CCI-003417
CCI-003417 Definition
The organization documents a privacy risk management process which assesses the privacy risk to individuals.
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed documents a privacy risk management process which assesses the privacy risk to individuals.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented privacy risk management process which assesses the privacy risk to individuals.
Compelling Evidence
Documentation of information systems having completed the PII Confidentiality Impact Level Categorization process; documentation demonstrating incorporation of the PII Confidentiality Impact Level categorization into the information system's FIPS 199 categorization; and documentation from the Chief Information Officer and/or Chief Privacy Officer requiring implementation of the privacy risk management process as part of the agency risk management process.