Description
List of recommendations from the document "Privacy Impact Assessment (PIA) 3: knowledge bases, February 2018 Edition", published on the website www.cnil.fr. This list is not validated by the CNIL.
Owning organization
Validating JSON schema
Recommendations (provided by MONARC)
Creator
License
Creative Commons Zero v1.0 Universal

Definition of the object
{
    "label": "CNIL",
    "language": "EN",
    "refs": [
        "https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-3-en-knowledgebases.pdf"
    ],
    "uuid": "b2f63ac4-c50c-43e1-8227-7078e6fcfd23",
    "values": [
        {
            "code": "Anonymization_01",
            "description": "Determine what must be anonymized based on the context, the form in which the personal data are stored (including database fields or excerpts from texts, etc.) and the risks identified.",
            "importance": 0,
            "uuid": "a689861b-a722-4457-8171-934354562cab"
        },
        {
            "code": "Anonymization_02",
            "description": "Permanently anonymize the data that require such anonymization based on the form of the data to be anonymized (including databases and textual records, etc.) and the risks identified.",
            "importance": 0,
            "uuid": "cbf48c2f-40e9-4c7e-8131-2393bcb591b5"
        },
        {
            "code": "Anonymization_03",
            "description": "If such data cannot be anonymized permanently, choose tools (including partial deletion, encryption, hashing, key hashing, index, etc.) that most closely meet the functional needs.",
            "importance": 0,
            "uuid": "908a4718-c979-46d4-8d78-1a01d789a9e4"
        },
        {
            "code": "Archiving_01",
            "description": "Confirm that the archive management processes are defined.",
            "importance": 0,
            "uuid": "d2693f41-f525-47da-85ed-5649770be40b"
        },
        {
            "code": "Archiving_02",
            "description": "Confirm that the archiving roles are identified.",
            "importance": 0,
            "uuid": "f8637d15-df22-470c-8a11-c26487193ce5"
        },
        {
            "code": "Archiving_03",
            "description": "Confirm that the measures can ensure, if necessary, the identification and authentication of the origin of the archives, integrity, intelligibility, readability, availability and accessibility of the archives, how long the archives must be kept and the traceability of the operations carried out on the archives (including transfer, consultation, migration, deletion, etc.) and take additional measures if this is not the case.",
            "importance": 0,
            "uuid": "0ad651e5-8fa6-40d9-81a6-747c203f7f13"
        },
        {
            "code": "Archiving_04",
            "description": "Determine the methods for protecting the confidentiality of the archived personal data based on the risks identified.",
            "importance": 0,
            "uuid": "5171d119-7ab3-41f5-8789-1b16f4c14c40"
        },
        {
            "code": "Archiving_05",
            "description": "Confirm that the archive authorities have an archiving policy.",
            "importance": 0,
            "uuid": "5dc180e8-3e00-42e7-9e60-bcbd8f9bd483"
        },
        {
            "code": "Archiving_06",
            "description": "Confirm that a declaration of archiving practices exists.",
            "importance": 0,
            "uuid": "13b7897c-b7a1-4941-892e-abe056f12c05"
        },
        {
            "code": "Backups_01",
            "description": "Back up the personal data regularly, whether they are on paper or in electronic form, based on the businesses' availability and integrity requirements.",
            "importance": 0,
            "uuid": "bb7cd7b2-4ea0-47a3-a607-e4f25c628698"
        },
        {
            "code": "Backups_02",
            "description": "Implement mechanisms for encrypting the data transmission channel if the network's backup is automated.",
            "importance": 0,
            "uuid": "47ac599e-904b-45c4-9be8-035a75deac14"
        },
        {
            "code": "Backups_03",
            "description": "Protect backed-up personal data with the same level of security as that used in operations.",
            "importance": 0,
            "uuid": "1b99ebd6-776f-4a4b-9e21-117349e5526f"
        },
        {
            "code": "Backups_04",
            "description": "Test the backups regularly.",
            "importance": 0,
            "uuid": "49c46d91-36aa-469f-a743-77a4a35bdfef"
        },
        {
            "code": "Backups_05",
            "description": "Test the integrity of the backed-up personal data if the businesses' requirements so require.",
            "importance": 0,
            "uuid": "2d890d10-9bf3-4a18-b59a-f2275e43d3de"
        },
        {
            "code": "Backups_06",
            "description": "Formally document the level of commitment of the IT department regarding the recovery of encrypted information in the event of loss or unavailability of the secrets ensuring the encryption (including passwords and certificates) and regularly check the procedures associated with that commitment.",
            "importance": 0,
            "uuid": "3ad1a54b-58fa-4524-b857-6ede9d683ea0"
        },
        {
            "code": "Backups_07",
            "description": "Ensure that the organization, staff, systems and premises necessary to carry out the processing are available within a timeframe that corresponds to the needs of the businesses.",
            "importance": 0,
            "uuid": "fdd84eeb-d249-4d82-a7ca-2edb149dad91"
        },
        {
            "code": "Backups_08",
            "description": "Confirm the geographic location of the backups and, specifically, in which country (countries) the data are stored.",
            "importance": 0,
            "uuid": "05ca0450-a6c3-4e3b-9d85-3052442fb9af"
        },
        {
            "code": "Basis_01",
            "description": "Determine and justify the lawfulness criterion applicable to the data processing.",
            "importance": 0,
            "uuid": "3e967274-f715-44f3-8a95-b1bc30604448"
        },
        {
            "code": "Consent_01",
            "description": "Determine and justify the practical means to be implemented to obtain the consent of the data subjects or justify when they are impossible to implement.",
            "importance": 0,
            "uuid": "7cbad538-4ced-4b90-9563-52bd4620204a"
        },
        {
            "code": "Consent_02",
            "description": "Ensure that consent is obtained before any processing begins.",
            "importance": 0,
            "uuid": "da02a7bf-64ed-4491-b6f9-0f8531479aaf"
        },
        {
            "code": "Consent_03",
            "description": "Ensure that consent is obtained freely.",
            "importance": 0,
            "uuid": "8a1f9342-372e-4aa1-bfb8-36475bf41ddf"
        },
        {
            "code": "Consent_04",
            "description": "Ensure that the consent is obtained in an informed, transparent manner in terms of the purposes of the processing.",
            "importance": 0,
            "uuid": "772ea30e-dcd3-4055-9c52-85aab209968b"
        },
        {
            "code": "Consent_05",
            "description": "Ensure that consent is obtained for a specific purpose.",
            "importance": 0,
            "uuid": "643af31e-c023-4eed-8b54-0b9203a5f54b"
        },
        {
            "code": "Consent_06",
            "description": "When procurement is involved, set out each party's obligations in an explicit written agreement accepted by both parties.",
            "importance": 0,
            "uuid": "c7f946f4-e289-4d25-bea6-514efffb3030"
        },
        {
            "code": "Consent_07",
            "description": "Obtain the parents' consent for minors under 13 years of age.",
            "importance": 0,
            "uuid": "9f8ff069-e841-480b-8710-896978389fae"
        },
        {
            "code": "Consent_08",
            "description": "Obtain the informed, express consent of data subjects prior to initiating the processing, unless the processing relies on a different legal basis or if the law prohibits collecting or processing personal data.",
            "importance": 0,
            "uuid": "5617d7b1-85e7-4441-9f8d-d08b8f02341b"
        },
        {
            "code": "Consent_09",
            "description": "[collecting personal data via a website] Provide a form with boxes that must be checked and that are not checked by default (\"opt-in\" approach).",
            "importance": 0,
            "uuid": "82d00a60-b4de-4579-aea1-3ce851e58170"
        },
        {
            "code": "Consent_10",
            "description": "[collecting personal data via cookies] If a cookie is not strictly necessary to provide the service that the user has expressly requested, obtain the Internet user's consent (e.g. via a banner at the top of a web page, a consent request zone overlaid on the page or boxes that must be checked when subscribing to a service online) after informing the user and before storing the cookie.",
            "importance": 0,
            "uuid": "980f2357-982c-4005-8391-05376c6f0461"
        },
        {
            "code": "Consent_11",
            "description": "[collecting data via a mobile app] Obtain the user's consent when the mobile app or device is first activated.",
            "importance": 0,
            "uuid": "727c77de-66f2-4b06-a0d3-a5cd3afc7aff"
        },
        {
            "code": "Consent_12",
            "description": "[collecting data via a mobile app] Offer consent segmented per data category or processing type, particularly by distinguishing data sharing with other users or third-party companies.",
            "importance": 0,
            "uuid": "4f5abefd-28fa-46de-8d3b-9e1c271f6b51"
        },
        {
            "code": "Consent_13",
            "description": "[geolocation via a smartphone] Enable users to refuse to allow an application to systematically geolocate them.",
            "importance": 0,
            "uuid": "75fffbe7-7dd5-46c4-aada-1263f4a172af"
        },
        {
            "code": "Consent_14",
            "description": "[geolocation via a smartphone] Allow users to choose which application may use geolocation.",
            "importance": 0,
            "uuid": "781d3830-d98a-44e8-844f-3826c63258b3"
        },
        {
            "code": "Consent_15",
            "description": "[geolocation via a smartphone] Allow users to choose the persons authorized to access their geolocation information and at what level of detail.",
            "importance": 0,
            "uuid": "3df7a076-588f-49ae-9fb5-11e9abea46dd"
        },
        {
            "code": "Consent_16",
            "description": "[targeted advertising] Provide users with simple, no-cost methods to accept or refuse advertising based on their navigation behavior and to choose the targeted advertising they would like to receive based on their interests.",
            "importance": 0,
            "uuid": "4aede15b-d689-4561-b73f-f875c82b0a4e"
        },
        {
            "code": "Consent_17",
            "description": "[research using identifiable biological samples] If the samples are preserved for further processing that is different from the initial processing, also be sure to obtain the data subject's express, informed consent to said other processing.",
            "importance": 0,
            "uuid": "7ab2bc36-35db-4dac-84c3-9a9192cbf909"
        },
        {
            "code": "Data minimization_01",
            "description": "Justify the collection of each piece of data.",
            "importance": 0,
            "uuid": "ff1d6815-b9f2-4ad9-bce4-e76774473d5b"
        },
        {
            "code": "Data minimization_02",
            "description": "Clearly distinguish between anonymous and pseudonymous data.",
            "importance": 0,
            "uuid": "cf7c23d2-26e5-4d7d-bbaa-55e314f49c80"
        },
        {
            "code": "Data minimization_03",
            "description": "Avoid free-form text fields (of the \"comments\" space type), because of the risk that users note down information there that does not comply with the minimization principles. Preference should therefore be given to drop-down list type fields. If free-form text fields cannot be avoided, users' awareness must be raised in how to use such fields, with regard to the standard terms & conditions for service and the law (no offensive words, no undeclared sensitive data, etc.).",
            "importance": 0,
            "uuid": "90a44773-3816-4d4c-9e42-ce744ed70216"
        },
        {
            "code": "Data minimization_04",
            "description": "Confirm that the personal data are adequate, relevant and not excessive with regard to the intended purpose; otherwise, do not collect the data.",
            "importance": 0,
            "uuid": "ba66d448-9b7d-45d6-8cf1-0b425a5e38d2"
        },
        {
            "code": "Data minimization_05",
            "description": "Confirm that the personal data do not reveal (directly or indirectly) racial or ethnic origin, political, philosophical or religious views, trade union membership, health information or information on an individual's sex life and do not collect them if they do, except under exceptional circumstances (for example, with consent, in the public interest or pursuant to Article 9 of the GDPR).",
            "importance": 0,
            "uuid": "da32671d-3bc5-4446-83a4-48ca0c13e0a7"
        },
        {
            "code": "Data minimization_06",
            "description": "Confirm that the personal data do not relate to offences, criminal convictions or security measures and do not collect them if they do, except under exceptional circumstances (for example, in dealing with the courts or court officers pursuant to Article 10 of the GDPR).",
            "importance": 0,
            "uuid": "0ee55672-327d-438f-8335-9d8f78ed6cd2"
        },
        {
            "code": "Data minimization_07",
            "description": "Prevent the collection of additional personal data.",
            "importance": 0,
            "uuid": "fd2e985f-c782-4f1e-94ba-f8320cfc25d2"
        },
        {
            "code": "Data minimization_08",
            "description": "Filter and remove unnecessary data.",
            "importance": 0,
            "uuid": "c759faba-276a-4451-a471-95ceb4b9c223"
        },
        {
            "code": "Data minimization_09",
            "description": "Reduce sensitivity via conversion.",
            "importance": 0,
            "uuid": "164186d3-ddfc-4515-aab0-0a7124997210"
        },
        {
            "code": "Data minimization_10",
            "description": "Reduce the identifying characteristics of data.",
            "importance": 0,
            "uuid": "baa2c6e2-308f-4b50-88ca-75f7f3758fc7"
        },
        {
            "code": "Data minimization_11",
            "description": "Reduce data accumulation.",
            "importance": 0,
            "uuid": "9a0821c6-224e-47cf-bdd3-48cc1e4bb3c9"
        },
        {
            "code": "Data minimization_12",
            "description": "Restrict access to data.",
            "importance": 0,
            "uuid": "9be8c793-8696-448c-b4fb-6d190d8555d4"
        },
        {
            "code": "Data minimization_13",
            "description": "Restrict the transmission of electronic documents containing personal data to the individuals who need them in connection with their work.",
            "importance": 0,
            "uuid": "27568f00-0271-4c31-82ec-6adc48d1e4c1"
        },
        {
            "code": "Data minimization_14",
            "description": "Securely delete personal data that are no longer necessary or that a subject requests be deleted from the system in operation or from backups where applicable.",
            "importance": 0,
            "uuid": "eb37f1b9-4976-4dd4-bdb4-f4543c944229"
        },
        {
            "code": "Data partitioning_01",
            "description": "Identify the sole data necessary to each business process.",
            "importance": 0,
            "uuid": "91bfc9aa-b44a-41ab-bd74-d8820e7bf8a5"
        },
        {
            "code": "Data partitioning_02",
            "description": "Separate the data useful to each process in logical fashion.",
            "importance": 0,
            "uuid": "8a690f8c-64bf-4b15-a62c-b871f6a53395"
        },
        {
            "code": "Data partitioning_03",
            "description": "Regularly confirm that personal data are partitioned effectively and that recipients and interconnections have not been added.",
            "importance": 0,
            "uuid": "f566c1c7-822f-4b49-9a32-119f655d00ef"
        },
        {
            "code": "Data quality_01",
            "description": "Regular checks of the accuracy of the user's personal data.",
