3.1.22 has a weight of – 1 points

System Security Plan (SSP) for Control 3.1.22: Publicly Accessible Systems and CUI

1. Control Title: Control of CUI Posted or Processed on Publicly Accessible Systems.

2. Purpose: This SSP ensures that Controlled Unclassified Information (CUI) is protected from inadvertent exposure and is not posted, processed, or stored on publicly accessible information systems.

3. Policy & Implementation:

3.1. ITU Cyber Security Policy Directive: Per company’s directive and the ITU Cyber Security Policy, we prohibit the posting or processing of CUI on any system accessible to the general public.

3.2. Definition of Public Systems: A publicly accessible system is any platform or medium accessible without restriction to the general public, whether digitally via the internet or physically at a particular location.

3.3. Protective Measures: To prevent inadvertent CUI disclosure:

• We have stringent measures for interfaces like public-facing websites or forms to ensure they neither collect nor display CUI.
• Regular audits ensure our public platforms and their supporting backend systems remain CUI-free.
• An established PR review committee evaluates any necessary public communications containing CUI, subjecting them to thorough checks and approvals.

3.4. Training: Employees receive comprehensive training on the importance and methods of safeguarding CUI, including the risks associated with public systems. Periodic reminders bolster this training.

3.5. Incident Management: In case CUI is unintentionally disclosed on a public platform:

• Procedures are activated for immediate data removal.
• Affected parties are notified.
• A post-incident review identifies and rectifies the cause to prevent recurrence.

3.6. Exception Management: All exceptions to this policy must undergo senior management approval and be documented. Before any such exception, the PR review committee ensures the implementation of adequate protection measures.

Plan of Action & Milestones (POA&M) for Control 3.1.22: Publicly Accessible Systems and CUI

Issue/Weakness Identified: Potential inadvertent exposure of Controlled Unclassified Information (CUI) on publicly accessible information systems.

1. Objective: Strengthen the protection measures for CUI across all publicly accessible platforms and ensure strict compliance to the SSP.

2. Milestones & Actions:

2.1. Review and Strengthen Current Measures:

• Action: Conduct a comprehensive review of existing protective measures for public-facing interfaces.
• Completion Date: [Date 1]

2.2. Audit Public Platforms:

• Action: Carry out an exhaustive audit of all public platforms and their backend systems to identify any unintentional CUI presence.
• Completion Date: [Date 2]

2.3. Revamp Training Program:

• Action: Update training materials, focusing on recent incidents or near-misses and practical scenarios. Schedule periodic training sessions for all employees.
• Completion Date: [Date 3]

2.4. Strengthen Incident Management Protocols:

• Action: Review and refine incident response procedures to ensure swift action, effective communication, and comprehensive post-incident analysis.
• Completion Date: [Date 4]

2.5. Review and Strengthen Exception Management Process:

• Action: Reevaluate the exception approval process to ensure senior management is involved and every exception is documented.
• Completion Date: [Date 5]

2.6. Reinforce Monitoring and Alerts System:

• Action: Upgrade monitoring tools to improve real-time detection of CUI on public platforms and set up automated alerts for immediate action.
• Completion Date: [Date 6]

3. Responsible Parties:

• System Administrators: In charge of implementing security controls, performing regular checks, and ensuring compliance on public-facing systems.

• Training and Development Team: Update training modules, schedule training sessions, and ensure training effectiveness.

• Incident Response Team: Streamline the incident response process and lead post-incident reviews.

• PR Review Committee: Ensure that no CUI is inadvertently disclosed in public communications.

• Senior Management: Oversee and approve exceptions to the policy and ensure necessary resources are allocated to address the identified issues.

4. Resources Required:

• Updated cybersecurity tools and software for monitoring and detection.

• External consultant for a third-party review and recommendations (optional).

• Additional training materials and resources.

5. Review and Progress Tracking:

Regular reviews will be conducted every [specific time frame, e.g., quarter] to track the progress of each milestone. Adjustments to the action steps will be made based on the feedback from these reviews.

Company Policy: Control of CUI on Publicly Accessible Systems

1. Introduction:

This policy outlines the procedures and guidelines established by [Your Company Name] to prevent the inadvertent exposure of Controlled Unclassified Information (CUI) on publicly accessible information systems.

2. Purpose:

To ensure that Controlled Unclassified Information (CUI) is not inadvertently posted, processed, or stored on publicly accessible systems, and to maintain the security and integrity of company data while adhering to federal regulations and guidelines.

3. Scope:

This policy applies to all employees, contractors, consultants, and other workers at [Your Company Name], including all personnel affiliated with third parties.

4. Policy Statement:

4.1. General: Under no circumstances shall CUI be posted, processed, or stored on any publicly accessible systems.

4.2. Definition of Public Systems: For this policy, a publicly accessible system includes any platform or medium accessible without restriction to the general public. This could be digitally, via the internet, or physically at a specific location.

4.3. Protective Measures:

• Any public-facing websites, forms, or other interfaces owned or managed by [Your Company Name] should be designed to neither collect nor display CUI.

• A PR review committee is in place to evaluate any necessary public communications to ensure that no CUI is disclosed inadvertently.

4.4. Training: Comprehensive training will be provided to all employees on the importance of not disclosing CUI on public systems. Periodic refresher training will be scheduled.

4.5. Incident Management: In the event that CUI is accidentally disclosed on a public platform, the company will:

• Promptly remove the exposed data.

• Notify the affected parties.

• Conduct a thorough post-incident review to prevent a recurrence.

4.6. Exception Management: Exceptions to this policy will be rare and must be approved by senior management. Each exception will be documented, and protective measures will be implemented to safeguard CUI.

5. Roles and Responsibilities:

5.1. System Administrators: Responsible for maintaining and updating security controls on public-facing systems and ensuring the non-existence of CUI on such systems.

5.2. Training and Development Team: Ensure all employees are aware of this policy and receive periodic training on it.

5.3. Incident Response Team: Address and manage any incidents where CUI is inadvertently disclosed on public systems.

5.4. PR Review Committee: Evaluate public communications for inadvertent CUI disclosures.

6. Compliance:

Violation of this policy may result in disciplinary action, up to and including termination of employment or contract.

7. Review and Updates:

This policy will be reviewed at least annually or as required by changes in laws, regulations, or company needs.

8. Approvals:

This policy has been approved by:

• CEO: ____________________________ Date: ________