Navigate

CCI-004556

CCI-004556 Definition

Defines the mechanisms for ensuring any changes are made in accordance with organization-defined requirements.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - changes in the processing of personally identifiable information are monitored. - [PT-03_ODP[03]; mechanisms to be implemented for ensuring any changes in the processing of personally identifiable information are made in accordance with requirements are defined] are implemented to ensure that any changes are made in accordance with [PT-03_ODP[04]; requirements for changing the processing of personally identifiable information are defined].

Validation Procedures

Examine: [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; configuration management plan; organizational privacy notices; organizational policies; Privacy Act statements; computer matching notices; applicable Federal Register notices; documented requirements for enforcing and monitoring the processing of personally identifiable information; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with information security and privacy responsibilities]. Test: [SELECT FROM: Organizational processes for authorizing the processing of personally identifiable information; mechanisms supporting and/or implementing the management of authorized personally identifiable information processing; organizational processes for monitoring changes in processing personally identifiable information].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-004556.

Control	Description
PT-3	a: Identify and document the [the purpose(s) for processing personally identifiable information is/are defined;] for processing personally identifiable information; b: Describe the purpose(s) in the public privacy notices and policies of the organization; c: Restrict the [the processing of personally identifiable information to be restricted is defined;] of personally identifiable information to only that which is compatible with the identified purpose(s); and d: Monitor changes in processing personally identifiable information and implement [mechanisms to be implemented for ensuring any changes in the processing of personally identifiable information are made in accordance with requirements are defined;] to ensure that any changes are made in accordance with [requirements for changing the processing of personally identifiable information are defined;].

Control

Description

PT-3

a: Identify and document the [the purpose(s) for processing personally identifiable information is/are defined;] for processing personally identifiable information;

b: Describe the purpose(s) in the public privacy notices and policies of the organization;

c: Restrict the [the processing of personally identifiable information to be restricted is defined;] of personally identifiable information to only that which is compatible with the identified purpose(s); and

d: Monitor changes in processing personally identifiable information and implement [mechanisms to be implemented for ensuring any changes in the processing of personally identifiable information are made in accordance with requirements are defined;] to ensure that any changes are made in accordance with [requirements for changing the processing of personally identifiable information are defined;].