            "importance": 0,
            "uuid": "f73c8a25-bfbb-44a1-928d-2b2bc26f7c20"
        },
        {
            "code": "Data quality_02",
            "description": "Ask the user to check and, where necessary, update his or her data at regular intervals.",
            "importance": 0,
            "uuid": "6fd0a2b5-70a0-460b-860e-4cc495bd76cc"
        },
        {
            "code": "Data quality_03",
            "description": "Ensure the traceability of any data changes.",
            "importance": 0,
            "uuid": "698c5493-1b87-4c61-9291-0a775060f3a5"
        },
        {
            "code": "Encryption_01",
            "description": "Determine what should be encrypted (including an entire hard disk, a partition, a container, certain files, data from a database or a communications channel, etc.) based on the form in which data is stored, the risks identified and the performance required.",
            "importance": 0,
            "uuid": "80861066-d211-4a65-be96-e5f6f2e51868"
        },
        {
            "code": "Encryption_02",
            "description": "Choose the type of encryption (symmetric or asymmetric) based on the context and the risks identified.",
            "importance": 0,
            "uuid": "e305b46a-4e52-4b0e-91dd-f8134854e38f"
        },
        {
            "code": "Encryption_03",
            "description": "Adopt encryption solutions based on public algorithms known to be strong.",
            "importance": 0,
            "uuid": "f30b73cb-bd98-4e47-b62b-ba175a2cfb69"
        },
        {
            "code": "Encryption_04",
            "description": "Establish measures to ensure the availability, integrity and confidentiality of the information necessary to recover lost secrets (including administrator passwords and a recovery CD, etc.).",
            "importance": 0,
            "uuid": "474fd10b-8fb9-4939-ab3c-ead2d8c6eb38"
        },
        {
            "code": "Encryption_05",
            "description": "Only use a key for a single purpose.",
            "importance": 0,
            "uuid": "6b169b08-e70c-4449-930a-6391b9c25176"
        },
        {
            "code": "Encryption_06",
            "description": "Formally document the key management system.",
            "importance": 0,
            "uuid": "2b2780eb-06d0-4093-a233-a42affd4e64b"
        },
        {
            "code": "Encryption_07",
            "description": "Choose a mechanism recognized by the appropriate organizations and that provides security proof.",
            "importance": 0,
            "uuid": "8d1c9da7-abe2-412f-a17e-c2fdea323fc7"
        },
        {
            "code": "Encryption_08",
            "description": "Establish mechanisms for verifying the electronic certificates.",
            "importance": 0,
            "uuid": "4548272b-3cd5-437c-aaae-0d2212cb9681"
        },
        {
            "code": "Encryption_09",
            "description": "Protect the security of key generation and use consistent with their level in the key hierarchy.",
            "importance": 0,
            "uuid": "94a30b9d-8146-4463-8bc9-d4eefc447cc2"
        },
        {
            "code": "Encryption_10",
            "description": "[workstations] Choose systems that do not store keys on the equipment that will be encrypted unless this implements a secure storage device (such as a TPM chip for laptops).",
            "importance": 0,
            "uuid": "d538629f-03a2-4192-860f-76c0ab1e64c3"
        },
        {
            "code": "Encryption_11",
            "description": "[workstations] Encrypt the data at operating system level (encryption of a partition, directory or file) or using specialized software (encryption of a container).",
            "importance": 0,
            "uuid": "11d2ba45-f4e0-4859-a978-b47a78e31e2d"
        },
        {
            "code": "Encryption_12",
            "description": "[databases] Based on the risks identified, encrypt either the storage area (at the level of the hardware, operating system or database), so as to provide protection from physical theft, or the piece of data itself (encryption by application), with a view to guaranteeing the confidentiality of certain data as regards the administrators themselves. In the event of partitioned IT teams, database encryption can make data accessible only to database administrators, to the exclusion of system administrators.",
            "importance": 0,
            "uuid": "1cd4480b-3e0e-4822-9dfe-2ad7d79d188d"
        },
        {
            "code": "Encryption_13",
            "description": "[email] Encrypt the stored files or the email attachments.",
            "importance": 0,
            "uuid": "9a104879-17fa-4603-8e35-f58ad23473dd"
        },
        {
            "code": "Encryption_14",
            "description": "[email] Encrypt email messages.",
            "importance": 0,
            "uuid": "cbd64008-b687-490b-a204-06993f64d537"
        },
        {
            "code": "Encryption_15",
            "description": "[networks] Encrypt the communications channel between an authenticated server and a remote client.",
            "importance": 0,
            "uuid": "dcfcf16e-908d-421d-8394-a45f02c88b5f"
        },
        {
            "code": "Environmental_01",
            "description": "Store dangerous products (including inflammable, combustible, corrosive, explosive, aerosol and wet items) in appropriate storage areas and at a safe distance from the areas where personal data are processed.",
            "importance": 0,
            "uuid": "eba95781-d206-4855-853d-7fe76e551bc0"
        },
        {
            "code": "Environmental_02",
            "description": "Avoid dangerous geographic areas (flood zones, areas near airports, chemical industry facilities, earthquake zones and volcanic zones, etc.).",
            "importance": 0,
            "uuid": "07af685d-5f82-48f2-9bf1-eacbd7c6e239"
        },
        {
            "code": "Environmental_03",
            "description": "Do not store data in a foreign country without guarantees that can ensure an appropriate level of data protection.",
            "importance": 0,
            "uuid": "9df5f05c-26dc-42f6-adcf-657a53848a65"
        },
        {
            "code": "Hardware_01",
            "description": "Maintain an up-to-date inventory of IT resources used.",
            "importance": 0,
            "uuid": "ae2d2a74-d55f-4da6-86dc-7fd61bf9d536"
        },
        {
            "code": "Hardware_02",
            "description": "Partition off the organization's resources in the event of shared premises.",
            "importance": 0,
            "uuid": "d4a9d060-c84d-4edc-a601-06be90154512"
        },
        {
            "code": "Hardware_03",
            "description": "Block access to personal data stored on discarded IT resources.",
            "importance": 0,
            "uuid": "bd107e40-4118-41d0-bbb9-3281154d3f97"
        },
        {
            "code": "Hardware_04",
            "description": "Set up physical redundancy of storage units using RAID or an equivalent technology.",
            "importance": 0,
            "uuid": "61e6b947-8823-4542-a507-a062a9c883d5"
        },
        {
            "code": "Hardware_05",
            "description": "Make sure that the sizes of storage and processing capacities, as well as the conditions of use, are compatible with the intended use of hardware, particularly in terms of location, humidity and temperature.",
            "importance": 0,
            "uuid": "5c5c2c6c-1642-484e-8516-47c3bc5176a2"
        },
        {
            "code": "Hardware_06",
            "description": "Make sure that the power supplies of most critical hardware are protected from voltage variations and are backed up, or at least allow such hardware to be shut down normally.",
            "importance": 0,
            "uuid": "f28dd275-f6dd-42c1-a43d-1de66a86fed5"
        },
        {
            "code": "Hardware_07",
            "description": "Protect access to hardware that is sensitive or of high market value.",
            "importance": 0,
            "uuid": "e64f2f6c-b462-4598-adae-28deebe06b16"
        },
        {
            "code": "Hardware_08",
            "description": "Limit the possibilities of hardware alteration.",
            "importance": 0,
            "uuid": "ef06c517-ac35-4e18-ba7f-3664d60420b9"
        },
        {
            "code": "Hardware_09",
            "description": "[workstations] Retrieve data, except for data defined as private or personal, from workstations before they are assigned to other persons.",
            "importance": 0,
            "uuid": "c7ac7e92-0578-4579-adc2-dc13409f6e9d"
        },
        {
            "code": "Hardware_10",
            "description": "[mobile devices] Limit the amount of personal data stored on mobile devices to the strict minimum, and prohibit such storage during travel abroad if needs be.",
            "importance": 0,
            "uuid": "3d7fe818-5b01-4928-bb97-222697aa367b"
        },
        {
            "code": "Hardware_11",
            "description": "[mobile devices] Configure devices so that they lock after a few minutes of inactivity.",
            "importance": 0,
            "uuid": "c9f7a9a6-5e64-463f-b041-ef3013d543dd"
        },
        {
            "code": "Hardware_12",
            "description": "[removable storage devices] Limit the use of removable storage devices to those provided by the IT department.",
            "importance": 0,
            "uuid": "94f90dd1-bc14-40cd-88f4-6222ef2441cf"
        },
        {
            "code": "Hardware_13",
            "description": "[removable storage devices] Prohibit the use of wireless USB flash drives (e.g.: Bluetooth).",
            "importance": 0,
            "uuid": "022c09ba-3275-43bb-87c7-a1370a534d4d"
        },
        {
            "code": "Hardware_14",
            "description": "[removable storage devices] Prohibit the use of USB flash drives on hardware that is not secure (antivirus, firewall, etc.).",
            "importance": 0,
            "uuid": "1aa1e4fc-de28-4123-9ffe-950d9116e9ae"
        },
        {
            "code": "Hardware_15",
            "description": "[removable storage devices] Restrict the use of USB flash drives to work-related purposes.",
            "importance": 0,
            "uuid": "7ff93175-c45f-4573-866c-843fa93f5609"
        },
        {
            "code": "Hardware_16",
            "description": "[removable storage devices] Disable the autorun functionality on all workstations (Group Policy).",
            "importance": 0,
            "uuid": "90e4d611-b595-40f0-963c-abc571001408"
        },
        {
            "code": "Hardware_17",
            "description": "[removable storage devices] Encrypt personal data stored on removable storage devices.",
            "importance": 0,
            "uuid": "f3725d8d-eb72-4b93-8a5d-331b137b4c93"
        },
        {
            "code": "Hardware_18",
            "description": "[removable storage devices] Return removable storage devices that are either defective or no longer necessary, to the IT department.",
            "importance": 0,
            "uuid": "3bf45eda-a432-43b7-a983-e0dfdb18bdbf"
        },
        {
            "code": "Hardware_19",
            "description": "[removable storage devices] Securely destroy unnecessary personal data storage devices.",
            "importance": 0,
            "uuid": "34981e25-763b-4337-b041-e05ef82b820d"
        },
        {
            "code": "Hardware_20",
            "description": "[multifunction printers and copiers] Change \"manufacturer\" default passwords.",
            "importance": 0,
            "uuid": "f3bc733e-1b69-4f0c-93a7-72365c10591d"
        },
        {
            "code": "Hardware_21",
            "description": "[multifunction printers and copiers] Disable unnecessary network interfaces.",
            "importance": 0,
            "uuid": "77d2099a-ddc0-46d9-b29d-d54c60b36ece"
        },
        {
            "code": "Hardware_22",
            "description": "[multifunction printers and copiers] Disable or delete unnecessary services.",
            "importance": 0,
            "uuid": "c9cb46a4-696e-47e6-b047-de4042900586"
        },
        {
            "code": "Hardware_23",
            "description": "[multifunction printers and copiers] Encrypt data stored on hard disks wherever possible.",
            "importance": 0,
            "uuid": "fead86d0-b8b9-45be-9499-7b3c92083dcf"
        },
        {
            "code": "Hardware_24",
            "description": "[multifunction printers and copiers] Restrict the sending of electronic documents to internal email addresses and, in certain cases, restrict the sending of electronic documents to a single email address.",
            "importance": 0,
            "uuid": "5ac8ca33-5366-48ff-a7b3-5d4b70d9e05f"
        },
        {
            "code": "Information for the data subjects_01",
            "description": "Determine and justify the practical means that will be implemented to inform the data subjects, or justify when they are impossible to implement.",
            "importance": 0,
            "uuid": "41c3e30b-3e14-4f9c-a03e-14481ecd8db7"
        },
        {
            "code": "Information for the data subjects_02",
            "description": "Ensure that the notification is complete, clear and appropriate to the target audience based on the nature of the personal data and the practical means chosen.",
            "importance": 0,
            "uuid": "b1a8f108-26ab-40dd-8b69-80f2b2380fb0"
        },
        {
            "code": "Information for the data subjects_03",
            "description": "Ensure that the notification is provided by the time the data are collected.",
            "importance": 0,
            "uuid": "3fe0606e-2a86-4afb-9d73-b72bc90c9012"
        },
        {
            "code": "Information for the data subjects_04",
            "description": "Ensure that the data cannot be collected without providing this information.",
            "importance": 0,
            "uuid": "cd6b1192-ed8b-48f1-99bd-dd0486d07744"
        },
        {
            "code": "Information for the data subjects_05",
            "description": "If possible, provide a means by which to show that notification was provided.",
            "importance": 0,
            "uuid": "0457059d-5f55-4a61-998a-e7ca1f690bad"
        },
        {
            "code": "Information for the data subjects_06",
            "description": "[employees of an organization] Obtain the prior opinion of the staff representative organizations in the cases set forth in the Labor Code.",
            "importance": 0,
            "uuid": "2191cdbc-f411-41c6-8b77-baa0c2fdafd9"
        },
        {
            "code": "Information for the data subjects_07",
            "description": "[employees of an organization] Use the method that is most appropriate to the organization.",
            "importance": 0,
            "uuid": "191d466a-3d41-4883-ab9b-f85788e6ce85"
        },
        {
            "code": "Information for the data subjects_08",
            "description": "[collecting personal data via a website] Provide direct or easily accessible information for Internet users.",
            "importance": 0,
            "uuid": "6406b9ab-72d4-4473-879c-2aa2d630f457"
        },
        {
            "code": "Information for the data subjects_09",
            "description": "[collecting data via a mobile app] Provide direct or easily accessible information for users.",
            "importance": 0,
            "uuid": "13aa56e4-2f0c-4439-bdae-8e6fe2420fed"
        },
        {
            "code": "Information for the data subjects_10",
            "description": "[collecting data via a mobile app] Inform the user if the app is likely to access the device's identifiers, by specifying whether these identifiers are communicated to third parties.",
            "importance": 0,
            "uuid": "537329de-73ae-49ec-8a91-97a5f0e2d667"
        },
        {
            "code": "Information for the data subjects_11",
            "description": "[collecting data via a mobile app] Inform the user if the app is likely to run in the background.",
            "importance": 0,
            "uuid": "865b7fe1-779f-4410-a9a1-b54dfc205081"
        },
        {
            "code": "Information for the data subjects_12",
            "description": "[collecting data via a mobile app] Present the protections for accessing the device to the user.",
            "importance": 0,
            "uuid": "f4523be3-7ffc-46d9-b6e9-27ec09507091"
        },
        {
            "code": "Information for the data subjects_13",
            "description": "[collecting personal data by telephone] Issue an automatic message before the conversation begins with information on subjects' rights, the reason for recording the conversation (for training purposes or to monitor service quality), if necessary, and an opportunity to object to recording (on legitimate grounds).",
