SE-01-727 Inventory of Personally Identifiable Information
Inventory of Personally Identifiable Information
SE-01-727
Inventory of Personally Identifiable Information
Security
Identify
Privacy and Confidentiality
NOT SELECTED
NA
No
PII have not been clearly identified and inventoried.
The organization:
a. Establishes, maintains, and updates [Assignment: organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII); and
b. Provides each update of the PII inventory to the CIO or information security official [Assignment: organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII.
The results of a data classification and risk assessment allow for the inventory of PII in information systems.
No statewide control
Obtain data privacy policy and procedures; other relevant documents or records and ascertain if:
(I) the organization establishes, maintains, and updates on an organization-defined frequency an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII); and
(ii) the organization provides each update of the PII inventory to the CIO or information security official on an organization-defined frequency to support the establishment of information security requirements for all new or modified information systems containing PII.