CCI-004427
CCI-004427 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if:

- policies that address the use of personally identifiable information for internal testing are developed and documented.
- policies that address the use of personally identifiable information for internal training are developed and documented.
- policies that address the use of personally identifiable information for internal research are developed and documented.
- procedures that address the use of personally identifiable information for internal testing are developed and documented.
- procedures that address the use of personally identifiable information for internal training are developed and documented.
- procedures that address the use of personally identifiable information for internal research are developed and documented.
- policies that address the use of personally identifiable information for internal testing are implemented.
- policies that address the use of personally identifiable information for training are implemented.
- policies that address the use of personally identifiable information for research are implemented.
- procedures that address the use of personally identifiable information for internal testing are implemented.
- procedures that address the use of personally identifiable information for training are implemented.
- procedures that address the use of personally identifiable information for research are implemented.
Validation Procedures
Examine: [SELECT FROM: Privacy program plan; policies and procedures for the minimization of personally identifiable information used in testing, training, and research; documentation supporting policy implementation (e.g., templates for testing, training, and research; privacy threshold analysis; privacy risk assessment); data sets used for testing, training, and research].

Interview: [SELECT FROM: Organizational personnel with privacy program responsibilities; organizational personnel with privacy responsibilities; system developers; personnel with IRB responsibilities].

Test: [SELECT FROM: Organizational processes for data quality and personally identifiable information management; mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information].