Skip to main content

PRI-05.1: Internal Use of Personal Data (PD) For Testing, Training and Research

PRI 8 — High Identify

Mechanisms exist to address the use of Personal Data (PD) for internal testing, training and research that: (1) Takes measures to limit or minimize the amount of PD used for internal testing, training and research purposes; and (2) Authorizes the use of PD when such information is required for internal testing, training and research.

Control Question: Does the organization address the use of Personal Data (PD) for internal testing, training and research that: (1) Takes measures to limit or minimize the amount of PD used for internal testing, training and research purposes; and (2) Authorizes the use of PD when such information is required for internal testing, training and research?

General (15)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC6.1-POF13 P4.1
CSA CCM 4 DSP-12 DSP-15
Generally Accepted Privacy Principles (GAPP) 7.2.2 9.2.1 9.2.2
ISO 27002 2022 5.33
ISO 27017 2015 18.1.4
NIST Privacy Framework 1.0 CT.PO-P1 CT.PO-P2
NIST 800-53 R4 DM-1 DM-3 DM-3(1)
NIST 800-53 R5 (source) PM-25 PT-2 PT-3 SI-12(1) SI-12(2)
NIST 800-53B R5 (privacy) (source) PM-25 PT-2 SI-12(1) SI-12(2)
NIST 800-161 R1 PM-25
NIST 800-161 R1 Level 2 PM-25
PCI DSS 4.0.1 (source) 6.5.5
PCI DSS 4.0.1 SAQ D Merchant (source) 6.5.5
PCI DSS 4.0.1 SAQ D Service Provider (source) 6.5.5
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) PRI-05.1
US (12)
Framework Mapping Values
US CERT RMM 1.2 COMP:SG2.SP1 COMP:SG3.SP1 KIM:SG2.SP1 KIM:SG2.SP2
US CJIS Security Policy 5.9.3 (source) 4.2.2 4.2.3.1 4.2.3.2 4.3
US CMS MARS-E 2.0 DM-1 DM-3 DM-3(1)
US COPPA 6502
US FERPA (source) 1232g
US HIPAA Administrative Simplification 2013 (source) 164.508(a)(2)(i)(B)
US IRS 1075 1.2 1.4 PT-2 SI-12(2)
US SSA EIESR 8.0 5.8
US - CO Colorado Privacy Act 6-1-1308(4)
US - NV SB220 2.3
US - OR CPA 7(1)(c)
US - TN TIPA 47-18-3204(a)(2) 47-18-3207(a)(1) 47-18-3207(a)(2) 47-18-3207(a)(3) 47-18-3207(b)(1) 47-18-3207(b)(2) 47-18-3207(b)(3) 47-18-3207(b)(3)(A) 47-18-3207(b)(3)(B) 47-18-3207(b)(3)(C)
EMEA (15)
Framework Mapping Values
EMEA Austria Sec 12
EMEA Belgium 4-7 21
EMEA Hungary 9
EMEA Israel 8
EMEA Italy 13 20
EMEA Kenya DPA 2019 25(a) 25(b) 25(c) 28(2)(a) 28(2)(b) 28(2)(c) 28(2)(d) 28(2)(e) 28(2)(f) 28(2)(f)(i) 28(2)(f)(ii) 28(2)(f)(iii) 28(3) 30(1)(a) 30(1)(b)(i) 30(1)(b)(ii) 30(1)(b)(iii) 30(1)(b)(iv) 30(1)(b)(v) 30(1)(b)(vi) 30(1)(b)(vii) 30(1)(b)(viii) 30(2) 30(3) 33(1)(a) 33(1)(b) 33(2) 33(3)(a) 33(3)(b) 33(3)(c) 33(3)(d) 33(3)(e) 33(4) 34(1)(a) 34(1)(b) 34(1)(c) 34(1)(d) 34(2)(a) 34(2)(b) 34(3) 36 37(1)(a) 37(1)(b) 37(2) 53(1) 53(2) 53(3)(a) 53(3)(b) 53(4)
EMEA Netherlands 11
EMEA Nigeria DPR 2019 2.1(1)(b) 3.1(12)
EMEA Norway 11 27
EMEA Poland 26
EMEA Qatar PDPPL 8.2 9.4
EMEA Serbia 87/2018 5.1 5.3 7 7.1 7.2 20
EMEA South Africa 10
EMEA Spain 1720/2007 8
EMEA UK DPA Chapter29-Schedule1-Part1-Principle 3
APAC (8)
Framework Mapping Values
APAC Australia Privacy Act APP Part 3
APAC Australian Privacy Principles APP 6
APAC China Privacy Law 13 13(1) 13(2) 13(3) 13(4) 13(5) 13(6) 13(7) 28 47
APAC Japan APPI 16-2
APAC Japan ISMAP 18.1.4
APAC New Zealand Privacy Act of 2020 Principle 10 P10-(1) P10-(1)(a) P10-(1)(b)(i) P10-(1)(b)(ii) P10-(1)(c) P10-(1)(d) P10-(1)(e)(i) P10-(1)(e)(ii) P10-(1)(e)(iii) P10-(1)(e)(iv) P10-(1)(f)(i) P10-(1)(f)(ii) P10-(2)
APAC Philippines 19
APAC South Korea 3
Americas (5)
Framework Mapping Values
Americas Argentina PPL 4
Americas Argentina Reg 132-2018 7.3 9.2
Americas Bahamas 6
Americas Colombia 4
Americas Uruguay 5 6 20 21 22

