Navigate

CCI-004550

CCI-004550 Definition

Defines the purpose(s) of identifying and documenting personally identifiable information.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if the [PT-03_ODP[01]; the purpose(s) for processing personally identifiable information is/are defined] for processing personally identifiable information is/are identified and documented.

Validation Procedures

Examine: [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; configuration management plan; organizational privacy notices; organizational policies; Privacy Act statements; computer matching notices; applicable Federal Register notices; documented requirements for enforcing and monitoring the processing of personally identifiable information; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with information security and privacy responsibilities]. Test: [SELECT FROM: Organizational processes for authorizing the processing of personally identifiable information; mechanisms supporting and/or implementing the management of authorized personally identifiable information processing; organizational processes for monitoring changes in processing personally identifiable information].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-004550.

Control	Description
PT-3	a: Identify and document the [the purpose(s) for processing personally identifiable information is/are defined;] for processing personally identifiable information; b: Describe the purpose(s) in the public privacy notices and policies of the organization; c: Restrict the [the processing of personally identifiable information to be restricted is defined;] of personally identifiable information to only that which is compatible with the identified purpose(s); and d: Monitor changes in processing personally identifiable information and implement [mechanisms to be implemented for ensuring any changes in the processing of personally identifiable information are made in accordance with requirements are defined;] to ensure that any changes are made in accordance with [requirements for changing the processing of personally identifiable information are defined;].

Control

Description

PT-3

a: Identify and document the [the purpose(s) for processing personally identifiable information is/are defined;] for processing personally identifiable information;

b: Describe the purpose(s) in the public privacy notices and policies of the organization;

c: Restrict the [the processing of personally identifiable information to be restricted is defined;] of personally identifiable information to only that which is compatible with the identified purpose(s); and

d: Monitor changes in processing personally identifiable information and implement [mechanisms to be implemented for ensuring any changes in the processing of personally identifiable information are made in accordance with requirements are defined;] to ensure that any changes are made in accordance with [requirements for changing the processing of personally identifiable information are defined;].