Establish, implement, and maintain privacy procedures.

Back

CONTROL ID
14665

CONTROL TYPE
Establish/Maintain Documentation

CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):

Establish, implement, and maintain a privacy policy., CC ID: 06281

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

Legal and contractual information security requirements regarding the procedures and processes in the processing of personally identifiable data are determined. (7.1.2 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls; (PT-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (PT-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls; (PT-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (PT-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls; (PT-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (PT-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls; (PT-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (PT-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls; (PT-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (PT-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls; (PT-1a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (PT-1c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls; (PT-1a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (PT-1c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)