PRI-01.6: Security of Personal Data (PD)
Mechanisms exist to ensure Personal Data (PD) is protected by logical and physical security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD.
Control Question: Does the organization ensure Personal Data (PD) is protected by logical and physical security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD?
General (11)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC6.1-POF13 P4.2-POF2 |
| APEC Privacy Framework 2015 | 7 |
| ISO 27002 2022 | 5.34 |
| ISO 29100 2024 | 6.11 |
| NIST AI 600-1 | MP-4.1-001 |
| OECD Privacy Principles | 5 |
| PCI DSS 4.0.1 (source) | 12.9.1 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 12.9.1 |
| TISAX ISA 6 | 7.1.2 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | PRI-01.6 |
| SCF CORE AI Model Deployment | PRI-01.6 |
US (12)
| Framework | Mapping Values |
|---|---|
| US Data Privacy Framework (DPF) | II.4.a |
| US FIPPS | 8 |
| US HHS 45 CFR 155.260 | 155.260(a)(3)(vii) |
| US - CA CCPA 2025 | 7023(d)(4) 7024(f) |
| US - CO Colorado Privacy Act | 6-1-1305(2)(a) 6-1-1305(4) 6-1-1308(5) |
| US - IL BIPA | 15(e)(1) 15(e)(2) |
| US - IL PIPA | 45(a) 45(b) 45(c) 45(d) |
| US - NV NOGE Reg 5 | 5.260.1 |
| US - NY SHIELD Act S5575B | 4(2)(a) 4(2)(b)(i) 4(2)(b)(ii) 4(2)(b)(ii)(A) 4(2)(b)(ii)(A)(1) 4(2)(b)(ii)(A)(2) 4(2)(b)(ii)(A)(3) 4(2)(b)(ii)(A)(4) 4(2)(b)(ii)(A)(5) 4(2)(b)(ii)(A)(6) 4(2)(b)(ii)(B)(1) 4(2)(b)(ii)(B)(2) 4(2)(b)(ii)(B)(3) 4(2)(b)(ii)(B)(4) 4(2)(b)(ii)(C)(1) 4(2)(b)(ii)(C)(2) 4(2)(b)(ii)(C)(3) 4(2)(b)(ii)(C)(4) 4(2)(c) |
| US - OR CPA | 5(1)(c) 6(1)(b) |
| US - TN TIPA | 47-18-3204(a)(3) |
| US - VA CDPA 2025 | 59.1-578.A.3 59.1-579.A.1 59.1-579.B.1 |
EMEA (7)
| Framework | Mapping Values |
|---|---|
| EMEA EU AI Act | 10.5(b) 10.5(c) |
| EMEA EU GDPR (source) | 24.1 25.1 25.2 32.1 32.1(a) 32.1(b) 5.1(f) |
| EMEA Kenya DPA 2019 | 29(f) 41(1) 41(1)(a) 41(1)(b) 41(2) 41(3)(a) 41(3)(b) 41(3)(c) 41(3)(d) 41(3)(e) 41(4)(a) 41(4)(b) 41(4)(c) 41(4)(d) 41(4)(e) 41(4)(f) 42(1)(a) 42(1)(b) 42(1)(c) 42(1)(d) 42(2)(a) 42(2)(b) 42(3) 42(4) |
| EMEA Nigeria DPR 2019 | 2.1(1)(d) 2.6 |
| EMEA Qatar PDPPL | 8.3 13 |
| EMEA Saudi Arabia PDPL | 19 |
| EMEA Serbia 87/2018 | 5.6 41 42 42.1 42.2 50 50.1 50.2 50.3 50.4 51 51.1 51.2 51.3 51.4 51.5 51.6 51.7 51.8 51.9 51.10 |
APAC (6)
| Framework | Mapping Values |
|---|---|
| APAC China Cybersecurity Law | 42 |
| APAC China Privacy Law | 9 25 28 59 |
| APAC India DPDPA 2023 | 8(4) 8(5) |
| APAC Japan APPI | 20 21 |
| APAC New Zealand Privacy Act of 2020 | Principle 5 P5-(a) P5-(a)(i) P5-(a)(ii) P5-(a)(iii) P5-(b) |
| APAC Singapore MAS TRM 2021 | 14.1.1 14.1.2 14.1.3 14.1.4 14.1.5 14.1.6 14.1.7 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to ensure Personal Data (PD) is protected by security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to ensure Personal Data (PD) is protected by security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to ensure Personal Data (PD) is protected by security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD.
Level 3 — Well Defined
Privacy (PRI) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- A Chief Privacy Officer (CPO), or similar function with technical competence to address data privacy concerns, analyzes the organization's business strategy to develop and publish authoritative guidance on the organization's data privacy program.
- A Privacy program, run by a CPO, or similar role, ensures that applicable statutory, regulatory and contractual data privacy obligations are properly identified and implemented to limit and secure Personal Data (PD) that the organization stores, transmits and processes.
- As part of the organization's data privacy program, the CPO publishes a clear set of “data privacy principles”, based on leading data privacy practices, that systems, applications, services, processes and third-parties must adhere to.
- A Project Management Office (PMO), or project management function, ensures both cybersecurity and data privacy principles are identified and implemented within ongoing or planned projects.
- The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for cybersecurity-related data privacy practices.
- The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for cybersecurity-related data privacy practices.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to data privacy.
- A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program.
- Data/process owners operationalize data privacy controls into the processes they control.
- Third-party contracts included data protection requirements, including flow-down requirements to subcontractors.
- Data Protection Officers (DPOs) are assigned to work closely with business units and project teams to ensure data privacy principles are being implemented.
- CPO and DPO determine and document the legal authority that permits the collection, use, maintenance and sharing of PD, either generally or in support of a specific program or system need.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure Personal Data (PD) is protected by security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure Personal Data (PD) is protected by security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD.
Assessment Objectives
- PRI-01.6_A01 Personal Data (PD) is protected by security safeguards that are sufficient and appropriately scoped to protect the confidentiality and integrity of the PD.
Technology Recommendations
Micro/Small
- Data classification program
- Data privacy program
- Data Protection Impact Assessment (DPIA)
- Product / project management
Small
- Data classification program
- Data privacy program
- Data Protection Impact Assessment (DPIA)
- Product / project management
Medium
- Data classification program
- Data privacy program
- Data Protection Impact Assessment (DPIA)
- Product / project management
Large
- Data classification program
- Data privacy program
- Data Protection Impact Assessment (DPIA)
- Product / project management
Enterprise
- Data classification program
- Data privacy program
- Data Protection Impact Assessment (DPIA)
- Product / project management