AC-22-727 Publicly Accessible Content

Publicly Accessible Content

Control ID

AC-22-727

Control Name

Publicly Accessible Content

Control Category

Access Control

Functional Areas

Identify

Sub-Areas

Privacy and Confidentiality

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

January 20, 2018

Agency Implementation

Publicly accessible information resources are categorized as one of the following: (1) Agency-business information resource, and (2) Sponsored research project information resource.

The owner of an Agency-business information resource is the division head of an Agency support business unit, such as Marketing & Communications, Network & Information Systems, Administration, or Events Management.

The owner of a sponsored research project information resource is the program manager/division head of a research unit responsible for the administration of a sponsored research project.

The information resource owner designates one employee as the information resource custodian, and one or more employees to post information on publicly accessible information resources under their control. The information resource custodian is responsible for ensuring publicly accessible information does not contain nonpublic information, and reviewing existing and proposed content to ensure nonpublic information is not present.

Risk Statement

Laws and regulations are violated due to inappropriate disclosure of personal information.

Control Description

The organization: a. Designates individuals authorized to post information onto a publicly accessible information system; b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.

Control Example

Only select state organization personnel have access to publicly post content.

State Implementation

State organizations shall develop policies governing the procedures to post information on publicly accessible information systems.

Testing Procedures

Obtain access control policy; procedures addressing publicly accessible content; list of users authorized to post publicly accessible content on organizational information systems; training materials and/or records; records of publicly accessible information reviews; records of response to nonpublic information on public Web sites; system audit logs; security awareness training records; other relevant documents or records and ascertain if : (I) the organization designates individuals authorized to post information onto an organizational information system that is publicly accessible; (ii) the organization trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; (iii) the organization reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system; (iv) the organization defines the frequency of reviews of the content on the publicly accessible organizational information system for nonpublic information; (v) the organization reviews the content on the publicly accessible organizational information system for nonpublic information in accordance with the organization-defined frequency; and (vi) the organization removes nonpublic information from the publicly accessible organizational information system, if discovered.