            "importance": 0,
            "uuid": "1d7dcc08-df36-4fd4-9cad-9a6567852aad"
        },
        {
            "code": "Information for the data subjects_14",
            "description": "[collecting personal data by telephone] Set up means for authenticating the caller (e.g.: via information that is known only to the organization and data subject).",
            "importance": 0,
            "uuid": "30d53d6e-c454-483d-bcd6-db29d6f48bd3"
        },
        {
            "code": "Information for the data subjects_15",
            "description": "[collecting data via a form] Place the appropriate notice on the form in a typeface identical to the rest of the document.",
            "importance": 0,
            "uuid": "b65b69c8-4bef-4165-8462-0e1eae30969a"
        },
        {
            "code": "Information for the data subjects_16",
            "description": "[targeted advertising] Make the information available to Internet users in visible, legible form.",
            "importance": 0,
            "uuid": "a29cf640-fc41-45e8-9582-465181e2028a"
        },
        {
            "code": "Information for the data subjects_17",
            "description": "[targeted advertising] Inform Internet users about the various forms of targeted advertising they are likely to see via the service they are accessing and the various procedures used, the categories of information processed to adapt the advertising content and, as needed, the information that is not gathered and how they may agree to the display of behavioral or personalized advertising. Notification must be provided and consent obtained before any information is stored or before accessing information already stored in the terminal equipment.",
            "importance": 0,
            "uuid": "dc20eeec-47fd-4f4f-914a-ff2a81e43a59"
        },
        {
            "code": "Information for the data subjects_18",
            "description": "[updating existing processing] Provide specific notification about new forms of processing (for example, new purposes or new recipients).",
            "importance": 0,
            "uuid": "1a5ebce9-7783-4e5a-9f15-6d4130ed84c4"
        },
        {
            "code": "Integrity monitoring_01",
            "description": "Identify the data that must be monitored for integrity based on the risks identified.",
            "importance": 0,
            "uuid": "81096f3d-434f-4ca6-b263-6402645f3a35"
        },
        {
            "code": "Integrity monitoring_02",
            "description": "Choose a method for monitoring their integrity based on the context, the risks assessed and the robustness required.",
            "importance": 0,
            "uuid": "1ebe2b48-44a6-4976-9f1a-86ae43656806"
        },
        {
            "code": "Integrity monitoring_03",
            "description": "Determine when the function is to be applied and when the integrity monitoring should be performed based on implementation of the business process.",
            "importance": 0,
            "uuid": "70393b55-d5b1-46f9-bb75-dff01c045a30"
        },
        {
            "code": "Integrity monitoring_04",
            "description": "When the data are sent to a database, analytical measures must be set up to prevent scripting or SQL injection attacks.",
            "importance": 0,
            "uuid": "aebd360b-cd9a-4a10-8116-e752edf8f3ff"
        },
        {
            "code": "Integrity monitoring_05",
            "description": "Choose a hash mechanism recognized by the appropriate organizations and that provides security proof.",
            "importance": 0,
            "uuid": "abd478b5-b3e6-4f59-9499-c6e059e37baf"
        },
        {
            "code": "Integrity monitoring_06",
            "description": "Adopt electronic signature solutions based on public algorithms known to be strong.",
            "importance": 0,
            "uuid": "f8939c47-62ad-4e9a-a7f2-c9de2732e655"
        },
        {
            "code": "Logical access_01",
            "description": "Manage users' profiles by separating tasks and areas of responsibility (preferably in centralized fashion) to limit access to personal data exclusively to authorized users by applying need-to-know and least-privilege principles.",
            "importance": 0,
            "uuid": "1aedf963-d4c1-4858-aa6a-83f1172295ca"
        },
        {
            "code": "Logical access_02",
            "description": "Identify every person with legitimate access to personal data (employees, contracting parties and other third parties) by a unique identifier.",
            "importance": 0,
            "uuid": "1cf018d8-33e0-4f03-b87e-d0ecf15b8668"
        },
        {
            "code": "Logical access_03",
            "description": "If the use of generic or shared identifiers cannot be avoided, obtain validation from top management and implement methods for tracing the use of this kind of identifier.",
            "importance": 0,
            "uuid": "24b38f5e-a0a2-41b4-94d4-04ebe1d73f16"
        },
        {
            "code": "Logical access_04",
            "description": "Limit access to the tools and administration interfaces to authorized persons.",
            "importance": 0,
            "uuid": "7940afda-6f90-43ce-93de-9e13c2b388db"
        },
        {
            "code": "Logical access_05",
            "description": "Limit the use of accounts that provide elevated privileges to operations that require them.",
            "importance": 0,
            "uuid": "a9a8432a-73d4-4f0d-8184-c8847a571cb4"
        },
        {
            "code": "Logical access_06",
            "description": "Limit the use of \"administrator\" accounts to the IT department and to administration actions that require them.",
            "importance": 0,
            "uuid": "4d6297a1-0193-41d3-8868-37efa49c968b"
        },
        {
            "code": "Logical access_07",
            "description": "Every account, particularly if it has elevated privileges (for example, an administrator account), must have its own password.",
            "importance": 0,
            "uuid": "ddb71c7d-1e28-4592-b033-f05e1403077e"
        },
        {
            "code": "Logical access_08",
            "description": "Log information connected to the use of privileges.",
            "importance": 0,
            "uuid": "3c9ad118-203a-4e8f-906b-7508506aacba"
        },
        {
            "code": "Logical access_09",
            "description": "Conduct an annual review of privileges to identify and delete unused accounts and to realign the privileges with each user's functions.",
            "importance": 0,
            "uuid": "810ce7c4-c1f2-46d1-a87d-da0e06f10684"
        },
        {
            "code": "Logical access_10",
            "description": "Withdraw the rights of employees, contracting parties and other third parties when they are no longer authorized to access a premises or a resource or when their employment contract ends, and adjust the rights in the event of a job transfer. For individuals with a temporary account (including interns and service providers), configure an expiration date when the account is established.",
            "importance": 0,
            "uuid": "3ff50b19-8155-4e23-aba6-a6538b4d71f0"
        },
        {
            "code": "Logical access_11",
            "description": "Choose an authentication method to open sessions that is appropriate to the context, the risk level and the robustness expected.",
            "importance": 0,
            "uuid": "ac78bbf8-87a7-48ae-8630-568011da98df"
        },
        {
            "code": "Logical access_12",
            "description": "Prohibit the passwords used from appearing unencrypted in programs, files, scripts, traces or log files or on the screen when they are entered.",
            "importance": 0,
            "uuid": "9fc35976-da32-43f0-afae-f1045efac451"
        },
        {
            "code": "Logical access_13",
            "description": "Determine the actions to be taken in the event of a failed authentication.",
            "importance": 0,
            "uuid": "b7911bea-4083-4e81-ba64-f9b114c13b2f"
        },
        {
            "code": "Logical access_14",
            "description": "Limit authentication by identifiers and passwords to the workstation access control (unlocking only).",
            "importance": 0,
            "uuid": "dd4cf1bf-f164-4f4d-a0c2-8826d3e6ea77"
        },
        {
            "code": "Logical access_15",
            "description": "Authenticate the workstation with the remote information system (servers) using cryptographic mechanisms.",
            "importance": 0,
            "uuid": "5663e669-0760-416b-90ef-5e81c909318a"
        },
        {
            "code": "Logical access_16",
            "description": "Adopt a password policy, implement it and monitor it automatically to the extent that applications and resources allow, and inform users about it.",
            "importance": 0,
            "uuid": "27d1daee-57b8-4b19-be2a-66e11b3c61b7"
        },
        {
            "code": "Logical access_17",
            "description": "Adopt a specific password policy for administrators, implement it and monitor it automatically to the extent that the applications and resources allow, and inform administrators of it.",
            "importance": 0,
            "uuid": "bdbf127d-b63f-402a-8897-da74fa058598"
        },
        {
            "code": "Logical access_18",
            "description": "Immediately change default passwords after installing an application or a system.",
            "importance": 0,
            "uuid": "86066bc7-c9fe-4825-904c-98569deb4d93"
        },
        {
            "code": "Logical access_19",
            "description": "Create an initial unique random password for each user account, transmit it securely to the user, for example by using two separate channels (paper and others) or a scratch-off field, and require that it be changed when the first connection is made and when the user receives a new password (for example, if the old password is forgotten).",
            "importance": 0,
            "uuid": "6d751f03-c787-492f-9118-fb7d2da905fb"
        },
        {
            "code": "Logical access_20",
            "description": "Store the authentication information (including passwords for accessing information systems and private keys linked to electronic certificates) so that it is accessible only to authorized users.",
            "importance": 0,
            "uuid": "1aea53f6-194e-40ae-8cc1-c165e01575a6"
        },
        {
            "code": "Logical access_21",
            "description": "If many passwords or secrets (including private keys and certificates) must be used, implement a centralized authentication solution using OTPs or secure vaults.",
            "importance": 0,
            "uuid": "7d2dc652-2129-4e3e-a828-eb5c12e91fad"
        },
        {
            "code": "Maintenance_01",
            "description": "Establish a procurement contract to govern maintenance operations when they are carried out by service providers.",
            "importance": 0,
            "uuid": "4d5e5e9c-cba4-4204-a996-de155230d9b6"
        },
        {
            "code": "Maintenance_02",
            "description": "Record all maintenance operations in a logbook.",
            "importance": 0,
            "uuid": "af3621e5-6901-471d-9367-4f56d41feaff"
        },
        {
            "code": "Maintenance_03",
            "description": "Govern remote maintenance operations.",
            "importance": 0,
            "uuid": "6ce0b616-a0b7-4434-b106-a2ad1aaaf142"
        },
        {
            "code": "Maintenance_04",
            "description": "Encrypt or erase data contained on hardware (desktop computers or laptops, servers, etc.) that are sent for external maintenance. If this is not possible, remove the equipment storage devices before dispatch to maintenance or manage maintenance internally.",
            "importance": 0,
            "uuid": "6b6ca736-930c-44f9-a751-a688fd5163f2"
        },
        {
            "code": "Maintenance_05",
            "description": "[workstations] During maintenance operations that require remote access to a workstation, only perform the operation after obtaining the user's agreement, and indicate to the latter on the screen if the access is effective.",
            "importance": 0,
            "uuid": "bd928759-84d2-4469-8946-b3dbfad554a5"
        },
        {
            "code": "Maintenance_06",
            "description": "[workstations] When a maintenance operation requires physical intervention on a workstation containing sensitive data, delete the data during the maintenance.",
            "importance": 0,
            "uuid": "2d9e26f1-0652-41bd-9f1d-7098aa35ef14"
        },
        {
            "code": "Maintenance_07",
            "description": "[smartphone] Configure telephones before delivering them to users.",
            "importance": 0,
            "uuid": "1f89e0d0-ca12-43eb-8816-49032071bba0"
        },
        {
            "code": "Maintenance_08",
            "description": "[smartphone] Inform users, such as in a memo provided at delivery, about how to use their phone, the applications installed on it (e.g. Business Mail, Exchange, etc.), the services provided, and the security rules to be followed.",
            "importance": 0,
            "uuid": "2c7aafdb-82b9-498e-833f-c1d1d53c8eeb"
        },
        {
            "code": "Maintenance_09",
            "description": "[storage devices] Erase all contents securely or physically destroy storage devices that are discarded.",
            "importance": 0,
            "uuid": "f07bb13a-7363-42ab-a90f-ed746612f2ed"
        },
        {
            "code": "Maintenance_10",
            "description": "[storage devices] During maintenance operations that require remote access to a workstation, only perform the operation after obtaining the user's agreement.",
            "importance": 0,
            "uuid": "46ff3960-e7fb-4696-b4b5-ba9dadafef13"
        },
        {
            "code": "Maintenance_11",
            "description": "[multifunction printers and copiers] If maintenance is performed by a third party, set up measures to block access to personal data.",
            "importance": 0,
            "uuid": "0a3f6ab5-1481-4341-bfab-c87bd7a228fd"
        },
        {
            "code": "Maintenance_12",
            "description": "[multifunction printers and copiers] If a locally networked multifunction printer or copier is maintained remotely by a third party, take specific measures to protect access to this equipment.",
            "importance": 0,
            "uuid": "7145ea83-4e8c-4cd2-b4b3-33971db52618"
        },
        {
            "code": "Maintenance_13",
            "description": "[multifunction printers and copiers] Block access to personal data stored on discarded multifunction printers or copiers.",
            "importance": 0,
            "uuid": "e0064066-b27a-40a1-9b4b-fb5ed06b3896"
        },
        {
            "code": "Malware_01",
            "description": "Install an antivirus application on servers and workstations and configure it.",
            "importance": 0,
            "uuid": "65114d0a-e751-4b45-934f-0e1706d1954c"
        },
        {
            "code": "Malware_02",
            "description": "Update the antivirus software.",
            "importance": 0,
            "uuid": "5011211c-ac04-40c7-90c2-f562d3284ee0"
        },
        {
            "code": "Malware_03",
            "description": "Implement filtering measures that can filter network inflows and outflows (including firewalls and proxies).",
            "importance": 0,
            "uuid": "29496756-8f16-4422-9836-dc8bd7745af9"
        },
        {
            "code": "Malware_04",
            "description": "Transfer antivirus security events to a centralized server for statistical analysis and ex post management of problems (to detect an infected server or a virus that has been detected and not eradicated by the antivirus application, etc.).",
            "importance": 0,
            "uuid": "41c92fbf-3051-4a25-a1bb-991ef2fe0b8b"
        },
        {
            "code": "Malware_05",
            "description": "Install an anti-spyware program on the workstations, configure it and keep it up-to-date.",
            "importance": 0,
            "uuid": "2a24a644-282c-4894-9229-31dd0dcfff56"
        },
        {
            "code": "Management of incidents and data breaches_01",
            "description": "Define the roles and responsibilities of the stakeholders, as well as procedures for providing feedback and responses in the event of a personal data breach.",
            "importance": 0,
            "uuid": "de0f99e6-3155-4c00-b236-5b5ee808bbd0"
        },
        {
            "code": "Management of incidents and data breaches_02",
