AR-01-727 Governance and Privacy Program

Governance and Privacy Program

Accountability, Audit and Risk Management
Identify
Enterprise Security Policy, Standards and Guidelines, Privacy and Confidentiality, Security Oversight and Governance
NOT SELECTED
NA
No
Lack of a privacy program may result in the compromise of sensitive information due to loss of integrity or confidentiality.
The organization: a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems; b. Monitors federal privacy laws and policy for changes that affect the privacy program; c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program; d. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures; e. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially].
A privacy officer is assigned and/or designated for the organization.
No statewide control
Obtain the data privacy strategy, organizational structure, policies and procedures; and ascertain whether: (i) the organization has appointed a Senior Agency Official for Privacy (SAOP) / Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program; (ii) the organization has mechanisms to monitor changes in federal privacy laws and policy and updates the organization's privacy program accordingly; (iii) the organization allocates sufficient resources to implement and operate the organization-wide privacy program; (iv) the organization develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures; (v) the organization develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and (vi) the organization updates the privacy plan, policies, and procedures at least biennially.