudes de clave y arquitecturas son apropiados seg\xFAn la estrategia\ + \ de mitigaci\xF3n de riesgos de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1.12 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1 + ref_id: CC6.1.12 + description: "[C] Restricts Access to and Use of Confidential Information for\ + \ Identified Purposes \u2014 Logical access to and use of confidential information\ + \ is restricted to identified purposes." + translations: + es: + name: null + description: "[C] Restringe el acceso y uso de la informaci\xF3n confidencial\ + \ para fines identificados: El acceso l\xF3gico y el uso de la informaci\xF3\ + n confidencial est\xE1n restringidos a los fines identificados." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1.13 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.1 + ref_id: CC6.1.13 + description: "[P] Restricts Access to and the Use of Personal Information \u2014\ + \ Logical access to and use of personal information is restricted to authorized\ + \ personnel who require such access to fulfill the identified purposes to\ + \ support the achievement of the entity\u2019s objectives\nrelated to privacy." + translations: + es: + name: null + description: "[P] Restringe el acceso y el uso de la informaci\xF3n personal:\ + \ El acceso l\xF3gico y el uso de la informaci\xF3n personal est\xE1n\ + \ restringidos al personal autorizado que requiere dicho acceso para cumplir\ + \ con los fines identificados y apoyar el logro de los objetivos de la\ + \ entidad relacionados con la privacidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6 + ref_id: CC6.2 + description: Prior to issuing system credentials and granting system access, + the entity registers and authorizes new internal and external users whose + access is administered by the entity. For those users whose access is administered + by the entity, user system credentials are removed when user access is no + longer authorized. + translations: + es: + name: null + description: "Antes de emitir credenciales del sistema y conceder acceso,\ + \ la entidad registra y autoriza a los nuevos usuarios internos y externos\ + \ cuyo acceso es gestionado por la entidad. Para aquellos usuarios cuyo\ + \ acceso es administrado por la entidad, las credenciales del sistema\ + \ son eliminadas cuando el acceso del usuario ya no est\xE1 autorizado." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.2.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.2 + ref_id: CC6.2.1 + description: "Creates Access Credentials to Protected Information Assets \u2014\ + The entity creates credentials for accessing protected information assets\ + \ based on an authorization from the system's asset owner or authorized custodian.\ + \ Authorization is required for the creation of all types of credentials of\ + \ individuals (for example, employees, contractors, vendors, and business\ + \ partner personnel), systems, and software." + translations: + es: + name: null + description: "Crea credenciales de acceso a activos de informaci\xF3n protegidos:\ + \ La entidad crea credenciales para acceder a activos de informaci\xF3\ + n protegidos con base en una autorizaci\xF3n del propietario del activo\ + \ o del custodio autorizado. Se requiere autorizaci\xF3n para la creaci\xF3\ + n de cualquier tipo de credenciales de individuos (por ejemplo, empleados,\ + \ contratistas, proveedores y personal de socios comerciales), sistemas\ + \ y software." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.2.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.2 + ref_id: CC6.2.2 + description: "Reviews Validity of Access Credentials \u2014 The entity reviews\ + \ access credentials on a periodic basis for validity (for example, employees,\ + \ contractors, vendors, and business partner personnel) and inappropriate\ + \ system or service accounts." + translations: + es: + name: null + description: "Revisa la validez de las credenciales de acceso: La entidad\ + \ revisa peri\xF3dicamente las credenciales de acceso para verificar su\ + \ validez (por ejemplo, empleados, contratistas, proveedores y personal\ + \ de socios comerciales) y la existencia de cuentas inapropiadas de sistema\ + \ o servicio." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.2.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.2 + ref_id: CC6.2.3 + description: "Prevents the Use of Credentials When No Longer Valid \u2014 Processes\ + \ are in place to disable, destroy, or otherwise prevent the use of access\ + \ credentials when no longer valid." + translations: + es: + name: null + description: "Evita el uso de credenciales cuando ya no son v\xE1lidas:\ + \ Se implementan procesos para deshabilitar, destruir o prevenir el uso\ + \ de credenciales de acceso cuando dejan de ser v\xE1lidas." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6 + ref_id: CC6.3 + description: "The entity authorizes, modifies, or removes access to data, software,\ + \ functions, and other protected information assets based on roles, responsibilities,\ + \ or the system design and changes, giving consideration to the concepts of\ + \ least privilege and segregation of duties, to meet the entity\u2019s objectives." + translations: + es: + name: null + description: "La entidad autoriza, modifica o elimina el acceso a datos,\ + \ software, funciones y otros activos de informaci\xF3n protegida en funci\xF3\ + n de roles, responsabilidades o del dise\xF1o y cambios del sistema, considerando\ + \ los conceptos de m\xEDnimo privilegio y segregaci\xF3n de funciones,\ + \ para cumplir con los objetivos de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.3.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.3 + ref_id: CC6.3.1 + description: "Creates or Modifies Access to Protected Information Assets \u2014\ + \ Processes are in place to create or modify access to protected information\ + \ assets based on authorization from the asset\u2019s owner." 
+ translations: + es: + name: null + description: "Crea o modifica el acceso a activos de informaci\xF3n protegidos:\ + \ Existen procesos para crear o modificar el acceso a activos de informaci\xF3\ + n protegidos, bas\xE1ndose en la autorizaci\xF3n del propietario del activo." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.3.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.3 + ref_id: CC6.3.2 + description: "Removes Access to Protected Information Assets \u2014 Processes\ + \ are in place to remove access to protected information assets when no longer\ + \ required." + translations: + es: + name: null + description: "Elimina el acceso a activos de informaci\xF3n protegidos:\ + \ Se implementan procesos para eliminar el acceso a activos de informaci\xF3\ + n protegidos cuando ya no es necesario." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.3.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.3 + ref_id: CC6.3.3 + description: "Uses Access Control Structures \u2014 The entity uses access control\ + \ structures, such as role-based access controls, to restrict access to protected\ + \ information assets, limit privileges, and support segregation of incompatible\ + \ functions." + translations: + es: + name: null + description: "Utiliza estructuras de control de acceso: La entidad utiliza\ + \ estructuras de control de acceso, como controles de acceso basados en\ + \ roles, para restringir el acceso a activos de informaci\xF3n protegidos,\ + \ limitar privilegios y apoyar la segregaci\xF3n de funciones incompatibles." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.3.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.3 + ref_id: CC6.3.4 + description: "Reviews Access Roles and Rules \u2014 The appropriateness of access\ + \ roles and Access rules is reviewed on a periodic basis for unnecessary and\ + \ inappropriate individuals (for example, employees, contractors, vendors,\ + \ business partner personnel) and inappropriate system or service accounts.\ + \ Access roles and rules are modified, as appropriate." + translations: + es: + name: null + description: "Revisa los roles y reglas de acceso: Se revisa peri\xF3dicamente\ + \ la adecuaci\xF3n de los roles y reglas de acceso para identificar accesos\ + \ innecesarios o inapropiados (por ejemplo, empleados, contratistas, proveedores\ + \ y personal de socios comerciales) y cuentas inapropiadas del sistema\ + \ o servicio. Los roles y reglas de acceso se modifican seg\xFAn corresponda." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6 + ref_id: CC6.4 + description: "The entity restricts physical access to facilities and protected\ + \ information assets (for example, data center facilities, backup media storage,\ + \ and other sensitive locations) to authorized personnel to meet the entity\u2019\ + s objectives." + translations: + es: + name: null + description: "La entidad restringe el acceso f\xEDsico a instalaciones y\ + \ activos de informaci\xF3n protegida (por ejemplo, centros de datos,\ + \ almacenamiento de copias de seguridad y otras ubicaciones sensibles)\ + \ al personal autorizado para cumplir con los objetivos de la entidad." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.4.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.4 + ref_id: CC6.4.1 + description: "Creates or Modifies Physical Access \u2014 Processes are in place\ + \ to create or modify physical access by employees, contractors, vendors,\ + \ and business partner personnel to facilities such as data centers, office\ + \ spaces, and work areas, based on appropriate authorization." + translations: + es: + name: null + description: "Crea o modifica el acceso f\xEDsico: Se implementan procesos\ + \ para crear o modificar el acceso f\xEDsico de empleados, contratistas,\ + \ proveedores y socios comerciales a instalaciones como centros de datos,\ + \ oficinas y \xE1reas de trabajo, bas\xE1ndose en la autorizaci\xF3n correspondiente." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.4.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.4 + ref_id: CC6.4.2 + description: "Removes Physical Access \u2014 Processes are in place to remove\ + \ physical access to facilities and protected information assets when an employee,\ + \ contractor, vendor, or business partner no longer requires access." + translations: + es: + name: null + description: "Elimina el acceso f\xEDsico: Se implementan procesos para\ + \ eliminar el acceso f\xEDsico a instalaciones y activos de informaci\xF3\ + n protegidos cuando un empleado, contratista, proveedor o socio comercial\ + \ ya no requiere acceso." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.4.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.4 + ref_id: CC6.4.3 + description: "Recovers Physical Devices \u2014 Processes are in place to recover\ + \ entity devices (for example, badges, laptops, and mobile devices) when an\ + \ employee, contractor, vendor, or business partner no longer requires access." 
+ translations: + es: + name: null + description: "Recupera dispositivos f\xEDsicos: Se implementan procesos\ + \ para recuperar dispositivos de la entidad (por ejemplo, credenciales\ + \ de acceso, ordenadores port\xE1tiles y dispositivos m\xF3viles) cuando\ + \ un empleado, contratista, proveedor o socio comercial ya no requiere\ + \ acceso." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.4.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.4 + ref_id: CC6.4.4 + description: "Reviews Physical Access \u2014 Processes are in place to periodically\ + \ review physical access to help ensure consistency with job responsibilities." + translations: + es: + name: null + description: "Revisa el acceso f\xEDsico: Se implementan procesos para revisar\ + \ peri\xF3dicamente el acceso f\xEDsico y asegurar que sea consistente\ + \ con las responsabilidades laborales." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.5 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6 + ref_id: CC6.5 + description: "The entity discontinues logical and physical protections over\ + \ physical assets only after the ability to read or recover data and software\ + \ from those assets has been diminished and is no longer required to meet\ + \ the entity\u2019s objectives." + translations: + es: + name: null + description: "La entidad interrumpe las protecciones l\xF3gicas y f\xED\ + sicas de activos f\xEDsicos \xFAnicamente cuando la capacidad de leer\ + \ o recuperar datos y software de dichos activos se ha reducido y ya no\ + \ se requiere para cumplir con los objetivos de la entidad." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:c6.5.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.5 + ref_id: C6.5.1 + description: "Removes Data and Software for Disposal \u2014 Procedures are in\ + \ place to remove, delete, or otherwise render data and software inaccessible\ + \ from physical assets and other devices owned by the entity, its vendors,\ + \ and employees when the data and software are no longer required on the asset\ + \ or the asset will no longer be under the control of the entity." + translations: + es: + name: null + description: "Elimina datos y software para su eliminaci\xF3n: Se implementan\ + \ procedimientos para eliminar, borrar o hacer inaccesibles los datos\ + \ y software de activos f\xEDsicos y otros dispositivos propiedad de la\ + \ entidad, sus proveedores y empleados, cuando dichos datos y software\ + \ ya no son necesarios o el activo dejar\xE1 de estar bajo el control\ + \ de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.6 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6 + ref_id: CC6.6 + description: The entity implements logical access security measures to protect + against threats from sources outside its system boundaries. + translations: + es: + name: null + description: "La entidad implementa medidas de seguridad de acceso l\xF3\ + gico para protegerse contra amenazas provenientes de fuentes externas\ + \ a los l\xEDmites de su sistema." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.6.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.6 + ref_id: CC6.6.1 + description: "Restricts Access \u2014 The types of activities that can occur\ + \ through a communication channel (for example, FTP site, router port) are\ + \ restricted." 
+ translations: + es: + name: null + description: "Restringe el acceso: Se restringen los tipos de actividades\ + \ que pueden ocurrir a trav\xE9s de un canal de comunicaci\xF3n (por ejemplo,\ + \ sitios FTP, puertos de router)." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.6.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.6 + ref_id: CC6.6.2 + description: "Protects Identification and Authentication Credentials \u2014\ + \ Identification and authentication credentials are protected during transmission\ + \ outside its system boundaries." + translations: + es: + name: null + description: "Protege las credenciales de identificaci\xF3n y autenticaci\xF3\ + n: Las credenciales de identificaci\xF3n y autenticaci\xF3n se protegen\ + \ durante la transmisi\xF3n fuera de los l\xEDmites del sistema." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.6.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.6 + ref_id: CC6.6.3 + description: "Requires Additional Authentication or Credentials \u2014 Additional\ + \ authentication information or credentials are required when accessing the\ + \ system from outside its boundaries." + translations: + es: + name: null + description: "Requiere autenticaci\xF3n adicional o credenciales: Se requiere\ + \ informaci\xF3n o credenciales adicionales de autenticaci\xF3n al acceder\ + \ al sistema desde fuera de sus l\xEDmites." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.6.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.6 + ref_id: CC6.6.4 + description: "Implements Boundary Protection Systems \u2014 Boundary protection\ + \ systems (for example, firewalls, demilitarized zones, intrusion detection\ + \ or prevention systems, and endpoint detection and response systems) are\ + \ configured, implemented, and maintained to protect external access points." 
+ translations: + es: + name: null + description: "Implementa sistemas de protecci\xF3n de l\xEDmites: Los sistemas\ + \ de protecci\xF3n de l\xEDmites (por ejemplo, firewalls, zonas desmilitarizadas,\ + \ sistemas de detecci\xF3n o prevenci\xF3n de intrusiones y sistemas de\ + \ detecci\xF3n y respuesta de endpoints) se configuran, implementan y\ + \ mantienen para proteger los puntos de acceso externos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.7 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6 + ref_id: CC6.7 + description: "The entity restricts the transmission, movement, and removal of\ + \ information to authorized internal and external users and processes, and\ + \ protects it during transmission, movement, or removal to meet the entity\u2019\ + s objectives." + translations: + es: + name: null + description: "La entidad restringe la transmisi\xF3n, movimiento y eliminaci\xF3\ + n de informaci\xF3n a usuarios y procesos internos y externos autorizados,\ + \ y la protege durante la transmisi\xF3n, el movimiento o la eliminaci\xF3\ + n, para cumplir con los objetivos de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.7.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.7 + ref_id: CC6.7.1 + description: "Restricts the Ability to Perform Transmission \u2014 Data loss\ + \ prevention processes and technologies are used to restrict ability to authorize\ + \ and execute transmission, movement, and removal of information." + translations: + es: + name: null + description: "Restringe la capacidad de realizar transmisiones: Se utilizan\ + \ procesos y tecnolog\xEDas de prevenci\xF3n de p\xE9rdida de datos para\ + \ restringir la capacidad de autorizar y ejecutar la transmisi\xF3n, movimiento\ + \ y eliminaci\xF3n de informaci\xF3n." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.7.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.7 + ref_id: CC6.7.2 + description: "Uses Encryption Technologies or Secure Communication Channels\ + \ to Protect Data \u2014 Encryption technologies or secured communication\ + \ channels are used to protect transmission of data and other communications\ + \ beyond connectivity access points." + translations: + es: + name: null + description: "Utiliza tecnolog\xEDas de cifrado o canales de comunicaci\xF3\ + n seguros para proteger los datos: Se utilizan tecnolog\xEDas de cifrado\ + \ o canales de comunicaci\xF3n seguros para proteger la transmisi\xF3\ + n de datos y otras comunicaciones m\xE1s all\xE1 de los puntos de acceso\ + \ a la conectividad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.7.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.7 + ref_id: CC6.7.3 + description: "Protects Removal Media \u2014 Encryption technologies and physical\ + \ asset protections are used for removable media (such as USB drives and backup\ + \ tapes), as appropriate." + translations: + es: + name: null + description: "Protege medios extra\xEDbles: Se aplican tecnolog\xEDas de\ + \ cifrado y protecciones f\xEDsicas para medios extra\xEDbles (como unidades\ + \ USB y cintas de respaldo), seg\xFAn corresponda." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.7.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.7 + ref_id: CC6.7.4 + description: "Protects Endpoint Devices \u2014 Processes and controls are in\ + \ place to protect endpoint devices (such as mobile devices, laptops, desktops,\ + \ and sensors)." 
+ translations: + es: + name: null + description: "Protege dispositivos terminales: Se implementan procesos y\ + \ controles para proteger dispositivos terminales (como dispositivos m\xF3\ + viles, ordenadores port\xE1tiles, escritorios y sensores)." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.8 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6 + ref_id: CC6.8 + description: "The entity implements controls to prevent or detect and act upon\ + \ the introduction of unauthorized or malicious software to meet the entity\u2019\ + s objectives." + translations: + es: + name: null + description: "La entidad implementa controles para prevenir o detectar la\ + \ introducci\xF3n de software no autorizado o malicioso y actuar en consecuencia\ + \ para cumplir los objetivos de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.8.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.8 + ref_id: CC6.8.1 + description: "Restricts Installation and Modification of Application and Software\ + \ \u2014 The ability to install and modify applications and software is restricted\ + \ to authorized individuals. Utility software capable of bypassing normal\ + \ operating or security procedures is limited to use by authorized individuals\ + \ and is monitored regularly." + translations: + es: + name: null + description: "Restringe la instalaci\xF3n y modificaci\xF3n de aplicaciones\ + \ y software - La capacidad de instalar y modificar aplicaciones y software\ + \ est\xE1 restringida a personas autorizadas. El software de utilidad\ + \ capaz de eludir los procedimientos normales de funcionamiento o seguridad\ + \ est\xE1 limitado al uso por parte de personas autorizadas y se supervisa\ + \ peri\xF3dicamente." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.8.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.8 + ref_id: CC6.8.2 + description: "Detects Unauthorized Changes to Software and Configuration Parameters\ + \ \u2014 Processes are in place to detect changes to software and configuration\ + \ parameters that may be indicative of unauthorized or malicious software." + translations: + es: + name: null + description: "Detecta cambios no autorizados en el software y los par\xE1\ + metros de configuraci\xF3n - Existen procesos para detectar cambios en\ + \ el software y los par\xE1metros de configuraci\xF3n que puedan ser indicativos\ + \ de software no autorizado o malicioso." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.8.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.8 + ref_id: CC6.8.3 + description: "Uses a Defined Change Control Process \u2014 A management-defined\ + \ change control process is used for the implementation of software." + translations: + es: + name: null + description: "Utiliza un proceso de control de cambios definido - Para la\ + \ implantaci\xF3n del software se utiliza un proceso de control de cambios\ + \ definido por la direcci\xF3n." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.8.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.8 + ref_id: CC6.8.4 + description: "Uses Antivirus and Anti-Malware Software \u2014 Antivirus and\ + \ anti-malware software on servers and endpoint devices is configured, implemented,\ + \ and maintained to provide for the interception or detection and remediation\ + \ of malware." 
+ translations: + es: + name: null + description: "Utiliza software antivirus y antimalware: el software antivirus\ + \ y antimalware de los servidores y dispositivos de punto final est\xE1\ + \ configurado, implementado y mantenido para permitir la interceptaci\xF3\ + n o detecci\xF3n y correcci\xF3n de malware." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.8.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc6.8 + ref_id: CC6.8.5 + description: "Scans Information Assets From Outside the Entity for Malware and\ + \ Other Unauthorized Software \u2014 Procedures are in place to scan information\ + \ assets that have been transferred or returned to the entity\u2019s custody\ + \ for malware and other unauthorized software. Detected malware or other software\ + \ is removed prior to connection to the entity\u2019s network." + translations: + es: + name: null + description: "Analiza los activos de informaci\xF3n procedentes de fuera\ + \ de la entidad en busca de malware y otro software no autorizado - Existen\ + \ procedimientos para analizar los activos de informaci\xF3n que han sido\ + \ transferidos o devueltos a la custodia de la entidad en busca de malware\ + \ y otro software no autorizado. El malware u otro software detectado\ + \ se elimina antes de su conexi\xF3n a la red de la entidad." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7 + assessable: false + depth: 1 + ref_id: CC7 + name: System Operations + translations: + es: + name: Operaciones del sistema + description: null + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7 + ref_id: CC7.1 + description: "To meet its objectives, the entity uses detection and monitoring\ + \ procedures to identify \n(1) changes to configurations that result in the\ + \ introduction of new vulnerabilities, and \n(2) susceptibilities to newly\ + \ discovered vulnerabilities." + translations: + es: + name: null + description: "Para cumplir con sus objetivos, la entidad utiliza procedimientos\ + \ de detecci\xF3n y monitorizaci\xF3n para identificar: (1) cambios en\ + \ configuraciones que resultan en la introducci\xF3n de nuevas vulnerabilidades,\ + \ y (2) susceptibilidades a vulnerabilidades reci\xE9n descubiertas." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.1.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.1 + ref_id: CC7.1.1 + description: "Uses Defined Configuration Standards \u2014 The entity has defined\ + \ configuration standards to be used for hardening systems." + translations: + es: + name: null + description: "Utiliza est\xE1ndares de configuraci\xF3n definidos: La entidad\ + \ define est\xE1ndares de configuraci\xF3n para el endurecimiento de sistemas." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.1.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.1 + ref_id: CC7.1.2 + description: "Monitors Infrastructure and Software \u2014 The entity monitors\ + \ infrastructure and software for noncompliance with the standards, which\ + \ could threaten the achievement of the entity's objectives." 
+ translations: + es: + name: null + description: "Monitoriza la infraestructura y el software: La entidad supervisa\ + \ la infraestructura y el software para detectar incumplimientos con los\ + \ est\xE1ndares establecidos, lo cual podr\xEDa amenazar el logro de los\ + \ objetivos de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.1.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.1 + ref_id: CC7.1.3 + description: "Implements Change-Detection Mechanisms \u2014 The IT system includes\ + \ a change-detection mechanism (for example, file integrity monitoring tools)\ + \ to alert personnel to unauthorized modifications of critical system files,\ + \ configuration files, or content files." + translations: + es: + name: null + description: "Implementa mecanismos de detecci\xF3n de cambios: El sistema\ + \ de TI incluye un mecanismo de detecci\xF3n de cambios (por ejemplo,\ + \ herramientas de monitorizaci\xF3n de integridad de archivos) para alertar\ + \ al personal sobre modificaciones no autorizadas de archivos cr\xEDticos\ + \ del sistema, archivos de configuraci\xF3n o archivos de contenido." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.1.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.1 + ref_id: CC7.1.4 + description: "Detects Unknown or Unauthorized Components \u2014 Procedures are\ + \ in place to detect the introduction of unknown or unauthorized components." + translations: + es: + name: null + description: "Detecta componentes desconocidos o no autorizados: Se implementan\ + \ procedimientos para detectar la introducci\xF3n de componentes desconocidos\ + \ o no autorizados." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.1.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.1 + ref_id: CC7.1.5 + description: "Conducts Vulnerability Scans \u2014 The entity conducts infrastructure\ + \ and software vulnerability scans designed to identify potential vulnerabilities\ + \ or misconfigurations on a periodic basis and after significant changes are\ + \ made to the environment. Action is taken to remediate identified deficiencies\ + \ in a timely manner to support the achievement of the entity\u2019s objectives." + translations: + es: + name: null + description: "Realiza escaneos de vulnerabilidades: La entidad realiza escaneos\ + \ de vulnerabilidades de infraestructura y software dise\xF1ados para\ + \ identificar posibles vulnerabilidades o configuraciones incorrectas\ + \ de forma peri\xF3dica y despu\xE9s de realizar cambios significativos\ + \ en el entorno. Se toman acciones para remediar las deficiencias identificadas\ + \ de manera oportuna, con el fin de apoyar el logro de los objetivos de\ + \ la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7 + ref_id: CC7.2 + description: The entity monitors system components and the operation of those + components for anomalies that are indicative of malicious acts, natural disasters, + and errors affecting the entity's ability to meet its objectives; anomalies + are analyzed to determine whether they represent security events. 
+ translations: + es: + name: null + description: "La entidad monitoriza los componentes del sistema y el funcionamiento\ + \ de esos componentes para detectar anomal\xEDas indicativas de actos\ + \ maliciosos, desastres naturales y errores que afecten la capacidad de\ + \ la entidad para cumplir con sus objetivos; las anomal\xEDas son analizadas\ + \ para determinar si representan eventos de seguridad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.2.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.2 + ref_id: CC7.2.1 + description: "Implements Detection Policies, Procedures, and Tools \u2014 Detection\ + \ policies, procedures, and tools are defined and implemented on infrastructure\ + \ and software to identify potential intrusions, inappropriate access, and\ + \ anomalies in the operation of or unusual activity on systems. Procedures\ + \ may include \n(1) a defined governance process for security event detection\ + \ and management; \n(2) use of intelligence sources to identify newly discovered\ + \ threats and vulnerabilities; and \n(3) logging of unusual system activities." + translations: + es: + name: null + description: "Implementa pol\xEDticas, procedimientos y herramientas de\ + \ detecci\xF3n: Se definen e implementan pol\xEDticas, procedimientos\ + \ y herramientas de detecci\xF3n en la infraestructura y el software para\ + \ identificar intrusiones potenciales, accesos inapropiados y anomal\xED\ + as en la operaci\xF3n o actividades inusuales en los sistemas. Los procedimientos\ + \ pueden incluir:(1) Un proceso de gobernanza definido para la detecci\xF3\ + n y gesti\xF3n de eventos de seguridad. (2) El uso de fuentes de inteligencia\ + \ para identificar amenazas y vulnerabilidades reci\xE9n descubiertas.\ + \ (3) El registro de actividades inusuales del sistema." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.2.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.2 + ref_id: CC7.2.2 + description: "Designs Detection Measures \u2014 Detection measures are designed\ + \ to identify anomalies that could result from actual or attempted \n(1) compromise\ + \ of physical barriers;\n(2) unauthorized actions of authorized personnel;\ + \ \n(3) use of compromised identification and authentication credentials;\ + \ \n(4) unauthorized access from outside the system boundaries; \n(5) compromise\ + \ of authorized external parties; and \n(6) implementation or connection of\ + \ unauthorized hardware and software." + translations: + es: + name: null + description: "Dise\xF1a medidas de detecci\xF3n: Las medidas de detecci\xF3\ + n se dise\xF1an para identificar anomal\xEDas que podr\xEDan resultar\ + \ de:\n(1) Compromiso de barreras f\xEDsicas.\n(2) Acciones no autorizadas\ + \ de personal autorizado.\n(3) Uso de credenciales de identificaci\xF3\ + n y autenticaci\xF3n comprometidas.\n(4) Acceso no autorizado desde fuera\ + \ de los l\xEDmites del sistema.\n(5) Compromiso de partes externas autorizadas.\n\ + (6) Implementaci\xF3n o conexi\xF3n de hardware y software no autorizados." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.2.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.2 + ref_id: CC7.2.3 + description: "Implements Filters to Analyze Anomalies \u2014 Management has\ + \ implemented procedures to filter, summarize, and analyze anomalies to identify\ + \ security events." + translations: + es: + name: null + description: "Implementa filtros para analizar anomal\xEDas: La direcci\xF3\ + n implementa procedimientos para filtrar, resumir y analizar anomal\xED\ + as con el fin de identificar eventos de seguridad." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.2.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.2 + ref_id: CC7.2.4 + description: "Monitors Detection Tools for Effective Operation \u2014 Management\ + \ has implemented processes to monitor and maintain the effectiveness of detection\ + \ tools." + translations: + es: + name: null + description: "Monitoriza las herramientas de detecci\xF3n para una operaci\xF3\ + n efectiva: La direcci\xF3n implementa procesos para supervisar y mantener\ + \ la efectividad de las herramientas de detecci\xF3n." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7 + ref_id: CC7.3 + description: The entity evaluates security events to determine whether they + could or have resulted in a failure of the entity to meet its objectives (security + incidents) and, if so, takes actions to prevent or address such failures. + translations: + es: + name: null + description: "La entidad eval\xFAa los eventos de seguridad para determinar\ + \ si podr\xEDan o han resultado en un fallo que impida el cumplimiento\ + \ de los objetivos de la entidad (incidentes de seguridad) y, en tal caso,\ + \ toma medidas para prevenir o resolver dichos fallos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.3.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.3 + ref_id: CC7.3.1 + description: "Responds to Security Incidents \u2014 Procedures are in place\ + \ for responding to security incidents and evaluating the effectiveness of\ + \ those policies and procedures on a periodic basis." 
+ translations: + es: + name: null + description: "Responde a los incidentes de seguridad: Se implementan procedimientos\ + \ para responder a los incidentes de seguridad y evaluar la efectividad\ + \ de dichas pol\xEDticas y procedimientos de manera peri\xF3dica." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.3.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.3 + ref_id: CC7.3.2 + description: "Communicates and Reviews Detected Security Events \u2014 Detected\ + \ security events are communicated to and reviewed by the individuals responsible\ + \ for the management of the security program, and actions are taken, if necessary." + translations: + es: + name: null + description: "Comunica y revisa los eventos de seguridad detectados: Los\ + \ eventos de seguridad detectados son comunicados y revisados por las\ + \ personas responsables de la gesti\xF3n del programa de seguridad, y\ + \ se toman las acciones necesarias." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.3.3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.3 + ref_id: CC7.3.3 + description: "Develops and Implements Procedures to Analyze Security Incidents\ + \ \u2014 Procedures are in place to analyze security incidents and determine\ + \ system impact." + translations: + es: + name: null + description: 'Desarrolla e implementa procedimientos para analizar incidentes + de seguridad: Se implementan procedimientos para analizar los incidentes + de seguridad y determinar el impacto en el sistema.' 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.3.4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.3 + ref_id: CC7.3.4 + description: "[C] Assesses the Impact on Confidential Information \u2014 Detected\ + \ security events are evaluated to determine whether they could or did result\ + \ in the unauthorized disclosure or use of confidential information." + translations: + es: + name: null + description: "[C] Eval\xFAa el impacto sobre la informaci\xF3n confidencial:\ + \ Los eventos de seguridad detectados son evaluados para determinar si\ + \ pudieron o resultaron en la divulgaci\xF3n o uso no autorizado de informaci\xF3\ + n confidencial." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.3.5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.3 + ref_id: CC7.3.5 + description: "[C] Determines Confidential Information Used or Disclosed \u2014\ + \ When an unauthorized use or disclosure of confidential information has occurred,\ + \ the affected information is identified and actions are taken to help prevent\ + \ future recurrence and address control failures to support the achievement\ + \ of entity objectives." + translations: + es: + name: null + description: "[C] Determina la informaci\xF3n confidencial utilizada o divulgada:\ + \ Cuando ocurre un uso o divulgaci\xF3n no autorizada de informaci\xF3\ + n confidencial, se identifica la informaci\xF3n afectada y se toman acciones\ + \ para prevenir recurrencias y abordar fallos de control." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.3.6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.3 + ref_id: CC7.3.6 + description: "[P] Assesses the Impact on Personal Information \u2014 Detected\ + \ security events are evaluated to determine whether they could or did result\ + \ in the unauthorized disclosure or use of personal information and whether\ + \ there has been a failure to comply with aplicable laws or regulations." + translations: + es: + name: null + description: "[P] Eval\xFAa el impacto sobre la informaci\xF3n personal:\ + \ Los eventos de seguridad detectados son evaluados para determinar si\ + \ pudieron o resultaron en la divulgaci\xF3n o uso no autorizado de informaci\xF3\ + n personal y si hubo incumplimiento de leyes o regulaciones aplicables." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.3.7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.3 + ref_id: CC7.3.7 + description: "[P] Determines Personal Information Used or Disclosed \u2014 When\ + \ an unauthorized use or disclosure of personal information has occurred,\ + \ the affected information is identified and actions are taken to help prevent\ + \ future recurrence and address control failures to support the achievement\ + \ of entity objectives." + translations: + es: + name: null + description: "[P] Determina la informaci\xF3n personal utilizada o divulgada:\ + \ Cuando ocurre un uso o divulgaci\xF3n no autorizada de informaci\xF3\ + n personal, se identifica la informaci\xF3n afectada y se toman acciones\ + \ para prevenir recurrencias y abordar fallos de control." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7 + ref_id: CC7.4 + description: The entity responds to identified security incidents by executing + a defined incident-response program to understand, contain, remediate, and + communicate security incidents, as appropriate. + translations: + es: + name: null + description: "La entidad responde a incidentes de seguridad identificados\ + \ ejecutando un programa de respuesta a incidentes definido para comprender,\ + \ contener, remediar y comunicar los incidentes de seguridad, seg\xFA\ + n corresponda." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4 + ref_id: CC7.4.1 + description: "Assigns Roles and Responsibilities \u2014 Roles and responsibilities\ + \ for the design, implementation, maintenance, and execution of the incident-response\ + \ program are assigned, including the use of external resources when necessary." + translations: + es: + name: null + description: "Asigna roles y responsabilidades: Los roles y responsabilidades\ + \ para el dise\xF1o, implementaci\xF3n, mantenimiento y ejecuci\xF3n del\ + \ programa de respuesta a incidentes son asignados, incluyendo el uso\ + \ de recursos externos cuando sea necesario." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4.2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4 + ref_id: CC7.4.2 + description: "Contains and Responds to Security Incidents \u2014 Procedures\ + \ are in place to respond to and contain security incidents that actively\ + \ threaten entity objectives." 