            "description": "Establish a directory of individuals responsible for managing personal data breaches.",
            "importance": 0,
            "uuid": "bf83096f-1f4a-41aa-ab7b-f74c9611edb9"
        },
        {
            "code": "Management of incidents and data breaches_03",
            "description": "Develop a response plan in the event of a personal data breach for each high risk, update it and test it periodically.",
            "importance": 0,
            "uuid": "9e2deca0-636b-48ef-a730-f658625a6645"
        },
        {
            "code": "Management of incidents and data breaches_04",
            "description": "Categorize the personal data breaches based on their impact on data subjects' privacy.",
            "importance": 0,
            "uuid": "fd5f40a6-766d-44a1-b5f3-ad3d733c2d08"
        },
        {
            "code": "Management of incidents and data breaches_05",
            "description": "Handle the incidents based on their categorization (event, incident, damaging event or crisis).",
            "importance": 0,
            "uuid": "8aae7bf3-966e-4948-8709-72df31e775c2"
        },
        {
            "code": "Management of incidents and data breaches_06",
            "description": "Keep up-to-date documentation on data breaches.",
            "importance": 0,
            "uuid": "fd65829e-e1e4-441e-80ae-0a8bfc4c3139"
        },
        {
            "code": "Management of incidents and data breaches_07",
            "description": "Analyze the possibility of improving the security measures based on the personal data breaches that have occurred.",
            "importance": 0,
            "uuid": "7a89917d-7dce-42c4-84dc-84d8bdad5d2e"
        },
        {
            "code": "Networks_01",
            "description": "Keep a detailed map of the network up to date.",
            "importance": 0,
            "uuid": "ce24b7a9-b37c-478c-9998-90632c530a6a"
        },
        {
            "code": "Networks_02",
            "description": "Make an inventory of all Internet access points and add them to the network map, and make sure that the measures put in place are enforced at each access point.",
            "importance": 0,
            "uuid": "60cb8791-6373-4e0c-9869-fbfb8c9d9882"
        },
        {
            "code": "Networks_03",
            "description": "Ensure the availability of computer communications networks.",
            "importance": 0,
            "uuid": "2d883236-aa41-47ff-b49f-7da0f12c5d37"
        },
        {
            "code": "Networks_04",
            "description": "Segment the network into impenetrable logical subnets based on the services intended to be deployed.",
            "importance": 0,
            "uuid": "7507e56f-24f9-4c08-9362-40e3a4ffb193"
        },
        {
            "code": "Networks_05",
            "description": "Prohibit all direct communication between internal workstations and external networks.",
            "importance": 0,
            "uuid": "e835c995-7944-4046-8f73-395f1d0601e6"
        },
        {
            "code": "Networks_06",
            "description": "Only use connections that are explicitly allowed by a firewall (restrict communication ports to those absolutely necessary for the proper execution of installed applications).",
            "importance": 0,
            "uuid": "3c73630e-ec15-4323-92a1-bf5dc390d692"
        },
        {
            "code": "Networks_07",
            "description": "Monitor network activity after informing data subjects of such monitoring.",
            "importance": 0,
            "uuid": "591fd1ac-fc95-4277-907d-68f114f09862"
        },
        {
            "code": "Networks_08",
            "description": "Set up a major intrusion response plan with organizational and technical measures for identifying and containing compromises.",
            "importance": 0,
            "uuid": "271513a6-75d7-44ee-9331-f4b6f1e09f26"
        },
        {
            "code": "Networks_09",
            "description": "Automatically identify hardware as a means of authenticating connections from specific locations and hardware.",
            "importance": 0,
            "uuid": "5a634931-316e-49e4-9e55-e4f167ec3f9c"
        },
        {
            "code": "Networks_10",
            "description": "Secure management traffic and restrict or prohibit physical and logical access to remote diagnostic and configuration ports.",
            "importance": 0,
            "uuid": "d1150e3f-8480-45bf-96cb-720c5f8ff3d7"
        },
        {
            "code": "Networks_11",
            "description": "Prohibit the connection of uncontrolled hardware.",
            "importance": 0,
            "uuid": "530c47bc-d615-45ce-9895-046e5169d6c1"
        },
        {
            "code": "Networks_12",
            "description": "Transmit secret information guaranteeing the confidentiality of personal data (decryption key, password, etc.) in a separate transmission using, where possible, a channel different from that used to transmit data.",
            "importance": 0,
            "uuid": "4909075a-3ccd-4b55-bf06-16d292736a41"
        },
        {
            "code": "Networks_13",
            "description": "[active network hardware] Use the SSH protocol or a direct hardware connection for connecting to active network hardware (firewall, routers, switches) and prohibit the use of the Telnet protocol except for direct connections.",
            "importance": 0,
            "uuid": "1b072b0d-6b8f-4edb-9e0f-be780020b985"
        },
        {
            "code": "Networks_14",
            "description": "[remote-administration tools] Restrict the remote administration of local IT resources to IT department staff and to IT resources within the limits of their duties.",
            "importance": 0,
            "uuid": "09d79fda-1949-4f39-a5dc-a6c2bf9dd052"
        },
        {
            "code": "Networks_15",
            "description": "[remote-administration tools] Uniquely identify users of remote-administration tools.",
            "importance": 0,
            "uuid": "eb4da876-2842-40f1-b2d5-3d238176c8dd"
        },
        {
            "code": "Networks_16",
            "description": "[remote-administration tools] Authenticate users of remote-administration tools with at least a robust password and, where possible, a digital certificate.",
            "importance": 0,
            "uuid": "7cfd31d6-4f3e-409e-8a35-93f99653a822"
        },
        {
            "code": "Networks_17",
            "description": "[remote-administration tools] Keep a log of the activity of users of remote-administration tools.",
            "importance": 0,
            "uuid": "138ee3bc-171c-4084-9ae9-5a6816b31044"
        },
        {
            "code": "Networks_18",
            "description": "[remote-administration tools] Secure the secure authentication flow.",
            "importance": 0,
            "uuid": "005c6c29-079b-4802-954d-cb2fac3055a8"
        },
        {
            "code": "Networks_19",
            "description": "[remote-administration tools] Remote administration must be covered by prior agreement on the part of the user.",
            "importance": 0,
            "uuid": "04afbb2f-8830-4b8a-8298-b7c5a40f2143"
        },
        {
            "code": "Networks_20",
            "description": "[remote-administration tools] Prohibit changes to the tool's security settings and the viewing of passwords or secret information used.",
            "importance": 0,
            "uuid": "49218fd1-80f0-4242-a481-9ef57205abbb"
        },
        {
            "code": "Networks_21",
            "description": "[remote-administration tools] Block the retrieval of secret information for the purposes of establishing a connection from a workstation.",
            "importance": 0,
            "uuid": "f6cceae4-a755-44cf-9742-98c8551a9a0b"
        },
        {
            "code": "Networks_22",
            "description": "[remote-administration tools] Encrypt all traffic flows.",
            "importance": 0,
            "uuid": "1aa37c6a-20e4-4423-a9cc-bb07ab7bc1c5"
        },
        {
            "code": "Networks_23",
            "description": "[remote-administration tools] The user must be informed that remote administration is under way on his/her workstation (for example via an icon).",
            "importance": 0,
            "uuid": "76acdf16-872a-4fae-84f3-1b962de9b521"
        },
        {
            "code": "Networks_24",
            "description": "[mobile or remote devices] Set up a strong solution for authenticating users who access internal information systems (when this is possible).",
            "importance": 0,
            "uuid": "9830b820-50b1-4ec2-ba3a-36aedc6d7123"
        },
        {
            "code": "Networks_25",
            "description": "[mobile or remote devices] Encrypt communications between mobile devices and internal information systems.",
            "importance": 0,
            "uuid": "566e4419-d66d-4742-aff6-ec82328e75a9"
        },
        {
            "code": "Networks_26",
            "description": "[mobile or remote devices] Install a firewall to protect network traffic to and from mobile devices. This firewall must be enabled as soon as a mobile device leaves the organization's premises.",
            "importance": 0,
            "uuid": "2918ca8c-11e7-4a36-9d04-8e992764eb2e"
        },
        {
            "code": "Networks_27",
            "description": "[wireless interfaces] Prohibit non-secure communications for connections via wireless interfaces.",
            "importance": 0,
            "uuid": "efb6ed9b-a3f1-4440-95d6-b714d8b05c81"
        },
        {
            "code": "Networks_28",
            "description": "[wireless interfaces] Prohibit simultaneous network connections via a wireless interface and the Ethernet interface.",
            "importance": 0,
            "uuid": "6cbd4df9-8d32-4120-b4c4-53a5b7ee9c2f"
        },
        {
            "code": "Networks_29",
            "description": "[wireless interfaces] Disable unused wireless connection interfaces (Wi-Fi, Bluetooth, infrared, 4G, etc.) on hardware and software.",
            "importance": 0,
            "uuid": "568092c7-943f-4202-9686-6f745cf3b514"
        },
        {
            "code": "Networks_30",
            "description": "[wireless interfaces] Control wireless networks.",
            "importance": 0,
            "uuid": "ec7afbcd-496b-4d6d-a168-6c96947fe3eb"
        },
        {
            "code": "Networks_31",
            "description": "[Wifi] Use the WPA or WPA2 protocol with AES-CCMP encryption or the \"Enterprise\" mode of the WPA and WPA2 protocols (using a RADIUS server as well as the EAP-TLS or PEAP subprotocols).",
            "importance": 0,
            "uuid": "7c223c18-678f-4c3d-be0e-643eb66eddb5"
        },
        {
            "code": "Networks_32",
            "description": "[Wifi] Prohibit ad-hoc networks.",
            "importance": 0,
            "uuid": "c0fab12f-6d49-415b-a1d9-289fe8c81e4b"
        },
        {
            "code": "Networks_33",
            "description": "[Wifi] Use and configure a firewall at network entry and exit points in order to partition off connected hardware as needed.",
            "importance": 0,
            "uuid": "bd03815c-8243-4ea7-af45-a805eda8691f"
        },
        {
            "code": "Networks_34",
            "description": "[Bluetooth] Impose mutual authentication with remote devices.",
            "importance": 0,
            "uuid": "511b5ca4-89c6-4383-858c-d45133a0a778"
        },
        {
            "code": "Networks_35",
            "description": "[Bluetooth] Restrict usage to file sharing with hardware controlled by the IT department.",
            "importance": 0,
            "uuid": "8e0244ad-ce81-4c00-be5a-6f8e0eb8ab53"
        },
        {
            "code": "Networks_36",
            "description": "[Bluetooth] Encrypt sharing traffic.",
            "importance": 0,
            "uuid": "d4d34379-d6f7-4dca-b465-8f47fed709a7"
        },
        {
            "code": "Networks_37",
            "description": "[infrared] Perform authentication prior to establishing connections and sending/receiving files or commands.",
            "importance": 0,
            "uuid": "a08e87a9-84b6-48cc-a735-dd9f1d29e835"
        },
        {
            "code": "Networks_38",
            "description": "[mobile telephony networks] Protect SIM cards with PINs that must be entered each time a device is used.",
            "importance": 0,
            "uuid": "588f6c93-b675-4f82-9494-da2984833a13"
        },
        {
            "code": "Networks_39",
            "description": "[Web browsing] Use the SSL protocol (HTTPS) to ensure server authentication and confidentiality of communications.",
            "importance": 0,
            "uuid": "0960767a-3798-42d2-9766-8a544d6454aa"
        },
        {
            "code": "Networks_40",
            "description": "[file transfers] Use the SFTP protocol or possibly the SCP protocol.",
            "importance": 0,
            "uuid": "3ab07920-30d5-4368-b5b7-96c085dfa4b9"
        },
        {
            "code": "Networks_41",
            "description": "[fax machines] Place fax machines in a physically secure room only accessible by authorized personnel.",
            "importance": 0,
            "uuid": "aeca1cdd-0dba-4a08-86a9-199d0dc1a44c"
        },
        {
            "code": "Networks_42",
            "description": "[fax machines] Set up a personal access code system for the printing of messages.",
            "importance": 0,
            "uuid": "45b46846-ae73-4f1e-ad1f-56085fa7f0c7"
        },
        {
            "code": "Networks_43",
            "description": "[fax machines] When sending faxes, have the identity of the destination fax displayed so that the recipient's identity may be checked.",
            "importance": 0,
            "uuid": "392f2a2d-b717-4230-9d65-feb6f8f3c0e9"
        },
        {
            "code": "Networks_44",
            "description": "[fax machines] When sending faxes, have the identity of the destination fax displayed so that the recipient's identity may be checked.",
            "importance": 0,
            "uuid": "847559d4-6855-475d-8099-28dfcf8c6a53"
        },
        {
            "code": "Networks_45",
            "description": "[fax machines] Follow up each fax by sending the originals to the recipient.",
            "importance": 0,
            "uuid": "9dc411bc-b69e-4413-8191-882b5cb070b6"
        },
        {
            "code": "Networks_46",
            "description": "[fax machines] Pre-enter the numbers of potential recipients in the fax machine's built-in phone book (where available).",
            "importance": 0,
            "uuid": "5a66bc71-a621-4eee-b9af-5bdaae2fc18b"
        },
        {
            "code": "Networks_47",
            "description": "[ADSL/Fiber] Make an inventory of the local Internet access points.",
            "importance": 0,
            "uuid": "f5c1911b-6dec-45da-a702-656048918d03"
        },
        {
            "code": "Networks_48",
            "description": "[ADSL/Fiber] Physically isolate the local Internet access points from the internal network.",
            "importance": 0,
            "uuid": "f135d1b6-595d-4b6f-9129-654ad0131024"
        },
        {
            "code": "Networks_49",
            "description": "[local access points] Only use them for specific legitimate needs (e.g. loss of availability of access to the direct distance dialing network).",
            "importance": 0,
            "uuid": "6fa31f5c-5905-4849-ac5a-f6e5679d3eaf"
        },
        {
            "code": "Networks_50",
            "description": "[local access points] Enable them only when they are used.",
            "importance": 0,
            "uuid": "fd7e5584-6f01-4d2a-8428-51efe44ba9ad"
        },
        {
            "code": "Networks_51",
            "description": "[local access points] Disable their wireless interface (Wi-Fi) if they have one.",
            "importance": 0,
            "uuid": "62ee5964-4a5e-4bf6-8d8d-54d73f283a4d"
        },
        {
            "code": "Networks_52",
            "description": "[email] Encrypt attachments containing personal data.",
            "importance": 0,
            "uuid": "69e8a5ad-1b0d-4544-8d98-2c4a57aeb5bb"
        },
        {
            "code": "Networks_53",
            "description": "[email] Make users aware that they must avoid opening email of unknown origin, and especially risky attachments (with extensions such as .pif, .com, .bat, .exe, .vbs, and .lnk), or configure the system so that it is impossible to open them.",
            "importance": 0,
            "uuid": "3cf88fb5-6356-4b3e-a291-e2228852ac45"
        },
        {
            "code": "Networks_54",
            "description": "[email] Make users aware that they should not pass on hoaxes, etc.",
            "importance": 0,
