SE-01-727 Inventory of Personally Identifiable Information

Inventory of Personally Identifiable Information

Control ID

SE-01-727

Control Name

Inventory of Personally Identifiable Information

Control Category

Security

Functional Areas

Identify

Sub-Areas

Privacy and Confidentiality

NIST Baseline Level(s)

NOT SELECTED

NIST Priority

State Implementation Required

Agency Last Implemented Date

Risk Statement

PII have not been clearly identified and inventoried.

Control Description

The organization: a. Establishes, maintains, and updates [Assignment: organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII); and b. Provides each update of the PII inventory to the CIO or information security official [Assignment: organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII.

Control Example

The results of a data classification and risk assessment allow for the inventory of PII in information systems.

State Implementation

No statewide control

Testing Procedures

Obtain data privacy policy and procedures; other relevant documents or records and ascertain if: (I) the organization establishes, maintains, and updates on an organization-defined frequency an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII); and (ii) the organization provides each update of the PII inventory to the CIO or information security official on an organization-defined frequency to support the establishment of information security requirements for all new or modified information systems containing PII.