GV.MT-P: Monitoring And Review
Description
The policies, processes, and procedures for ongoing review of the organization’s privacy posture are understood and inform the management of privacy risk.
Framework Subcategories
GV.MT-P1: Privacy risk is re-evaluated on an ongoing basis and as key factors, including the organization’s business environment (e.g., introduction of new technologies), governance (e.g., legal obligations, risk tolerance), data processing, and systems/products/services change.
[csf.tools Note: Subcategories do not have detailed descriptions.]
GV.MT-P2: Privacy values, policies, and training are reviewed and any updates are communicated.
GV.MT-P3: Policies, processes, and procedures for assessing compliance with legal requirements and privacy policies are established and in place.
GV.MT-P4: Policies, processes, and procedures for communicating progress on managing privacy risks are established and in place.
GV.MT-P5: Policies, processes, and procedures are established and in place to receive, analyze, and respond to problematic data actions disclosed to the organization from internal and external sources (e.g., internal discovery, privacy researchers, professional events).
GV.MT-P6: Policies, processes, and procedures incorporate lessons learned from problematic data actions.
GV.MT-P7: Policies, processes, and procedures for receiving, tracking, and responding to complaints, concerns, and questions from individuals about organizational privacy practices are established and in place.