AC-21-727 Information Sharing

AC-21-727
Information Sharing
Access Control
Protect
Security Systems Management
MOD, HIGH
P2
No
January 20, 2018

Information owners who permit sharing of information under their control are responsible for ensuring that all authorized users understand the information owner's sharing policy, and for reviewing levels of access, including sharing with external partners, at least every 6 months.

Processes that do not restrict access to information, information processing systems or applications, and sensitive business processes on a need-to-know basis may result in accidental or deliberate misuse of access privileges.
The organization: a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
User login credentials are provided based on job responsibilities and periodically reviewed for appropriateness.
No statewide control
Obtain documentation relating to access authorizations and information sharing mechanisms and ascertain if (i) information sharing is enabled after ensuring that access authorization matches the information's access restrictions, and (ii) the information sharing mechanisms are enabled to assist personnel in making sharing/collaboration decisions.