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to address the use of Personal Data (PD) for internal testing, training and research that: (1) Takes measures to limit or minimize the amount of PD used for internal testing, training and research purposes; and (2) Authorizes the use of PD when such information is required for internal testing, training and research.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to address the use of Personal Data (PD) for internal testing, training and research that: (1) Takes measures to limit or minimize the amount of PD used for internal testing, training and research purposes; and (2) Authorizes the use of PD when such information is required for internal testing, training and research.

Level 2 — Planned & Tracked

Privacy (PRI) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Privacy management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • The data privacy program is developed to work with IT and cybersecurity staff to ensure that applicable statutory, regulatory and contractual data privacy obligations for Personal Data (PD) are properly identified and implemented across the enterprise.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for data privacy management.
  • A qualified individual is formally assigned as the Chief Privacy Officer (CPO), or similar role, to lead the organization's data privacy program. This individual may be assigned to multiple duties, including that as a Data Protection Officer (DPO).
  • The CPO, or similar role, identifies “data privacy principles” that systems, applications, services, processes and third-parties must adhere to, based on leading data privacy practices.
  • Administrative processes and technologies collect, store, processes, transmit share or use PD only for the purposes identified in the data privacy notice.
Level 3 — Well Defined

Privacy (PRI) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • A Chief Privacy Officer (CPO), or similar function with technical competence to address data privacy concerns, analyzes the organization's business strategy to develop and publish authoritative guidance on the organization's data privacy program.
  • A Privacy program, run by a CPO, or similar role, ensures that applicable statutory, regulatory and contractual data privacy obligations are properly identified and implemented to limit and secure Personal Data (PD) that the organization stores, transmits and processes.
  • As part of the organization's data privacy program, the CPO publishes a clear set of “data privacy principles”, based on leading data privacy practices, that systems, applications, services, processes and third-parties must adhere to.
  • A Project Management Office (PMO), or project management function, ensures both cybersecurity and data privacy principles are identified and implemented within ongoing or planned projects.
  • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for cybersecurity-related data privacy practices.
  • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for cybersecurity-related data privacy practices.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to data privacy.
  • A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program.
  • Data/process owners operationalize data privacy controls into the processes they control.
  • Third-party contracts included data protection requirements, including flow-down requirements to subcontractors.
  • Data Protection Officers (DPOs) are assigned to work closely with business units and project teams to ensure data privacy principles are being implemented.
  • CPO and DPO determine and document the legal authority that permits the collection, use, maintenance and sharing of PD, either generally or in support of a specific program or system need.
Level 4 — Quantitatively Controlled

Privacy (PRI) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to address the use of Personal Data (PD) for internal testing, training and research that: (1) Takes measures to limit or minimize the amount of PD used for internal testing, training and research purposes; and (2) Authorizes the use of PD when such information is required for internal testing, training and research.

