
PM-5(1) Inventory Of Personally Identifiable Information

PRIVACY

>Control Description

Establish, maintain, and update, at an organization-defined frequency, an inventory of all systems, applications, and projects that process personally identifiable information.

>Cross-Framework Mappings

>Supplemental Guidance

An inventory of systems, applications, and projects that process personally identifiable information supports the mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein.

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What program-level governance exists for the inventory of personally identifiable information?
  • Who has overall responsibility and accountability for the inventory of personally identifiable information across the organization?
  • How does the organization measure and report on the effectiveness of the inventory of personally identifiable information?
  • What resources are allocated to support activities related to the inventory of personally identifiable information?
  • How does the inventory of personally identifiable information integrate with other organizational programs and initiatives?

Technical Implementation:

  • What enterprise systems or platforms support the inventory of personally identifiable information?
  • How are activities related to the inventory of personally identifiable information tracked and reported organization-wide?
  • What integration exists between the tools for the inventory of personally identifiable information and other security/privacy systems?
  • What automation supports the inventory of personally identifiable information at the program level?
  • What metrics or analytics are used to measure the effectiveness of the inventory of personally identifiable information?

Evidence & Documentation:

  • Provide program-level documentation for the inventory of personally identifiable information.
  • Provide evidence that senior leadership has reviewed and approved the inventory of personally identifiable information.
  • Provide metrics or reports demonstrating the effectiveness of the inventory of personally identifiable information.
  • Provide records of updates and improvements to the inventory of personally identifiable information.
  • Provide documentation of how the inventory of personally identifiable information integrates with organizational governance.