+ translations:
+ es:
+ name: null
+ description: 'Contiene y responde a incidentes de seguridad: Se implementan
+ procedimientos para responder y contener incidentes de seguridad que amenacen
+ activamente los objetivos de la entidad.'
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4.3
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4
+ ref_id: CC7.4.3
+ description: "Mitigates Ongoing Security Incidents \u2014 Procedures are in\
+ \ place to mitigate the effects of ongoing security incidents."
+ translations:
+ es:
+ name: null
+ description: 'Mitiga los incidentes de seguridad en curso: Se implementan
+ procedimientos para mitigar los efectos de incidentes de seguridad en
+ curso.'
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4.4
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4
+ ref_id: CC7.4.4
+ description: "Resolves Security Incidents \u2014 Procedures are in place to\
+ \ resolve security incidents through closure of vulnerabilities, removal of\
+ \ unauthorized access, and other remediation actions."
+ translations:
+ es:
+ name: null
+ description: "Resuelve incidentes de seguridad: Se implementan procedimientos\
+ \ para resolver incidentes de seguridad mediante el cierre de vulnerabilidades,\
+ \ eliminaci\xF3n de accesos no autorizados y otras acciones de remediaci\xF3\
+ n."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4.5
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4
+ ref_id: CC7.4.5
+ description: "Restores Operations \u2014 Procedures are in place to restore\
+ \ data and business operations to an interim state that permits the achievement\
+ \ of entity objectives."
+ translations:
+ es:
+ name: null
+ description: 'Restaura operaciones: Se implementan procedimientos para restaurar
+ datos y operaciones comerciales a un estado provisional que permita el
+ logro de los objetivos de la entidad.'
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4.6
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4
+ ref_id: CC7.4.6
+ description: "Develops and Implements Communication of Security Incidents \u2014\
+ \ Protocols for communicating, in a timely manner, information regarding security\
+ \ incidents and actions taken to affected parties are developed and implemented\
+ \ to support the achievement of the entity's objectives."
+ translations:
+ es:
+ name: null
+ description: "Desarrolla e implementa la comunicaci\xF3n de incidentes de\
+ \ seguridad: Se desarrollan e implementan protocolos para comunicar de\
+ \ manera oportuna informaci\xF3n sobre incidentes de seguridad y las acciones\
+ \ tomadas a las partes afectadas."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4.7
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4
+ ref_id: CC7.4.7
+ description: "Obtains Understanding of Nature of Incident and Determines Containment\
+ \ Strategy \u2014 An understanding of the nature (for example, the method\
+ \ by which the incident occurred and the affected system resources) and severity\
+ \ of the security incident is obtained to determine the appropriate response\
+ \ and containment strategy, including \n(1) a determination of the appropriate\
+ \ response time frame, and \n(2) the determination and execution of the containment\
+ \ approach."
+ translations:
+ es:
+ name: null
+ description: "Obtiene comprensi\xF3n de la naturaleza del incidente y determina\
+ \ la estrategia de contenci\xF3n: Se obtiene informaci\xF3n sobre la naturaleza\
+ \ y gravedad del incidente para determinar la respuesta y estrategia de\
+ \ contenci\xF3n apropiada, incluyendo:(1)La determinaci\xF3n del plazo\
+ \ de respuesta adecuado. (2) La ejecuci\xF3n de un enfoque de contenci\xF3\
+ n."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4.8
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4
+ ref_id: CC7.4.8
+ description: "Remediates Identified Vulnerabilities \u2014 Identified vulnerabilities\
+ \ are remediated through the development and execution of remediation activities."
+ translations:
+ es:
+ name: null
+ description: "Remedia vulnerabilidades identificadas: Las vulnerabilidades\
+ \ identificadas se remedian mediante el desarrollo y ejecuci\xF3n de actividades\
+ \ de remediaci\xF3n."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4.9
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4
+ ref_id: CC7.4.9
+ description: "Communicates Remediation Activities \u2014 Remediation activities\
+ \ are documented and communicated in accordance with the incident-response\
+ \ program."
+ translations:
+ es:
+ name: null
+ description: "Comunica las actividades de remediaci\xF3n: Las actividades\
+ \ de remediaci\xF3n se documentan y comunican conforme al programa de\
+ \ respuesta a incidentes."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4.10
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4
+ ref_id: CC7.4.10
+ description: "Evaluates the Effectiveness of Incident Response \u2014 The design\
+ \ of incident-response activities is evaluated for effectiveness on a periodic\
+ \ basis."
+ translations:
+ es:
+ name: null
+ description: "Eval\xFAa la efectividad de la respuesta a incidentes: Se\
+ \ eval\xFAa peri\xF3dicamente la efectividad de las actividades de respuesta\
+ \ a incidentes."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4.11
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4
+ ref_id: CC7.4.11
+ description: "Periodically Evaluates Incidents \u2014 Periodically, management\
+ \ reviews incidents related to security, availability, processing integrity,\
+ \ confidentiality, and privacy and identifies the need for system changes\
+ \ based on incident patterns and root causes."
+ translations:
+ es:
+ name: null
+ description: "Eval\xFAa peri\xF3dicamente los incidentes: La direcci\xF3\
+ n revisa de forma peri\xF3dica los incidentes relacionados con seguridad,\
+ \ confidencialidad y privacidad, identificando patrones y causas ra\xED\
+ z que requieran cambios en el sistema."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4.12
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4
+ ref_id: CC7.4.12
+ description: "[P] Applies Breach Response Procedures \u2014 Breach response\
+ \ procedures are defined and applied in the event of a confirmed privacy incident."
+ translations:
+ es:
+ name: null
+ description: '[P] Aplica procedimientos de respuesta a brechas: Se aplican
+ procedimientos definidos de respuesta en caso de un incidente confirmado
+ de privacidad.'
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4.13
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4
+ ref_id: CC7.4.13
+ description: "[P] Communicates Unauthorized Use and Disclosure \u2014 Events\
+ \ that resulted in unauthorized use or disclosure of personal information\
+ \ are communicated to the data subjects, legal and regulatory authorities,\
+ \ and others as required."
+ translations:
+ es:
+ name: null
+ description: "[P] Comunica usos y divulgaciones no autorizados: Los eventos\
+ \ que resultaron en el uso o divulgaci\xF3n no autorizada de informaci\xF3\
+ n personal se comunican a los titulares de datos, autoridades legales\
+ \ y regulatorias, y otras partes seg\xFAn sea requerido."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4.14
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.4
+ ref_id: CC7.4.14
+ description: "[P] Application of Sanctions \u2014 The conduct of individuals\
+ \ and organizations operating under the authority of the entity and involved\
+ \ in the unauthorized use or disclosure of personal information is evaluated\
+ \ and, if appropriate, sanctioned in accordance with entity policies and legal\
+ \ and regulatory requirements."
+ translations:
+ es:
+ name: null
+ description: "[P] Aplicaci\xF3n de sanciones: Se eval\xFAa la conducta de\
+ \ individuos u organizaciones involucradas en el uso o divulgaci\xF3n\
+ \ no autorizada de informaci\xF3n personal, aplicando sanciones seg\xFA\
+ n las pol\xEDticas de la entidad y los requisitos legales y regulatorios\
+ \ aplicables."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.5
+ assessable: false
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7
+ ref_id: CC7.5
+ description: The entity identifies, develops, and implements activities to recover
+ from identified security incidents.
+ translations:
+ es:
+ name: null
+ description: La entidad identifica, desarrolla e implementa actividades
+ para recuperarse de los incidentes de seguridad identificados.
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.5.1
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.5
+ ref_id: CC7.5.1
+ description: "Restores the Affected Environment \u2014 The activities restore\
+ \ the affected environment to functional operation by rebuilding systems,\
+ \ updating software, installing patches, modifying access controls, and changing\
+ \ configurations, as needed."
+ translations:
+ es:
+ name: null
+ description: "Restaura el Entorno Afectado - Las actividades restauran el\
+ \ entorno afectado a su operaci\xF3n funcional reconstruyendo sistemas,\
+ \ actualizando software, instalando parches, modificando controles de\
+ \ acceso y cambiando configuraciones, seg\xFAn sea necesario."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.5.2
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.5
+ ref_id: CC7.5.2
+ description: "Communicates Information About the Incident \u2014 Communications\
+ \ about the nature of the incident, recovery actions taken, and activities\
+ \ required for the prevention of future security incidents are made to management\
+ \ and others as appropriate (internal and external)."
+ translations:
+ es:
+ name: null
+ description: "Comunica informaci\xF3n sobre el incidente - Las comunicaciones\
+ \ sobre la naturaleza del incidente, las medidas de recuperaci\xF3n adoptadas\
+ \ y las actividades necesarias para la prevenci\xF3n de futuros incidentes\
+ \ de seguridad se realizan a la direcci\xF3n y a otras personas, seg\xFA\
+ n proceda (internas y externas)."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.5.3
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.5
+ ref_id: CC7.5.3
+ description: "Determines Root Cause of the Incident \u2014 The root cause of\
+ \ the incident is determined."
+ translations:
+ es:
+ name: null
+ description: "Determina la causa ra\xEDz del incidente - Se determina la\
+ \ causa ra\xEDz del incidente."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.5.4
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.5
+ ref_id: CC7.5.4
+ description: "Implements Changes to Prevent and Detect Recurrences \u2014 Additional\
+ \ architecture or changes to preventive and detective controls are implemented\
+ \ to prevent and detect incident recurrences in a timely manner."
+ translations:
+ es:
+ name: null
+ description: Implementa cambios para prevenir y detectar reincidencias -
+ Se implementa una arquitectura adicional o cambios a los controles preventivos
+ y detectivos para prevenir y detectar reincidencias de incidentes de manera
+ oportuna.
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.5.5
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.5
+ ref_id: CC7.5.5
+ description: "Improves Response and Recovery Procedures \u2014 Lessons learned\
+ \ are analyzed and the incident-response plan and recovery procedures are\
+ \ improved."
+ translations:
+ es:
+ name: null
+ description: "Mejora de los procedimientos de respuesta y recuperaci\xF3\
+ n - Se analizan las lecciones aprendidas y se mejoran el plan de respuesta\
+ \ a incidentes y los procedimientos de recuperaci\xF3n."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.5.6
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc7.5
+ ref_id: CC7.5.6
+ description: "Implements Incident-Recovery Plan Testing \u2014 Incident-recovery\
+ \ plan testing is performed on a periodic basis.
The testing includes \n(1)\
+ \ development of testing scenarios based on threat likelihood and magnitude;\
+ \ \n(2) consideration of relevant system components from across the entity\
+ \ that can impair availability; \n(3) scenarios that consider the potential\
+ \ for the lack of availability of key personnel; and \n(4) revisi\xF3n of\
+ \ resilience posture and continuity plans based on test results."
+ translations:
+ es:
+ name: null
+ description: "Implementa pruebas del plan de recuperaci\xF3n de incidentes\
+ \ - Las pruebas del plan de recuperaci\xF3n de incidentes se realizan\
+ \ de forma peri\xF3dica. Las pruebas incluyen \n(1) desarrollo de escenarios\
+ \ de prueba basados en la probabilidad y magnitud de la amenaza; \n(2)\
+ \ consideraci\xF3n de los componentes relevantes del sistema de toda la\
+ \ entidad que pueden perjudicar la disponibilidad; \n(3) escenarios que\
+ \ consideren la posibilidad de falta de disponibilidad del personal clave;\
+ \ y \n(4) revisi\xF3n de la postura de resiliencia y los planes de continuidad\
+ \ basados en los resultados de las pruebas."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8
+ assessable: false
+ depth: 1
+ ref_id: CC8
+ name: Change Management
+ translations:
+ es:
+ name: "Gesti\xF3n del Cambio"
+ description: null
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1
+ assessable: false
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8
+ ref_id: CC8.1
+ description: The entity authorizes, designs, develops or acquires, configures,
+ documents, tests, approves, and implements changes to infrastructure, data,
+ software, and procedures to meet its objectives.
+ translations:
+ es:
+ name: null
+ description: "La entidad autoriza, dise\xF1a, desarrolla o adquiere, configura,\
+ \ documenta, prueba, aprueba e implementa cambios en la infraestructura,\
+ \ datos, software y procedimientos para cumplir con sus objetivos."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1.1
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1
+ ref_id: CC8.1.1
+ description: "Manages Changes Throughout the System Life Cycle \u2014 A process\
+ \ for managing system changes throughout the life cycle of the system and\
+ \ its components (infrastructure, data, software, and manual and automated\
+ \ procedures) is used to support the achievement of entity objectives."
+ translations:
+ es:
+ name: null
+ description: 'Gestiona los cambios a lo largo del ciclo de vida del sistema:
+ Existe un proceso para gestionar los cambios en el sistema durante su
+ ciclo de vida y el de sus componentes (infraestructura, datos, software
+ y procedimientos manuales y automatizados) con el fin de apoyar el logro
+ de los objetivos de la entidad.'
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1.2
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1
+ ref_id: CC8.1.2
+ description: "Authorizes Changes \u2014 A process is in place to authorize system\
+ \ and architecture changes prior to design, development, or acquisition and\
+ \ configuration."
+ translations:
+ es:
+ name: null
+ description: "Autoriza cambios: Existe un proceso para autorizar cambios\
+ \ en el sistema y en la arquitectura antes de su dise\xF1o, desarrollo,\
+ \ adquisici\xF3n o configuraci\xF3n."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1.3
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1
+ ref_id: CC8.1.3
+ description: "Designs and Develops Changes \u2014 A process is in place to design\
+ \ and develop system changes in a secure manner to support the achievement\
+ \ of entity objectives."
+ translations:
+ es:
+ name: null
+ description: "Dise\xF1a y desarrolla cambios: Se cuenta con un proceso para\
+ \ dise\xF1ar y desarrollar cambios en el sistema de manera segura con\
+ \ el fin de apoyar el logro de los objetivos de la entidad."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1.4
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1
+ ref_id: CC8.1.4
+ description: "Documents Changes \u2014 A process is in place to document system\
+ \ changes to support ongoing maintenance of the system and to support internal\
+ \ and external users in performing their responsibilities."
+ translations:
+ es:
+ name: null
+ description: "Documenta los cambios: Existe un proceso para documentar los\
+ \ cambios del sistema y as\xED apoyar el mantenimiento continuo del sistema\
+ \ y ayudar a los usuarios internos y externos en el desempe\xF1o de sus\
+ \ responsabilidades."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1.5
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1
+ ref_id: CC8.1.5
+ description: "Tracks System Changes \u2014 A process is in place to track system\
+ \ changes prior to implementation."
