CCI-004333

Update on an organization-defined frequency, an inventory of all systems, applications, and projects that process personally identifiable information.

Implementation Guidance

Determine if: - an inventory of all systems, applications, and projects that process personally identifiable information is established. - an inventory of all systems, applications, and projects that process personally identifiable information is maintained. - an inventory of all systems, applications, and projects that process personally identifiable information is updated [PM-05(01)_ODP; the frequency at which to update the inventory of systems, applications, and projects that process personally identifiable information is defined].

Validation Procedures

Examine: [SELECT FROM: Procedures addressing system inventory development, maintenance, and updates; OMB FISMA reporting guidance; privacy program plan; information security program plan; personally identifiable information processing policy; system inventory; personally identifiable information inventory; data mapping documentation; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with privacy program planning and plan implementation responsibilities; organizational personnel responsible for developing and maintaining the system inventory; organizational personnel with information security and privacy responsibilities]. Test: [SELECT FROM: Organizational processes for system inventory development, maintenance, and updates; mechanisms supporting the system inventory].

The controls below (if any) were marked by NIST as being related to CCI-004333.