...
An external policy or notice to the public, users, or customers, describing how you protect the security and privacy of data
Written internal policies, guidelines, and documented practices for the safe handling and protection of data
Internal audits of the security and privacy program
Third-party audits of the security and privacy program
A risk assessment and risk management process to regularly review the threats your company is exposed to
A program to ensure security in your human resources processes
A process to ensure that your service providers and subcontractors are capable of taking appropriate steps to protect sensitive data and systems
Processes and procedures to ensure that security incidents are discovered in a timely manner and dealt with effectively
A change management process to ensure that all changes to networks, systems, and processes are appropriately reviewed
...