+ translations:
+ es:
+ name: null
+ description: "Rastrea los cambios del sistema: Se dispone de un proceso\
+ \ para rastrear los cambios en el sistema antes de su implementaci\xF3\
+ n."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1.6
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1
+ ref_id: CC8.1.6
+ description: "Configures Software \u2014 A process is in place to select, implement,\
+ \ maintain, and monitor configuration parameters used to control the functionality\
+ \ of developed and acquired software."
+ translations:
+ es:
+ name: null
+ description: "Configura el software: Existe un proceso para seleccionar,\
+ \ implementar, mantener y supervisar los par\xE1metros de configuraci\xF3\
+ n utilizados para controlar la funcionalidad del software desarrollado\
+ \ y adquirido."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1.7
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1
+ ref_id: CC8.1.7
+ description: "Tests System Changes \u2014 A process is in place to test internally\
+ \ developed and acquired system changes prior to implementation into the production\
+ \ environment. Examples of testing may include unit, integration, regression,\
+ \ static and Dynamic application source code, quality assurance, or automated\
+ \ testing (whether point in time or continuous)."
+ translations:
+ es:
+ name: null
+ description: "Prueba los cambios del sistema: Se implementa un proceso para\
+ \ probar los cambios desarrollados y adquiridos en el sistema antes de\
+ \ su implementaci\xF3n en el entorno de producci\xF3n. Las pruebas pueden\
+ \ incluir unitarias, de integraci\xF3n, regresi\xF3n, c\xF3digo fuente\
+ \ est\xE1tico y din\xE1mico, aseguramiento de calidad o pruebas automatizadas\
+ \ (puntuales o continuas)."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1.8
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1
+ ref_id: CC8.1.8
+ description: "Approves System Changes \u2014 A process is in place to approve\
+ \ system changes prior to implementation."
+ translations:
+ es:
+ name: null
+ description: "Aprueba los cambios del sistema: Existe un proceso para aprobar\
+ \ los cambios del sistema antes de su implementaci\xF3n."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1.9
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1
+ ref_id: CC8.1.9
+ description: "Deploys System Changes \u2014 A process is in place to implement\
+ \ system changes with consideration of segregation of responsibilities (for\
+ \ example, restricting unilateral code development or testing and implementation\
+ \ by a single user) to prevent or detect unauthorized changes."
+ translations:
+ es:
+ name: null
+ description: "Despliega los cambios del sistema: Se cuenta con un proceso\
+ \ para implementar los cambios en el sistema considerando la segregaci\xF3\
+ n de responsabilidades (por ejemplo, restringir que una sola persona desarrolle,\
+ \ pruebe e implemente c\xF3digo unilateralmente) para prevenir o detectar\
+ \ cambios no autorizados."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1.10
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1
+ ref_id: CC8.1.10
+ description: "Identifies and Evaluates System Changes \u2014 Objectives affected\
+ \ by system changes are identified, and the ability of the modified system\
+ \ to support the achievement of the objectives is evaluated throughout the\
+ \ system development life cycle."
+ translations:
+ es:
+ name: null
+ description: "Identifica y eval\xFAa los cambios del sistema: Se identifican\
+ \ los objetivos afectados por los cambios del sistema y se eval\xFAa la\
+ \ capacidad del sistema modificado para apoyar el cumplimiento de dichos\
+ \ objetivos durante el ciclo de vida del desarrollo."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1.11
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1
+ ref_id: CC8.1.11
+ description: "Identifies Changes in Infrastructure, Data, Software, and Procedures\
+ \ Required to Remediate Incidents \u2014 Changes in infrastructure, data,\
+ \ software, and procedures required to remediate incidents are identified\
+ \ and the change process is initiated upon identification."
+ translations:
+ es:
+ name: null
+ description: "Identifica cambios en infraestructura, datos, software y procedimientos\
+ \ necesarios para remediar incidentes: Se identifican los cambios en infraestructura,\
+ \ datos, software y procedimientos requeridos para remediar incidentes,\
+ \ y se inicia el proceso de cambio tras su identificaci\xF3n."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1.12
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1
+ ref_id: CC8.1.12
+ description: "Creates Baseline Configuration of IT Technology \u2014 A baseline\
+ \ configuration of IT and control systems is created and maintained."
+ translations:
+ es:
+ name: null
+ description: "Crea una configuraci\xF3n base de tecnolog\xEDa de TI: Se\
+ \ crea y mantiene una configuraci\xF3n base de los sistemas de TI y control."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1.13
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1
+ ref_id: CC8.1.13
+ description: "Provides for Changes Necessary in Emergency Situations \u2014\
+ \ A process is in place for authorizing, designing, testing, approving, and\
+ \ implementing changes necessary in emergency situations (that is, changes\
+ \ that need to be implemented in an urgent time frame)."
+ translations:
+ es:
+ name: null
+ description: "Proporciona cambios necesarios en situaciones de emergencia:\
+ \ Existe un proceso para autorizar, dise\xF1ar, probar, aprobar e implementar\
+ \ cambios necesarios en situaciones de emergencia (es decir, cambios que\
+ \ deben implementarse en un plazo urgente)."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1.14
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1
+ ref_id: CC8.1.14
+ description: "Manages Patch Changes \u2014 A process is in place to identify,\
+ \ evaluate, test, approve, and implement patches in a timely manner on infrastructure\
+ \ and software."
+ translations:
+ es:
+ name: null
+ description: 'Gestiona cambios de parches: Existe un proceso para identificar,
+ evaluar, probar, aprobar e implementar parches de manera oportuna en la
+ infraestructura y el software.'
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1.15
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1
+ ref_id: CC8.1.15
+ description: "[A] Considers System Resilience \u2014 The entity considers system\
+ \ resilience when designing its systems and tests resilience during development\
+ \ to help ensure the entity\u2019s ability to respond to, recover from, and\
+ \ resume operations through significant disruptions."
+ translations:
+ es:
+ name: null
+ description: "[A] Considera la resiliencia del sistema: La entidad considera\
+ \ la resiliencia del sistema al dise\xF1ar sus sistemas y realiza pruebas\
+ \ de resiliencia durante el desarrollo para garantizar la capacidad de\
+ \ la entidad de responder, recuperarse y reanudar operaciones tras interrupciones\
+ \ significativas."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1.16
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1
+ ref_id: CC8.1.16
+ description: "[C] Protects Confidential Information \u2014 The entity protects\
+ \ confidential information during system design, development, testing, implementation,\
+ \ and change processes to support the achievement of the entity\u2019s objectives\
+ \ related to confidentiality."
+ translations:
+ es:
+ name: null
+ description: "[C] Protege la informaci\xF3n confidencial: La entidad protege\
+ \ la informaci\xF3n confidencial durante el dise\xF1o, desarrollo, prueba,\
+ \ implementaci\xF3n y procesos de cambio del sistema para cumplir con\
+ \ los objetivos de la entidad relacionados con la confidencialidad."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1.17
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1
+ ref_id: CC8.1.17
+ description: "[P] Protects Personal Information \u2014 The entity protects personal\
+ \ information during system design, development, testing, implementation,\
+ \ and change processes to support the achievement of the entity\u2019s objectives\
+ \ related to privacy."
+ translations:
+ es:
+ name: null
+ description: "[P] Protege la informaci\xF3n personal: La entidad protege\
+ \ la informaci\xF3n personal durante el dise\xF1o, desarrollo, prueba,\
+ \ implementaci\xF3n y procesos de cambio del sistema para apoyar el cumplimiento\
+ \ de los objetivos de privacidad de la entidad."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1.18
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc8.1
+ ref_id: CC8.1.18
+ description: "[P] Privacy by Design \u2014 The entity considers privacy requirements\
+ \ in the design of its systems and processes and limits the collection and\
+ \ processing of personal information to what is necessary for the identified\
+ \ purpose."
+ translations:
+ es:
+ name: null
+ description: "[P] Privacidad desde el dise\xF1o: La entidad considera los\
+ \ requisitos de privacidad en el dise\xF1o de sus sistemas y procesos,\
+ \ y limita la recopilaci\xF3n y el procesamiento de informaci\xF3n personal\
+ \ a lo que sea necesario para el prop\xF3sito identificado."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9
+ assessable: false
+ depth: 1
+ ref_id: CC9
+ name: Risk Mitigation
+ translations:
+ es:
+ name: "Mitigaci\xF3n de riesgos"
+ description: null
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.1
+ assessable: false
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9
+ ref_id: CC9.1
+ description: The entity identifies, selects, and develops risk mitigation activities
+ for risks arising from potential business disruptions.
+ translations:
+ es:
+ name: null
+ description: "La entidad identifica, selecciona y desarrolla actividades\
+ \ de mitigaci\xF3n de riesgos para los riesgos derivados de posibles interrupciones\
+ \ de la actividad."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.1.1
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.1
+ ref_id: CC9.1.1
+ description: "Considers Mitigation of Risks of Business Disruption \u2014 Risk\
+ \ mitigation activities include the development of planned policies, procedures,\
+ \ communications, and alternative processing solutions to respond to, mitigate,\
+ \ and recover from incidents that disrupt business operations.
Those resilience\
+ \ policies and procedures include monitoring processes, information, and communications\
+ \ to support the achievement of the entity's objectives during response, mitigation,\
+ \ and recovery efforts."
+ translations:
+ es:
+ name: null
+ description: "Considera la Mitigaci\xF3n de los Riesgos de Interrupci\xF3\
+ n del Negocio - Las actividades de mitigaci\xF3n de riesgos incluyen el\
+ \ desarrollo de pol\xEDticas, procedimientos, comunicaciones y soluciones\
+ \ de procesamiento alternativas planificadas para responder, mitigar y\
+ \ recuperarse de incidentes que interrumpan las operaciones del negocio.\
+ \ Dichas pol\xEDticas y procedimientos de resiliencia incluyen procesos\
+ \ de supervisi\xF3n, informaci\xF3n y comunicaciones para apoyar la consecuci\xF3\
+ n de los objetivos de la entidad durante los esfuerzos de respuesta, mitigaci\xF3\
+ n y recuperaci\xF3n."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.1.2
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.1
+ ref_id: CC9.1.2
+ description: "Considers the Use of Insurance to Mitigate Financial Impact Risks\
+ \ \u2014 The risk management activities consider the use of insurance to offset\
+ \ the financial impact of los events that would otherwise impair the ability\
+ \ of the entity to support the achievement of its objectives."
+ translations:
+ es:
+ name: null
+ description: "Considera el uso de seguros para mitigar los riesgos de impacto\
+ \ financiero - Las actividades de gesti\xF3n de riesgos consideran el\
+ \ uso de seguros para compensar el impacto financiero de los eventos que,\
+ \ de otro modo, perjudicar\xEDan la capacidad de la entidad para apoyar\
+ \ el logro de sus objetivos."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2
+ assessable: false
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9
+ ref_id: CC9.2
+ description: The entity assesses and manages risks associated with vendors and
+ business partners.
+ translations:
+ es:
+ name: null
+ description: "La entidad eval\xFAa y gestiona los riesgos asociados a los\
+ \ proveedores y socios comerciales."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2.1
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2
+ ref_id: CC9.2.1
+ description: "Establishes Requirements for Vendor and Business Partner Engagements\
+ \ \u2014 The entity establishes specific requirements for vendor and business\
+ \ partner engagements that include \n(1) scope of services and product specifications,\
+ \ \n(2) roles and responsibilities, \n(3) compliance requirements, and \n\
+ (4) service levels."
+ translations:
+ es:
+ name: null
+ description: "\xABEstablece requisitos para las contrataciones de proveedores\
+ \ y socios comerciales - La entidad establece requisitos espec\xEDficos\
+ \ para las contrataciones de proveedores y socios comerciales que incluyen\
+ \ \n(1) alcance de los servicios y especificaciones de los productos,\
+ \ \n(2) funciones y responsabilidades \n(3) requisitos de cumplimiento,\
+ \ y \n(4) niveles de servicio\xBB."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2.2
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2
+ ref_id: CC9.2.2
+ description: "Identifies Vulnerabilities \u2014 The entity evaluates vulnerabilities\
+ \ arising from vendor and business partner relationships, including third-party\
+ \ access to the entity\u2019s IT systems and connections with third-party\
+ \ networks."
+ translations:
+ es:
+ name: null
+ description: "Identifica vulnerabilidades - La entidad eval\xFAa las vulnerabilidades\
+ \ derivadas de las relaciones con proveedores y socios comerciales, incluido\
+ \ el acceso de terceros a los sistemas inform\xE1ticos de la entidad y\
+ \ las conexiones con redes de terceros."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2.3
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2
+ ref_id: CC9.2.3
+ description: "Assesses Vendor and Business Partner Risks \u2014 The entity inventories,\
+ \ tiers, and assesses, on a periodic basis, threats arising from relationships\
+ \ with vendors and business partners (and those entities\u2019 vendors and\
+ \ business partners) and the vulnerability of the entity's objectives to those\
+ \ threats. Examples of threats arising from relationships with vendors and\
+ \ business partners include those arising from their \n(1) financial failure,\
+ \ \n(2) security vulnerabilities, \n(3) operational disruption, and \n(4)\
+ \ failure to meet business or regulatory requirements."
+ translations:
+ es:
+ name: null
+ description: "\xAB Eval\xFAa los riesgos de proveedores y socios comerciales\
+ \ - La entidad hace inventario, clasifica y eval\xFAa peri\xF3dicamente\
+ \ las amenazas derivadas de las relaciones con proveedores y socios comerciales\
+ \ (y con los proveedores y socios comerciales de esas entidades) y la\
+ \ vulnerabilidad de los objetivos de la entidad frente a esas amenazas.\
+ \ Como ejemplos de amenazas derivadas de las relaciones con proveedores\
+ \ y socios comerciales cabe citar las derivadas de su \n(1) quiebra financiera,\
+ \ \n(2) vulnerabilidades de seguridad, \n(3) interrupci\xF3n operativa,\
+ \ y \n(4) incumplimiento de los requisitos empresariales o reglamentarios\xBB\
+ ."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2.4
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2
+ ref_id: CC9.2.4
+ description: "Assigns Responsibility and Accountability for Managing Vendors\
+ \ and Business Partners \u2014 The entity assigns responsibility and accountability\
+ \ for the management of risks and changes to services associated with vendors\
+ \ and business partners."
+ translations:
+ es:
+ name: null
+ description: "Asigna responsabilidad y rendici\xF3n de cuentas para la gesti\xF3\
+ n de proveedores y socios comerciales - La entidad asigna responsabilidad\
+ \ y rendici\xF3n de cuentas para la gesti\xF3n de riesgos y cambios en\
+ \ los servicios asociados a proveedores y socios comerciales."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2.5
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2
+ ref_id: CC9.2.5
+ description: "Establishes Communication Protocols for Vendors and Business Partners\
+ \ \u2014 The entity establishes communication and resolution protocols for\
+ \ service or product issues related to vendors and business partners."
+ translations:
+ es:
+ name: null
+ description: "Establece protocolos de comunicaci\xF3n para proveedores y\
+ \ socios comerciales - La entidad establece protocolos de comunicaci\xF3\
+ n y resoluci\xF3n de problemas de servicios o productos relacionados con\
+ \ proveedores y socios comerciales."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2.6
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2
+ ref_id: CC9.2.6
+ description: "Establishes Exception Handling Procedures From Vendors and Business\
+ \ Partners \u2014 The entity establishes exception handling procedures for\
+ \ service or product issues related to vendors and business partners."
+ translations:
+ es:
+ name: null
+ description: "Establece procedimientos de gesti\xF3n de excepciones de proveedores\
+ \ y socios comerciales - La entidad establece procedimientos de gesti\xF3\
+ n de excepciones para problemas de servicios o productos relacionados\
+ \ con proveedores y socios comerciales."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2.7
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2
+ ref_id: CC9.2.7
+ description: "Assesses Vendor and Business Partner Performance \u2014 The entity\
+ \ assesses the performance of vendors and business partners, as frequently\
+ \ as warranted, based on the risk associated with the vendor or business partner."
