CCI-003409
CCI-003409 Definition
| Field | Value |
|---|---|
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed documents and implements operational privacy policies that govern the appropriate privacy and security controls for programs, information systems, or technologies involving personally identifiable information (PII).
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the operational privacy policies to confirm that the organization being inspected/assessed has implemented operational privacy policies that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII.
Compelling Evidence
1.) Signed and dated operational privacy policies that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII. Such documentation may include, but is not limited to, the organization's privacy program plan (PPP), the organization's Risk Management Framework (RMF) implementing guidance, and the organization's RMF implementation guidance intranet site.

2.) Documentation that demonstrates implementation of the operational privacy policies. Evidence of implementation may include, but is not limited to, documentation showing that information systems have completed the PII confidentiality impact level categorization process, and records of correspondence among the privacy office, information system security officers/managers, and program managers discussing the tailoring of privacy-relevant controls from the control set.