myctrl.tools
Compare

PM-20(1)Privacy Policies On Websites, Applications, And Digital Services

PRIVACY

>Control Description

Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that: a. Are written in plain language and organized in a way that is easy to understand and navigate; b. Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and c. Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes.

>Cross-Framework Mappings

SCF

PRI-02
Compare

>Supplemental Guidance

Organizations post privacy policies on all external-facing websites, mobile applications, and other digital services. Organizations post a link to the relevant privacy policy on any known, major entry points to the website, application, or digital service. In addition, organizations provide a link to the privacy policy on any webpage that collects personally identifiable information.

Organizations may be subject to applicable laws, executive orders, directives, regulations, or policies that require the provision of specific information to the public. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What program-level governance exists for privacy policies on websites, applications, and digital services?
  • Who has overall responsibility and accountability for privacy policies on websites, applications, and digital services across the organization?
  • How does the organization measure and report on privacy policies on websites, applications, and digital services effectiveness?
  • What resources are allocated to support privacy policies on websites, applications, and digital services activities?
  • How does privacy policies on websites, applications, and digital services integrate with other organizational programs and initiatives?

Technical Implementation:

  • What enterprise systems or platforms support privacy policies on websites, applications, and digital services?
  • How are privacy policies on websites, applications, and digital services activities tracked and reported organization-wide?
  • What integration exists between privacy policies on websites, applications, and digital services tools and other security/privacy systems?
  • What automation supports privacy policies on websites, applications, and digital services at the program level?
  • What metrics or analytics are used to measure privacy policies on websites, applications, and digital services effectiveness?

Evidence & Documentation:

  • Provide program-level documentation for privacy policies on websites, applications, and digital services.
  • Provide evidence of privacy policies on websites, applications, and digital services review and approval by senior leadership.
  • Provide metrics or reports demonstrating privacy policies on websites, applications, and digital services effectiveness.
  • Provide records of privacy policies on websites, applications, and digital services updates and improvements.
  • Provide documentation of privacy policies on websites, applications, and digital services integration with organizational governance.

Ask AI

Configure your API key to use AI features.