CCI-004161
CCI-004161 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if the incident response plan for breaches involving personally identifiable information includes an assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms.
Validation Procedures
Examine: [SELECT FROM: Incident response policy; procedures addressing incident response planning; incident response plan; system security plan; privacy plan; records of incident response plan reviews and approvals; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with incident response planning responsibilities; organizational personnel with information security and privacy responsibilities].
Test: [SELECT FROM: Organizational incident response plan and related organizational processes].