+ translations:
+ es:
+ name: null
+ description: "Eval\xFAa el rendimiento de los proveedores y socios comerciales\
+ \ - La entidad eval\xFAa el rendimiento de los proveedores y socios comerciales,\
+ \ con la frecuencia que se justifique, en funci\xF3n del riesgo asociado\
+ \ al proveedor o socio comercial."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2.8
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2
+ ref_id: CC9.2.8
+ description: "Implements Procedures for Addressing Issues Identified During\
+ \ Vendor and Business Partner Assessments \u2014 The entity implements procedures\
+ \ for addressing issues identified with vendor and business partner relationships."
+ translations:
+ es:
+ name: null
+ description: Implementa procedimientos para abordar los problemas identificados
+ durante las evaluaciones de proveedores y socios comerciales - La entidad
+ implementa procedimientos para abordar los problemas identificados en
+ las relaciones con proveedores y socios comerciales.
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2.9
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2
+ ref_id: CC9.2.9
+ description: "Implements Procedures for Terminating Vendor and Business Partner\
+ \ Relationships \u2014 The entity implements procedures for terminating vendor\
+ \ and business partner relationships based on predefined considerations. Those\
+ \ procedures may include safe return of data and its removal from the vendor\
+ \ or business partner system."
+ translations:
+ es:
+ name: null
+ description: "Implementa Procedimientos para Terminar Relaciones con Proveedores\
+ \ y Socios de Negocio - La entidad implementa procedimientos para terminar\
+ \ relaciones con proveedores y socios de negocio basados en consideraciones\
+ \ predefinidas. Estos procedimientos pueden incluir la devoluci\xF3n segura\
+ \ de los datos y su eliminaci\xF3n del sistema del proveedor o socio comercial."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2.10
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2
+ ref_id: CC9.2.10
+ description: "[C] Obtains Confidentiality Commitments From Vendors and Business\
+ \ Partners \u2014 The entity obtains confidentiality commitments that are\
+ \ consistent with the entity\u2019s confidentiality commitments and requirements\
+ \ from vendors and business partners who have access to confidential information."
+ translations:
+ es:
+ name: null
+ description: "[C] Obtenci\xF3n de compromisos de confidencialidad por parte\
+ \ de proveedores y socios comerciales - La entidad obtiene compromisos\
+ \ de confidencialidad coherentes con los compromisos y requisitos de confidencialidad\
+ \ de la entidad por parte de los proveedores y socios comerciales que\
+ \ tienen acceso a informaci\xF3n confidencial."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2.11
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2
+ ref_id: CC9.2.11
+ description: "[C] Assesses Compliance With Confidentiality Commitments of Vendors\
+ \ and Business Partners \u2014 On a periodic and as-needed basis, the entity\
+ \ assesses compliance by vendors and business partners with the entity\u2019\
+ s confidentiality commitments and requirements."
+ translations:
+ es:
+ name: null
+ description: "[C] Eval\xFAa el cumplimiento de los compromisos de confidencialidad\
+ \ de los proveedores y socios comerciales - De forma peri\xF3dica y seg\xFA\
+ n sea necesario, la entidad eval\xFAa el cumplimiento por parte de los\
+ \ proveedores y socios comerciales de los compromisos y requisitos de\
+ \ confidencialidad de la entidad."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2.12
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2
+ ref_id: CC9.2.12
+ description: "[P] Obtains Privacy Commitments From Vendors and Business Partners\
+ \ \u2014 The entity obtains privacy commitments, consistent with the entity\u2019\
+ s privacy commitments andrequirements, from vendors and business partners\
+ \ who have access to personal information."
+ translations:
+ es:
+ name: null
+ description: "[P] Obtiene compromisos de privacidad de proveedores y socios\
+ \ comerciales - La entidad obtiene compromisos de privacidad, coherentes\
+ \ con los compromisos y requisitos de privacidad de la entidad, de los\
+ \ proveedores y socios comerciales que tienen acceso a informaci\xF3n\
+ \ personal."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2.13
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:cc9.2
+ ref_id: CC9.2.13
+ description: "[P] Assesses Compliance With Privacy Commitments of Vendors and\
+ \ Business Partners \u2014 On a periodic and as-needed basis, the entity assesses\
+ \ compliance by vendors and business partners with the entity\u2019s privacy\
+ \ commitments and requirements and takes corrective action as necessary."
+ translations:
+ es:
+ name: null
+ description: "[P] Eval\xFAa el cumplimiento de los compromisos de privacidad\
+ \ de los proveedores y socios comerciales - De forma peri\xF3dica y seg\xFA\
+ n sea necesario, la entidad eval\xFAa el cumplimiento por parte de los\
+ \ proveedores y socios comerciales de los compromisos y requisitos de\
+ \ privacidad de la entidad y toma las medidas correctivas necesarias."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a
+ assessable: false
+ depth: 1
+ ref_id: A
+ name: Additional Criteria for Avalability
+ translations:
+ es:
+ name: Criterios adicionales de disponibilidad
+ description: null
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.1
+ assessable: false
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a
+ ref_id: A1.1
+ description: The entity maintains, monitors, and evaluates current processing
+ capacity and use of system components (infrastructure, data, and software)
+ to manage capacity demand and to enable the implementation of additional capacity
+ to help meet its objectives.
+ translations:
+ es:
+ name: null
+ description: "La entidad mantiene, supervisa y eval\xFAa la capacidad de\
+ \ procesamiento actual y el uso de los componentes del sistema (infraestructura,\
+ \ datos y software) para gestionar la demanda de capacidad y permitir\
+ \ la implementaci\xF3n de capacidad adicional para ayudar a cumplir sus\
+ \ objetivos."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.1.1
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.1
+ ref_id: A1.1.1
+ description: "Measures Current Usage \u2014 The use of the system components\
+ \ is measured to establish a baseline for capacity management and to use when\
+ \ monitoring and evaluating the risk of impaired availability due to capacity\
+ \ constraints."
+ translations:
+ es:
+ name: null
+ description: "Mide el uso actual - El uso de los componentes del sistema\
+ \ se mide para establecer una l\xEDnea de base para la gesti\xF3n de la\
+ \ capacidad y para utilizar cuando se supervisa y eval\xFAa el riesgo\
+ \ de deterioro de la disponibilidad debido a limitaciones de capacidad."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.1.2
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.1
+ ref_id: A1.1.2
+ description: "Forecasts Capacity \u2014 The expected average and peak use of\
+ \ system components is forecasted and compared to system capacity and associated\
+ \ tolerances. Forecasting considers system resilience and capacity in the\
+ \ event of the failure of system components that constrain capacity."
+ translations:
+ es:
+ name: null
+ description: "Previsi\xF3n de capacidad - Se prev\xE9 el uso medio y m\xE1\
+ ximo previsto de los componentes del sistema y se compara con la capacidad\
+ \ del sistema y las tolerancias asociadas. La previsi\xF3n tiene en cuenta\
+ \ la resistencia del sistema y la capacidad en caso de fallo de los componentes\
+ \ del sistema que limitan la capacidad."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.1.3
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.1
+ ref_id: A1.1.3
+ description: "Makes Changes Based on Forecasts \u2014 The system change management\
+ \ process is initiated when forecasted usage exceeds capacity tolerances."
+ translations:
+ es:
+ name: null
+ description: "Realiza cambios en funci\xF3n de las previsiones - El proceso\
+ \ de gesti\xF3n de cambios del sistema se inicia cuando el uso previsto\
+ \ supera las tolerancias de capacidad."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2
+ assessable: false
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a
+ ref_id: A1.2
+ description: The entity authorizes, designs, develops or acquires, implements,
+ operates, approves, maintains, and monitors environmental protections, software,
+ data backup processes, and recovery infrastructure to meet its objectives.
+ translations:
+ es:
+ name: null
+ description: "La entidad autoriza, dise\xF1a, desarrolla o adquiere, implementa,\
+ \ opera, aprueba, mantiene y supervisa protecciones ambientales, software,\
+ \ procesos de copia de seguridad de datos e infraestructura de recuperaci\xF3\
+ n para cumplir con sus objetivos."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2.1
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2
+ ref_id: A1.2.1
+ description: "Identifies Environmental Threats \u2014 As part of the risk assessment\
+ \ process, management identifies environmental threats that could impair the\
+ \ availability of the system, including threats resulting from adverse weather,\
+ \ failure of environmental control systems, electrical discharge, fire, and\
+ \ water."
+ translations:
+ es:
+ name: null
+ description: "Identifica amenazas ambientales: Como parte del proceso de\
+ \ evaluaci\xF3n de riesgos, la direcci\xF3n identifica las amenazas ambientales\
+ \ que podr\xEDan afectar la disponibilidad del sistema, incluidas las\
+ \ amenazas derivadas de condiciones clim\xE1ticas adversas, fallos en\
+ \ los sistemas de control ambiental, descargas el\xE9ctricas, incendios\
+ \ e inundaciones."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2.2
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2
+ ref_id: A1.2.2
+ description: "Designs Detection Measures \u2014 Detection measures are implemented\
+ \ to identify anomalies that could result from environmental threat events."
+ translations:
+ es:
+ name: null
+ description: "Dise\xF1a medidas de detecci\xF3n: Se implementan medidas\
+ \ de detecci\xF3n para identificar anomal\xEDas que podr\xEDan ser resultado\
+ \ de eventos de amenaza ambiental."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2.3
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2
+ ref_id: A1.2.3
+ description: "Implements and Maintains Environmental Protection Mechanisms \u2014\
+ \ Management implements and maintains environmental protection mechanisms\
+ \ to prevent and mitigate environmental events."
+ translations:
+ es:
+ name: null
+ description: "Implementa y mantiene mecanismos de protecci\xF3n ambiental:\
+ \ La direcci\xF3n implementa y mantiene mecanismos de protecci\xF3n ambiental\
+ \ para prevenir y mitigar eventos ambientales."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2.4
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2
+ ref_id: A1.2.4
+ description: "Implements Alerts to Analyze Anomalies \u2014 Management implements\
+ \ alerts that are communicated to personnel for analysis to identify environmental\
+ \ threat events."
+ translations:
+ es:
+ name: null
+ description: "Implementa alertas para analizar anomal\xEDas: La direcci\xF3\
+ n implementa alertas que se comunican al personal para su an\xE1lisis,\
+ \ con el objetivo de identificar eventos de amenaza ambiental."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2.5
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2
+ ref_id: A1.2.5
+ description: "Responds to Environmental Threat Events \u2014 Procedures are\
+ \ in place for responding to environmental threat events and for evaluating\
+ \ the effectiveness of those policies and procedures on a periodic basis.\
+ \ This includes automatic mitigation systems (for example, uninterruptable\
+ \ power system and generator backup subsystem)."
+ translations:
+ es:
+ name: null
+ description: "Responde a eventos de amenaza ambiental: Existen procedimientos\
+ \ para responder a eventos de amenaza ambiental y evaluar la efectividad\
+ \ de dichas pol\xEDticas y procedimientos de manera peri\xF3dica. Esto\
+ \ incluye sistemas autom\xE1ticos de mitigaci\xF3n (por ejemplo, sistemas\
+ \ de alimentaci\xF3n ininterrumpida y subsistemas de respaldo de generadores)."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2.6
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2
+ ref_id: A1.2.6
+ description: "Communicates and Reviews Detected Environmental Threat Events\
+ \ \u2014 Detected environmental threat events are communicated to and reviewed\
+ \ by the individuals responsable for the management of the system, and actions\
+ \ are taken, if necessary."
+ translations:
+ es:
+ name: null
+ description: "Comunica y revisa los eventos de amenaza ambiental detectados:\
+ \ Los eventos de amenaza ambiental detectados se comunican y revisan con\
+ \ las personas responsables de la gesti\xF3n del sistema, y se toman acciones\
+ \ si es necesario."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2.7
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2
+ ref_id: A1.2.7
+ description: "Determines Data Requiring Backup \u2014 Data is evaluated to determine\
+ \ whether backup is required."
+ translations:
+ es:
+ name: null
+ description: "Determina los datos que requieren copia de seguridad: Los\
+ \ datos se eval\xFAan para determinar si requieren ser respaldados."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2.8
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2
+ ref_id: A1.2.8
+ description: "Performs Data Backup \u2014 Procedures are in place for backing\
+ \ up data, monitoring to detect backup failures, and initiating corrective\
+ \ action when such failures occur."
+ translations:
+ es:
+ name: null
+ description: 'Realiza copias de seguridad de los datos: Existen procedimientos
+ para realizar copias de seguridad de los datos, supervisar para detectar
+ fallos en las copias de seguridad e iniciar acciones correctivas cuando
+ ocurran dichos fallos.'
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2.9
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2
+ ref_id: A1.2.9
+ description: "Addresses Offsite Storage \u2014 Backup data is stored in a location\
+ \ at a distance from its principal storage location sufficient that the likelihood\
+ \ of a security or environmental threat event affecting both sets of data\
+ \ is reduced to an appropriate level."
+ translations:
+ es:
+ name: null
+ description: "Gestiona el almacenamiento externo: Las copias de seguridad\
+ \ de los datos se almacenan en una ubicaci\xF3n distante de su ubicaci\xF3\
+ n principal, de forma que se reduzca la probabilidad de que un evento\
+ \ de amenaza de seguridad o ambiental afecte a ambos conjuntos de datos\
+ \ a un nivel apropiado."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2.10
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2
+ ref_id: A1.2.10
+ description: "Implements Alternate Processing Infrastructure \u2014 Measures\
+ \ are implemented for migrating processing to alternate infrastructure in\
+ \ the event normal processing infrastructure becomes unavailable. Measures\
+ \ may include geographic separation, redundancy, and failover capabilities\
+ \ for components."
+ translations:
+ es:
+ name: null
+ description: "Implementa infraestructura alternativa de procesamiento: Se\
+ \ implementan medidas para migrar el procesamiento a una infraestructura\
+ \ alternativa en caso de que la infraestructura de procesamiento habitual\
+ \ quede inoperativa. Estas medidas pueden incluir separaci\xF3n geogr\xE1\
+ fica, redundancia y capacidades de conmutaci\xF3n por fallo de los componentes."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2.11
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.2
+ ref_id: A1.2.11
+ description: "Considers Data Recoverability \u2014 Management identifies threats\
+ \ to data recoverability (for example, ransomware attacks) that could impair\
+ \ the availability of the system and related data and implements mitigation\
+ \ procedures."
+ translations:
+ es:
+ name: null
+ description: "Considera la recuperabilidad de los datos: La direcci\xF3\
+ n identifica amenazas a la recuperabilidad de los datos (por ejemplo,\
+ \ ataques de ransomware) que podr\xEDan afectar la disponibilidad del\
+ \ sistema y de los datos relacionados, e implementa procedimientos de\
+ \ mitigaci\xF3n."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.3
+ assessable: false
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a
+ ref_id: A1.3
+ description: The entity tests recovery plan procedures supporting system recovery
+ to meet its objectives.
+ translations:
+ es:
+ name: null
+ description: "La entidad prueba los procedimientos del plan de recuperaci\xF3\
+ n que apoyan la recuperaci\xF3n del sistema para cumplir sus objetivos."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.3.1
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.3
+ ref_id: A1.3.1
+ description: "Implements Business Continuity Plan Testing \u2014 Business continuity\
+ \ plan testing is performed on a periodic basis to test the entity\u2019s\
+ \ ability to respond to, recover from, and resume operations through significant\
+ \ disruptions. Testing includes \n(1) development of testing scenarios based\
+ \ on threat likelihood and magnitude; \n(2) consideration of system components\
+ \ from across the entity and vendors that can impair availability; \n(3) scenarios\
+ \ that consider the potential for the lack of availability of key personnel\
+ \ or vendors; and \n(4) revision of continuity plans and systems based on\
+ \ test results."