            "uuid": "acdc4e21-c206-495f-a618-c16cc0ea5325"
        },
        {
            "code": "Networks_55",
            "description": "[instant messaging] Prohibit the installation and use of instant messaging software. If such software is necessary, inform users about the risks involved and the good practices to follow.",
            "importance": 0,
            "uuid": "387e8c03-52ed-4f29-854f-7c77a9a36ea9"
        },
        {
            "code": "Non-human risk sources_01",
            "description": "Establish fire prevention, detection and protection systems.",
            "importance": 0,
            "uuid": "e9a6a6c2-36d4-43e2-97d7-a758160ae171"
        },
        {
            "code": "Non-human risk sources_02",
            "description": "Install temperature monitoring systems.",
            "importance": 0,
            "uuid": "91cfea4c-20b0-4be1-aeea-ec68b813ffcc"
        },
        {
            "code": "Non-human risk sources_03",
            "description": "Establish a power supply monitoring and relief system.",
            "importance": 0,
            "uuid": "fddb164a-8cd8-4c88-9865-eb09e168eae6"
        },
        {
            "code": "Non-human risk sources_04",
            "description": "Install systems to prevent water damage.",
            "importance": 0,
            "uuid": "83c2a188-77b1-4a96-857d-39c5d2c9d147"
        },
        {
            "code": "Non-human risk sources_05",
            "description": "Ensure that the essential services (including power, water and air conditioning) are sized appropriately based on the systems they support.",
            "importance": 0,
            "uuid": "443af974-738a-474f-994e-a8555d57eb35"
        },
        {
            "code": "Non-human risk sources_06",
            "description": "Specify an appropriate response time, in the event of failure, in maintenance contracts covering the equipment used in the operation of essential and security services (including extinguishers, air conditioners, water, smoke and heat detectors, opening and unauthorized entry detection and generator) and check the equipment at least annually.",
            "importance": 0,
            "uuid": "67ce43a0-8ed7-4ab2-9343-de474df5d54d"
        },
        {
            "code": "Non-human risk sources_07",
            "description": "In the case of high availability requirements, connect the telecommunications infrastructure via at least two different, independent access points and ensure that they can switch from one to the other very quickly. If availability needs are very high, consider a backup site.",
            "importance": 0,
            "uuid": "a7ddedda-ca2a-4fc8-9a27-f414f06ff038"
        },
        {
            "code": "Operating security_01",
            "description": "Document the operating procedures, update them and make them available to all users concerned (every action on the system, whether it involves administration operations or the use of an application, must be explained in the users' reference documents).",
            "importance": 0,
            "uuid": "0c906d42-562d-4d6c-817d-c237697026c7"
        },
        {
            "code": "Operating security_02",
            "description": "Maintain an up-to-date inventory of the software and hardware used in operation.",
            "importance": 0,
            "uuid": "971e238f-6539-4309-9fbd-bbe551184a3d"
        },
        {
            "code": "Operating security_03",
            "description": "Conduct monitoring of vulnerabilities discovered in the software (including firmware) used in operation, and correct them at the earliest possible opportunity.",
            "importance": 0,
            "uuid": "a58cb9b6-3c4b-4718-ad26-96971c6e8da2"
        },
        {
            "code": "Operating security_04",
            "description": "Maintain an up-to-date inventory of the software and hardware used in operation.",
            "importance": 0,
            "uuid": "59afc518-72aa-4698-a8dd-d414e90416c2"
        },
        {
            "code": "Operating security_05",
            "description": "Prohibit the use of production servers (database servers, Web servers, messaging servers, etc.) for purposes other than those initially intended.",
            "importance": 0,
            "uuid": "4b1d4939-dcf8-4449-bffb-7ecf309593e6"
        },
        {
            "code": "Operating security_06",
            "description": "Use data storage units that use physical redundancy mechanisms (such as RAID), or mechanisms for duplicating data between several servers and/or sites.",
            "importance": 0,
            "uuid": "e310d89d-cb9f-4a4f-9478-f0214fd81bf6"
        },
        {
            "code": "Operating security_07",
            "description": "Check that the size of storage and computing capacities is sufficient for allowing the processing to operate correctly – even during activity peaks.",
            "importance": 0,
            "uuid": "1e14c624-18e7-4db4-b7d0-67f3c5a94c64"
        },
        {
            "code": "Operating security_08",
            "description": "Check that the physical hosting conditions (temperature, humidity, energy supply, etc.) are compatible with the intended use of hardware, and include backup mechanisms (inverter and/or backup supply and/or generator).",
            "importance": 0,
            "uuid": "4ce6491a-dfb5-4a39-b09c-e229f4d4a3ab"
        },
        {
            "code": "Operating security_09",
            "description": "Limit access to hardware that is sensitive and/or of high market value.",
            "importance": 0,
            "uuid": "0f707a1a-3beb-4c0c-8662-7dfd7c9fd437"
        },
        {
            "code": "Operating security_10",
            "description": "Limit the possibilities of hardware alteration.",
            "importance": 0,
            "uuid": "001e35ba-544b-43a1-a94e-3cc3aecde0c5"
        },
        {
            "code": "Operating security_11",
            "description": "Provide for an Activity Recovery Plan (PRA) or Activity Continuity Plan (PCA), based on the availability objectives of the processing carried out.",
            "importance": 0,
            "uuid": "2f02df3f-b652-449f-9e47-018baa1b4a7e"
        },
        {
            "code": "Operating security_12",
            "description": "Set up a security incident management procedure allowing such incidents to be detected, recorded, described and resolved.",
            "importance": 0,
            "uuid": "97d227c8-215b-4b24-a858-f0e181476b03"
        },
        {
            "code": "Organization_01",
            "description": "Have the data controller appoint an assistant to help them enforce the General Data Protection Regulation (GDPR) and provide such assistant with the means to perform their duties.",
            "importance": 0,
            "uuid": "e296be10-3b93-4ed0-bbb2-3e84e330f639"
        },
        {
            "code": "Organization_02",
            "description": "Define the roles, responsibilities and interactions between all data protection stakeholders.",
            "importance": 0,
            "uuid": "83f5e4ad-f20e-4bbc-8912-56923387da9b"
        },
        {
            "code": "Organization_03",
            "description": "Set up a monitoring committee formed of the data controller, the person in charge of assisting the controller in enforcing compliance with the GDPR and the stakeholders. This committee must meet regularly (at least once a year) to set objectives and review the organization's entire range of processing operations.",
            "importance": 0,
            "uuid": "82b6cd19-b2e2-405e-9728-a7bd7251ac6f"
        },
        {
            "code": "Paper document_01",
            "description": "Include a visible, explicit reference on each page of the documents that include sensitive personal data.",
            "importance": 0,
            "uuid": "d41faa6b-99bd-4b71-9bec-66a2d5334c95"
        },
        {
            "code": "Paper document_02",
            "description": "Include a visible, explicit reference in the business applications that provide access to personal data.",
            "importance": 0,
            "uuid": "38b3b764-c6b1-447a-81aa-90ba5fb02472"
        },
        {
            "code": "Paper document_03",
            "description": "Choose paper formats and printing methods that are suitable to the storage conditions (storage duration, ambient humidity, etc.).",
            "importance": 0,
            "uuid": "43021e79-ec81-4867-8bc4-55bc5330a32b"
        },
        {
            "code": "Paper document_04",
            "description": "Retrieve printed documents containing personal data immediately after they are printed or, where possible, carry out secure printing.",
            "importance": 0,
            "uuid": "6e1ba563-e4ff-452b-b793-34b6c42c3837"
        },
        {
            "code": "Paper document_05",
            "description": "Restrict the distribution of paper documents containing personal data to individuals who require them for work-related purposes.",
            "importance": 0,
            "uuid": "c9e78377-c4ef-49e6-937b-6d3720206b38"
        },
        {
            "code": "Paper document_06",
            "description": "Store paper documents containing personal data in a secure cabinet.",
            "importance": 0,
            "uuid": "b3cd646a-9ee6-4e60-bb21-74c086e1a89a"
        },
        {
            "code": "Paper document_07",
            "description": "Destroy, using a shredder of the appropriate certification level, paper documents that are no longer necessary and which contain personal data.",
            "importance": 0,
            "uuid": "1c5b07c9-70c4-44b7-9d23-0d5112589210"
        },
        {
            "code": "Paper document_08",
            "description": "Only send paper documents containing personal data that are necessary for processing.",
            "importance": 0,
            "uuid": "9d218324-5fec-4547-a1bc-502b3ba86905"
        },
        {
            "code": "Paper document_09",
            "description": "Keep close track of the circulation of paper documents containing personal data.",
            "importance": 0,
            "uuid": "d2b72130-8771-49a7-aa39-eb9e3c3abe43"
        },
        {
            "code": "Paper document_10",
            "description": "Choose a transmission channel that is suited to the risks and frequency of transmission.",
            "importance": 0,
            "uuid": "97f4548c-8a5a-4128-848f-5c44b886adf1"
        },
        {
            "code": "Paper document_11",
            "description": "Improve trust in companies used to deliver paper documents containing personal data.",
            "importance": 0,
            "uuid": "c9004d16-3c95-4491-a581-e8493e5ac7bb"
        },
        {
            "code": "Paper document_12",
            "description": "Protect paper documents containing personal data.",
            "importance": 0,
            "uuid": "b20a6adb-cb65-4dca-9401-fe0f08f67b18"
        },
        {
            "code": "Physical access_01",
            "description": "Categorize areas of the buildings by risk.",
            "importance": 0,
            "uuid": "c50ec4bf-c87b-450f-99d3-7444767bb529"
        },
        {
            "code": "Physical access_02",
            "description": "Maintain an up-to-date list of individuals (including visitors, employees, authorized employees, trainees and service providers) who are authorized to enter each area.",
            "importance": 0,
            "uuid": "c688ba0f-d671-4718-ba97-6bfbc999257a"
        },
        {
            "code": "Physical access_03",
            "description": "Select methods for authenticating employees that are proportional to the risks associated with each area.",
            "importance": 0,
            "uuid": "c71ee1c8-164c-4aff-9796-412f2018ef81"
        },
        {
            "code": "Physical access_04",
            "description": "Select visitor authentication methods (for example, persons coming to attend a meeting, external service providers or auditors) proportional to the risks associated with each area.",
            "importance": 0,
            "uuid": "3d8139f7-6e50-4613-b17e-d54c00188544"
        },
        {
            "code": "Physical access_05",
            "description": "Define actions to take if authentication fails (identity cannot be confirmed or lack of authorization to enter a security area).",
            "importance": 0,
            "uuid": "19de6071-7aa0-4c45-bee8-563c7c6446e2"
        },
        {
            "code": "Physical access_06",
            "description": "Keep a record of access granted after notifying the data subjects.",
            "importance": 0,
            "uuid": "a482d122-b761-403f-b916-7757918cfb45"
        },
        {
            "code": "Physical access_07",
            "description": "Visitors needing to access premises outside public reception areas should be escorted (from the time they arrive, during their visit and until they exit the premises) by a member of the organization.",
            "importance": 0,
            "uuid": "be8b8190-8b98-45c1-8f72-4d1a565b1a5c"
        },
        {
            "code": "Physical access_08",
            "description": "Protect the most sensitive areas in proportion to the risks.",
            "importance": 0,
            "uuid": "19576116-27b2-4eda-ad2f-c0ffdc51f09b"
        },
        {
            "code": "Physical access_09",
            "description": "Install a warning system in the event of unauthorized entry.",
            "importance": 0,
            "uuid": "764b70e6-79be-4338-8a85-df02a0845424"
        },
        {
            "code": "Physical access_10",
            "description": "Establish a system to slow individuals who may have penetrated an area they are prohibited from entering and a system for intervening in such situations to ensure intervention before the unauthorized persons can leave the area.",
            "importance": 0,
            "uuid": "6935ed7e-c2ff-41e1-84f0-abb94789e6c6"
        },
        {
            "code": "Policy_01",
            "description": "Set out important aspects relating to data protection within a documentary base making up the data protection policy and in a form suited to each type of content (risks, key principles to be followed, target objectives, rules to be applied, etc.) and each communication target (users, IT department, policymakers, etc.).",
            "importance": 0,
            "uuid": "3044ec83-7f6c-4f36-9b41-fd8f4148f0db"
        },
        {
            "code": "Policy_02",
            "description": "Distribute the data protection policy to those in charge of enforcing it.",
            "importance": 0,
            "uuid": "5c8cfba8-eaaf-49d4-a8c2-eb80e38bedf3"
        },
        {
            "code": "Policy_03",
            "description": "Allow individuals in charge of enforcing the data protection policy to formally request exceptions in the event of implementation difficulties, review the impacts of all exception requests on the related risks and, where applicable, have acceptable exceptions approved by the data controller and amend the data protection policy accordingly.",
            "importance": 0,
            "uuid": "0cfa2120-97ad-4553-9634-eb882d082611"
        },
        {
            "code": "Policy_04",
            "description": "Establish a multi-annual action plan and monitor implementation of data protection policy.",
            "importance": 0,
            "uuid": "f5325095-e849-4311-929f-4f98b1a3f6b9"
        },
        {
            "code": "Policy_05",
            "description": "Allow for exceptions to the data protection policy.",
            "importance": 0,
            "uuid": "265e4f9a-c3fa-45a4-bb88-329c9842a610"
        },
        {
            "code": "Policy_06",
            "description": "Anticipate how to take into account difficulties in enforcing the data protection policy.",
            "importance": 0,
            "uuid": "7da96d90-bb4b-4a7a-843d-d34404a6af91"
        },
        {
            "code": "Policy_07",
            "description": "Regularly check compliance with the rules of the data protection policy and the implementation of the action plan.",
            "importance": 0,
            "uuid": "860682f8-a917-436b-8c3b-e1204cef9c88"
        },
        {
            "code": "Policy_08",
            "description": "Regularly revise the data protection policy.",
            "importance": 0,
            "uuid": "9bc3437a-1156-41bc-a5a7-7f227acecb9c"
        },
        {
            "code": "Prior formalities_01",
            "description": "Check that the data processing does indeed comply with the declared purpose.",
            "importance": 0,
            "uuid": "e35056d7-f710-494a-b88d-b889cca71b24"
        },
        {
            "code": "Prior formalities_02",
            "description": "Perform a Privacy Impact Assessment (PIA) and have it validated.",
