Skip to main content

PRI-10: Data Quality Management

PRI 5 — Medium Identify

Mechanisms exist to manage the quality, utility, objectivity, integrity and impact determination and de-identification of sensitive/regulated data across the information lifecycle.

Control Question: Does the organization manage the quality, utility, objectivity, integrity and impact determination and de-identification of sensitive/regulated data across the information lifecycle?

General (11)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) P7.0 P7.1 P7.1-POF1 P7.1-POF2
Generally Accepted Privacy Principles (GAPP) 9.2.1
NIST Privacy Framework 1.0 CT.PO-P4 CT.DM-P8
NIST 800-53 R5 (source) PM-22 PM-23 PM-24
NIST 800-53B R5 (privacy) (source) PM-24
NIST 800-53 R5 (NOC) (source) PM-22 PM-23
NIST 800-161 R1 PM-22 PM-23
NIST 800-161 R1 Level 1 PM-22 PM-23
NIST 800-161 R1 Level 2 PM-22
OECD Privacy Principles 2
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) PRI-10
US (4)
Framework Mapping Values
US DHS ZTCF DIN-03
US FIPPS 5
US HIPAA Administrative Simplification 2013 (source) 164.512(i)(1)(i)(B) 164.512(i)(1)(i)(B)(1) 164.512(i)(1)(i)(B)(2) 164.512(i)(1)(i)(B)(3)
US - CA CCPA 2025 7023(c)
EMEA (2)
Framework Mapping Values
EMEA Serbia 87/2018 5.4 11
EMEA South Africa 4
APAC (1)
Framework Mapping Values
APAC China Privacy Law 8
Americas (2)
Framework Mapping Values
Americas Brazil LGPD 6.5
Americas Uruguay 7

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to manage the quality, utility, objectivity, integrity and impact determination and de-identification of sensitive/regulated data across the information lifecycle.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to manage the quality, utility, objectivity, integrity and impact determination and de-identification of sensitive/regulated data across the information lifecycle.

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to manage the quality, utility, objectivity, integrity and impact determination and de-identification of sensitive/regulated data across the information lifecycle.

Level 3 — Well Defined

Privacy (PRI) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • A Chief Privacy Officer (CPO), or similar function with technical competence to address data privacy concerns, analyzes the organization's business strategy to develop and publish authoritative guidance on the organization's data privacy program.
  • A Privacy program, run by a CPO, or similar role, ensures that applicable statutory, regulatory and contractual data privacy obligations are properly identified and implemented to limit and secure Personal Data (PD) that the organization stores, transmits and processes.
  • As part of the organization's data privacy program, the CPO publishes a clear set of “data privacy principles”, based on leading data privacy practices, that systems, applications, services, processes and third-parties must adhere to.
  • A Project Management Office (PMO), or project management function, ensures both cybersecurity and data privacy principles are identified and implemented within ongoing or planned projects.
  • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for cybersecurity-related data privacy practices.
  • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for cybersecurity-related data privacy practices.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to data privacy.
  • A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program.
  • Data/process owners operationalize data privacy controls into the processes they control.
  • Third-party contracts included data protection requirements, including flow-down requirements to subcontractors.
  • Data Protection Officers (DPOs) are assigned to work closely with business units and project teams to ensure data privacy principles are being implemented.
  • CPO and DPO determine and document the legal authority that permits the collection, use, maintenance and sharing of PD, either generally or in support of a specific program or system need.
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to manage the quality, utility, objectivity, integrity and impact determination and de-identification of sensitive/regulated data across the information lifecycle.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to manage the quality, utility, objectivity, integrity and impact determination and de-identification of sensitive/regulated data across the information lifecycle.

Assessment Objectives

  1. PRI-10_A01 the responsibilities of the organization's data governance body are defined.
  2. PRI-10_A02 a data governance body is established.
  3. PRI-10_A03 the organization's data governance body consisting of roles with responsibilities is established.
  4. PRI-10_A04 the data integrity board/function reviews proposals to conduct or participate in a matching program.
  5. PRI-10_A05 the data integrity board/function conducts an annual review of all matching programs in which the agency has participated.
  6. PRI-10_A06 organization-wide policies for Personal Data (PD) quality management are developed and documented.
  7. PRI-10_A07 organization-wide procedures for Personal Data (PD) quality management are developed and documented.
  8. PRI-10_A08 the policies address reviewing the accuracy of Personal Data (PD) across the information life cycle.
  9. PRI-10_A09 the policies address reviewing the relevance of Personal Data (PD) across the information life cycle.
  10. PRI-10_A10 the policies address reviewing the timeliness of Personal Data (PD) across the information life cycle.
  11. PRI-10_A11 the policies address reviewing the completeness of Personal Data (PD) across the information life cycle.
  12. PRI-10_A12 the procedures address reviewing the accuracy of Personal Data (PD) across the information life cycle.
  13. PRI-10_A13 the procedures address reviewing the relevance of Personal Data (PD) across the information life cycle.
  14. PRI-10_A14 the procedures address reviewing the timeliness of Personal Data (PD) across the information life cycle.
  15. PRI-10_A15 the procedures address reviewing the completeness of Personal Data (PD) across the information life cycle.
  16. PRI-10_A16 the policies address correcting or deleting inaccurate or outdated Personal Data (PD).
  17. PRI-10_A17 the procedures address correcting or deleting inaccurate or outdated Personal Data (PD).
  18. PRI-10_A18 the policies address disseminating notice of corrected or deleted Personal Data (PD) to individuals or other appropriate entities.
  19. PRI-10_A19 the procedures address disseminating notice of corrected or deleted Personal Data (PD) to individuals or other appropriate entities.
  20. PRI-10_A20 the policies address appeals of adverse decisions on correction or deletion requests.
  21. PRI-10_A21 the procedures address appeals of adverse decisions on correction or deletion requests.
  22. PRI-10_A22 the roles of the organization's data governance body are defined.

Technology Recommendations

Micro/Small

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Small

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Medium

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Large

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Enterprise

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free