Informative References

Informative references are a cross-reference to a control set that can be used to implement a security outcome described by the framework element.

    FunctionCategorySubcategory
    Control-P
    (CT-P)
    CT.DM-P: Data Processing ManagementCT.DM-P6: Data are transmitted using standardized formats
    CT.DM-P7: Mechanisms for transmitting processing permissions and related data values with data elements are established and in place
    CT.DM-P8: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy and incorporating the principle of data minimization
    CT.DM-P9: Technical measures implemented to manage data processing are tested and assessed
    CT.DM-P10: Stakeholder privacy preferences are included in algorithmic design objectives and outputs are evaluated against these preferences
    CT.DP-P: Disassociated ProcessingCT.DP-P1: Data are processed to limit observability and linkability (e.g., data actions take place on local devices, privacy-preserving cryptography)
    CT.DP-P2: Data are processed to limit the identification of individuals (e.g., de-identification privacy techniques, tokenization)
    CT.DP-P3: Data are processed to limit the formulation of inferences about individuals' behavior or activities (e.g., data processing is decentralized, distributed architectures).
    CT.DP-P4: System or device configurations permit selective collection or disclosure of data elements
    CT.DP-P5: Attribute references are substituted for attribute values
    Communicate-P
    (CM-P)
    CM.PO-P: Communication Policies, Processes, And ProceduresCM.PO-P1: Transparency policies, processes, and procedures for communicating data processing purposes, practices, and associated privacy risks are established and in place
    CM.PO-P2: Roles and responsibilities (e.g., public relations) for communicating data processing purposes, practices, and associated privacy risks are established
    CM.AW-P: Data Processing AwarenessCM.AW-P1: Mechanisms (e.g., notices, internal or public reports) for communicating data processing purposes, practices, associated privacy risks, and options for enabling individuals' data processing preferences and requests are established and in place.
    CM.AW-P2: Mechanisms for obtaining feedback from individuals (e.g., surveys or focus groups) about data processing and associated privacy risks are established and in place
    CM.AW-P3: System/product/service design enables data processing visibility
    CM.AW-P4: Records of data disclosures and sharing are maintained and can be accessed for review or transmission/disclosure
    CM.AW-P5: Data corrections or deletions can be communicated to individuals or organizations (e.g., data sources) in the data processing ecosystem
    CM.AW-P6: Data provenance and lineage are maintained and can be accessed for review or transmission/disclosure
    CM.AW-P7: Impacted individuals and organizations are notified about a privacy breach or event
    CM.AW-P8: Individuals are provided with mitigation mechanisms (e.g., credit monitoring, consent withdrawal, data alteration or deletion) to address impacts of problematic data actions
    Protect-P
    (PR-P)
    PR.PO-P: Data Protection Policies, Processes, And ProceduresPR.PO-P1: A baseline configuration of information technology is created and maintained incorporating security principles (e.g., concept of least functionality)
    PR.PO-P2: Configuration change control processes are established and in place
    PR.PO-P3: Backups of information are conducted, maintained, and tested
    PR.PO-P4: Policy and regulations regarding the physical operating environment for organizational assets are met
    PR.PO-P5: Protection processes are improved
    PR.PO-P6: Effectiveness of protection technologies is shared
    PR.PO-P7: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are established, in place, and managed
    PR.PO-P8: Response and recovery plans are tested
    PR.PO-P9: Privacy procedures are included in human resources practices (e.g., deprovisioning, personnel screening)
    PR.PO-P10: A vulnerability management plan is developed and implemented
    PR.AC-P: Identity Management, Authentication, And Access ControlPR.AC-P1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized individuals, processes, and devices
    PR.AC-P2: Physical access to data and devices is managed
    PR.AC-P3: Remote access is managed
    PR.AC-P4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
    PR.AC-P5: Network integrity is protected (e.g., network segregation, network segmentation)
    PR.AC-P6: Individuals and devices are proofed and bound to credentials, and authenticated commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks).
    PR.DS-P: Data SecurityPR.DS-P1: Data-at-rest are protected
    PR.DS-P2: Data-in-transit are protected
    PR.DS-P3: Systems/products/services and associated data are formally managed throughout removal, transfers, and disposition
    PR.DS-P4: Adequate capacity to ensure availability is maintained
    PR.DS-P5: Protections against data leaks are implemented
    PR.DS-P6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
    PR.DS-P7: The development and testing environment(s) are separate from the production environment
    PR.DS-P8: Integrity checking mechanisms are used to verify hardware integrity
    PR.MA-P: MaintenancePR.MA-P1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
    PR.MA-P2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
    PR.PT-P: Protective TechnologyPR.PT-P1: Removable media is protected and its use restricted according to policy
    PR.PT-P2: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
    PR.PT-P3: Communications and control networks are protected
    PR.PT-P4: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations