Navigate

CCI-003448

CCI-003448 Definition

The organization ensures personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements per organization-defined frequency.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed must ensure that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements at least annually. This can be achieved either through inclusion of these requirements within and annually recertifying their existing AUP, or via a separate acceptance method.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented results of the review conducted IAW AR-5, CCI 3440. If the review indicates that IASE provided PII training meets the needs of the organization then the organization is automatically compliant. Otherwise, the organization conducting the inspection/assessment obtains and examines the documented certification process as well as a representative sample of employee certification records to ensure that the organization being inspected/assessed ensures personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements per organization-defined frequency.

Compelling Evidence

Reference section of documentation that pertains to the process on how personnel certify (manually or electronically) their acceptance of responsibilities for privacy requirements per organization-defined frequency.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003448.

Control	Description
AR-5	The organization: a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures; b. Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually].

Control

Description

AR-5

The organization: a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures; b. Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually].