IR-8(1)
Requirement
Include the following in the Incident Response Plan for breaches involving personally identifiable information:
- A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;
- An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and
- Identification of applicable privacy requirements.
Discussion
Organizations may be required by law, regulation, or policy to follow specific procedures relating to breaches, including notice to individuals, affected organizations, and oversight bodies; standards of harm; and mitigation or other specific requirements.
NIST 800-53A Assessment Guidance