            "importance": 0,
            "uuid": "a68526c7-2924-4d5b-8e3c-46e4ff4e661a"
        },
        {
            "code": "Prior formalities_03",
            "description": "Consult the supervisory authority if the residual risks are high, pursuant to Article 36 of the General Data Protection Regulation (GDPR).",
            "importance": 0,
            "uuid": "2cfe236e-a265-4ad6-b465-3f1c54e4b583"
        },
        {
            "code": "Prior formalities_04",
            "description": "Carry out the other sectoral and contractual formalities applicable to the processing (e.g. formalities associated with other codes and regulations, contract with an external data source, etc.).",
            "importance": 0,
            "uuid": "5f305f28-fae7-427e-a438-2a94270a8eed"
        },
        {
            "code": "Processors_01",
            "description": "A procurement contract must be signed with each processor, setting out all of the points stipulated in Art. 28 of the GDPR.",
            "importance": 0,
            "uuid": "56e18e09-aba6-45e7-bcad-b6e095d3c109"
        },
        {
            "code": "Processors_02",
            "description": "Regulate the procurement relations via a contract signed intuitu personæ.",
            "importance": 0,
            "uuid": "7368415c-5c8e-4388-8f37-e0a12b42e27c"
        },
        {
            "code": "Processors_03",
            "description": "Require the processor to forward its Information Systems Security Policy (PSSI) along with all supporting documents of its information security certifications and append said documents to the contract.",
            "importance": 0,
            "uuid": "1ae3cecb-b8c2-4513-8a7e-87ef4737b586"
        },
        {
            "code": "Processors_04",
            "description": "Precisely determine and set, on a contractual basis, the operations that the processor will be required to carry out on personal data.",
            "importance": 0,
            "uuid": "c923a487-93d3-4ad7-a0a9-a379b586903f"
        },
        {
            "code": "Processors_05",
            "description": "Determine, on a contractual basis, the division of responsibility regarding the legal processes aimed at allowing the data subjects to exercise their rights.",
            "importance": 0,
            "uuid": "df423c35-2f36-4da7-8b9b-45c420faede5"
        },
        {
            "code": "Processors_06",
            "description": "Explicitly prohibit or regulate use of tier-2 processors.",
            "importance": 0,
            "uuid": "f2c8f0fd-8e8c-4977-9b6a-3935cfcbfe5c"
        },
        {
            "code": "Processors_07",
            "description": "Clarify in the contract that compliance with the data protection obligations is a binding requirement of the contract.",
            "importance": 0,
            "uuid": "117e287b-32ca-47b9-8fb5-bf5ec461b9c8"
        },
        {
            "code": "Processors_08",
            "description": "[providers of cloud computing services] Require the provider to apply at least logical separation between the organization's data and the data of its other clients.",
            "importance": 0,
            "uuid": "d508b338-1c29-4d0f-815c-f8724b16817d"
        },
        {
            "code": "Processors_09",
            "description": "[providers of cloud computing services] Very clearly define the locations in which the data are likely to be stored, and the countries from which the data stored in the cloud are likely to be accessible.",
            "importance": 0,
            "uuid": "b2b88c80-8c5e-47e7-bf45-03a92fcaa049"
        },
        {
            "code": "Project management_01",
            "description": "Use a risk management approach as soon as a service is devised or an application designed.",
            "importance": 0,
            "uuid": "0943a203-920c-4869-a562-c739bd1f14c1"
        },
        {
            "code": "Project management_02",
            "description": "Favor the use of trusted names in information systems security (ISS) and data protection (procedures, products, management systems, organizations, individuals, etc.).",
            "importance": 0,
            "uuid": "66063408-245e-4027-a2bc-86f360996e2a"
        },
        {
            "code": "Project management_03",
            "description": "Favor the use of recognized and proven guidelines.",
            "importance": 0,
            "uuid": "b5c8636e-490e-4989-89d5-9816c36ed059"
        },
        {
            "code": "Project management_04",
            "description": "Carry out supervisory authority formalities before launching new processing operations.",
            "importance": 0,
            "uuid": "a5225278-26a4-4920-abe0-5256c40435d7"
        },
        {
            "code": "Project management_05",
            "description": "[software acquisitions] Make sure that developers and maintainers have sufficient resources to perform their tasks.",
            "importance": 0,
            "uuid": "0e76309c-a1e9-4361-bd60-fe30cad19371"
        },
        {
            "code": "Project management_06",
            "description": "[software acquisitions] Favor interoperable and user-friendly applications.",
            "importance": 0,
            "uuid": "d344ad67-fe91-477a-b150-87d78e59f02f"
        },
        {
            "code": "Project management_07",
            "description": "[software acquisitions] Carry out IT developments in an IT environment distinct from the running environment.",
            "importance": 0,
            "uuid": "c25ecdc1-1eff-4101-af9b-34d31c5a1f2c"
        },
        {
            "code": "Project management_08",
            "description": "[software acquisitions] Protect the availability, integrity and, where necessary, confidentiality of source codes.",
            "importance": 0,
            "uuid": "68d3ef08-0b9a-4341-a335-afb27e80021a"
        },
        {
            "code": "Project management_09",
            "description": "[software acquisitions] Impose data entry and recording formats that minimize the amount of data collected.",
            "importance": 0,
            "uuid": "ea1e195a-de83-4e5b-97f3-d5d7c74dddf3"
        },
        {
            "code": "Project management_10",
            "description": "[software acquisitions] Make sure that data formats are compatible with the implementation of a storage duration.",
            "importance": 0,
            "uuid": "f0a432b1-5c69-4a69-950f-b2e37bc3963f"
        },
        {
            "code": "Project management_11",
            "description": "[software acquisitions] Integrate access control to data by user categories during development.",
            "importance": 0,
            "uuid": "c06e557e-2436-4b3d-8fa0-552d184f69f9"
        },
        {
            "code": "Project management_12",
            "description": "[software acquisitions] Avoid using free-form text fields. If such fields are required, the following wording must either appear as a watermark or disappear once a user starts typing inside the field: \"Individuals have a right of access to the information about them entered in this field. The information you enter in this field must be RELEVANT to the context. Such information must neither include any subjective opinions nor reveal \"either directly or indirectly, an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, or any information relating to said individual's health or sex life\".\"",
            "importance": 0,
            "uuid": "5f06b644-3743-486c-8431-1bac8186c729"
        },
        {
            "code": "Project management_13",
            "description": "[software acquisitions] Prohibit the use of actual data prior to the implementation, and anonymize them where necessary.",
            "importance": 0,
            "uuid": "ccbce76a-86fe-4cce-a46b-bab851fcbf78"
        },
        {
            "code": "Project management_14",
            "description": "[software acquisitions] Make sure that software runs correctly and as specified during acceptance testing.",
            "importance": 0,
            "uuid": "0c846c96-c091-4e40-a9d8-bec9828fd839"
        },
        {
            "code": "Purpose_01",
            "description": "Describe the data processing purposes in detail and justify their legitimacy.",
            "importance": 0,
            "uuid": "0af91e8e-6412-4ec2-86f0-d00b4f1c83dc"
        },
        {
            "code": "Purpose_02",
            "description": "Explain the purposes of sharing with third parties as well as the data processing purposes for improving the service.",
            "importance": 0,
            "uuid": "c9133806-5bfe-4c1b-85cf-7717b7316936"
        },
        {
            "code": "Purpose_03",
            "description": "Explain the specific conditions under which the processing will take place, particularly by clarifying data matching where applicable.",
            "importance": 0,
            "uuid": "325f56ec-a483-4ee3-8b70-1a36e8218ad2"
        },
        {
            "code": "Relations with third parties_01",
            "description": "Identify all third parties who have or could have legitimate access to personal data.",
            "importance": 0,
            "uuid": "70118f99-45c3-4068-aac2-0970b75078a3"
        },
        {
            "code": "Relations with third parties_02",
            "description": "Determine their role in the processing (including IT administrators, processors, recipients, persons responsible for processing data and authorized third parties) based on the actions they will perform.",
            "importance": 0,
            "uuid": "e67de690-620b-4dfc-84b9-f1b41789ebae"
        },
        {
            "code": "Relations with third parties_03",
            "description": "Determine the respective responsibilities based on the risks connected to the personal data.",
            "importance": 0,
            "uuid": "8fbc269e-b6bc-4fcb-99a9-d3e01b2dbd11"
        },
        {
            "code": "Relations with third parties_04",
            "description": "Determine the appropriate form for establishing rights and obligations based on the third parties' legal structure and their geographic location.",
            "importance": 0,
            "uuid": "affffb06-4f24-4609-b02c-dc94f9eef84d"
        },
        {
            "code": "Relations with third parties_05",
            "description": "Formally document the rules that persons must comply with throughout the life cycle of the relationship related to the processing or the personal data, based on the person's category and the actions that he/she will perform.",
            "importance": 0,
            "uuid": "bc2c32c5-0d94-470c-965b-1362354d0170"
        },
        {
            "code": "Relations with third parties_06",
            "description": "[internal service providers] Apply to said service providers the same measures as for the organization's employees: training in data protection issues, requirement to comply with the rules for using the organization's IT resources, appended to the rules of procedure.",
            "importance": 0,
            "uuid": "addc6cd5-341c-4e65-9f97-80363edc2d23"
        },
        {
            "code": "Relations with third parties_07",
            "description": "[internal service providers] Provide said service providers with a workstation inside the organization or check that use of the workstation supplied by their employer is compatible with the organization's security objectives.",
            "importance": 0,
            "uuid": "4188ca8c-6e9d-47f3-afb2-14f6524f1d69"
        },
        {
            "code": "Relations with third parties_08",
            "description": "[internal service providers] Make sure said service providers are properly bound with their employer by a confidentiality clause applicable to their employer's client organizations.",
            "importance": 0,
            "uuid": "5a653d24-a00c-47e9-9df8-c5da8f03fa59"
        },
        {
            "code": "Relations with third parties_09",
            "description": "[internal service providers] Manage clearance authorizations for such service providers specifically by granting time-bound authorizations that automatically end on the provisional end date for their assignment.",
            "importance": 0,
            "uuid": "cb8a4285-4740-43dd-ad88-3fec51d119de"
        },
        {
            "code": "Relations with third parties_10",
            "description": "[third-party recipients] Govern the transmission of data to said third-parties via a contract setting out.",
            "importance": 0,
            "uuid": "9e9a5a6c-fc2d-4248-afe3-30457f3c8718"
        },
        {
            "code": "Relations with third parties_11",
            "description": "[third-party recipients] Require the third party to publish a privacy protection policy covering the processing making use of the data transmitted and outlining the security objectives pursuant to the IT system security policy.",
            "importance": 0,
            "uuid": "2ebe062a-a1f9-432c-9b15-4c44c1e121e6"
        },
        {
            "code": "Relations with third parties_12",
            "description": "[third-party recipients] If data are transmitted via the Internet, always encrypt the data flows.",
            "importance": 0,
            "uuid": "ecfa059a-ce80-46b6-80a3-49d09eefff9b"
        },
        {
            "code": "Relations with third parties_13",
            "description": "[third-party recipients] Systematically inform the third party when the data subjects exercise their right to rectification.",
            "importance": 0,
            "uuid": "71b7fe30-963e-4ff8-9744-0fd5b34747c7"
        },
        {
            "code": "Relations with third parties_14",
            "description": "[authorized third parties] Only reply to requests that are officially sent (by mail or fax) and reply using the same communications channel. Do not take account of requests sent by email and do not reply using this communications channel.",
            "importance": 0,
            "uuid": "f50afe3d-22eb-453b-9c0f-3a8209ee42d0"
        },
        {
            "code": "Relations with third parties_15",
            "description": "[authorized third parties] Check the legal basis of each request for communication.",
            "importance": 0,
            "uuid": "8cdc1082-78c0-4064-8ee0-2f43560f2a4f"
        },
        {
            "code": "Relations with third parties_16",
            "description": "[authorized third parties] Authenticate the parties submitting the requests and only reply to them.",
            "importance": 0,
            "uuid": "4235ff42-c907-4089-9b07-1443ee2cbbb2"
        },
        {
            "code": "Relations with third parties_17",
            "description": "[authorized third parties] Reply strictly to the request by only supplying the data asked for in the request.",
            "importance": 0,
            "uuid": "39a72d0c-9c2e-43ee-8725-478cd01397e4"
        },
        {
            "code": "Right of access and data portability_01",
            "description": "Determine the practical means that will be implemented to allow the exercise of the right of access. Individuals must be able to exercise this right as quickly as possible, within two months without exception (one month under the GDPR) for data, in a form similar to the form used for the processing (by regular mail and/or by email). In addition, the process must not discourage the data subjects and they must not incur expenses that exceed copying costs.",
            "importance": 0,
            "uuid": "676fcbe6-c3f9-45a5-8338-4cbfa5a8d1b7"
        },
        {
            "code": "Right of access and data portability_02",
            "description": "Ensure that the right of access can always be exercised.",
            "importance": 0,
            "uuid": "e95147b7-c5ea-478b-9a58-1ff58779a065"
        },
        {
            "code": "Right of access and data portability_03",
            "description": "Confirm that requests to exercise the right of access submitted on-site provide the identity of the individuals submitting requests and the identity of the individuals they may appoint as their representative.",
            "importance": 0,
            "uuid": "c10b1012-d440-426d-919e-4314090bb711"
        },
        {
            "code": "Right of access and data portability_04",
            "description": "Confirm that requests to exercise the right of access submitted by regular mail are signed and accompanied by a photocopy of a piece of identification (which should not be retained unless proof must be kept) and that they specify a reply-to address.",
            "importance": 0,
            "uuid": "4a6e08eb-25a3-4705-87a6-00ae4dc26e0d"
        },
        {
            "code": "Right of access and data portability_05",
