CCI-004351
CCI-004351 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if the mission and business processes are reviewed and revised [PM-11_ODP; the frequency at which to review and revise the mission and business processes is defined].
Validation Procedures
Examine: [SELECT FROM: Information security program plan; privacy program plan; risk management strategy; procedures for determining mission and business protection needs; information security and privacy risk assessment results relevant to the determination of mission and business protection needs; personally identifiable information processing policy; personally identifiable information inventory; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information security and privacy program planning and plan implementation responsibilities; organizational personnel responsible for enterprise risk management; organizational personnel responsible for determining information protection needs for mission and business processes; organizational personnel with information security and privacy responsibilities].

Test: [SELECT FROM: Organizational processes for defining mission and business processes and their information protection needs].