GV.OC-03: How to manage legal, regulatory, and cybersecurity obligations?

GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.

Example 1: Determine a process to track and manage legal and regulatory requirements regarding protection of individuals’ information (e.g., Health Insurance Portability and Accountability Act, California Consumer Privacy Act, General Data Protection Regulation).

Example 2: Determine a process to track and manage contractual requirements for cybersecurity management of supplier, customer, and partner information.

Example 3: Align the organization’s cybersecurity strategy with legal, regulatory, and contractual requirements.

Source: The NIST Cybersecurity Framework 2.0 Core with Implementation Examples.
