AC.L1-B.1.IV
Control Public Information

FCI Data

Security Requirement

Control information posted or processed on publicly accessible information systems.

USU Policy, Procedures, and Standards

University Policy 5200: Information Security and Appropriate Use

Prohibits unauthorized sharing or publishing of restricted data; users must follow privacy and usage standards, including those for public-facing communications.

NIST Cybersecurity Framework v2

  • Protect (PR): PR.PT-04 - Mechanisms (e.g., access control lists, web content filters) are used to prevent unauthorized content publication or access.

Implementation Details

Documentation should include the details needed to meet the Security Requirement for this control. Complete this list for each system, or set of systems, that processes or accesses FCI data:

  • List processes and controls used to ensure that systems which store or transmit FCI do not allow anonymous (unauthenticated) public access.
  • List methods used to prevent accidental or unauthorized disclosure of FCI via websites, file shares, or cloud tools.
  • List procedures for vetting and reviewing information before it is published on public-facing platforms.
  • List separation of duties or approval workflows to reduce the risk of publishing sensitive data in error.

Document How

  • individuals authorized to post or process information on publicly accessible systems are identified
  • procedures to ensure FCI is not posted or processed on publicly accessible systems are identified
  • a review process is in place prior to posting of any content to publicly accessible systems
  • content on publicly accessible systems is reviewed to ensure that it does not include FCI
  • mechanisms are in place to remove and address improper posting of FCI

Example

    "All USU-managed websites use campus CMS with role-based access control for publishing. Only trained and authorized users can publish to the live environment. FCI is never stored or referenced on public websites. Files intended for external sharing must be reviewed and approved through the data steward before posting. Box.usu.edu is configured with default access restrictions, and sharing permissions are logged and auditable."

USU Services that could be leveraged to meet control requirements include*:

Campus CMS (Web Content Management)

What it does:
  • Provides a centralized platform for managing and publishing content to public-facing websites with role-based access control, publishing workflows, and audit trails.
How it helps a researcher:
  • Prevents accidental publication of FCI or restricted data by limiting publishing rights to authorized personnel.
Example:
  • A research group collaborates with the campus web team to publish a project summary. Only designated staff with CMS rights can publish the content, ensuring compliance with privacy standards.

Entra ID (Azure AD) & Active Directory

What it does:
  • Provides centralized identity and access management for users and devices.
How it helps a researcher:
  • Ensures only specific users or groups can access research systems, files, and software using A#-based accounts and security groups.
Example:
  • Access to project files is restricted to members of the USU-FCI-ProjectAlpha group.

Box.com for Institutional Data Storage

What it does:
  • Provides a secure method of data storage and sharing with granular access control.
How it helps a researcher:
  • Prevents anonymous access and ensures only authenticated users can access specific files and folders.
Example:
  • A research team collaborates with another university using a write-only folder for external members. Internal data is accessible only to the six team members.

USU Group Management

What it does:
  • Allows creation and maintenance of security groups to manage access to systems and data.
How it helps a researcher:
  • Enables IT or project managers to automate access control based on group membership for drives, folders, VPN, or tools.
Example:
  • A PI creates a group named USU-FCI-DOE-2024, adds team members, and uses it to control access to a secure file share and email list.

*The list of services may not be complete or applicable for a given configuration. The use of a given service does not necessarily satisfy control requirements, or it may require specific configuration to meet control requirements. Documentation should include how the service is implemented to meet the control requirements.

How might an auditor assess this control?

Method

  • Examine:
    • Review public-facing websites, access control configurations, publishing workflows, and any public file shares for evidence of controlled publishing.
  • Interview:
    • Ask content owners or IT staff how public information is reviewed before publishing and what tools/processes are used to protect FCI.
  • Test:
    • Attempt to access content intended to be private from an external (unauthenticated) device or user account.
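The "Test" step above can be run against your own inventory before an auditor does it. The script below is an added example written for this page; it is not a USU tool and not part of the original text. It assumes you maintain a list of URLs that are supposed to require authentication (the sample inventory and the sample responses are constructed here so the script runs offline). Each URL is requested anonymously, with redirects deliberately not followed, so that a bounce to a login page is recorded as "protected" rather than as a successful fetch of the login form.

```python
"""Unauthenticated-exposure check for content that is supposed to be private.

Added example (not a USU tool). For every URL in an inventory of content that
should require authentication, it performs an anonymous GET (no cookies, no
credentials, redirects not followed) and flags anything served with HTTP 200.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so a login bounce stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urllib raise HTTPError(3xx)


def fetch_status(url: str) -> int:
    """Return the HTTP status of an anonymous GET; never follows redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(
        url, headers={"User-Agent": "fci-exposure-check/1.0"}
    )
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 3xx/4xx/5xx all arrive here with NoRedirect


def classify(status: int) -> str:
    """Map an anonymous-request status to an assessment outcome."""
    if status == 200:
        return "EXPOSED"                     # served without authentication
    if status in (301, 302, 303, 307, 308):
        return "protected (redirect)"        # typically a redirect to login
    if status in (401, 403):
        return "protected"                   # explicit auth challenge / deny
    if status == 404:
        return "not found"                   # stale inventory entry, review it
    return f"other ({status})"


def check_private_urls(
    urls: Iterable[str], fetch: Callable[[str], int] = fetch_status
) -> Dict[str, str]:
    """Classify every URL in the inventory using the supplied fetch function."""
    return {url: classify(fetch(url)) for url in urls}


def exposed(results: Dict[str, str]) -> List[str]:
    """URLs that were served anonymously; these are findings to remediate."""
    return sorted(url for url, outcome in results.items() if outcome == "EXPOSED")


# Constructed sample inventory and responses so the check runs offline.
SAMPLE_INVENTORY = [
    "https://example.invalid/research/project-alpha/data.csv",
    "https://example.invalid/research/project-alpha/notes.pdf",
    "https://example.invalid/share/old-link",
    "https://example.invalid/intranet/",
]
SAMPLE_RESPONSES = {
    "https://example.invalid/research/project-alpha/data.csv": 200,   # misconfigured share
    "https://example.invalid/research/project-alpha/notes.pdf": 302,  # bounced to login
    "https://example.invalid/share/old-link": 404,                    # link already removed
    "https://example.invalid/intranet/": 403,                         # denied anonymously
}


def offline_fetch(url: str) -> int:
    """Stand-in for fetch_status that answers from the constructed table."""
    return SAMPLE_RESPONSES.get(url, 404)


if __name__ == "__main__":
    results = check_private_urls(SAMPLE_INVENTORY, fetch=offline_fetch)
    for url, outcome in results.items():
        print(f"{outcome:22} {url}")
    findings = exposed(results)
    print(f"\n{len(findings)} URL(s) served without authentication")
```

Run it with the real `fetch_status` against your own inventory from a device that is outside the campus network and not signed in; anything reported as EXPOSED is evidence the publishing or sharing control failed for that item, and "not found" entries usually mean the inventory is stale and should be reconciled with the review logs.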

Objects (examples of items you could present to the auditor)

  • Public Website Review Logs: Records of routine reviews or approvals for published content.
  • Content Publishing Procedures: Documentation describing the workflow for making content publicly accessible.
  • User Access Listings: Lists of users who can publish or post content.
  • CMS Permissions Export: Showing roles and access levels within Modern Campus.
  • Security Training Materials: Content author training content highlighting FCI awareness.
  • Access Logs: Logging evidence for changes or access attempts to content repositories.