CCI-003517
CCI-003517 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed documents and implements techniques (such as de-identification or anonymization) to minimize the risk to privacy of using PII for testing. Where such techniques aren't feasible due to the parameters of the testing, the organization will document the justification for not implementing such techniques.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented techniques to minimize the risk to privacy of using PII for testing and verifies that these techniques are being used or that the justifications for not using them are documented.
Compelling Evidence
1.) Site must produce a signed document that documents the implementation techniques used by the site to minimize the risk to privacy when using PII for testing.
2.) Reviewer will verify that the documentation exists.
3.) Reviewer will examine and verify that the techniques are implemented, used and followed.
4.) Reviewer will verify that the document also addresses the justification for not implementing such techniques where they are not feasible due to the parameters of the testing.