SC-7(24)—Personally Identifiable Information
PRIVACY
>Control Description
For systems that process personally identifiable information:
a. Apply the following processing rules to data elements of personally identifiable information: ⚙organization-defined processing rules;
b. Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;
c. Document each processing exception; and
d. Review and remove exceptions that are no longer supported.
>Cross-Framework Mappings
>Supplemental Guidance
Managing the processing of personally identifiable information is an important aspect of protecting an individual's privacy. Applying, monitoring for, and documenting exceptions to processing rules ensure that personally identifiable information is processed only in accordance with established privacy requirements.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern the implementation of personally identifiable information?
- •How are system and communications protection requirements defined and maintained?
- •Who is responsible for configuring and maintaining the security controls specified in SC-7(24)?
Technical Implementation:
- •How is personally identifiable information technically implemented in your environment?
- •What systems, tools, or configurations enforce this protection requirement?
- •How do you ensure that personally identifiable information remains effective as the system evolves?
Evidence & Documentation:
- •What documentation demonstrates the implementation of SC-7(24)?
- •Can you provide configuration evidence or system diagrams showing this protection control?
- •What logs or monitoring data verify that this control is functioning correctly?
Ask AI
Configure your API key to use AI features.