CCI-004160

Include a process to determine if notice to individuals or other organizations, including oversight organizations, is needed, in the Incident Response Plan for breaches involving Personally Identifiable Information.

Implementation Guidance

Determine if the incident response plan for breaches involving personally identifiable information includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed.

Validation Procedures

Examine: [SELECT FROM: Incident response policy; procedures addressing incident response planning; incident response plan; system security plan; privacy plan; records of incident response plan reviews and approvals; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with incident response planning responsibilities; organizational personnel with information security and privacy responsibilities]. Test: [SELECT FROM: Organizational incident response plan and related organizational processes].

The controls below (if any) were marked by NIST as being related to CCI-004160.