myctrl.tools
Compare

PM-25Minimization Of Personally Identifiable Information Used In Testing, Training, And Research

PRIVACY

>Control Description

a

Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;

b

Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;

c

Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and

d

Review and update policies and procedures organization-defined frequency.

>Cross-Framework Mappings

SCF

DCH-18.2
Compare
END-13.3
Compare
PES-06.5
Compare
PRI-05.1
Compare
PRI-05.4
Compare

>Supplemental Guidance

The use of personally identifiable information in testing, research, and training increases the risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and/or legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research.

>Related Controls

PM-23
PT-3
SA-3
SA-8
SI-12

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is the process for minimizing PII used in testing, training, and research?
  • How does the organization de-identify or anonymize PII for non-operational purposes?
  • Who approves the use of PII in testing, training, and research environments?
  • What safeguards are in place to protect PII used in non-production environments?
  • What governance exists for ensuring PII minimization in non-operational activities?

Technical Implementation:

  • What de-identification or anonymization technologies are used?
  • How is real PII prevented from entering test and development environments?
  • What data masking or synthetic data generation capabilities exist?
  • How are non-production environments monitored for PII exposure?

Evidence & Documentation:

  • Provide PII minimization procedures for testing, training, and research.
  • Provide evidence of de-identification or anonymization techniques used.
  • Provide records of approvals for PII use in non-production environments.
  • Provide documentation of PII safeguards in test/training environments.

Ask AI

Configure your API key to use AI features.