+ translations:
+ es:
+ name: null
+ description: "Implementa pruebas del plan de continuidad del negocio - Las\
+ \ pruebas del plan de continuidad del negocio se realizan de forma peri\xF3\
+ dica para comprobar la capacidad de la entidad para responder, recuperarse\
+ \ y reanudar las operaciones tras interrupciones significativas. Las pruebas\
+ \ incluyen \n(1) desarrollo de escenarios de prueba basados en la probabilidad\
+ \ y magnitud de las amenazas; \n(2) consideraci\xF3n de los componentes\
+ \ del sistema de toda la entidad y de los proveedores que pueden perjudicar\
+ \ la disponibilidad; \n(3) escenarios que consideren la posible falta\
+ \ de disponibilidad de personal o proveedores clave; y \n(4) revisi\xF3\
+ n de los planes y sistemas de continuidad en funci\xF3n de los resultados\
+ \ de las pruebas\xBB."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.3.2
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:a1.3
+ ref_id: A1.3.2
+ description: "Tests Integrity and Completeness of Backup Data \u2014 The integrity\
+ \ and completeness of backup information is tested on a periodic basis."
+ translations:
+ es:
+ name: null
+ description: "Pruebas de integridad y exhaustividad de los datos de las\
+ \ copias de seguridad - La integridad y exhaustividad de la informaci\xF3\
+ n de las copias de seguridad se comprueba peri\xF3dicamente."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:c
+ assessable: false
+ depth: 1
+ ref_id: C
+ name: Additional Criteria for Confidentiality
+ translations:
+ es:
+ name: Criterios adicionales de confidencialidad
+ description: null
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:c1.1
+ assessable: false
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:c
+ ref_id: C1.1
+ description: "The entity identifies and maintains confidential information to\
+ \ meet the entity\u2019s objectives related to confidentiality."
+ translations:
+ es:
+ name: null
+ description: "La entidad identifica y mantiene la informaci\xF3n confidencial\
+ \ para cumplir los objetivos de la entidad relacionados con la confidencialidad."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:c1.1.1
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:c1.1
+ ref_id: C1.1.1
+ description: "Defines and Identifies Confidential information \u2014 Procedures\
+ \ are in place to define, identify, and designate confidential information\
+ \ when it is received or created."
+ translations:
+ es:
+ name: null
+ description: "Define e identifica la informaci\xF3n confidencial - Existen\
+ \ procedimientos para definir, identificar y designar la informaci\xF3\
+ n confidencial cuando se recibe o se crea."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:c1.1.2
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:c1.1
+ ref_id: C1.1.2
+ description: "Retains Confidential Information \u2014 Confidential information\
+ \ is retained for no longer than necessary to fulfill the identified purpose,\
+ \ unless a law or regulation specifically requires otherwise."
+ translations:
+ es:
+ name: null
+ description: "Conserva la informaci\xF3n confidencial - La informaci\xF3\
+ n confidencial no se conserva m\xE1s tiempo del necesario para cumplir\
+ \ el objetivo identificado, a menos que una ley o reglamento exija espec\xED\
+ ficamente lo contrario."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:c1.1.3
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:c1.1
+ ref_id: C1.1.3
+ description: "Protects Confidential Information From Destruction \u2014 Policies\
+ \ and procedures are in place to protect confidential information from erasure\
+ \ or destruction during the specified retention period of the information."
+ translations:
+ es:
+ name: null
+ description: "Protege la informaci\xF3n confidencial frente a la destrucci\xF3\
+ n - Existen pol\xEDticas y procedimientos para proteger la informaci\xF3\
+ n confidencial frente al borrado o la destrucci\xF3n durante el periodo\
+ \ de conservaci\xF3n especificado de la informaci\xF3n."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:c1.2
+ assessable: false
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:c
+ ref_id: C1.2
+ description: "The entity disposes of confidential information to meet the entity\u2019\
+ s objectives related to confidentiality."
+ translations:
+ es:
+ name: null
+ description: "La entidad elimina la informaci\xF3n confidencial para cumplir\
+ \ los objetivos de la entidad relacionados con la confidencialidad."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:c1.2.1
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:c1.2
+ ref_id: C1.2.1
+ description: "Identifies Confidential Information for Destruction \u2014 Procedures\
+ \ are in place to identify confidential information requiring destruction\
+ \ when the end of the retention period is reached."
+ translations:
+ es:
+ name: null
+ description: "Identifica la informaci\xF3n confidencial que debe destruirse\
+ \ - Existen procedimientos para identificar la informaci\xF3n confidencial\
+ \ que debe destruirse una vez finalizado el per\xEDodo de conservaci\xF3\
+ n."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:c1.2.2
+ assessable: true
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:c1.2
+ ref_id: C1.2.2
+ description: "Destroys Confidential Information \u2014 Policies and procedures\
+ \ are in place to automatically or manually erase or otherwise destroy confidential\
+ \ information that has been identified for destruction."
+ translations:
+ es:
+ name: null
+ description: "Destruye la informaci\xF3n confidencial - Existen pol\xED\
+ ticas y procedimientos para borrar autom\xE1tica o manualmente o destruir\
+ \ de cualquier otra forma la informaci\xF3n confidencial que ha sido identificada\
+ \ para su destrucci\xF3n."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pi
+ assessable: false
+ depth: 1
+ ref_id: PI
+ name: Additional Criteria for Processing Integrity (OVER THE PROVISION OF SERVICES
+ OR THE PRODUCTION, MANUFACTURING, OR DISTRIBUTION OF GOODS)
+ translations:
+ es:
+ name: "Criterios adicionales para la integridad del tratamiento (SOBRE LA\
+ \ PRESTACI\xD3N DE SERVICIOS O LA PRODUCCI\xD3N, FABRICACI\xD3N O DISTRIBUCI\xD3\
+ N DE BIENES)"
+ description: null
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pp1.1
+ assessable: true
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pi
+ ref_id: PP1.1
+ description: The entity obtains or generates, uses, and communicates relevant,
+ quality information regarding the objectives related to processing, including
+ definitions of data processed and product and service specifications, to support
+ the use of products and services.
+ translations:
+ es:
+ name: null
+ description: "La entidad obtiene o genera, utiliza y comunica informaci\xF3\
+ n pertinente y de calidad sobre los objetivos relacionados con el tratamiento,\
+ \ incluidas las definiciones de los datos tratados y las especificaciones\
+ \ de los productos y servicios, para respaldar el uso de productos y servicios."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pp1.2
+ assessable: true
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pi
+ ref_id: PP1.2
+ description: "The entity implements policies and procedures over system inputs,\
+ \ including controls over completeness and accuracy, to result in products,\
+ \ services, and reporting to meet the entity\u2019s objectives."
+ translations:
+ es:
+ name: null
+ description: "La entidad aplica pol\xEDticas y procedimientos a las entradas\
+ \ del sistema, incluidos controles de integridad y exactitud, para obtener\
+ \ productos, servicios e informes que cumplan los objetivos de la entidad."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pp1.3
+ assessable: true
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pi
+ ref_id: PP1.3
+ description: "The entity implements policies and procedures over system processing\
+ \ to result in products, services, and reporting to meet the entity\u2019\
+ s objectives."
+ translations:
+ es:
+ name: null
+ description: "La entidad aplica pol\xEDticas y procedimientos sobre el procesamiento\
+ \ de sistemas para obtener productos, servicios e informes que cumplan\
+ \ los objetivos de la entidad."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pp1.4
+ assessable: true
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pi
+ ref_id: PP1.4
+ description: "The entity implements policies and procedures to make available\
+ \ or deliver output completely, accurately, and timely in accordance with\
+ \ specifications to meet the entity\u2019s objectives."
+ translations:
+ es:
+ name: null
+ description: "La entidad aplica pol\xEDticas y procedimientos para poner\
+ \ a disposici\xF3n o entregar resultados de forma completa, precisa y\
+ \ puntual de acuerdo con las especificaciones para cumplir los objetivos\
+ \ de la entidad."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pp1.5
+ assessable: true
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:pi
+ ref_id: PP1.5
+ description: "The entity implements policies and procedures to store inputs,\
+ \ items in processing, and outputs completely, accurately, and timely in accordance\
+ \ with system specifications to meet the entity\u2019s objectives."
+ translations:
+ es:
+ name: null
+ description: "La entidad aplica pol\xEDticas y procedimientos para almacenar\
+ \ las entradas, los elementos en proceso y las salidas de forma completa,\
+ \ precisa y oportuna de acuerdo con las especificaciones del sistema para\
+ \ cumplir los objetivos de la entidad."
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p + assessable: false + depth: 1 + ref_id: P + name: Additional Criteria for Privacity + translations: + es: + name: Criterios adicionales de Privacidad + description: null + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p1.0 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p + ref_id: P1.0 + description: Privacy Criteria Related to Notice and Communication of Objectives + Related to Privacy + translations: + es: + name: null + description: "Criterios de privacidad relativos a la notificaci\xF3n y comunicaci\xF3\ + n de objetivos relacionados con la privacidad" + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p1.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p1.0 + ref_id: P1.1 + description: "The entity provides notice to data subjects about its privacy\ + \ practices to meet the entity\u2019s objectives related to privacy. The notice\ + \ is updated and communicated to data subjects in a timely manner for changes\ + \ to the entity\u2019s privacy practices, including changes in the use of\ + \ personal information, to meet the entity\u2019s objectives related to privacy." + translations: + es: + name: null + description: "La entidad notifica a los interesados sus pr\xE1cticas de\ + \ protecci\xF3n de la intimidad para cumplir los objetivos de la entidad\ + \ en materia de protecci\xF3n de la intimidad. La notificaci\xF3n se actualiza\ + \ y se comunica a los interesados de manera oportuna en caso de cambios\ + \ en las pr\xE1cticas de privacidad de la entidad, incluidos los cambios\ + \ en el uso de la informaci\xF3n personal, para cumplir los objetivos\ + \ de la entidad relacionados con la privacidad." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p2.0 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p + ref_id: P2.0 + description: Privacy Criteria Related to Choice and Consent + translations: + es: + name: null + description: "Criterios de privacidad relacionados con la elecci\xF3n y\ + \ el consentimiento" + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p2.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p2.0 + ref_id: P2.1 + description: "The entity communicates choices available regarding the collection,\ + \ use, retention, disclosure, and disposal of personal information to the\ + \ data subjects and the consequences, if any, of each choice. Explicit consent\ + \ for the collection, use, retention, disclosure, and disposal of personal\ + \ information is obtained from data subjects or other authorized persons,\ + \ if required. Such consent is obtained only for the intended purpose of the\ + \ information to meet the entity\u2019s objectives related to privacy. The\ + \ entity\u2019s basis for determining implicit consent for the collection,\ + \ use, retention, disclosure, and disposal of personal information is documented." + translations: + es: + name: null + description: "La entidad comunica a los interesados las opciones disponibles\ + \ en relaci\xF3n con la recogida, uso, conservaci\xF3n, divulgaci\xF3\ + n y eliminaci\xF3n de la informaci\xF3n personal, as\xED como las consecuencias,\ + \ en su caso, de cada opci\xF3n. El consentimiento expl\xEDcito para la\ + \ recogida, uso, conservaci\xF3n, divulgaci\xF3n y eliminaci\xF3n de informaci\xF3\ + n personal se obtiene de los interesados o de otras personas autorizadas,\ + \ si es necesario. Dicho consentimiento se obtiene \xFAnicamente para\ + \ la finalidad prevista de la informaci\xF3n a fin de cumplir los objetivos\ + \ de la entidad relacionados con la privacidad. 
La base de la entidad\ + \ para determinar el consentimiento impl\xEDcito para la recogida, uso,\ + \ conservaci\xF3n, divulgaci\xF3n y eliminaci\xF3n de informaci\xF3n personal\ + \ est\xE1 documentada." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p3.0 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p + ref_id: P3.0 + description: Privacy Criteria Related to Collection + translations: + es: + name: null + description: Criterios de privacidad relacionados con la recogida + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p3.1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p3.0 + ref_id: P3.1 + description: "Personal information is collected consistent with the entity\u2019\ + s objectives related to privacy." + translations: + es: + name: null + description: "La informaci\xF3n personal se recoge de acuerdo con los objetivos\ + \ de la entidad en materia de privacidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p3.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p3.0 + ref_id: P3.2 + description: "For information requiring explicit consent, the entity communicates\ + \ the need for such consent as well as the consequences of a failure to provide\ + \ consent for the request for personal information and obtains the consent\ + \ prior to the collection of the information to meet the entity\u2019s objectives\ + \ related to privacy." + translations: + es: + name: null + description: "Para la informaci\xF3n que requiere el consentimiento expl\xED\ + cito, la entidad comunica la necesidad de dicho consentimiento, as\xED\ + \ como las consecuencias de la falta de consentimiento para la solicitud\ + \ de informaci\xF3n personal, y obtiene el consentimiento antes de la\ + \ recogida de la informaci\xF3n para cumplir los objetivos de la entidad\ + \ relacionados con la privacidad." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p3.2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p3.2 + ref_id: P3.2.1 + description: "Informs Data Subjects of Consequences of Failure to Provide Consent\ + \ [C] \u2014 Data subjects are informed of the consequences of failing to\ + \ provide the entity with explicit consent." + translations: + es: + name: null + description: "Informa a los interesados de las consecuencias de no dar su\ + \ consentimiento [C] - Se informa a los interesados de las consecuencias\ + \ de no dar su consentimiento expl\xEDcito a la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p3.2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p3.2 + ref_id: P3.2.2 + description: "Documents Explicit Consent to Retain Information [C] \u2014 Documentation\ + \ of explicit consent for the collection, use, or disclosure of sensitive\ + \ personal information is retained to support the achievement of entity objectives\ + \ related to privacy." + translations: + es: + name: null + description: "Documenta el consentimiento expl\xEDcito para conservar la\ + \ informaci\xF3n [C] - La documentaci\xF3n del consentimiento expl\xED\ + cito para la recogida, uso o divulgaci\xF3n de informaci\xF3n personal\ + \ sensible se conserva para apoyar la consecuci\xF3n de los objetivos\ + \ de la entidad relacionados con la privacidad." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p4.0 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p + ref_id: P4.0 + description: Privacy Criteria Related to Use, Retention, and Disposal + translations: + es: + name: null + description: "Criterios de privacidad relacionados con el uso, la retenci\xF3\ + n y la eliminaci\xF3n" + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p4.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p4.0 + ref_id: P4.1 + description: "The entity limits the use of personal information to the purposes\ + \ identified in the entity\u2019s objectives\nrelated to privacy." + translations: + es: + name: null + description: "La entidad limita el uso de la informaci\xF3n personal a los\ + \ fines identificados en los objetivos de privacidad de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p4.1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p4.1 + ref_id: P4.1.1 + description: "Uses Personal Information for Intended Purposes [P][C] \u2014\ + \ Personal information is used only for the intended purposes for which it\ + \ was collected and only when implicit or explicit consent has been obtained,\ + \ unless a law or regulation specifically requires otherwise." + translations: + es: + name: null + description: "Utiliza la informaci\xF3n personal para los fines previstos\ + \ [P][C]: La informaci\xF3n personal se utiliza \xFAnicamente para los\ + \ fines previstos para los cuales fue recopilada y solo cuando se ha obtenido\ + \ consentimiento impl\xEDcito o expl\xEDcito, a menos que una ley o regulaci\xF3\ + n espec\xEDficamente indique lo contrario." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p4.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p4.0 + ref_id: P4.2 + description: "The entity retains personal information consistent with the entity\u2019\ + s objectives related to privacy." + translations: + es: + name: null + description: "La entidad retiene la informaci\xF3n personal de manera coherente\ + \ con los objetivos de privacidad de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p4.2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p4.2 + ref_id: P4.2.1 + description: "Retains Personal Information [P][C] \u2014 Personal information\ + \ is retained for no longer than necessary to fulfill the stated purposes,\ + \ unless a law or regulation specifically requires otherwise." + translations: + es: + name: null + description: "Retiene la informaci\xF3n personal [P][C]: La informaci\xF3\ + n personal se conserva durante un per\xEDodo no mayor al necesario para\ + \ cumplir con los fines establecidos, a menos que una ley o regulaci\xF3\ + n exija lo contrario." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p4.2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p4.2 + ref_id: P4.2.2 + description: "Protects Personal Information [P][C] \u2014 Policies and procedures\ + \ have been implemented to protect personal information from erasure or destruction\ + \ during the specified retention period of the information." + translations: + es: + name: null + description: "Protege la informaci\xF3n personal [P][C]: Se implementan\ + \ pol\xEDticas y procedimientos para proteger la informaci\xF3n personal\ + \ contra la eliminaci\xF3n o destrucci\xF3n durante el per\xEDodo de retenci\xF3\ + n especificado de la informaci\xF3n." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p4.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p4.0 + ref_id: P4.3 + description: "The entity securely disposes of personal information to meet the\ + \ entity\u2019s objectives related to privacy." + translations: + es: + name: null + description: "La entidad elimina de manera segura la informaci\xF3n personal\ + \ para cumplir con los objetivos de privacidad de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p4.3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p4.3 + ref_id: P4.3.1 + description: "Captures, Identifies, and Flags Requests for Deletion [P][C] \u2014\ + \ Requests for deletion of personal information are captured and information\ + \ related to the requests is identified and flagged for destruction to support\ + \ the achievement of the entity\u2019s objectives related to privacy." + translations: + es: + name: null + description: "Captura, identifica y marca solicitudes de eliminaci\xF3n\ + \ [P][C]: Las solicitudes de eliminaci\xF3n de informaci\xF3n personal\ + \ se capturan y la informaci\xF3n relacionada con dichas solicitudes se\ + \ identifica y marca para su destrucci\xF3n, a fin de apoyar el cumplimiento\ + \ de los objetivos de privacidad de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p4.3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p4.3 + ref_id: P4.3.2 + description: "Disposes of, Destroys, and Redacts Personal Information [P][C]\ + \ \u2014 Personal information no longer retained is anonymized, disposed of,\ + \ or destroyed in a manner that prevents loss, theft, misuse, or unauthorized\ + \ access." 
