SC-7.24: Personally Identifiable Information

processing rules are applied to data elements of personally identifiable information on systems that process personally identifiable information;

each processing exception is documented for systems that process personally identifiable information;

System and communications protection policy

procedures addressing boundary protection

personally identifiable information processing policies

list of key internal boundaries of the system

system design documentation

system configuration settings and associated documentation

enterprise security and privacy architecture documentation

system audit records

system security plan

privacy plan

personally identifiable information inventory documentation

data mapping documentation

other relevant documents or records

System/network administrators

organizational personnel with information security and privacy responsibilities

system developer

organizational personnel with boundary protection responsibilities

Mechanisms implementing boundary protection capabilities