SC-7(24): Personally Identifiable Information

Control Family:

System and Communications Protection

Parent Control:

SC-7: Boundary Protection

CSF v1.1 References:

PF v1.0 References:

CT.DM-P7

Threats Addressed:

Information Disclosure

Baselines:

Privacy

Control is new to this version of the control set.

Control Statement

For systems that process personally identifiable information:

Apply the following processing rules to data elements of personally identifiable information: [Assignment: organization-defined processing rules];
Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;
Document each processing exception; and
Review and remove exceptions that are no longer supported.

Supplemental Guidance

Managing the processing of personally identifiable information is an important aspect of protecting an individual's privacy. Applying, monitoring for, and documenting exceptions to processing rules ensure that personally identifiable information is processed only in accordance with established privacy requirements.

Control Statement

Supplemental Guidance

Related Controls

NIST Special Publication 800-53 Revision 5