PT-7(1) Social Security Numbers

PRIVACY

Control Description

When a system processes Social Security numbers:

  a. Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier;
  b. Do not deny any individual any right, benefit, or privilege provided by law because of such individual's refusal to disclose his or her Social Security number; and
  c. Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.

Supplemental Guidance

Federal law and policy establish specific requirements for organizations' processing of Social Security numbers. Organizations take steps to eliminate unnecessary uses of Social Security numbers and other sensitive information and observe any particular requirements that apply.

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern Social Security numbers in organizational systems?
  • Who is responsible for implementing and overseeing Social Security number controls?
  • How does the organization ensure that its processing of Social Security numbers complies with privacy laws and regulations?
  • What process exists for documenting and maintaining Social Security numbers?
  • What governance exists for monitoring and enforcing Social Security number requirements?

Technical Implementation:

  • What systems or tools technically implement the Social Security numbers control?
  • How are Social Security number requirements enforced in PII processing systems?
  • What privacy-enhancing technologies support the Social Security numbers control?
  • How is the Social Security numbers control integrated with data governance and privacy tools?
  • What technical controls prevent violations of Social Security number requirements?

Evidence & Documentation:

  • Provide documented policies and procedures for Social Security numbers.
  • Provide evidence of Social Security numbers control implementation in PII systems.
  • Provide documentation demonstrating compliance with Social Security number requirements.
  • Provide records of Social Security numbers control reviews and updates.
  • Provide privacy impact assessments or other documentation addressing Social Security numbers.
