
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance


AC-22 PUBLICLY ACCESSIBLE CONTENT


Assessment scoring worksheet (cells are left blank for the assessor to complete; "###" and "+##" are the unfilled numeric entries):

| Applicable | (C)onfidentiality | (I)ntegrity | (A)vailability | RPN (C+I+A) | Result |
| (Y)es / (N)o | L1 / M2 / H3 | L1 / M2 / H3 | L1 / M2 / H3 | ### | (S)atisfactory / (O)ther than satisfactory +## |


Assessment objective:

Determine if the organization:

AC-22(a) designates individuals authorized to post information onto a publicly accessible information system;

AC-22(b) trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

AC-22(c) reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included;

AC-22(d)[1] defines the frequency to review the content on the publicly accessible information system for nonpublic information;

AC-22(d)[2] reviews the content on the publicly accessible information system for nonpublic information with the organization-defined frequency; and

AC-22(d)[3] removes nonpublic information from the publicly accessible information system, if discovered.

Potential assessment methods and objects:

Examine: [select from: Access control policy; procedures addressing publicly accessible content; list of users authorized to post publicly accessible content on organizational information systems; training materials and/or records; records of publicly accessible information reviews; records of response to nonpublic information on public websites; system audit logs; security awareness training records; other relevant documents or records].

Interview: [select from: Organizational personnel with responsibilities for managing publicly accessible information posted on organizational information systems; organizational personnel with information security responsibilities].

Test: [select from: Automated mechanisms implementing management of publicly accessible content].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056