Navigate

SC-7(24)

SC-7(24): Personally Identifiable Information

For systems that process personally identifiable information:

(a): Apply the following processing rules to data elements of personally identifiable information: [processing rules for systems that process personally identifiable information are defined;];

(b): Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;

(c): Document each processing exception; and

(d): Review and remove exceptions that are no longer supported.

Supplemental

Managing the processing of personally identifiable information is an important aspect of protecting an individual’s privacy. Applying, monitoring for, and documenting exceptions to processing rules ensure that personally identifiable information is processed only in accordance with established privacy requirements.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Privacy (high), Privacy (low), Privacy (moderate)

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SC-7(24).

Control	Description
PT-2	a: Determine and document the [the authority to permit the processing (defined in PT-02_ODP[02]) of personally identifiable information is defined;] that permits the [the type of processing of personally identifiable information is defined;] of personally identifiable information; and b: Restrict the [the type of processing of personally identifiable information to be restricted is defined;] of personally identifiable information to only that which is authorized.
SI-15	Validate information output from the following software programs and/or applications to ensure that the information is consistent with the expected content: [software programs and/or applications whose information output requires validation are defined;].

Control

Description

PT-2

a: Determine and document the [the authority to permit the processing (defined in PT-02_ODP[02]) of personally identifiable information is defined;] that permits the [the type of processing of personally identifiable information is defined;] of personally identifiable information; and

b: Restrict the [the type of processing of personally identifiable information to be restricted is defined;] of personally identifiable information to only that which is authorized.

SI-15

Validate information output from the following software programs and/or applications to ensure that the information is consistent with the expected content: [software programs and/or applications whose information output requires validation are defined;].

Enhancements

The controls below (if any) add on to the requirements of SC-7(24).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SC-7(24).

CCI	Definition
CCI-004876	For systems that process personally identifiable information, apply organization-defined processing rules to data elements of personally identifiable information.
CCI-004877	Defines processing rules to be applied to data elements of personally identifiable information.
CCI-004878	For systems that process personally identifiable information, monitor for permitted processing at the external boundary of the system and at key internal boundaries within the system.
CCI-004879	For systems that process personally identifiable information, document each processing exception.
CCI-004880	For systems that process personally identifiable information, review and remove exceptions that are no longer supported.