AR-07-727 Privacy-Enhanced System Design and Development

Privacy-Enhanced System Design and Development

Control ID

AR-07-727

Control Name

Privacy-Enhanced System Design and Development

Control Category

Accountability, Audit and Risk Management

Functional Areas

Identify, Protect

Sub-Areas

Privacy and Confidentiality, Secure System Services, Acquisition and Development

NIST Baseline Level(s)

NOT SELECTED

NIST Priority

State Implementation Required

Agency Last Implemented Date

Risk Statement

Laws and regulations are violated as a result of poor integration of privacy controls into system design and development.

Control Description

The organization designs information systems to support privacy by automating privacy controls.

Control Example

Privacy controls are made automated, where possible.

State Implementation

No statewide control

Testing Procedures

Obtain privacy system development and design documentation and ascertain if: (I) the organization employ technologies that automate privacy controls on the collection, use, and disclosure of personally identifiable information (PII) to reduce the likelihood of information system breaches and other privacy-related incidents. (ii) the organizations conducts periodic reviews of systems’ collection, use, and disclosure of PII to assess compliance with the Privacy Act and the organization’s privacy policy. (iii) the organization regularly monitor information system use and sharing of PII to ensure that the use / sharing is consistent with the authorized purposes identified in the Privacy Act and / or in the public notice of organizations, or in a manner compatible with those purposes.