CCI-004348
CCI-004348 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if:

- Organizational mission and business processes are defined with consideration for information security.
- Organizational mission and business processes are defined with consideration for privacy.
- Organizational mission and business processes are defined with consideration for the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
Validation Procedures
Examine: [SELECT FROM: Information security program plan; privacy program plan; risk management strategy; procedures for determining mission and business protection needs; information security and privacy risk assessment results relevant to the determination of mission and business protection needs; personally identifiable information processing policy; personally identifiable information inventory; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information security and privacy program planning and plan implementation responsibilities; organizational personnel responsible for enterprise risk management; organizational personnel responsible for determining information protection needs for mission and business processes; organizational personnel with information security and privacy responsibilities].

Test: [SELECT FROM: Organizational processes for defining mission and business processes and their information protection needs].