Information Security Risk Management, Security Assessment and Authorization / Technology Risk Assessments
NOT SELECTED
NA
No
Laws and regulations are violated as a result of customers' data being modified.
The organization:
a. Documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifiable information (PII); and
b. Conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures.
Privacy impact assessment methodology and programs are defined for the organization.
No statewide control
Obtain data privacy policy and procedures; other relevant documents or records and ascertain if:
(I) the organization has documented and implemented a privacy risk assessment and management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifiable information (PII);
(ii) the organization communicates the risks identified to various stakeholders;
(iii) the organization plans and implements controls to mitigate the risks identified during privacy risk assessment phase;
(iv) the organization conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures.