myctrl.tools

PM-20 Dissemination of Privacy Program Information

PRIVACY

Control Description

Maintain a central resource webpage on the organization's principal public website that serves as a central source of information about the organization's privacy program and that: a. Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy; b. Ensures that organizational privacy practices and reports are publicly available; and c. Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.

Control Enhancements (1)

Cross-Framework Mappings

Supplemental Guidance

For federal agencies, the webpage is located at www.[agency].gov/privacy. Federal agencies include public privacy impact assessments, system of records notices, computer matching notices and agreements, Privacy Act (PRIVACT) exemption and implementation rules, privacy reports, privacy policies, instructions for individuals making an access or amendment request, email addresses for questions/complaints, blogs, and periodic publications.
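An assessor reviewing part c of the control and the list of artifacts above can script the first pass of the evidence check: fetch the privacy page and confirm that links to the expected document types and at least one public contact channel are present. The following is an added example and is not code from the original page or from myctrl.tools. The HTML sample is constructed, the keyword patterns are heuristics chosen for this example, and the example.gov address is an assumption; in practice the input would be the body returned from www.[agency].gov/privacy.

```python
"""Offline check of a central privacy webpage for the artifacts PM-20 expects.

Added example (not from the original page). The required-item patterns are
heuristics derived from the control's supplemental guidance; adjust them to
the agency's own wording.
"""
import re
from html.parser import HTMLParser

# Artifact categories the supplemental guidance lists. Matching is done on
# link text and link targets, since these documents are normally linked.
REQUIRED_LINKS = {
    "pia": re.compile(r"privacy impact assessment", re.I),
    "sorn": re.compile(r"system of records notice", re.I),
    "matching": re.compile(r"computer matching", re.I),
    "policy": re.compile(r"privacy polic", re.I),
    "reports": re.compile(r"privacy report", re.I),
    "access_request": re.compile(r"(access|amendment) request", re.I),
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")
PHONE_RE = re.compile(r"\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}")


class PrivacyPageParser(HTMLParser):
    """Collects (href, text) pairs for every <a> plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._link_text = []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._link_text).strip()))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._link_text.append(data.strip())


def check_privacy_page(html):
    """Return {item: present?} for each required artifact and contact channel."""
    parser = PrivacyPageParser()
    parser.feed(html)
    body = " ".join(parser.text)
    findings = {}
    for name, pattern in REQUIRED_LINKS.items():
        findings[name] = any(pattern.search(text) or pattern.search(href)
                             for href, text in parser.links)
    # Part c: a publicly facing email address and/or phone line.
    has_mailto = any(href.lower().startswith("mailto:") for href, _ in parser.links)
    findings["contact_email"] = has_mailto or bool(EMAIL_RE.search(body))
    findings["contact_phone"] = bool(PHONE_RE.search(body))
    return findings


def missing_items(html):
    """Sorted list of required items the page does not evidence."""
    return sorted(k for k, ok in check_privacy_page(html).items() if not ok)


# Constructed sample page: some artifacts present, some deliberately absent.
SAMPLE_PAGE = """
<html><body>
<h1>Privacy Program</h1>
<ul>
 <li><a href="/privacy/pia">Privacy Impact Assessments</a></li>
 <li><a href="/privacy/sorn">System of Records Notices</a></li>
 <li><a href="/privacy/policy">Privacy Policy</a></li>
 <li><a href="/privacy/reports">Annual privacy reports</a></li>
</ul>
<p>Questions: <a href="mailto:privacy@example.gov">privacy@example.gov</a></p>
</body></html>
"""

if __name__ == "__main__":
    for item in missing_items(SAMPLE_PAGE):
        print(f"MISSING: {item}")
```

Run against the constructed sample, the checker reports that no computer matching notices, no access/amendment request instructions, and no phone line are evidenced; the email address satisfies part c on its own, but the gaps are what an assessor would follow up on in the interview.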

Related Controls

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • Where is the organization's central privacy webpage, and is it reachable from the principal public website (for federal agencies, www.[agency].gov/privacy)?
  • Who owns the content of the privacy webpage, and how does the senior agency official for privacy review and approve it?
  • How does the organization decide which privacy practices, reports, and notices are made publicly available?
  • How frequently is the webpage reviewed and updated when privacy practices, systems, or notices change?
  • How are questions and complaints received through the page's contact channels triaged, routed to the privacy office, and resolved?

Technical Implementation:

  • What publicly facing email addresses and/or phone lines are listed for privacy questions and feedback, and who monitors them?
  • How are privacy impact assessments, system of records notices, computer matching notices and agreements, and Privacy Act rules published and kept current on the page?
  • What workflow controls changes to the privacy webpage and the documents it links to?
  • How is the page monitored for availability and for broken links to published privacy documents?

Evidence & Documentation:

  • Provide the URL of the central privacy webpage and a capture of its current content.
  • Provide the privacy policies, reports, and notices that the page links to.
  • Provide records of updates to the page when privacy practices changed.
  • Provide records showing how public questions or complaints submitted through the listed email addresses or phone lines were handled.
