GV.MT-P5: Policies, processes, and procedures are established and in place to receive, analyze, and respond to problematic data actions disclosed to the organization from internal and external sources (e.g., internal discovery, privacy researchers, professional events)
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Related Controls
NIST Special Publication 800-53 Revision 5
CM-4: Impact Analyses
Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.
PM-15: Security and Privacy Groups and Associations
Establish and institutionalize contact with selected groups and associations within the security and privacy communities: To facilitate ongoing security and privacy education and training for organizational personnel; To maintain currency with recommended security and privacy practices, techniques, and technologies; and To share current security and privacy information, including threats, vulnerabilities, and incidents.
RA-3: Risk Assessment
Conduct a risk assessment, including: Identifying threats to and vulnerabilities in the system; Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and Determining the likelihood and impact of adverse effects on individuals arising…
RA-8: Privacy Impact Assessments
Conduct privacy impact assessments for systems, programs, or other activities before: Developing or procuring information technology that processes personally identifiable information; and Initiating a new collection of personally identifiable information that: Will be processed using information technology; and Includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical…
NIST Special Publication 800-53 Revision 4
CM-4: Security Impact Analysis
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
PM-15: Contacts With Security Groups And Associations
The organization establishes and institutionalizes contact with selected groups and associations within the security community: To facilitate ongoing security education and training for organizational personnel; To maintain currency with recommended security practices, techniques, and technologies; and To share current security-related information including threats, vulnerabilities, and incidents.
RA-3: Risk Assessment
The organization: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; Reviews risk assessment results [Assignment:…