            "description": "Confirm that requests to exercise the right of access submitted by email (using an encrypted channel if transmitted via the Internet) are accompanied by a digitized piece of identification (which should not be retained unless proof must be kept and, in that case, in black and white, low definition and as an encrypted file).",
            "importance": 0,
            "uuid": "d2f46aae-123a-4047-be3d-9c77d1b1cfe0"
        },
        {
            "code": "Right of access and data portability_06",
            "description": "Ensure that all information that data subjects may request can be provided while still protecting the personal data of third parties.",
            "importance": 0,
            "uuid": "7a3dd186-475f-471d-9f5b-702cdf2aaed0"
        },
        {
            "code": "Right of access and data portability_07",
            "description": "[medical files] Provide the information within eight days following the request and within two months if the information is more than five years old (as of the date on which the medical information was assembled).",
            "importance": 0,
            "uuid": "b0308ad7-11e9-440a-8a19-234b47f54bb9"
        },
        {
            "code": "Right of access and data portability_08",
            "description": "[medical files] Allow those who hold parental rights (for minors) and legal representatives (for individuals subject to guardianship) to exercise the right of access.",
            "importance": 0,
            "uuid": "51777d5c-5290-4861-ada7-4b1fadac38a4"
        },
        {
            "code": "Rights to rectification and erasure_01",
            "description": "Determine the practical means that will be implemented to permit the exercise of the right to rectification. Individuals must be able to exercise this right as quickly as possible, within two months without exception, in a form similar to the form used for the processing (by regular mail and/or by email). In addition, the process must not discourage the data subjects and must not involve any cost to them.",
            "importance": 0,
            "uuid": "3e5aca0a-a8eb-4005-b549-e14091d02295"
        },
        {
            "code": "Rights to rectification and erasure_02",
            "description": "Ensure that the right to rectification may always be exercised.",
            "importance": 0,
            "uuid": "820e628b-f40d-4454-87b1-eb33e2c4cf7e"
        },
        {
            "code": "Rights to rectification and erasure_03",
            "description": "Ensure that the right to rectification may always be exercised.",
            "importance": 0,
            "uuid": "2ae0587e-65dc-4c2a-9e02-557642a9ffce"
        },
        {
            "code": "Rights to rectification and erasure_04",
            "description": "Ensure that the identity of individuals submitting requests will be verified.",
            "importance": 0,
            "uuid": "749726d9-1fad-4f68-97f9-9a9d6d3b7701"
        },
        {
            "code": "Rights to rectification and erasure_05",
            "description": "Ensure that the accuracy of the corrections requested will be verified.",
            "importance": 0,
            "uuid": "3f2092db-7b8b-47b4-a1e3-5ad2e03c2b99"
        },
        {
            "code": "Rights to rectification and erasure_06",
            "description": "Ensure that the data to be deleted are properly erased.",
            "importance": 0,
            "uuid": "443cde40-ee08-4089-b4d0-239af70e728f"
        },
        {
            "code": "Rights to rectification and erasure_07",
            "description": "Ensure that the individuals submitting requests receive confirmation.",
            "importance": 0,
            "uuid": "89f0882c-0b65-47c9-85dd-c6a675ec890e"
        },
        {
            "code": "Rights to rectification and erasure_08",
            "description": "Ensure that the third parties to whom the data may have been sent are informed of the corrections made.",
            "importance": 0,
            "uuid": "4dd00be3-f30a-4401-8bb8-475e79bf21d7"
        },
        {
            "code": "Rights to rectification and erasure_09",
            "description": "Upon receiving an erasure request, inform the user if the personal data are going to be kept all the same (technical requirements, legal obligations).",
            "importance": 0,
            "uuid": "fa8b29ba-bef5-484f-90ec-60dd75ea91bf"
        },
        {
            "code": "Rights to rectification and erasure_10",
            "description": "Implement the right to be forgotten for minors.",
            "importance": 0,
            "uuid": "8222db32-6b4d-4b60-b70b-422764a49dc5"
        },
        {
            "code": "Rights to rectification and erasure_11",
            "description": "[online targeted advertising] Provide a way for individuals to access the areas of interest in their profile and a way to modify them. The individual's identity may be authenticated based on the information used to access his or her account or on the cookie (or equivalent) on his or her computer.",
            "importance": 0,
            "uuid": "68485fa9-6933-4444-81e8-91690350a102"
        },
        {
            "code": "Rights to restriction and to object_01",
            "description": "Determine the practical means that will be implemented to allow individuals to exercise the right to object. Individuals must be able to exercise this right as quickly as possible, within two months without exception, in a form similar to the form used for the processing (by regular mail and/or by email). In addition, the process must not discourage the data subjects and must not involve any cost to them.",
            "importance": 0,
            "uuid": "7a35cf66-ace9-44fc-ae3d-4cbacab0d099"
        },
        {
            "code": "Rights to restriction and to object_02",
            "description": "Ensure that the right to object may always be exercised and that the personal data collected and processed actually allow the exercise of the right to object.",
            "importance": 0,
            "uuid": "9ef3e939-b392-4567-9253-36e67d0657a1"
        },
        {
            "code": "Rights to restriction and to object_03",
            "description": "Ensure that \"the interested party is able to express his or her choice prior to the final validation of his or her responses\".",
            "importance": 0,
            "uuid": "8f61de26-82bc-40bb-bbe7-b2205e26a885"
        },
        {
            "code": "Rights to restriction and to object_04",
            "description": "Confirm that requests to exercise the right to object submitted on-site provide for verification of the identity of the individuals submitting requests and the identity of the individuals they may appoint as their representative.",
            "importance": 0,
            "uuid": "595a5219-5458-4c44-8593-0dd33334c199"
        },
        {
            "code": "Rights to restriction and to object_05",
            "description": "Confirm that requests to exercise the right to object submitted by regular mail are signed and accompanied by a photocopy of a piece of identification (which should not be retained unless proof must be kept) and that they specify a reply-to address.",
            "importance": 0,
            "uuid": "5c557a20-1b92-4182-8712-b81b469ccd27"
        },
        {
            "code": "Rights to restriction and to object_06",
            "description": "Confirm that requests to exercise the right to object submitted by email (using an encrypted channel if transmitted via the Internet) include a digitized piece of identification (which should not be retained unless proof must be kept and, in that case, in black and white, low definition and as an encrypted file).",
            "importance": 0,
            "uuid": "bb7a66aa-2629-4922-bb39-ea134171eea8"
        },
        {
            "code": "Rights to restriction and to object_07",
            "description": "Ensure that individuals exercising their right to object provide legitimate grounds and that those grounds are evaluated (except in the case of marketing and processing for the purpose of health research, which provides the individual a discretionary right to object).",
            "importance": 0,
            "uuid": "97c2d533-638f-4b8a-974b-74d767f11301"
        },
        {
            "code": "Rights to restriction and to object_08",
            "description": "Ensure that all recipients of the processing are notified of the objections submitted by the data subjects.",
            "importance": 0,
            "uuid": "e2421127-348a-4457-b196-1e7d88c67e82"
        },
        {
            "code": "Rights to restriction and to object_09",
            "description": "[processing via telephone] Provide a mechanism allowing data subjects to express their objection by telephone.",
            "importance": 0,
            "uuid": "b53d86b0-4b43-45e2-bc95-d38f27521377"
        },
        {
            "code": "Rights to restriction and to object_10",
            "description": "[processing via electronic form] Create an easily accessible form with opt-out boxes to check or allow the user to unsubscribe from a service (delete an account).",
            "importance": 0,
            "uuid": "a5742264-b164-426c-be4f-a8a2030e4768"
        },
        {
            "code": "Rights to restriction and to object_11",
            "description": "[processing via email] Ensure that the sender of the messages is clearly identified.",
            "importance": 0,
            "uuid": "2b0fb90e-89d0-4030-b177-3bb617a63893"
        },
        {
            "code": "Rights to restriction and to object_12",
            "description": "[processing via email] Ensure that the body of the messages relates to the subject of the messages.",
            "importance": 0,
            "uuid": "8d9c1918-8b86-47b3-a9f7-d7d78fe9c3fb"
        },
        {
            "code": "Rights to restriction and to object_13",
            "description": "[processing via email] Allow recipients to object by responding to the message or by clicking on a link. Individuals should not be required to identify themselves to unsubscribe.",
            "importance": 0,
            "uuid": "cb78228a-4041-44a8-a689-bf6578874463"
        },
        {
            "code": "Rights to restriction and to object_14",
            "description": "[processing via a connected object or mobile app] Existence of \"Privacy\" settings in mobile apps.",
            "importance": 0,
            "uuid": "6bb37898-960e-4ca7-98e7-95e81e4bddd3"
        },
        {
            "code": "Rights to restriction and to object_15",
            "description": "[processing via a connected object or mobile app] Allow the mobile app user to object to the collection of special data.",
            "importance": 0,
            "uuid": "7459271b-d172-4ad6-81da-cb209817a995"
        },
        {
            "code": "Rights to restriction and to object_16",
            "description": "[processing via a connected object or mobile app] Take underage users into account.",
            "importance": 0,
            "uuid": "44daf7b1-6e18-4b46-a66c-f79b94e4cfe2"
        },
        {
            "code": "Rights to restriction and to object_17",
            "description": "[processing via a connected object or mobile app] Properly stop any collection of data where the user withdraws his/her consent.",
            "importance": 0,
            "uuid": "145b5b1e-fadd-46ee-942a-645112753615"
        },
        {
            "code": "Risk management_01",
            "description": "List the personal data processing operations, whether automated or otherwise, the data processed (e.g. client files, contracts) and the supporting assets on which they rely.",
            "importance": 0,
            "uuid": "fe95ad70-790a-456e-a46e-1585608fe899"
        },
        {
            "code": "Risk management_02",
            "description": "Assess the way in which the fundamental principles (information, consent, right of access, etc.) are respected.",
            "importance": 0,
            "uuid": "814d402c-daf5-4f3b-88e7-82cfc5f7b1c9"
        },
        {
            "code": "Risk management_03",
            "description": "Assess the risks of each processing.",
            "importance": 0,
            "uuid": "c70188fa-c058-415e-a704-5f089a20faec"
        },
        {
            "code": "Risk management_04",
            "description": "Implement and check the planned measures. Where the existing and planned measures are considered appropriate for guaranteeing the right level of security in light of the risks, their application and monitoring must be ensured.",
            "importance": 0,
            "uuid": "f5f11b9a-a9f1-4836-8da4-a3a7ef479e93"
        },
        {
            "code": "Risk management_05",
            "description": "Make sure a security audit is carried out periodically – annually where possible. Each audit must be accompanied by an action plan, the implementation of which should be monitored at the highest level.",
            "importance": 0,
            "uuid": "9335ac84-9854-4c75-8841-c059c9e9ed6a"
        },
        {
            "code": "Risk management_06",
            "description": "Update the map periodically and at each major change.",
            "importance": 0,
            "uuid": "09c8fe47-6d8e-4130-b6f4-98127bfe2eb2"
        },
        {
            "code": "Staff management_01",
            "description": "Make sure that individuals who have access to personal data and the processing of such data are qualified for their jobs.",
            "importance": 0,
            "uuid": "7f6b0b2f-b85a-4b3d-a7ab-69d4d1a08f4d"
        },
        {
            "code": "Staff management_02",
            "description": "Make sure that the working conditions of individuals with access to personal data and the processing of such data are satisfactory.",
            "importance": 0,
            "uuid": "c80aacb6-80d5-4222-92b7-d7482e0da130"
        },
        {
            "code": "Staff management_03",
            "description": "Raise the awareness of individuals with access to personal data and the processing of such data about the risks associated with exploitation of their vulnerabilities.",
            "importance": 0,
            "uuid": "2aaa85f4-a8a1-4d03-940c-fed3552a5943"
        },
        {
            "code": "Storage durations_01",
            "description": "Define, for each data category, storage durations that are time-limited and appropriate to the purpose of the processing and/or legal requirements.",
            "importance": 0,
            "uuid": "9364fb43-09ae-42e0-b273-8b2b0ff24d39"
        },
        {
            "code": "Storage durations_02",
            "description": "Check that the processing enables the end of the storage duration to be detected (set up an automatic mechanism based on the date on which the data are created or last used).",
            "importance": 0,
            "uuid": "2d0ddcc8-aca7-4833-b10a-1ce35039f496"
        },
        {
            "code": "Storage durations_03",
            "description": "Confirm that the processing allows the deletion of personal data when the storage duration expires and that the method chosen to delete them is appropriate to the risks to privacy of the data subjects.",
            "importance": 0,
            "uuid": "fb34159c-869f-47fd-afdb-07d7c5c6add6"
        },
        {
            "code": "Storage durations_04",
            "description": "Once the storage duration has expired, subject to intermediate archiving of the necessary data, delete the data with immediate effect.",
            "importance": 0,
            "uuid": "e662c3c9-6b20-48fc-afbf-4940f89193a6"
        },
        {
            "code": "Supervision_01",
            "description": "Regularly inspect personal data processing operations to ensure that they comply with GDPR as well as the effectiveness and appropriateness of planned measures.",
            "importance": 0,
            "uuid": "ab36dcfc-8acd-4ef4-9670-0951f2d038b4"
        },
        {
            "code": "Supervision_02",
            "description": "Set data protection objectives in the field of privacy and define indicators for determining whether these objectives are met.",
            "importance": 0,
            "uuid": "46bac0c0-104c-498f-bb3e-af702c95c734"
        },
        {
            "code": "Supervision_03",
            "description": "Regularly assess data protection.",
            "importance": 0,
            "uuid": "93b8e97a-f1bb-4962-a3e2-c78138ff0c93"
        },
        {
            "code": "Surveillance_01",
            "description": "Set up a logging architecture that retains a record of security incidents and the time they occurred.",
            "importance": 0,
            "uuid": "5480b920-a87a-4e8d-903c-4e2b959a0749"
        },
        {
            "code": "Surveillance_02",
            "description": "Select the incidents to be logged based on the context, supporting assets (including workstations, firewall, network equipment and servers), risks and legal framework.",
