Navigate

CCI-003489

CCI-003489 Definition

The organization defines the frequency, minimally annually, for conducting reviews of its personally identifiable information (PII) holdings.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

DoD has defines the frequency as annually as part of the agency's report under FISMA.

Validation Procedures

DoD has defines the frequency as annually as part of the agency's report under FISMA.

Compelling Evidence

1.) Site must produce signed document which describes site's frequency for conducting reviews of its PII holding. 2.) Reviewer will validate the existence of the documentation. 3.) Reviewer will validate that the documentation describes how frequently the site conducts reviews of its PII holding. 4.) Reviewer will validate that the site conducts reviews of its PII holdings at least annually. 5.) Reviewer will validate that the document's information about the frequency of reviews is matched with the answer of site's personal.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003489.

Control	Description
DM-1	The organization: DM-1a.: Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection; DM-1b.: Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and DM-1c.: Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose.

Control

Description

DM-1

The organization:

DM-1a.: Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection;

DM-1b.: Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and

DM-1c.: Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose.