CCI-005050

Implementation Guidance

Determine if under [SI-23_ODP[01]; circumstances that require information fragmentation are defined], [SI-23_ODP[02]; the information to be fragmented is defined] is fragmented.

Validation Procedures

Examine: [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; procedures addressing software and information integrity; system design documentation; system configuration settings and associated documentation; procedures to identify information for fragmentation and distribution across systems/system components; list of distributed and fragmented information; list of circumstances requiring information fragmentation; enterprise architecture; system security architecture; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with information security and privacy responsibilities; organizational personnel with systems security engineering responsibilities; system developers; security architects]. Test: [SELECT FROM: Organizational processes to identify information for fragmentation and distribution across systems/system components; automated mechanisms supporting and/or implementing information fragmentation and distribution across systems/system components].