PM-26—Complaint Management
PRIVACY
>Control Description
Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes:
a. Mechanisms that are easy to use and readily accessible by the public;
b. All information necessary for successfully filing complaints;
c. Tracking mechanisms to ensure all complaints received are reviewed and addressed within [Assignment: organization-defined time period];
d. Acknowledgement of receipt of complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]; and
e. Response to complaints, concerns, or questions from individuals within [Assignment: organization-defined time period].
>Cross-Framework Mappings
>Supplemental Guidance
Complaints, concerns, and questions from individuals can serve as valuable sources of input to organizations and ultimately improve operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include a telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints.
Privacy complaints may also include personally identifiable information, which is handled in accordance with relevant policies and processes.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is the process for developing and maintaining agreements with external parties that access organizational PII?
- How does the organization ensure compliance monitoring of external parties?
- Who reviews and approves agreements with external parties handling PII?
- What remedies exist for non-compliance by external parties?
- What governance exists for periodically reviewing and updating external agreements?
Technical Implementation:
- What systems track external party agreements and compliance?
- How is third-party PII access monitored and controlled?
- What audit or verification mechanisms exist for external parties?
- How are external party security controls validated?
Evidence & Documentation:
- Provide agreements with external parties that access organizational PII.
- Provide evidence of compliance monitoring activities for external parties.
- Provide records of external party security assessments or audits.
- Provide documentation of non-compliance remediation or contract enforcement.