Navigate

SE-2

SE-2: Privacy Incident Response

The organization:

SE-2a.: Develops and implements a Privacy Incident Response Plan; and

SE-2b.: Provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan.

Supplemental

In contrast to the Incident Response (IR) family in Appendix F, which concerns a broader range of incidents affecting information security, this control uses the term Privacy Incident to describe only those incidents that relate to personally identifiable information (PII). The organization Privacy Incident Response Plan is developed under the leadership of the SAOP/CPO. The plan includes: (i) the establishment of a cross-functional Privacy Incident Response Team that reviews, approves, and participates in the execution of the Privacy Incident Response Plan; (ii) a process to determine whether notice to oversight organizations or affected individuals is appropriate and to provide that notice accordingly; (iii) a privacy risk assessment process to determine the extent of harm, embarrassment, inconvenience, or unfairness to affected individuals and, where appropriate, to take steps to mitigate any such risks; (iv) internal procedures to ensure prompt reporting by employees and contractors of any privacy incident to information security officials and the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO), consistent with organizational incident management structures; and (v) internal procedures for reporting noncompliance with organizational privacy policy by employees or contractors to appropriate management or oversight officials. Some organizations may be required by law or policy to provide notice to oversight organizations in the event of a breach. Organizations may also choose to integrate Privacy Incident Response Plans with Security Incident Response Plans, or keep the plans separate.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Privacy (High), Privacy (Low), Privacy (Mod), Privacy (PHI)

Related Controls

The controls below (if any) were marked by NIST as being related to SE-2.

Control	Description
AR-1	The organization: AR-1a.: Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems; AR-1b.: Monitors federal privacy laws and policy for changes that affect the privacy program; AR-1c.: Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program; AR-1d.: Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures; AR-1e.: Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and AR-1f.: Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially].
AR-4	The organization monitors and audits privacy controls and internal privacy policy [Assignment: organization-defined frequency] to ensure effective implementation.
AR-5	The organization: AR-5a.: Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures; AR-5b.: Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and AR-5c.: Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually].
AR-6	The organization develops, disseminates, and updates reports to the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates, and to senior management and other personnel with responsibility for monitoring privacy program progress and compliance.
AU-1	The organization: AU-1a.: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: AU-1a.1.: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and AU-1a.2.: Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and AU-1b.: Reviews and updates the current: AU-1b.1.: Audit and accountability policy [Assignment: organization-defined frequency]; and AU-1b.2.: Audit and accountability procedures [Assignment: organization-defined frequency].
AU-2	The organization: AU-2a.: Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; AU-2b.: Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; AU-2c.: Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and AU-2d.: Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].
AU-3	The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
AU-4	The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].
AU-5	The information system: AU-5a.: Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and AU-5b.: Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
AU-6	The organization: AU-6a.: Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and AU-6b.: Reports findings to [Assignment: organization-defined personnel or roles].
AU-7	The information system provides an audit reduction and report generation capability that: AU-7a.: Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and AU-7b.: Does not alter the original content or time ordering of audit records.
AU-8	The information system: AU-8a.: Uses internal system clocks to generate time stamps for audit records; and AU-8b.: Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].
AU-9	The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
AU-10	The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation].
AU-11	The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
AU-12	The information system: AU-12a.: Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components]; AU-12b.: Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and AU-12c.: Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
AU-13	The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information.
AU-14	The information system provides the capability for authorized users to select a user session to capture/record or view/hear.
IR-1	The organization: IR-1a.: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: IR-1a.1.: An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and IR-1a.2.: Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and IR-1b.: Reviews and updates the current: IR-1b.1.: Incident response policy [Assignment: organization-defined frequency]; and IR-1b.2.: Incident response procedures [Assignment: organization-defined frequency].
IR-2	The organization provides incident response training to information system users consistent with assigned roles and responsibilities: IR-2a.: Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility; IR-2b.: When required by information system changes; and IR-2c.: [Assignment: organization-defined frequency] thereafter.
IR-3	The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.
IR-4	The organization: IR-4a.: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; IR-4b.: Coordinates incident handling activities with contingency planning activities; and IR-4c.: Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.
IR-5	The organization tracks and documents information system security incidents.
IR-6	The organization: IR-6a.: Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and IR-6b.: Reports security incident information to [Assignment: organization-defined authorities].
IR-7	The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
IR-8	The organization: IR-8a.: Develops an incident response plan that: IR-8a.1.: Provides the organization with a roadmap for implementing its incident response capability; IR-8a.2.: Describes the structure and organization of the incident response capability; IR-8a.3.: Provides a high-level approach for how the incident response capability fits into the overall organization; IR-8a.4.: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; IR-8a.5.: Defines reportable incidents; IR-8a.6.: Provides metrics for measuring the incident response capability within the organization; IR-8a.7.: Defines the resources and management support needed to effectively maintain and mature an incident response capability; and IR-8a.8.: Is reviewed and approved by [Assignment: organization-defined personnel or roles]; IR-8b.: Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; IR-8c.: Reviews the incident response plan [Assignment: organization-defined frequency]; IR-8d.: Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; IR-8e.: Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and IR-8f.: Protects the incident response plan from unauthorized disclosure and modification.
RA-1	The organization: RA-1a.: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: RA-1a.1.: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and RA-1a.2.: Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and RA-1b.: Reviews and updates the current: RA-1b.1.: Risk assessment policy [Assignment: organization-defined frequency]; and RA-1b.2.: Risk assessment procedures [Assignment: organization-defined frequency].

Enhancements

The controls below (if any) add on to the requirements of SE-2.

Control	Description
No controls

Related CCIs

The CCIs below are tied to SE-2.

CCI	Definition
CCI-003553	The organization develops a Privacy Incident Response Plan.
CCI-003554	The organization implements a Privacy Incident Response Plan.
CCI-003555	The organization provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan.