Navigate

CCI-003515

CCI-003515 Definition

The organization implements controls to protect personally identifiable information (PII) used for research.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed will complete a Privacy Impact Assessment (PIA) for any information system that uses PII for research and implement the identified controls.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the PIA for all information systems using PII for research to ensure the PIA is completed and approved. The organization conducting the inspection/assessment inspects the information system to ensure the organization being inspected/assessed has properly implemented the controls identified in the PIA to protect PII.

Compelling Evidence

1.) Site must produce a signed PIA document for any site's information system(s) that uses PII for research 2.) Reviewer will verify that the documentation exists. 3.) Reviewer will verify and examine that the PIA for all information systems using PII for research is created, completed, maintained and approved. 4.) Reviewer will verify that the PIA describes and identifies controls and how they are implemented. 5.) Reviewer must validate that the site properly implements controls identified in the PIA to insure PII is protected when used for research.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003515.

Control	Description
DM-3	The organization: a. Develops policies and procedures that minimize the use of personally identifiable information (PII) for testing, training, and research; and b. Implements controls to protect PII used for testing, training, and research.