SI-12(1)—Limit Personally Identifiable Information Elements
PRIVACY
>Control Description
Limit personally identifiable information being processed in the information life cycle to the following elements of personally identifiable information: ⚙organization-defined elements of personally identifiable information.
>Cross-Framework Mappings
>Supplemental Guidance
Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for operational purposes helps to reduce the level of privacy risk created by a system. The information life cycle includes information creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining which elements of personally identifiable information may create risk.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies and procedures govern limit personally identifiable information elements?
- •Who is responsible for monitoring system and information integrity?
- •How frequently are integrity monitoring processes reviewed and updated?
Technical Implementation:
- •What technical controls detect and respond to limit personally identifiable information elements issues?
- •How are integrity violations identified and reported?
- •What automated tools support system and information integrity monitoring?
Evidence & Documentation:
- •Can you provide recent integrity monitoring reports or alerts?
- •What logs demonstrate that SI-12(1) is actively implemented?
- •Where is evidence of integrity monitoring maintained and for how long?
Ask AI
Configure your API key to use AI features.