SA-8(33): Minimization

Control Family:

System and Services Acquisition

Parent Control:

SA-8: Security and Privacy Engineering Principles

CSF v1.1 References:

ID.BE-5
PR.IP-2

PF v1.0 References:

CT.DP-P1
CT.DP-P2
CT.DP-P3
CT.DP-P4
CT.DP-P5

Baselines:

Privacy

Control is new to this version of the control set.

Control Statement

Implement the privacy principle of minimization using [Assignment: organization-defined processes].

Supplemental Guidance

The principle of minimization states that organizations should only process personally identifiable information that is directly relevant and necessary to accomplish an authorized purpose and should only maintain personally identifiable information for as long as is necessary to accomplish the purpose. Organizations have processes in place, consistent with applicable laws and policies, to implement the principle of minimization.

Control Statement

Supplemental Guidance

Related Controls

NIST Special Publication 800-53 Revision 5