The Data Practices Act requires a government entity to perform a yearly, comprehensive security assessment of any personal information it maintains. (See Minnesota Statutes, section 13.055, subdivision 6)
Personal information is an individual's first name or first initial and last name in combination with one or more of these elements when unencrypted:
An entity's security assessment will vary depending on the amount of personal information the entity maintains. Developing the security assessment will require collaboration with an entity's legal counsel and internal auditor.
The Department of Administration uses the Control Environment Self-Assessment Tool (Excel), developed by Minnesota Management and Budget (MMB). Lines 45, 48, 49, and 51 target the requirements in section 13.055. You can learn more about control environments at MMB's website.