myctrl.tools
Compare

PM-23Data Governance Body

>Control Description

Establish a Data Governance Body consisting of organization-defined roles with organization-defined responsibilities.

>Cross-Framework Mappings

NIST CSF 2.0

via NIST CSF 2.0 Concept Crosswalk
GV.RR-01
Compare
GV.RR-02
Compare
ID.AM-08
Compare

SCF

GOV-10
Compare
PRI-10
Compare
PRI-13
Compare

>Supplemental Guidance

A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines that support data modeling, quality, integrity, and the de-identification needs of personally identifiable information across the information life cycle as well as reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid.

Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the EVIDACT and policies set forth under OMB M-19-23.

>Related Controls

AT-2
AT-3
PM-19
PM-22
PM-24
PT-7
SI-4
SI-19

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the processing of PII in organizational systems and by third parties?
  • How does the organization assess and document the legal authority for PII processing?
  • Who is responsible for overseeing PII processing activities?
  • What process exists for reviewing and approving new PII processing activities?
  • What governance exists for ensuring PII processing aligns with privacy policies and legal requirements?

Technical Implementation:

  • What systems track and document PII processing activities?
  • How are PII processing purposes and legal authorities recorded?
  • What controls enforce PII processing restrictions?
  • How is third-party PII processing monitored and managed?

Evidence & Documentation:

  • Provide documentation of legal authority for PII processing activities.
  • Provide PII processing purpose and use documentation.
  • Provide records of PII processing approvals.
  • Provide evidence of third-party PII processing agreements and oversight.

Ask AI

Configure your API key to use AI features.