Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Personally identifiable information processing and transparency


Appendix 1.15 Personally identifiable information processing and transparency

PT-1 Policy and procedures

This control recommends the organization develop, document, disseminate, review, and update personally identifiable information processing and transparency policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of personally identifiable information processing and transparency action but also to address how those policies and procedures will be implemented, reviewed, and updated.

PT-2 Authority to process personally identifiable information

This control recommends the organization develop, document, and enact policy on who has access to what personally identifiable information, while ensuring restrictions in the system limit that access to only those authorized to do so. NIST adds that "[o]rganizations consider applicable requirements and organizational policies to determine how to document this authority."

PT-2 (2) Authority to process personally identifiable information: Automation

This control enhancement recommends the system use automated mechanisms to verify that personally identifiable information is processed only by those with the authority to do so, preventing the information in the system from being compromised.

PT-4 Consent

This control recommends the organization—or the system—have tools or mechanisms able to record the consent of individuals who wish to allow their personally identifiable information to be processed, stored, and otherwise managed. PT-4 adds that "organizations consider the appropriate mechanism for obtaining consent, including the type of consent (e.g., opt-in, opt-out), how to properly authenticate and identity proof individuals and how to obtain consent through electronic means."

PT-4 (3) Consent: Revocation

This control enhancement recommends that the organization or system also have tools or mechanisms able to revoke the consent of individuals who no longer wish to allow their personally identifiable information to be processed, stored, and otherwise managed.
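The consent-recording mechanism described under PT-4 and its revocation counterpart under PT-4 (3), shown as an added example (constructed for this page; not code from LIMSWiki, LIMSpec, or NIST). It assumes the individual's identity has already been proofed and authenticated upstream, and that each processing purpose is assigned an opt-in or opt-out consent model:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional
# Constructed consent register illustrating PT-4 and PT-4(3); not code from LIMSWiki
# or NIST. It is append-only: a revocation is stored as a new event rather than
# deleting the earlier grant, so each individual's decision history is preserved.

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str     # identity-proofed individual (authentication assumed upstream)
    purpose: str        # processing activity the decision covers, e.g. "marketing-email"
    granted: bool       # True = consent given, False = consent revoked
    channel: str        # how the decision was captured, e.g. "web-form"
    recorded_at: datetime

@dataclass
class ConsentRegister:
    purpose_models: Dict[str, str]   # purpose -> "opt-in" or "opt-out", as PT-4 names them
    events: List[ConsentEvent] = field(default_factory=list)

    def record_consent(self, subject_id: str, purpose: str, channel: str) -> None:
        self._append(subject_id, purpose, True, channel)

    def revoke_consent(self, subject_id: str, purpose: str, channel: str) -> None:
        # PT-4(3): revocation is appended, never overwriting earlier records.
        self._append(subject_id, purpose, False, channel)

    def _append(self, subject_id, purpose, granted, channel) -> None:
        if self.purpose_models.get(purpose) not in ("opt-in", "opt-out"):
            raise ValueError(f"unknown purpose or consent model: {purpose!r}")
        self.events.append(ConsentEvent(subject_id, purpose, granted, channel,
                                        datetime.now(timezone.utc)))

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        # The most recent decision wins; append order is the authoritative ordering.
        for event in reversed(self.events):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event
        return None

    def processing_permitted(self, subject_id: str, purpose: str) -> bool:
        last = self.latest(subject_id, purpose)
        if last is not None:
            return last.granted
        # No decision recorded: opt-out purposes are permitted until the individual objects; others fail closed.
        return self.purpose_models.get(purpose) == "opt-out"

    def history(self, subject_id: str) -> List[ConsentEvent]:
        # Transparency: every decision recorded about the individual, in order.
        return [e for e in self.events if e.subject_id == subject_id]
```

A processing component checks `processing_permitted` before handling an individual's data, and `history` gives the individual a complete view of what they consented to and when they withdrew it.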
