AC-22-727 Publicly Accessible Content

AC-22-727
Publicly Accessible Content
Access Control
Identify
Privacy and Confidentiality
LOW, MOD, HIGH
P3
Yes
January 20, 2018

Publicly accessible information resources are categorized as either (1) an Agency-business information resource or (2) a sponsored research project information resource.

The owner of an Agency-business information resource is the division head of an Agency support business unit, such as Marketing & Communications, Network & Information Systems, Administration, or Events Management.

The owner of a sponsored research project information resource is the program manager/division head of a research unit responsible for the administration of a sponsored research project.

The information resource owner designates one employee as the information resource custodian, and one or more employees who may post information on the publicly accessible information resources under the owner's control. The information resource custodian is responsible for ensuring that publicly accessible information does not contain nonpublic information, and for reviewing both existing and proposed content to confirm that nonpublic information is not present.

Inappropriate disclosure of personal information on publicly accessible content violates laws and regulations.

The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
Only select state organization personnel have access to publicly post content.
State organizations shall develop policies governing the procedures to post information on publicly accessible information systems.
Obtain the access control policy; procedures addressing publicly accessible content; the list of users authorized to post publicly accessible content on organizational information systems; training materials and/or records; records of publicly accessible information reviews; records of response to nonpublic information on public Web sites; system audit logs; security awareness training records; and other relevant documents or records, and ascertain whether:
(i) the organization designates individuals authorized to post information onto an organizational information system that is publicly accessible;
(ii) the organization trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
(iii) the organization reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system;
(iv) the organization defines the frequency of reviews of the content on the publicly accessible organizational information system for nonpublic information;
(v) the organization reviews the content on the publicly accessible organizational information system for nonpublic information in accordance with the organization-defined frequency; and
(vi) the organization removes nonpublic information from the publicly accessible organizational information system, if discovered.