+ translations: + es: + name: null + description: "Elimina, destruye y redacta informaci\xF3n personal [P][C]:\ + \ La informaci\xF3n personal que ya no se retiene se anonimiza, elimina\ + \ o destruye de manera que se prevenga la p\xE9rdida, robo, mal uso o\ + \ acceso no autorizado." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p4.3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p4.3 + ref_id: P4.3.3 + description: "Destroys Personal Information [P][C] \u2014 Policies and procedures\ + \ are implemented to erase or otherwise destroy personal information that\ + \ has been identified for destruction" + translations: + es: + name: null + description: "Destruye la informaci\xF3n personal [P][C]: Se implementan\ + \ pol\xEDticas y procedimientos para borrar o destruir de otro modo la\ + \ informaci\xF3n personal que ha sido identificada para su destrucci\xF3\ + n." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.0 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p + ref_id: P5.0 + description: Privacy Criteria Related to Access + translations: + es: + name: null + description: Criterios de privacidad relacionados con el acceso + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.0 + ref_id: P5.1 + description: "The entity grants identified and authenticated data subjects the\ + \ ability to access their stored personal information for review and, upon\ + \ request, provides physical or electronic copies of that information to data\ + \ subjects to meet the entity\u2019s objectives related to privacy. If access\ + \ is denied, data subjects are informed of the denial and reason for such\ + \ denial, as required, to meet the entity\u2019s objectives related to privacy." 
+ translations: + es: + name: null + description: "La entidad concede a los interesados identificados y autenticados\ + \ la posibilidad de acceder a su informaci\xF3n personal almacenada para\ + \ revisarla y, previa solicitud, proporciona copias f\xEDsicas o electr\xF3\ + nicas de dicha informaci\xF3n a los interesados para cumplir los objetivos\ + \ de la entidad relacionados con la privacidad. Si se deniega el acceso,\ + \ se informa a los interesados de la denegaci\xF3n y del motivo de la\ + \ misma, seg\xFAn proceda, para cumplir los objetivos de la entidad relacionados\ + \ con la privacidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.1 + ref_id: P5.1.1 + description: "Responds to Data Controller Requests [P] \u2014 The entity has\ + \ a process to respond to data subject requests received from data controllers\ + \ in accordance with service agreements and privacy objectives. Such process\ + \ may include authentication of the request, permitting access where appropriate,\ + \ responding within a reasonable time, and notification if the request is\ + \ denied." + translations: + es: + name: null + description: "Responde a las solicitudes de los responsables del tratamiento\ + \ [P]: La entidad dispone de un proceso para responder a las solicitudes\ + \ de los titulares de datos recibidas de responsables del tratamiento,\ + \ de acuerdo con acuerdos de servicio y objetivos de privacidad. Dicho\ + \ proceso puede incluir la autenticaci\xF3n de la solicitud, la concesi\xF3\ + n de acceso cuando corresponda, la respuesta en un plazo razonable y la\ + \ notificaci\xF3n en caso de denegaci\xF3n de la solicitud." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.1 + ref_id: P5.1.2 + description: "Authenticates Data Subjects\u2019 Identity [P][C] \u2014 The identity\ + \ of data subjects who request access to their personal information is authenticated\ + \ before they are given access to that information." + translations: + es: + name: null + description: "Autentica la identidad de los titulares de los datos [P][C]:\ + \ La identidad de los titulares de datos que solicitan acceso a su informaci\xF3\ + n personal es verificada antes de proporcionarles dicho acceso." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.1 + ref_id: P5.1.3 + description: "Permits Data Subjects Access to Their Personal Information [P][C]\ + \ \u2014 Data subjects are able to determine whether the entity maintains\ + \ personal information about them and, upon request, may obtain access to\ + \ their personal information." + translations: + es: + name: null + description: "Permite a los titulares de datos acceder a su informaci\xF3\ + n personal [P][C]: Los titulares de datos pueden determinar si la entidad\ + \ mantiene informaci\xF3n personal sobre ellos y, previa solicitud, obtener\ + \ acceso a dicha informaci\xF3n personal." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.1.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.1 + ref_id: P5.1.4 + description: "Provides Understandable Personal Information Within Reasonable\ + \ Time [P][C] \u2014 Personal information is provided to data subjects in\ + \ an understandable form, in a reasonable time frame, and at a reasonable\ + \ cost, if any." 
+ translations: + es: + name: null + description: "Proporciona informaci\xF3n personal comprensible en un plazo\ + \ razonable [P][C]: La informaci\xF3n personal se proporciona a los titulares\ + \ de datos en un formato comprensible, dentro de un plazo razonable y\ + \ a un coste razonable, si lo hubiera." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.1.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.1 + ref_id: P5.1.5 + description: "Informs Data Subjects If Access Is Denied [P][C] \u2014 When data\ + \ subjects are denied access to their personal information, the entity informs\ + \ them of the denial and the reason for the denial in a timely manner, unless\ + \ prohibited by law or regulation." + translations: + es: + name: null + description: "Informa a los titulares de datos si el acceso es denegado\ + \ [P][C]: Cuando se deniega a los titulares de datos el acceso a su informaci\xF3\ + n personal, la entidad les informa de la denegaci\xF3n y de los motivos\ + \ de la misma de manera oportuna, salvo que est\xE9 prohibido por ley\ + \ o regulaci\xF3n." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.0 + ref_id: P5.2 + description: "The entity corrects, amends, or appends personal information based\ + \ on information provided by data subjects and communicates such information\ + \ to third parties, as committed or required, to meet the entity\u2019s objectives\ + \ related to privacy. If a request for correction is denied, data subjects\ + \ are informed of the denial and reason for such denial to meet the entity\u2019\ + s objectives related to privacy." 
+ translations: + es: + name: null + description: "La entidad corrige, modifica o a\xF1ade informaci\xF3n personal\ + \ bas\xE1ndose en la informaci\xF3n proporcionada por los titulares de\ + \ datos y comunica dicha informaci\xF3n a terceros, seg\xFAn lo comprometido\ + \ o requerido, para cumplir con los objetivos de privacidad de la entidad.\ + \ Si se deniega una solicitud de correcci\xF3n, se informa a los titulares\ + \ de datos sobre la denegaci\xF3n y la raz\xF3n de la misma, con el fin\ + \ de cumplir con los objetivos de privacidad de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.2 + ref_id: P5.2.1 + description: "Responds to Data Controller Requests [P] \u2014 The entity has\ + \ a process to respond to data controllers\u2019 update requests, including\ + \ updates to personal information and denial of requests, in accordance with\ + \ service agreements to support the achievement of the entity\u2019s objectives\ + \ related to privacy." + translations: + es: + name: null + description: "Responde a las solicitudes de los responsables del tratamiento\ + \ [P]: La entidad dispone de un proceso para responder a las solicitudes\ + \ de actualizaci\xF3n de los responsables del tratamiento, incluyendo\ + \ actualizaciones de informaci\xF3n personal y denegaci\xF3n de solicitudes,\ + \ conforme a acuerdos de servicio para apoyar el cumplimiento de los objetivos\ + \ de privacidad de la entidad." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.2 + ref_id: P5.2.2 + description: "Communicates Denial of Access Requests [P][C] \u2014 Data subjects\ + \ are informed, in writing, of the reason a request for access to their personal\ + \ information was denied, the source of the entity\u2019s legal right to deny\ + \ such access, if applicable, and the individual\u2019s right, if any, to\ + \ challenge such denial, as specifically permitted or required by law or regulation." + translations: + es: + name: null + description: "Comunica la denegaci\xF3n de solicitudes de acceso [P][C]:\ + \ Los titulares de datos son informados, por escrito, del motivo por el\ + \ cual se deneg\xF3 una solicitud de acceso a su informaci\xF3n personal,\ + \ la base legal que permite dicha denegaci\xF3n, si corresponde, y el\ + \ derecho del individuo, si lo tiene, a impugnar dicha denegaci\xF3n,\ + \ seg\xFAn lo permitido o requerido por la ley o regulaci\xF3n." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.2.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.2 + ref_id: P5.2.3 + description: "Permits Data Subjects to Update or Correct Personal Information\ + \ [P][C] \u2014 Data subjects are able to update or correct personal information\ + \ held by the entity. The entity communicates updates, corrections, and deletion\ + \ requests to third parties that were previously provided with the data subject\u2019\ + s personal information consistent with the entity\u2019s objectives related\ + \ to privacy." + translations: + es: + name: null + description: "Permite a los titulares de datos actualizar o corregir su\ + \ informaci\xF3n personal [P][C]: Los titulares de datos pueden actualizar\ + \ o corregir su informaci\xF3n personal que est\xE1 en posesi\xF3n de\ + \ la entidad. 
La entidad comunica actualizaciones, correcciones y solicitudes\ + \ de eliminaci\xF3n a terceros que hayan recibido previamente la informaci\xF3\ + n personal del titular, de acuerdo con los objetivos de privacidad de\ + \ la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.2.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p5.2 + ref_id: P5.2.4 + description: "Communicates Denial of Correction Requests [P][C] \u2014 Data\ + \ subjects are informed, in writing, about the reason a request for correction\ + \ of personal information was denied and how they may appeal." + translations: + es: + name: null + description: "Comunica la denegaci\xF3n de solicitudes de correcci\xF3n\ + \ [P][C]: Los titulares de datos son informados, por escrito, del motivo\ + \ por el cual se deneg\xF3 una solicitud de correcci\xF3n de informaci\xF3\ + n personal y c\xF3mo pueden apelar dicha decisi\xF3n." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.0 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p + ref_id: P6.0 + description: Privacy Criteria Related to Disclosure and Notification + translations: + es: + name: null + description: "Criterios de privacidad relacionados con la divulgaci\xF3\ + n y notificaci\xF3n" + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.0 + ref_id: P6.1 + description: "The entity discloses personal information to third parties with\ + \ the explicit consent of data subjects and such consent is obtained prior\ + \ to disclosure to meet the entity\u2019s objectives related to privacy." 
+ translations: + es: + name: null + description: "La entidad divulga informaci\xF3n personal a terceros con\ + \ el consentimiento expl\xEDcito de los titulares de los datos y dicho\ + \ consentimiento se obtiene antes de la divulgaci\xF3n para cumplir con\ + \ los objetivos de privacidad de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.1 + ref_id: P6.1.1 + description: "Communicates Privacy Policies to Third Parties [P][C] \u2014 Privacy\ + \ policies or other specific instructions or requirements for handling personal\ + \ information are communicated to third parties to whom personal information\ + \ is disclosed." + translations: + es: + name: null + description: "Comunica las pol\xEDticas de privacidad a terceros [P][C]:\ + \ Las pol\xEDticas de privacidad u otras instrucciones o requisitos espec\xED\ + ficos para el manejo de la informaci\xF3n personal se comunican a los\ + \ terceros a quienes se divulga dicha informaci\xF3n." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.1 + ref_id: P6.1.2 + description: "Discloses Personal Information Only When Appropriate [P][C] \u2014\ + \ Personal information is disclosed to third parties only for the purposes\ + \ for which it was collected or created and only when implicit or explicit\ + \ consent has been obtained from the data subject, unless a law or regulation\ + \ specifically requires otherwise." 
+ translations: + es: + name: null + description: "Divulga informaci\xF3n personal solo cuando es apropiado [P][C]:\ + \ La informaci\xF3n personal se divulga a terceros \xFAnicamente para\ + \ los fines para los cuales fue recopilada o creada y solo cuando se ha\ + \ obtenido el consentimiento impl\xEDcito o expl\xEDcito del titular de\ + \ los datos, a menos que una ley o regulaci\xF3n exija lo contrario." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.1 + ref_id: P6.1.3 + description: "Discloses Personal Information Only to Appropriate Third Parties\ + \ [P][C] \u2014 Personal information is disclosed only to third parties who\ + \ have agreements with the entity to protect personal information in a manner\ + \ consistent with the relevant aspects of the entity\u2019s privacy notice\ + \ or other specific instructions or requirements." + translations: + es: + name: null + description: "Divulga informaci\xF3n personal \xFAnicamente a terceros apropiados\ + \ [P][C]: La informaci\xF3n personal se divulga \xFAnicamente a terceros\ + \ que tengan acuerdos con la entidad para proteger dicha informaci\xF3\ + n de manera consistente con los aspectos relevantes del aviso de privacidad\ + \ de la entidad u otras instrucciones o requisitos espec\xEDficos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.1.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.1 + ref_id: P6.1.4 + description: "Discloses Information to Third Parties for New Purposes and Uses\ + \ [P][C] \u2014 Personal information is disclosed to third parties for new\ + \ purposes or uses only with the prior implicit or explicit consent of data\ + \ subjects." 
+ translations: + es: + name: null + description: "Divulga informaci\xF3n a terceros para nuevos fines y usos\ + \ [P][C]: La informaci\xF3n personal se divulga a terceros para nuevos\ + \ fines o usos \xFAnicamente con el consentimiento previo, impl\xEDcito\ + \ o expl\xEDcito, de los titulares de los datos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.0 + ref_id: P6.2 + description: "The entity creates and retains a complete, accurate, and timely\ + \ record of authorized disclosures of personal information to meet the entity\u2019\ + s objectives related to privacy." + translations: + es: + name: null + description: "La entidad crea y mantiene un registro completo, preciso y\ + \ oportuno de las divulgaciones autorizadas de informaci\xF3n personal\ + \ para cumplir con los objetivos de privacidad de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.2 + ref_id: P6.2.1 + description: "Creates and Retains Record of Authorized Disclosures [P][C] \u2014\ + \ The entity creates and maintains a record of authorized disclosures of personal\ + \ information that is complete, accurate, and timely." + translations: + es: + name: null + description: "Crea y mantiene un registro de las divulgaciones autorizadas\ + \ [P][C]: La entidad crea y mantiene un registro de las divulgaciones\ + \ autorizadas de informaci\xF3n personal que sea completo, preciso y oportuno." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.0 + ref_id: P6.3 + description: "The entity creates and retains a complete, accurate, and timely\ + \ record of detected or reported unauthorized disclosures (including breaches)\ + \ of personal information to meet the entity\u2019s objectives related to\ + \ privacy." + translations: + es: + name: null + description: "La entidad crea y mantiene un registro completo, preciso y\ + \ oportuno de las divulgaciones no autorizadas detectadas o reportadas\ + \ (incluyendo violaciones) de informaci\xF3n personal para cumplir con\ + \ los objetivos de privacidad de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.3 + ref_id: P6.3.1 + description: "Creates and Retains Record of Detected or Reported Unauthorized\ + \ Disclosures [P] [C] \u2014 The entity creates and maintains a record of\ + \ detected or reported unauthorized disclosures of personal information that\ + \ is complete, accurate, and timely." + translations: + es: + name: null + description: "Crea y mantiene un registro de las divulgaciones no autorizadas\ + \ detectadas o reportadas [P][C]: La entidad crea y mantiene un registro\ + \ de las divulgaciones no autorizadas detectadas o reportadas de informaci\xF3\ + n personal que sea completo, preciso y oportuno." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.0 + ref_id: P6.4 + description: "The entity obtains privacy commitments from vendors and other\ + \ third parties who have access to personal information to meet the entity\u2019\ + s objectives related to privacy. 
