Navigate

DI-2

DI-2: DATA INTEGRITY AND DATA INTEGRITY BOARD

The organization: a. Documents processes to ensure the integrity of personally identifiable information (PII) through existing security controls; and b. Establishes a Data Integrity Board when appropriate to oversee organizational Computer Matching Agreements123 and to ensure that those agreements comply with the computer matching provisions of the Privacy Act.

Supplemental

Organizations conducting or participating in Computer Matching Agreements with other organizations regarding applicants for and recipients of financial assistance or payments under federal benefit programs or regarding certain computerized comparisons involving federal personnel or payroll records establish a Data Integrity Board to oversee and coordinate their implementation of such matching agreements. In many organizations, the Data Integrity Board is led by the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO). The Data Integrity Board ensures that controls are in place to maintain both the quality and the integrity of data shared under Computer Matching Agreements.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to DI-2.

Control	Description
AC-1	The organization: a: Develops, documents, and disseminates to [organization-defined personnel or roles]: 1: An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2: Procedures to facilitate the implementation of the access control policy and associated access controls; and b: Reviews and updates the current: 1: Access control policy [organization-defined frequency]; and 2: Access control procedures [organization-defined frequency].
AC-3	The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-4	The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [organization-defined information flow control policies].
AC-6	The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
AC-17	The organization: a: Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b: Authorizes remote access to the information system prior to allowing such connections.
AC-22	The organization: a: Designates individuals authorized to post information onto a publicly accessible information system; b: Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c: Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and d: Reviews the content on the publicly accessible information system for nonpublic information [organization-defined frequency] and removes such information, if discovered.
AU-2	The organization: a: Determines that the information system is capable of auditing the following events: [organization-defined auditable events]; b: Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; c: Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and d: Determines that the following events are to be audited within the information system: [organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].
AU-3	The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
AU-6	The organization: a: Reviews and analyzes information system audit records [organization-defined frequency] for indications of [organization-defined inappropriate or unusual activity]; and b: Reports findings to [organization-defined personnel or roles].
AU-10	The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [organization-defined actions to be covered by non-repudiation].
AU-11	The organization retains audit records for [organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
DI-1	The organization: a. Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that information; b. Collects PII directly from the individual to the greatest extent practicable; c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information.
SC-8	The information system protects the [one or more of confidentiality/integrity] of transmitted information.
SC-28	The information system protects the [one or more of confidentiality/integrity] of [organization-defined information at rest].
UL-2	The organization: a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes; b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used; c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required.

Enhancements

The controls below (if any) add on to the requirements of DI-2.

Control	Description
DI-2(1)	The organization publishes Computer Matching Agreements on its public website.

Related CCIs

The CCIs below are tied to DI-2.

CCI	Definition
CCI-003481	The organization documents processes to ensure the integrity of personally identifiable information (PII) through existing security controls.
CCI-003482	The organization, when appropriate, establishes a Data Integrity Board.
CCI-003483	The organization's Data Integrity Board oversees the organizational Computer Matching Agreements.
CCI-003484	The organization's Data Integrity Board ensures the Computer Matching Agreements comply with the computer matching provisions of the Privacy Act.