CCI-004879

For systems that process personally identifiable information, document each processing exception.

Implementation Guidance

Determine if each processing exception is documented for systems that process personally identifiable information.

Validation Procedures

Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; personally identifiable information processing policies; list of key internal boundaries of the system; system design documentation; system configuration settings and associated documentation; enterprise security and privacy architecture documentation; system audit records; system security plan; privacy plan; personally identifiable information inventory documentation; data mapping documentation; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; system developer; organizational personnel with boundary protection responsibilities]. Test: [SELECT FROM: Mechanisms implementing boundary protection capabilities].

The controls below (if any) were marked by NIST as being related to CCI-004879.