            "importance": 0,
            "uuid": "1e9bfd52-15f3-4d71-aded-d530a582999f"
        },
        {
            "code": "Surveillance_03",
            "description": "Comply with the requirements of GDPR if the logged events include personal data.",
            "importance": 0,
            "uuid": "1c5e91ea-3a5e-4e49-a151-2d221f650842"
        },
        {
            "code": "Surveillance_04",
            "description": "Conduct periodic analyses of the logged information and, if needs be, establish a system that detects weak signals automatically.",
            "importance": 0,
            "uuid": "36c52a02-e84b-4850-aef7-6643002bbe07"
        },
        {
            "code": "Surveillance_05",
            "description": "Retain the incident logs for six months unless legal and regulatory restrictions require specific storage durations.",
            "importance": 0,
            "uuid": "860a6f94-976b-4761-985c-c3a4d220be70"
        },
        {
            "code": "Surveillance_06",
            "description": "[firewall] Establish a filtering policy that prohibits any direct communication between the internal workstations and the exterior (permit connections only via the firewall) and allow only those flows that are explicitly authorized (firewall blockage of all connections except those identified as necessary).",
            "importance": 0,
            "uuid": "b0998e5c-5e6f-4f1a-97f0-4997f2b1a8f2"
        },
        {
            "code": "Surveillance_07",
            "description": "[firewall] Log all successful authorized connections and all rejected attempts to connect.",
            "importance": 0,
            "uuid": "bbaedcb2-560f-43a1-a28b-3a3fb9a77181"
        },
        {
            "code": "Surveillance_08",
            "description": "[firewall] Export the logs via a secure channel to a dedicated server.",
            "importance": 0,
            "uuid": "6ef6c9a0-bcab-4aa5-9fe6-e848a88ad46a"
        },
        {
            "code": "Surveillance_09",
            "description": "[network equipment] Log the activity on each port of a switch or a router.",
            "importance": 0,
            "uuid": "c0cd756e-dc5a-4cf7-aa43-da45f3fcbd60"
        },
        {
            "code": "Surveillance_10",
            "description": "[network equipment] Export the logs to a dedicated server using an integrated syslog client or via NetFlow.",
            "importance": 0,
            "uuid": "c2e4f784-1347-499f-a76d-180a78756afd"
        },
        {
            "code": "Surveillance_11",
            "description": "[network equipment] Monitor the volume based on times and monitor compliance with any access control lists (ACL) for the routers.",
            "importance": 0,
            "uuid": "90a8ee4a-7138-44e2-a52d-a55ddeaf0b15"
        },
        {
            "code": "Surveillance_12",
            "description": "[server] Log as much information as possible regarding client requests on the web servers to identify configuration defects and injections of SQL queries.",
            "importance": 0,
            "uuid": "e1b1359e-d937-4028-a6a2-1d3da2c2c44a"
        },
        {
            "code": "Surveillance_13",
            "description": "[server] Log users' activity on the proxy servers.",
            "importance": 0,
            "uuid": "657c1b9d-6675-40b5-9a6d-5f29e4d12d7c"
        },
        {
            "code": "Surveillance_14",
            "description": "[server] Log all queries made to the DNS servers, whether issued by Internet users or internal network clients.",
            "importance": 0,
            "uuid": "89954a92-cae7-4685-8ec1-552af649cc8f"
        },
        {
            "code": "Surveillance_15",
            "description": "[server] Log the time- and date-stamped authentication data and the length of each connection on the remote access servers.",
            "importance": 0,
            "uuid": "43f776b1-40c5-4c10-b220-306e85583ac7"
        },
        {
            "code": "Surveillance_16",
            "description": "[server] Log the reception and management of messages on the messaging servers.",
            "importance": 0,
            "uuid": "ebda03ad-7d72-45ab-8c85-f71b89ed797e"
        },
        {
            "code": "Traceability_01",
            "description": "Depending on the country in question, justify the choice of remote hosting and indicate the legal supervision arrangements implemented in order to ensure adequate protection of the data which are subject to a cross-border transfer.",
            "importance": 0,
            "uuid": "c124943d-08c4-45b2-97ce-17eeff247a10"
        },
        {
            "code": "Traceability_02",
            "description": "Set up user authentication making it possible to attribute the logged incidents.",
            "importance": 0,
            "uuid": "94de88c6-f55d-451b-a844-4c97bc3b677c"
        },
        {
            "code": "Traceability_03",
            "description": "Comply with the requirements of GDPR as regards logged events attached to an identified user.",
            "importance": 0,
            "uuid": "e0e84602-ed80-4927-bd9e-cc4fc032869c"
        },
        {
            "code": "Traceability_04",
            "description": "Conduct periodic analyses of the logged information and, if needs be, establish a system that detects abnormal activity automatically.",
            "importance": 0,
            "uuid": "04f41149-f24e-4120-aa99-78c0e30448c6"
        },
        {
            "code": "Transfer outside EU_01",
            "description": "State the geographic storage location for the different types of processing data.",
            "importance": 0,
            "uuid": "9f6b1062-13cd-4ecb-a43c-bcbab3655af6"
        },
        {
            "code": "Transfer outside EU_02",
            "description": "Depending on the country in question, justify the choice of remote hosting and indicate the legal supervision arrangements implemented in order to ensure adequate protection of the data which are subject to a cross-border transfer.",
            "importance": 0,
            "uuid": "94e7783a-5e67-45a6-a439-01f0492fdc1e"
        },
        {
            "code": "Website_01",
            "description": "Use a certificate signed by an \"approved\" trusted root authority.",
            "importance": 0,
            "uuid": "d49de769-1ea6-4046-a829-5e1990c6042f"
        },
        {
            "code": "Website_02",
            "description": "Traffic encryption must be guaranteed by TLS; the web server must then be configured to accept only this type of protocol (in particular, exclude the SSL protocol and make encryption compulsory during SSL negotiations).",
            "importance": 0,
            "uuid": "d8f38e66-61a1-4033-b530-3cef1ec16aed"
        },
        {
            "code": "Website_03",
            "description": "Define a Content-Security-Policy only including stakeholders whom you authorize to place content on your website.",
            "importance": 0,
            "uuid": "2e7e68ce-861c-417a-893e-5034dcb9f559"
        },
        {
            "code": "Website_04",
            "description": "Conduct on-site security audits.",
            "importance": 0,
            "uuid": "ffca4dc3-0dff-4c78-95bd-0aca191f8f23"
        },
        {
            "code": "Workstations_01",
            "description": "Ensure that the IT department provides users with workstations that are kept secure and in working order.",
            "importance": 0,
            "uuid": "b1fcea2c-d822-4ccf-9fb2-ba401a747610"
        },
        {
            "code": "Workstations_02",
            "description": "Small workstations, especially laptops, can be easily stolen. They must therefore be equipped with anti-theft cables whenever their users are not nearby and the premises are not protected by physical security measures.",
            "importance": 0,
            "uuid": "6b75e464-9a3f-4e3f-8605-e6bf06e320df"
        },
        {
            "code": "Workstations_03",
            "description": "Retrieve data, except for data defined as private or personal, from workstations before they are assigned to other persons.",
            "importance": 0,
            "uuid": "dd87892a-27d0-4680-be98-aa1d9372c722"
        },
        {
            "code": "Workstations_04",
            "description": "Erase data from workstations before assigning them to other persons or if such workstations are shared.",
            "importance": 0,
            "uuid": "82ed5d4a-9600-407e-898e-eac4c2936f4f"
        },
        {
            "code": "Workstations_05",
            "description": "Delete temporary data each time a person logs onto a shared workstation.",
            "importance": 0,
            "uuid": "c15b93e3-9ef1-4efb-a5f6-018c1d176b53"
        },
        {
            "code": "Workstations_06",
            "description": "If a workstation becomes compromised, inspect the system for all signs of intrusion in order to determine whether other information has been compromised by the attacker.",
            "importance": 0,
            "uuid": "5b1d0450-a746-4688-97f5-08b1283c1db4"
        },
        {
            "code": "Workstations_07",
            "description": "Keep systems and applications up to date (versions, security patches, etc.) or, where this is not possible (e.g. applications available only on a system that is no longer supported by the software company), isolate the machine and closely monitor the logs.",
            "importance": 0,
            "uuid": "a50db22c-4108-4c18-8209-d860708f07a0"
        },
        {
            "code": "Workstations_08",
            "description": "Document configurations and update them whenever major changes are made.",
            "importance": 0,
            "uuid": "caec7b23-f185-4bac-ac21-275f8c109b52"
        },
        {
            "code": "Workstations_09",
            "description": "Reduce the possibilities of misuse.",
            "importance": 0,
            "uuid": "7002e5b3-1696-4cbb-b698-8e019bb3b0ef"
        },
        {
            "code": "Workstations_10",
            "description": "Protect access to workstations.",
            "importance": 0,
            "uuid": "5e0092bc-7eb8-4599-8a0a-728aa7e224cf"
        },
        {
            "code": "Workstations_11",
            "description": "Enable protection measures afforded by the system and the applications.",
            "importance": 0,
            "uuid": "390ad031-333f-4449-bf96-5aa2b34f02ac"
        },
        {
            "code": "Workstations_12",
            "description": "Prohibit local sharing of directories or data on workstations.",
            "importance": 0,
            "uuid": "7b5ff016-d3fc-4468-88a0-8a73cb5e153c"
        },
        {
            "code": "Workstations_13",
            "description": "Store user data on a backed-up network space, not on workstations.",
            "importance": 0,
            "uuid": "9dc44b61-d124-47f5-a272-25023edea841"
        },
        {
            "code": "Workstations_14",
            "description": "If data must be stored on a local workstation, provide users with means of synchronization or backup and inform them how to use these means.",
            "importance": 0,
            "uuid": "130bf4ae-d3f4-4409-96a1-0d91c37f261e"
        },
        {
            "code": "Workstations_15",
            "description": "Secure the configuration of Web browsers.",
            "importance": 0,
            "uuid": "6481e72d-5c49-40a0-bedb-452ac59836ff"
        },
        {
            "code": "Workstations_16",
            "description": "Deploy a secure browser on all servers that are to be used to access the Internet or an intranet.",
            "importance": 0,
            "uuid": "72bf8a1c-b98c-476d-8d6a-4feb688d8e70"
        },
        {
            "code": "Workstations_17",
            "description": "Limit the number of plugins, remove any that are not used, and regularly update those that are left installed.",
            "importance": 0,
            "uuid": "319fcc62-4d32-4903-9ba1-aef7d58c0900"
        },
        {
            "code": "Workstations_18",
            "description": "Prohibit the use of downloaded applications that are not from safe sources.",
            "importance": 0,
            "uuid": "df180601-4736-4f3f-a3ff-aee76f31a5ea"
        },
        {
            "code": "Workstations_19",
            "description": "Search for exploitable vulnerabilities.",
            "importance": 0,
            "uuid": "1399ed3f-423f-4a7f-8143-646477f3bb22"
        },
        {
            "code": "Workstations_20",
            "description": "Check system integrity using integrity checkers (which check the integrity of selected files).",
            "importance": 0,
            "uuid": "87b654c1-47a5-4c35-848b-f53a8404907a"
        },
        {
            "code": "Workstations_21",
            "description": "Confirm that the maximum size of the incident logs is adequate and, in particular, that the oldest incidents are not automatically deleted if the maximum size is reached.",
            "importance": 0,
            "uuid": "f36a4d0b-ba0b-4c36-bca6-39f5ee193e1d"
        },
        {
            "code": "Workstations_22",
            "description": "Log application, security and system-related incidents.",
            "importance": 0,
            "uuid": "02cc65ae-2522-4ebf-97a0-4f3d3230736e"
        },
        {
            "code": "Workstations_23",
            "description": "Export the logs using domain management functionalities or via a syslog client.",
            "importance": 0,
            "uuid": "c74af249-f469-40e3-bee4-631299caf240"
        },
        {
            "code": "Workstations_24",
            "description": "Analyze primarily the connection and disconnection times, the type of protocol used to connect and the type of user who uses it, the source IP address of the connection, successive connection failures and unplanned interruptions of applications or tasks.",
            "importance": 0,
            "uuid": "3a08d397-5234-43c4-bef4-74c23bd83bab"
        },
        {
            "code": "Workstations_25",
            "description": "[mobile devices] Encrypt personal data stored on mobile devices.",
            "importance": 0,
            "uuid": "3c61efd4-f671-49ac-8137-e942341c0d75"
        },
        {
            "code": "Workstations_26",
            "description": "[mobile devices] Limit the amount of personal data stored on mobile devices to the strict minimum, and prohibit such storage during travel abroad if need be.",
            "importance": 0,
            "uuid": "1e3d14e1-2acd-4510-9428-52222cb5366e"
        },
        {
            "code": "Workstations_27",
            "description": "[mobile devices] Ensure the availability of personal data stored on mobile devices.",
            "importance": 0,
            "uuid": "afd91008-7339-4160-8193-998cc570f2e5"
        },
        {
            "code": "Workstations_28",
            "description": "[mobile devices] Erase personal data from mobile devices as soon as such data is entered in the organization's information system.",
            "importance": 0,
            "uuid": "07b2d2df-e1b9-4752-9be9-aab849ac6bda"
        },
        {
            "code": "Workstations_29",
            "description": "[mobile devices] Place privacy filters on mobile devices whenever they are used outside the organization.",
            "importance": 0,
            "uuid": "55607dc8-949c-4d95-a216-f602a0d61958"
        },
        {
            "code": "Workstations_30",
            "description": "[smartphones] Configure smartphones before delivering them to users.",
            "importance": 0,
            "uuid": "b84dfff8-2705-4b25-8fc7-eea8b61f9af4"
        },
        {
            "code": "Workstations_31",
            "description": "[smartphones] Inform users, such as in a memo provided at delivery, about how to use their phone, the applications installed on it (e.g. Business Mail, Exchange, etc.), the services provided, and the security rules to be followed.",
            "importance": 0,
            "uuid": "96e207b0-160a-4d9f-818c-5a6098b88685"
        },
        {
            "code": "Workstations_32",
            "description": "[server] Isolate the server from the rest of the network in a specific DMZ or VLAN, use up-to-date virus, spyware and spam protection, immediately install operating system security updates, authenticate devices with digital certificates (where possible), etc.",
            "importance": 0,
            "uuid": "df5cfbbc-c589-49ac-ac0c-4eafe4e815ee"
        },
        {
            "code": "Workstations_33",
            "description": "[smartphones] Secure phones at the end of their life cycle.",
            "importance": 0,
            "uuid": "28662b29-7c3b-43cd-8ba8-952298ae3a8f"
        }
    ],
    "version": 1
}