Policy 7230A - Department of Administration
2. Assessment & Security Planning

These Assessment and Planning Mandatory Procedures support the Enterprise Security Policy (ITEC 7230 Rev 1).
Overview of procedures and baselines in this section (columns: Mandatory Procedures, Mandatory Baselines, Non-Mandatory Procedures, Non-Mandatory Baselines; the set counts are given as they appear in the source):

2. Assessment & Security Planning
2.1. Risk and Privacy Assessment
2.1.1. Perform Risk Assessment        (7 sets) (3 sets)
2.1.2. Perform Privacy Assessment     (7 sets) (3 sets)
2.2. Security Planning
2.2.1. Create a Security Plan         (5 sets) (3 sets)
2.3. Maintain Records
2.1. Risk and Privacy Assessment

The following are the Mandatory Procedures that support the Risk and Privacy Assessment section of the Default Security Requirements:

2.1.1. Perform Risk Assessment

No applicable Mandatory Procedures.

2.1.2. Perform Privacy Assessment
Agencies should define specific and enhanced protection requirements for Personally Identifying Information (PII):

2.1.2.1 Identify the Information to Be Collected.

A Privacy Impact Assessment (PIA) is required if the information processed or stored by the system relates to an individual citizen:

• Review the system's functions and determine whether any aspect is citizen related.
• For systems that have a citizen-related function, review the information the system stores or uses and determine whether any of it is personally identifying information (PII).
2.1.2.2 Indicate the Reason for Information Collection.

Define why this particular set of information must be collected and what general purpose it will serve:

• Provide a rationale for collecting the data, so that no data is collected for which a clear and definitive purpose does not exist.