Navigate

CCI-004525

CCI-004525 Definition

Develop and document organization-level; mission/business process-level; and/or system level personally identifiable information processing and transparency policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - the [PT-01_ODP[03]; one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}] personally identifiable information processing and transparency policy addresses purpose. - the [PT-01_ODP[03]; one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}] personally identifiable information processing and transparency policy addresses scope. - the [PT-01_ODP[03]; one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}] personally identifiable information processing and transparency policy addresses roles. - the [PT-01_ODP[03]; one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}] personally identifiable information processing and transparency policy addresses responsibilities. - the [PT-01_ODP[03]; one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}] personally identifiable information processing and transparency policy addresses management commitment. - the [PT-01_ODP[03]; one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}] personally identifiable information processing and transparency policy addresses coordination among organizational entities. - the [PT-01_ODP[03]; one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}] personally identifiable information processing and transparency policy addresses compliance.

Validation Procedures

Examine: [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; privacy plan; privacy program plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with information security and privacy responsibilities].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-004525.

Control	Description
PT-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] personally identifiable information processing and transparency policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls; b: Designate an [an official to manage the personally identifiable information processing and transparency policy and procedures is defined;] to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and c: Review and update the current personally identifiable information processing and transparency: 1: Policy [the frequency at which the current personally identifiable information processing and transparency policy is reviewed and updated is defined;] and following [events that would require the current personally identifiable information processing and transparency policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current personally identifiable information processing and transparency procedures are reviewed and updated is defined;] and following [events that would require the personally identifiable information processing and transparency procedures to be reviewed and updated are defined;].

Control

Description

PT-1

a: Develop, document, and disseminate to [one of ]:
- 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] personally identifiable information processing and transparency policy that:
  - (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  - (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
- 2: Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls;

b: Designate an [an official to manage the personally identifiable information processing and transparency policy and procedures is defined;] to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and

c: Review and update the current personally identifiable information processing and transparency:
- 1: Policy [the frequency at which the current personally identifiable information processing and transparency policy is reviewed and updated is defined;] and following [events that would require the current personally identifiable information processing and transparency policy to be reviewed and updated are defined;] ; and
- 2: Procedures [the frequency at which the current personally identifiable information processing and transparency procedures are reviewed and updated is defined;] and following [events that would require the personally identifiable information processing and transparency procedures to be reviewed and updated are defined;].