NIST System and Information Integrity Risk Controls (si)

Policy and Procedures (si-1)

Develop, document, and disseminate to organization-defined personnel or roles:

A system and information integrity policy at one or more of the following levels (organization-level, mission/business process-level, system-level) that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;

Designate an organization-defined official to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and

Review and update the current system and information integrity:

Policy at an organization-defined frequency and following organization-defined events; and

Procedures at an organization-defined frequency and following organization-defined events.

System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

Information Management and Retention (si-12)

Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8).

Limit Personally Identifiable Information Elements (si-12.1)

Minimize Personally Identifiable Information in Testing, Training, and Research (si-12.2)

Information Disposal (si-12.3)

Personally Identifiable Information Quality Operations (si-18)

Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle at an organization-defined frequency; and

Correct or delete inaccurate or outdated personally identifiable information.

Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information. Personally identifiable information quality operations include editing and validating addresses as they are collected or entered into systems using automated address verification look-up application programming interfaces. Checking personally identifiable information quality includes the tracking of updates or changes to data over time, which enables organizations to know how and what personally identifiable information was changed should erroneous information be identified. The measures taken to protect personally identifiable information quality are based on the nature and context of the personally identifiable information, how it is to be used, how it was obtained, and the potential de-identification methods employed. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals covered under federal programs may be more comprehensive than the measures used to validate personally identifiable information used for less sensitive purposes.

Individual Requests (si-18.4)

De-identification (si-19)

Remove the following elements of personally identifiable information from datasets: organization-defined elements of personally identifiable information; and

Evaluate at an organization-defined frequency for effectiveness of de-identification.

De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary, including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time support the management of this residual risk.
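One way to implement both halves of this control, removal of the defined elements and a repeatable effectiveness check, is sketched below as an added example; it is not part of the NIST control text. The field names, the choice of quasi-identifiers, the generalization rules and the use of a smallest-group size (a k-anonymity style measure) with threshold `k_min` are all assumptions made for illustration.

```python
from collections import Counter

# Assumed organization-defined elements to remove (direct identifiers).
DIRECT_IDENTIFIERS = {"name", "ssn"}
# Assumed attributes that stay in the dataset but are linkable to a person.
QUASI_IDENTIFIERS = ("zip", "birth_year")

# Constructed sample records; none of these values describe a real person.
RECORDS = [
    {"name": "Person A", "ssn": "000-00-0001", "zip": "20001", "birth_year": 1980, "dx": "J10"},
    {"name": "Person B", "ssn": "000-00-0002", "zip": "20002", "birth_year": 1984, "dx": "E11"},
    {"name": "Person C", "ssn": "000-00-0003", "zip": "20005", "birth_year": 1989, "dx": "I10"},
    {"name": "Person D", "ssn": "000-00-0004", "zip": "30301", "birth_year": 1975, "dx": "J10"},
    {"name": "Person E", "ssn": "000-00-0005", "zip": "30309", "birth_year": 1971, "dx": "E11"},
    {"name": "Person F", "ssn": "000-00-0006", "zip": "30312", "birth_year": 1978, "dx": "I10"},
]

def deidentify(records, remove=DIRECT_IDENTIFIERS):
    """Drop the listed PII elements from every record."""
    return [{k: v for k, v in r.items() if k not in remove} for r in records]

def generalize(records):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and decade of birth."""
    return [{**r, "zip": r["zip"][:3] + "**", "birth_year": r["birth_year"] // 10 * 10}
            for r in records]

def smallest_group(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest set of records sharing one quasi-identifier combination."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())

def evaluate(records, k_min=3, quasi=QUASI_IDENTIFIERS):
    """Periodic check: fail if a direct identifier remains or any group is below k_min."""
    leaked = sorted(DIRECT_IDENTIFIERS & set().union(*(r.keys() for r in records)))
    k = smallest_group(records, quasi)
    return {"direct_identifiers_present": leaked, "k": k, "passes": not leaked and k >= k_min}

if __name__ == "__main__":
    stripped = deidentify(RECORDS)
    print("identifiers removed only:", evaluate(stripped))
    print("removed and generalized: ", evaluate(generalize(stripped)))
```

Removing name and SSN alone leaves every record unique on ZIP and birth year, which is the residual re-identification risk the discussion describes; re-running `evaluate` whenever the dataset or the set of linkable attributes changes is what makes the check periodic.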
