myctrl.tools
Compare

PM-11Mission And Business Process Definition

PRIVACY

>Control Description

a

Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and

b

Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and

c

Review and revise the mission and business processes organization-defined frequency.

>Cross-Framework Mappings

NIST CSF 2.0

via NIST CSF 2.0 Concept Crosswalk
DE.AE-04
Compare
GV.OC-01
Compare
GV.OC-04
Compare
GV.OC-05
Compare
ID.RA-04
Compare
RC.RP-04
Compare

SOC 2 TSC

CC3.1
Compare

SCF

PRM-06
Compare

>Supplemental Guidance

Protection needs are technology-independent capabilities that are required to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by organizational stakeholders, the mission and business processes designed to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems.

Inherent to defining protection and personally identifiable information processing needs is an understanding of the adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of the processing of personally identifiable information at any stage of the information life cycle.

Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policies and procedures.

>Related Controls

CP-2
PL-2
PM-7
PM-8
RA-2
RA-3
RA-9
SA-2

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is the process for establishing and maintaining mission and business process definitions?
  • How does the organization identify information systems that support critical mission and business processes?
  • Who is responsible for documenting and updating mission and business process information?
  • How are mission and business process dependencies incorporated into risk assessments?
  • What governance exists for aligning information systems with mission and business process needs?

Technical Implementation:

  • How are mission and business processes documented and maintained?
  • What tools map information systems to mission and business processes?
  • How are process dependencies and system relationships tracked?

Evidence & Documentation:

  • Provide mission and business process definitions.
  • Provide documentation mapping systems to mission/business processes.
  • Provide evidence of process dependency analysis.
  • Provide records of mission/business process updates when organizational changes occur.

Ask AI

Configure your API key to use AI features.