The entity assesses those parties\u2019 compliance\ + \ on a periodic and as-needed basis and takes corrective action, if necessary." + translations: + es: + name: null + description: "La entidad obtiene compromisos de privacidad de proveedores\ + \ y otras terceras partes que tienen acceso a la informaci\xF3n personal\ + \ para cumplir con los objetivos de privacidad de la entidad. La entidad\ + \ eval\xFAa el cumplimiento de dichas partes de manera peri\xF3dica y\ + \ cuando sea necesario, tomando medidas correctivas si procede." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.4 + ref_id: P6.4.1 + description: "Evaluates Third-Party Compliance With Privacy Commitments [P][C]\ + \ \u2014 The entity has procedures in place to evaluate whether third parties\ + \ have effective controls to meet the terms of the agreement, instructions,\ + \ or requirements." + translations: + es: + name: null + description: "Eval\xFAa el cumplimiento de los compromisos de privacidad\ + \ por terceros [P][C]: La entidad cuenta con procedimientos para evaluar\ + \ si los terceros tienen controles efectivos para cumplir con los t\xE9\ + rminos del acuerdo, instrucciones o requisitos." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.4 + ref_id: P6.4.2 + description: "Remediates Misuse of Personal Information by a Third Party [P][C]\ + \ \u2014 The entity takes remedial action in response to misuse of personal\ + \ information by a third party to whom the entity has transferred such information." 
+ translations: + es: + name: null + description: "Corrige el uso indebido de la informaci\xF3n personal por\ + \ parte de un tercero [P][C]: La entidad toma medidas correctivas en respuesta\ + \ al uso indebido de la informaci\xF3n personal por parte de un tercero\ + \ al que se le ha transferido dicha informaci\xF3n." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.4.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.4 + ref_id: P6.4.3 + description: "Obtains Commitments to Report Unauthorized Disclosures [P][C]\ + \ \u2014 A process exists for obtaining commitments from vendors and other\ + \ third parties to report to the entity actual or suspected unauthorized disclosures\ + \ of personal information." + translations: + es: + name: null + description: "Obtiene compromisos para reportar divulgaciones no autorizadas\ + \ [P][C]: Existe un proceso para obtener compromisos de proveedores y\ + \ otras terceras partes para notificar a la entidad sobre divulgaciones\ + \ reales o sospechadas no autorizadas de informaci\xF3n personal." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.0 + ref_id: P6.5 + description: "The entity obtains commitments from vendors and other third parties\ + \ with access to personal information to notify the entity in the event of\ + \ actual or suspected unauthorized disclosures of personal information. Such\ + \ notifications are reported to appropriate personnel and acted on in accordance\ + \ with established incident-response procedures to meet the entity\u2019s\ + \ objectives related to privacy." 
+ translations: + es: + name: null + description: "La entidad obtiene compromisos de proveedores y otras terceras\ + \ partes con acceso a informaci\xF3n personal para notificar a la entidad\ + \ en caso de divulgaciones no autorizadas reales o sospechadas de informaci\xF3\ + n personal. Dichas notificaciones son reportadas al personal apropiado\ + \ y tratadas conforme a los procedimientos de respuesta a incidentes establecidos,\ + \ con el fin de cumplir con los objetivos de privacidad de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.5 + ref_id: P6.5.1 + description: "Remediates Misuse of Personal Information by a Third Party [P][C]\ + \ \u2014 The entity takes remedial action in response to misuse of personal\ + \ information by a third party to whom the entity has transferred such information." + translations: + es: + name: null + description: "Corrige el uso indebido de la informaci\xF3n personal por\ + \ parte de un tercero [P][C]: La entidad toma medidas correctivas en respuesta\ + \ al uso indebido de la informaci\xF3n personal por parte de un tercero\ + \ al que se le ha transferido dicha informaci\xF3n." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.5 + ref_id: P6.5.2 + description: "Reports Actual or Suspected Unauthorized Disclosures [P][C] \u2014\ + \ A process exists for obtaining commitments from vendors and other third\ + \ parties to report to the entity actual or suspected unauthorized disclosures\ + \ of personal information." 
+ translations: + es: + name: null + description: "Reporta divulgaciones no autorizadas reales o sospechadas\ + \ [P][C]: Existe un proceso para obtener compromisos de proveedores y\ + \ otras terceras partes para notificar a la entidad sobre divulgaciones\ + \ reales o sospechadas no autorizadas de informaci\xF3n personal." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.0 + ref_id: P6.6 + description: "The entity provides notification of breaches and incidents to\ + \ affected data subjects, regulators, and others to meet the entity\u2019\ + s objectives related to privacy." + translations: + es: + name: null + description: "La entidad proporciona notificaci\xF3n de brechas e incidentes\ + \ a los titulares de datos afectados, reguladores y otras partes, para\ + \ cumplir con los objetivos de privacidad de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.6 + ref_id: P6.6.1 + description: "Identifies Reporting Requirements [P][C] \u2014 The entity has\ + \ a process for determining whether notification of a privacy breach is required,\ + \ including the method to be used, the timeline, and the identification of\ + \ recipients of such notifications." + translations: + es: + name: null + description: "Identifica los requisitos de notificaci\xF3n [P][C]: La entidad\ + \ cuenta con un proceso para determinar si es necesario notificar una\ + \ brecha de privacidad, incluyendo el m\xE9todo a utilizar, los plazos\ + \ y la identificaci\xF3n de los destinatarios de dichas notificaciones." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.6 + ref_id: P6.6.2 + description: "Provides Notice of Breaches and Incidents [P][C] \u2014 The entity\ + \ has a process for providing notice of breaches and incidents to affected\ + \ data subjects, regulators, and others to support the achievement of the\ + \ entity\u2019s objectives related to privacy." + translations: + es: + name: null + description: "Proporciona notificaci\xF3n de brechas e incidentes [P][C]:\ + \ La entidad tiene un proceso para proporcionar notificaci\xF3n de brechas\ + \ e incidentes a los titulares de datos afectados, reguladores y otras\ + \ partes, con el fin de apoyar el cumplimiento de los objetivos de privacidad\ + \ de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.0 + ref_id: P6.7 + description: "The entity provides data subjects with an accounting of the personal\ + \ information held and disclosure of the data subjects\u2019 personal information,\ + \ upon the data subjects\u2019 request, to meet the entity\u2019s objectives\ + \ related to privacy." + translations: + es: + name: null + description: "La entidad proporciona a los titulares de datos un registro\ + \ de la informaci\xF3n personal que posee y las divulgaciones de dicha\ + \ informaci\xF3n personal, a solicitud de los titulares de los datos,\ + \ para cumplir con los objetivos de privacidad de la entidad." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.7.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.7 + ref_id: P6.7.1 + description: "Responds to Data Controller Requests [P] \u2014 The entity has\ + \ a process to respond to data controller requests for an accounting of personal\ + \ information held in accordance with service agreements and privacy objectives." + translations: + es: + name: null + description: "Responde a solicitudes de los responsables del tratamiento\ + \ [P]: La entidad cuenta con un proceso para responder a las solicitudes\ + \ de los responsables del tratamiento sobre un registro de la informaci\xF3\ + n personal mantenida, de acuerdo con los acuerdos de servicio y los objetivos\ + \ de privacidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.7.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.7 + ref_id: P6.7.2 + description: "Identifies Types of Personal Information and Handling Process\ + \ [P][C] \u2014 The types of personal information and sensitive personal information\ + \ and the related processes, systems, and third parties involved in the handling\ + \ of such information are identified." + translations: + es: + name: null + description: "Identifica los tipos de informaci\xF3n personal y el proceso\ + \ de manejo [P][C]: Se identifican los tipos de informaci\xF3n personal\ + \ y de informaci\xF3n personal sensible, as\xED como los procesos, sistemas\ + \ y terceras partes involucradas en el manejo de dicha informaci\xF3n." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.7.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p6.7 + ref_id: P6.7.3 + description: "Captures, Identifies, and Communicates Requests for Information\ + \ [P][C] \u2014 Requests for an accounting of personal information held and\ + \ disclosures of the data subjects\u2019 personal information are captured\ + \ and information related to the requests is identified and communicated to\ + \ data subjects to support the achievement of the entity\u2019s objectives\ + \ related to privacy." + translations: + es: + name: null + description: "Captura, identifica y comunica solicitudes de informaci\xF3\ + n [P][C]: Se capturan las solicitudes de registro de la informaci\xF3\ + n personal mantenida y las divulgaciones de la informaci\xF3n personal\ + \ de los titulares de datos. Adem\xE1s, se identifica y comunica la informaci\xF3\ + n relacionada con dichas solicitudes a los titulares de datos para cumplir\ + \ con los objetivos de privacidad de la entidad." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p7.0 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p + ref_id: P7.0 + description: Privacy Criteria Related to Quality + translations: + es: + name: null + description: Criterios de privacidad relacionados con la calidad + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p7.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p7.0 + ref_id: P7.1 + description: "The entity collects and maintains accurate, up-to-date, complete,\ + \ and relevant personal information to meet the entity\u2019s objectives related\ + \ to privacy." + translations: + es: + name: null + description: "La entidad recopila y mantiene informaci\xF3n personal precisa,\ + \ actualizada, completa y relevante para cumplir con los objetivos de\ + \ privacidad de la entidad." 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p7.1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p7.1 + ref_id: P7.1.1 + description: "Ensures Accuracy and Completeness of Personal Information [P][C]\ + \ \u2014 Personal information is accurate and complete for the purposes for\ + \ which it is to be used." + translations: + es: + name: null + description: "Garantiza la exactitud y completitud de la informaci\xF3n\ + \ personal [P][C]: La informaci\xF3n personal es precisa y completa para\ + \ los fines para los que va a ser utilizada." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p7.1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p7.1 + ref_id: P7.1.2 + description: "Ensures Relevance of Personal Information [P][C] \u2014 Personal\ + \ information is relevant to the purposes for which it is to be used." + translations: + es: + name: null + description: "Garantiza la relevancia de la informaci\xF3n personal [P][C]:\ + \ La informaci\xF3n personal es relevante para los fines para los que\ + \ va a ser utilizada." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p8.0 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p + ref_id: P8.0 + description: Privacy Criteria Related to Monitoring and Enforcement + translations: + es: + name: null + description: "Criterios de privacidad relacionados con la monitorizaci\xF3\ + n y aplicaci\xF3n" + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p8.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p8.0 + ref_id: P8.1 + description: "The entity implements a process for receiving, addressing, resolving,\ + \ and communicating the resolution of inquiries, complaints, and disputes\ + \ from data subjects and others and periodically monitors compliance to meet\ + \ the entity\u2019s objectives related to privacy. 
Corrections and other necessary\ + \ actions related to identified deficiencies are made or taken in a timely\ + \ manner." + translations: + es: + name: null + description: "La entidad implementa un proceso para recibir, abordar, resolver\ + \ y comunicar la resoluci\xF3n de consultas, quejas y disputas de los\ + \ titulares de datos y otras partes, y monitoriza peri\xF3dicamente el\ + \ cumplimiento para cumplir con los objetivos de privacidad de la entidad.\ + \ Se realizan correcciones y otras acciones necesarias relacionadas con\ + \ deficiencias identificadas de manera oportuna." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p8.1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p8.1 + ref_id: P8.1.1 + description: "Communicates to Data Subjects or Data Controllers [P][C] \u2014\ + \ Data subjects or data controllers are informed about how to contact the\ + \ entity with inquiries, complaints, and disputes." + translations: + es: + name: null + description: "Comunica a los titulares de datos o responsables del tratamiento\ + \ [P][C]: Los titulares de datos o los responsables del tratamiento son\ + \ informados sobre c\xF3mo contactar con la entidad para consultas, quejas\ + \ y disputas." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p8.1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p8.1 + ref_id: P8.1.2 + description: "Addresses Inquiries, Complaints, and Disputes [P][C] \u2014 A\ + \ process is in place to address inquiries, complaints, and disputes." + translations: + es: + name: null + description: 'Aborda consultas, quejas y disputas [P][C]: Existe un proceso + para abordar consultas, quejas y disputas.' 
+ - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p8.1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p8.1 + ref_id: P8.1.3 + description: "Documents and Communicates Dispute Resolution and Recourse [P][C]\ + \ \u2014 Each complaint is addressed and the resolution is documented and\ + \ communicated to the individual." + translations: + es: + name: null + description: "Documenta y comunica la resoluci\xF3n de disputas y recursos\ + \ [P][C]: Cada queja es atendida y su resoluci\xF3n es documentada y comunicada\ + \ al individuo." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p8.1.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p8.1 + ref_id: P8.1.4 + description: "Documents and Reports Compliance Review Results [P][C] \u2014\ + \ Compliance with objectives related to privacy are reviewed and documented\ + \ and the results of such reviews are reported to management. If problems\ + \ are identified, remediation plans are developed and implemented." + translations: + es: + name: null + description: "Documenta y reporta los resultados de las revisiones de cumplimiento\ + \ [P][C]: El cumplimiento de los objetivos de privacidad se revisa y documenta,\ + \ y los resultados de dichas revisiones se reportan a la direcci\xF3n.\ + \ Si se identifican problemas, se desarrollan e implementan planes de\ + \ remediaci\xF3n." + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p8.1.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p8.1 + ref_id: P8.1.5 + description: "Documents and Reports Instances of Noncompliance [P][C] \u2014\ + \ Instances of noncompliance with objectives related to privacy are documented\ + \ and reported and, if needed, corrective and disciplinary measures are taken\ + \ on a timely basis." 
+ translations: + es: + name: null + description: 'Documenta y reporta casos de incumplimiento [P][C]: Los casos + de incumplimiento de los objetivos de privacidad se documentan y reportan, + y, si es necesario, se toman medidas correctivas y disciplinarias de manera + oportuna.' + - urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p8.1.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:soc2-2017-rev-2022:p8.1 + ref_id: P8.1.6 + description: "Performs Ongoing Monitoring [P][C] \u2014 Ongoing procedures are\ + \ performed for monitoring the effectiveness of controls over personal information\ + \ and for taking timely corrective actions when necessary." + translations: + es: + name: null + description: "Realiza monitorizaci\xF3n continua [P][C]: Se llevan a cabo\ + \ procedimientos continuos para monitorizar la efectividad de los controles\ + \ sobre la informaci\xF3n personal y para tomar acciones correctivas oportunas\ + \ cuando sea necesario." diff --git a/tools/aicpa/SOC2_2017_with_rev_2022.xlsx b/tools/aicpa/SOC2_2017_with_rev_2022.xlsx index 7c4ddff78..aabe21c59 100644 Binary files a/tools/aicpa/SOC2_2017_with_rev_2022.xlsx and b/tools/aicpa/SOC2_2017_with_rev_2022.xlsx differ