Meridian State UniversityPrivacy & Information Security Offices
ConfidentialPrivacy & Security Review · Risk Evidence
Admissions CRM AI — Review & Risk Register
| Document type | Review + Risk-register entry | Ref. | RR-AI-0117 |
| Prepared by | Privacy + ISO | Reviewed by | AI Governance Committee |
| Scope | CRM AI over applicant PII | Visibility | Confidential |
| Assessed | 2026-04-08 | Re-assess by | 2026-07-08 |
1. Review scope
Assessment of AI features in the admissions CRM against privacy (FERPA), security, and the Student Engagement RMF profile, focused on the processing of prospective-student PII.
2. Findings summary
| Critical | 0 | High | 1 (remediated) |
| Medium | 2 (remediated) | Low | 1 (accepted) |
3. Risk-register entry
Primary risk
Exposure or misuse of applicant PII via AI features.
Inherent rating
High (likelihood: medium · impact: severe).
Mitigations
Field-level restrictions, least privilege, in-CRM processing, audit logging, human review.
Residual rating
Low — accepted by the data owner and Privacy Office.
4. High finding & remediation
An over-broad role could view restricted fields. Remediated 2026-04-09 by tightening role scopes; re-tested by the ISO. No evidence of exposure.
5. Conditions of approval
- No automated decisions about applicants
- Quarterly access recertification
- Re-review on any new data field or integration
6. Decision
Outcome: Approved to operate over Confidential applicant data, subject to the conditions above and re-assessment by the date shown.
Review & approval
Chief Privacy Officer
Chief Information Security Officer
Data owner — Enrollment Management
Date approved