Assessment Objectives

  1. PRI-05.1_A01 elements of Personal Data (PD) being processed in the information life cycle are defined.
  2. PRI-05.1_A02 techniques used to minimize the use of Personal Data (PD) for research, testing and training are defined.
  3. PRI-05.1_A03 organization-defined techniques are used to minimize the use of Personal Data (PD) for research, testing and training.
  4. PRI-05.1_A04 Personal Data (PD) being processed in the information life cycle is limited to organization-defined elements of Personal Data (PD).
  5. PRI-05.1_A05 the frequency for reviewing policies that address the use of Personal Data (PD) for internal testing, training and research is defined.
  6. PRI-05.1_A06 the frequency for updating policies that address the use of Personal Data (PD) for internal testing, training and research is defined.
  7. PRI-05.1_A07 the frequency for reviewing procedures that address the use of Personal Data (PD) for internal testing, training and research is defined.
  8. PRI-05.1_A08 the frequency for updating procedures that address the use of Personal Data (PD) for internal testing, training and research is defined.
  9. PRI-05.1_A09 policies that address the use of Personal Data (PD) for internal research, testing and training are developed and documented.
  10. PRI-05.1_A10 procedures that address the use of Personal Data (PD) for internal research, testing and training are developed and documented.
  11. PRI-05.1_A11 policies that address the use of Personal Data (PD) for internal research, testing and training are implemented.
  12. PRI-05.1_A12 procedures that address the use of Personal Data (PD) for internal research, testing and training are implemented.
  13. PRI-05.1_A13 the amount of Personal Data (PD) used for internal research, testing and training purposes is limited or minimized.
  14. PRI-05.1_A14 the required use of Personal Data (PD) for internal research, testing and training is authorized.
  15. PRI-05.1_A15 policies are reviewed frequently.
  16. PRI-05.1_A16 policies are updated frequently.
  17. PRI-05.1_A17 procedures are reviewed frequently.
  18. PRI-05.1_A18 procedures are updated frequently.
  19. PRI-05.1_A19 the authority to permit the processing of Personal Data (PD) is defined.
  20. PRI-05.1_A20 the type of processing of Personal Data (PD) is defined.
  21. PRI-05.1_A21 the type of processing of Personal Data (PD) to be restricted is defined.
  22. PRI-05.1_A22 the authority that permits the processing of Personal Data (PD) is determined and documented.
  23. PRI-05.1_A23 the processing of Personal Data (PD) is restricted to only that which is authorized.
  24. PRI-05.1_A24 the purpose(s) for processing Personal Data (PD) is/are defined.
  25. PRI-05.1_A25 the processing of Personal Data (PD) to be restricted is defined.
  26. PRI-05.1_A26 mechanisms to be implemented for ensuring any changes in the processing of Personal Data (PD) are made in accordance with requirements are defined.
  27. PRI-05.1_A27 requirements for changing the processing of Personal Data (PD) are defined.
  28. PRI-05.1_A28 the purpose(s) for processing Personal Data (PD) is/are identified and documented.
  29. PRI-05.1_A29 the purpose(s) is/are described in the public privacy notices of the organization.
  30. PRI-05.1_A30 the purpose(s) is/are described in the policies of the organization.
  31. PRI-05.1_A31 the processing of Personal Data (PD) is restricted to only that which is compatible with the identified purpose(s).
  32. PRI-05.1_A32 changes in the processing of Personal Data (PD) are monitored.
  33. PRI-05.1_A33 mechanisms are implemented to ensure that any changes are made in accordance with requirements.

Evidence Requirements

E-PRI-02 Authorized Use

Documented evidence of authorized use definitions for privacy-related data operations.

Privacy

Technology Recommendations

Micro/Small

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Small

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Medium

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Large

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Enterprise

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free