Perform initial and periodic privacy risk assessment, mitigation and remediation

Performs or oversees initial and periodic information privacy risk assessment/analysis, mitigation and remediation. Periodically assesses the risk to organizational operations, organizational assets, and individuals resulting from the operation of organizational systems and the associated processing, storage, or transmission of information. Conducts the security categorization process as an organization-wide activity with the involvement of Senior Information Security Officers, Information System Owners, Mission/Business Owners, and Information Owners/Stewards. Documents the security categorization results in the security plan for the system and ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. Authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability. Conducts the security categorization process as an organization-wide activity with the involvement of Chief Information Officers, Senior Information Security Officers, Information System Owners, Mission/Business Owners, and Information Owners.

Source:
http://ecfirst.com/myecfirst/wp-content/uploads/NIST_SP800-53_QRC_2015.pdf