Informative References

Informative references are cross-references to control sets that can be used to implement the security outcome described by a framework element. The Core below is organized by Function, Category, and Subcategory.

    Function: Identify-P (ID-P)

    Category: ID.IM-P: Inventory and Mapping
        ID.IM-P1: Systems/products/services that process data are inventoried
        ID.IM-P2: Owners or operators (e.g., the organization or third parties such as service providers, partners, customers, and developers) and their roles with respect to the systems/products/services and components (e.g., internal or external) that process data are inventoried
        ID.IM-P3: Categories of individuals (e.g., customers, employees or prospective employees, consumers) whose data are being processed are inventoried
        ID.IM-P4: Data actions of the systems/products/services are inventoried
        ID.IM-P5: The purposes for the data actions are inventoried
        ID.IM-P6: Data elements within the data actions are inventoried
        ID.IM-P7: The data processing environment is identified (e.g., geographic location, internal, cloud, third parties)
        ID.IM-P8: Data processing is mapped, illustrating the data actions and associated data elements for systems/products/services, including components; roles of the component owners/operators; and interactions of individuals or third parties with the systems/products/services

    Category: ID.BE-P: Business Environment
        ID.BE-P1: The organization's role(s) in the data processing ecosystem are identified and communicated
        ID.BE-P2: Priorities for organizational mission, objectives, and activities are established and communicated
        ID.BE-P3: Systems/products/services that support organizational priorities are identified and key requirements communicated

    Category: ID.RA-P: Risk Assessment
        ID.RA-P1: Contextual factors related to the systems/products/services and the data actions are identified (e.g., individuals' demographics and privacy interests or perceptions, data sensitivity and/or types, visibility of data processing to individuals and third parties)
        ID.RA-P2: Data analytic inputs and outputs are identified and evaluated for bias
        ID.RA-P3: Potential problematic data actions and associated problems are identified
        ID.RA-P4: Problematic data actions, likelihoods, and impacts are used to determine and prioritize risk
        ID.RA-P5: Risk responses are identified, prioritized, and implemented

    Category: ID.DE-P: Data Processing Ecosystem Risk Management
        ID.DE-P1: Data processing ecosystem risk management policies, processes, and procedures are identified, established, assessed, managed, and agreed to by organizational stakeholders
        ID.DE-P2: Data processing ecosystem parties (e.g., service providers, customers, partners, product manufacturers, application developers) are identified, prioritized, and assessed using a privacy risk assessment process
        ID.DE-P3: Contracts with data processing ecosystem parties are used to implement appropriate measures designed to meet the objectives of an organization's privacy program
        ID.DE-P4: Interoperability frameworks or similar multi-party approaches are used to manage data processing ecosystem privacy risks
        ID.DE-P5: Data processing ecosystem parties are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual, interoperability framework, or other obligations

    Function: Govern-P (GV-P)

    Category: GV.PO-P: Governance Policies, Processes, and Procedures
        GV.PO-P1: Organizational privacy values and policies (e.g., conditions on data processing such as data uses or retention periods, individuals' prerogatives with respect to data processing) are established and communicated
        GV.PO-P2: Processes to instill organizational privacy values within system/product/service development and operations are established and in place
        GV.PO-P3: Roles and responsibilities for the workforce are established with respect to privacy
        GV.PO-P4: Privacy roles and responsibilities are coordinated and aligned with third-party stakeholders (e.g., service providers, customers, partners)
        GV.PO-P5: Legal, regulatory, and contractual requirements regarding privacy are understood and managed
        GV.PO-P6: Governance and risk management policies, processes, and procedures address privacy risks

    Category: GV.RM-P: Risk Management Strategy
        GV.RM-P1: Risk management processes are established, managed, and agreed to by organizational stakeholders
        GV.RM-P2: Organizational risk tolerance is determined and clearly expressed
        GV.RM-P3: The organization's determination of risk tolerance is informed by its role(s) in the data processing ecosystem

    Category: GV.AT-P: Awareness and Training
        GV.AT-P1: The workforce is informed and trained on its roles and responsibilities
        GV.AT-P2: Senior executives understand their roles and responsibilities
        GV.AT-P3: Privacy personnel understand their roles and responsibilities
        GV.AT-P4: Third parties (e.g., service providers, customers, partners) understand their roles and responsibilities

    Category: GV.MT-P: Monitoring and Review
        GV.MT-P1: Privacy risk is re-evaluated on an ongoing basis and as key factors change, including the organization's business environment (e.g., introduction of new technologies), governance (e.g., legal obligations, risk tolerance), data processing, and systems/products/services
        GV.MT-P2: Privacy values, policies, and training are reviewed and any updates are communicated
        GV.MT-P3: Policies, processes, and procedures for assessing compliance with legal requirements and privacy policies are established and in place
        GV.MT-P4: Policies, processes, and procedures for communicating progress on managing privacy risks are established and in place
        GV.MT-P5: Policies, processes, and procedures are established and in place to receive, analyze, and respond to problematic data actions disclosed to the organization from internal and external sources (e.g., internal discovery, privacy researchers, professional events)
        GV.MT-P6: Policies, processes, and procedures incorporate lessons learned from problematic data actions
        GV.MT-P7: Policies, processes, and procedures for receiving, tracking, and responding to complaints, concerns, and questions from individuals about organizational privacy practices are established and in place

    Function: Control-P (CT-P)

    Category: CT.PO-P: Data Processing Policies, Processes, and Procedures
        CT.PO-P1: Policies, processes, and procedures for authorizing data processing (e.g., organizational decisions, individual consent), revoking authorizations, and maintaining authorizations are established and in place
        CT.PO-P2: Policies, processes, and procedures for enabling data review, transfer, sharing or disclosure, alteration, and deletion are established and in place (e.g., to maintain data quality, manage data retention)
        CT.PO-P3: Policies, processes, and procedures for enabling individuals' data processing preferences and requests are established and in place
        CT.PO-P4: A data life cycle to manage data is aligned and implemented with the system development life cycle to manage systems

    Category: CT.DM-P: Data Processing Management
        CT.DM-P1: Data elements can be accessed for review
        CT.DM-P2: Data elements can be accessed for transmission or disclosure
        CT.DM-P3: Data elements can be accessed for alteration
        CT.DM-P4: Data elements can be accessed for deletion
        CT.DM-P5: Data are destroyed according to policy