GRCWatch
Sign inStart free trial

AC.L1-3.1.22: Control Public Information

Public-facing systems require strict information governance to prevent unintended disclosure. AC.L1-3.1.22 ensures your organization controls what data is posted or processed on publicly accessible platforms. This foundational control protects your business from accidental exposure of sensitive material.

What this means

This control requires you to establish and enforce policies for managing information that appears on or is processed through publicly accessible information systems. This includes websites, cloud storage with public links, public repositories, and any internet-facing application. The goal is to prevent accidental or unauthorized disclosure of sensitive data where external users can access it.

How to comply

  1. 1.Identify all publicly accessible information systems your organization operates or uses
  2. 2.Document what types of information are permitted on each public system
  3. 3.Establish data classification rules that prohibit sensitive data from public platforms
  4. 4.Implement technical controls (access restrictions, encryption, data masking) to prevent restricted information from being posted
  5. 5.Train employees on what constitutes public vs. confidential information
  6. 6.Conduct regular audits of public systems to identify and remove prohibited content
  7. 7.Create a change management process for vetting content before public posting
  8. 8.Maintain logs of who accesses and modifies public system information

Evidence auditors look for

  • Data classification policy specifying what information can appear on public-facing websites
  • Public information system inventory with designated data types for each platform
  • Content review procedures and approval workflows for public postings
  • Audit reports showing regular scanning of public systems for restricted data
  • Employee training records on public vs. confidential information handling
  • Configuration documentation showing technical controls on public platforms
  • Incident logs demonstrating detection and remediation of unauthorized public disclosures

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates discovery and monitoring of your public-facing systems, flags unapproved content in real-time, and maintains audit trails of all public data changes—eliminating manual reviews and reducing disclosure risk.

See how GRCWatch handles this control automatically

Start free trial

Related controls

AC.L1-3.1.1 (Authorized Access)SI.L1-3.14.1 (Information System Monitoring)CA.L1-3.13.1 (Security Assessment)