Navigate

CCI-004645

CCI-004645 Definition

Conduct privacy impact assessments for systems, programs, or other activities before developing or procuring information technology that processes personally identifiable information.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if privacy impact assessments are conducted for systems, programs, or other activities before developing or procuring information technology that processes personally identifiable information.

Validation Procedures

Examine: [SELECT FROM: Risk assessment policy; security and privacy risk assessment reports; acquisitions documents; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with assessment and auditing responsibilities; system/network administrators; system developers; program managers; legal counsel; organizational personnel with security and privacy responsibilities]. Test: [SELECT FROM: Organizational processes for assessments and audits; mechanisms/tools supporting and/or implementing assessments and auditing].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-004645.

Control	Description
RA-8	Conduct privacy impact assessments for systems, programs, or other activities before: a: Developing or procuring information technology that processes personally identifiable information; and b: Initiating a new collection of personally identifiable information that: 1: Will be processed using information technology; and 2: Includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.

Control

Description

RA-8

Conduct privacy impact assessments for systems, programs, or other activities before:

a: Developing or procuring information technology that processes personally identifiable information; and

b: Initiating a new collection of personally identifiable information that:
- 1: Will be processed using information technology; and
- 2: Includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.