CCI-005054

Implementation Guidance

Determine if under [SI-23_ODP[01]; circumstances that require information fragmentation are defined], the fragmented information is distributed across [SI-23_ODP[03]; systems or system components across which the fragmented information is to be distributed are defined].

Validation Procedures

Examine: [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; procedures addressing software and information integrity; system design documentation; system configuration settings and associated documentation; procedures to identify information for fragmentation and distribution across systems/system components; list of distributed and fragmented information; list of circumstances requiring information fragmentation; enterprise architecture; system security architecture; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with information security and privacy responsibilities; organizational personnel with systems security engineering responsibilities; system developers; security architects]. Test: [SELECT FROM: Organizational processes to identify information for fragmentation and distribution across systems/system components; automated mechanisms supporting and/or implementing information fragmentation and distribution across systems/system components].