CCI-004878

For systems that process personally identifiable information, monitor for permitted processing at the external boundary of the system and at key internal boundaries within the system.

Implementation Guidance

Determine if: - permitted processing is monitored at the external interfaces to the systems that process personally identifiable information. - permitted processing is monitored at key internal boundaries within the systems that process personally identifiable information.

Validation Procedures

Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; personally identifiable information processing policies; list of key internal boundaries of the system; system design documentation; system configuration settings and associated documentation; enterprise security and privacy architecture documentation; system audit records; system security plan; privacy plan; personally identifiable information inventory documentation; data mapping documentation; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; system developer; organizational personnel with boundary protection responsibilities]. Test: [SELECT FROM: Mechanisms implementing boundary protection capabilities].

The controls below (if any) were marked by NIST as being related to CCI-004878.