SC-42(5) Collection Minimization

>Control Description

Employ organization-defined sensors that are configured to minimize the collection of information about individuals that is not needed.

>Cross-Framework Mappings

>Supplemental Guidance

Although policies to control for authorized use can be applied to information once it is collected, minimizing the collection of information that is not needed mitigates privacy risk at the system entry point and mitigates the risk of policy control failures. Sensor configurations include the obscuring of human features, such as blurring or pixelating flesh tones.

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of collection minimization?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-42(5)?

Technical Implementation:

  • How is collection minimization technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that collection minimization remains effective as the system evolves?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-42(5)?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
