Navigate

SE-1

SE-1: Inventory of Personally Identifiable Information

The organization:

SE-1a.: Establishes, maintains, and updates [Assignment: organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII); and

SE-1b.: Provides each update of the PII inventory to the CIO or information security official [Assignment: organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII.

Supplemental

The PII inventory enables organizations to implement effective administrative, technical, and physical security policies and procedures to protect PII consistent with Appendix F, and to mitigate risks of PII exposure. As one method of gathering information for their PII inventories, organizations may extract the following information elements from Privacy Impact Assessments (PIA) for information systems containing PII: (i) the name and acronym for each system identified; (ii) the types of PII contained in that system; (iii) classification of level of sensitivity of all types of PII, as combined in that information system; and (iv) classification of level of potential risk of substantial harm, embarrassment, inconvenience, or unfairness to affected individuals, as well as the financial or reputational risks to organizations, if PII is exposed. Organizations take due care in updating the inventories by identifying linkable data that could create PII.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Privacy (High), Privacy (Low), Privacy (Mod), Privacy (PHI)

Related Controls

The controls below (if any) were marked by NIST as being related to SE-1.

Control	Description
AR-1	The organization: AR-1a.: Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems; AR-1b.: Monitors federal privacy laws and policy for changes that affect the privacy program; AR-1c.: Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program; AR-1d.: Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures; AR-1e.: Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and AR-1f.: Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially].
AR-4	The organization monitors and audits privacy controls and internal privacy policy [Assignment: organization-defined frequency] to ensure effective implementation.
AR-5	The organization: AR-5a.: Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures; AR-5b.: Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and AR-5c.: Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually].
AT-1	The organization: AT-1a.: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: AT-1a.1.: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AT-1a.2.: Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and AT-1b.: Reviews and updates the current: AT-1b.1.: Security awareness and training policy [Assignment: organization-defined frequency]; and AT-1b.2.: Security awareness and training procedures [Assignment: organization-defined frequency].
DM-1	The organization: DM-1a.: Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection; DM-1b.: Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and DM-1c.: Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose.
PM-5	The organization develops and maintains an inventory of its information systems.

Enhancements

The controls below (if any) add on to the requirements of SE-1.

Control	Description
No controls

Related CCIs

The CCIs below are tied to SE-1.

CCI	Definition
CCI-003544	The organization defines the frequency on which it will update the inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII).
CCI-003545	The organization establishes an inventory that contains a listing of all programs identified as collecting, using, maintaining, or sharing personally identifiable information (PII).
CCI-003546	The organization establishes an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII).
CCI-003547	The organization maintains an inventory that contains a listing of all programs identified as collecting, using, maintaining, or sharing personally identifiable information (PII).
CCI-003548	The organization maintains an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII).
CCI-003549	The organization updates, per organization-defined frequency, an inventory that contains a listing of all programs identified as collecting, using, maintaining, or sharing personally identifiable information (PII).
CCI-003550	The organization updates, per organization-defined frequency, an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII).
CCI-003551	The organization defines the frequency for providing each update of the personally identifiable information (PII) inventory to the CIO or information security official.
CCI-003552	The organization provides each update of the personally identifiable information (PII) inventory to the CIO or information security official, per organization-defined frequency, to support the establishment of information security requirements for all new or modified information systems containing PII.