CCI-004921

Employ organization-defined sensors that are configured to minimize the collection of information about individuals that is not needed.

Implementation Guidance

Determine if the [SC-42(05)_ODP; the sensors that are configured to minimize the collection of unneeded information about individuals are defined] configured to minimize the collection of information about individuals that is not needed are employed.

Validation Procedures

Examine: [SELECT FROM: System and communications protection policy; access control policy and procedures; personally identifiable information processing policy; sensor capability and data collection policy and procedures; system design documentation; system configuration settings and associated documentation; privacy risk assessment documentation; privacy impact assessments; system architecture; list of information being collected by sensors; list of sensor configurations that minimize the collection of personally identifiable information (e.g., obscure human features); system audit records; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for sensor capabilities]. Test: [SELECT FROM: Mechanisms supporting and/or implementing measures to facilitate the review of information that is being collected by sensors; sensor information collection capabilities for the system].

The controls below (if any) were marked by NIST as being related to CCI-004921.