CCI-004780
CCI-004780 Definition
| Status | |
| Type | CheckType.technical |
Master Assessment Datasheet
Implementation Guidance
Determine if the privacy principle of minimization is implemented using [SA-08(33)_ODP; processes that implement the privacy principle of minimization are defined].
Validation Procedures
Examine: [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; personally identifiable information processing policy; procedures addressing the minimization of personally identifiable information in system design; system design documentation; system configuration settings and associated documentation; change control records; information security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information security and privacy responsibilities; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers].

Test: [SELECT FROM: Organizational processes for applying the privacy design principle of minimization in system specification, design, development, implementation, and modification; mechanisms supporting the application of the security design principle of sufficient documentation in system specification, design, development, implementation, and modification; mechanisms that enforce security and privacy policy; organizational processes for managing change configuration; mechanisms supporting configuration control].