Privacy in the Federal Government...Monitors federal privacy laws and policy for changes that affect...

The Inspector General’s Evolving Role in Privacy


Page 1: Privacy in the Federal Government...Monitors federal privacy laws and policy for changes that affect the privacy program Allocates sufficient resources to implement and operate the

The Inspector General’s Evolving Role in Privacy

Page 2

Agenda

What Exactly is Privacy?

Evolution of Federal Gov’t Privacy Programs

Privacy Legislation and Guidelines

Privacy Breaches

GAO and OIG Audits

Page 3

What Exactly is Privacy?

Page 4

Privacy Act of 1974 (5 U.S.C. 552a)

Established a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies

Prohibits the disclosure of an individual’s records without the written consent of the individual, unless the disclosure is pursuant to one of twelve statutory exceptions

Provides individuals with a means to seek access to and amendment of their records

Sets forth agency record-keeping requirements

Page 5

Federal Privacy Guidance

National Institute of Standards and Technology (NIST) Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (April 2010)

Assists agencies with protecting the confidentiality of PII in information systems

Defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

Page 6

Federal Privacy Guidance

NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (revised January 2015)

Provides a structured set of privacy controls to help organizations comply with various privacy laws and regulations.

Establishes a linkage and relationship between privacy and security controls, which may overlap in concept and in implementation within federal information systems, programs, and organizations.

Appendix J: Privacy Control Catalog and Assessment Procedures

Page 7

Federal Privacy Guidance

OMB Circular A-130, Managing Information as a Strategic Resource (Rev. July 2016)

Outlines responsibilities for protecting Federal information resources and managing personally identifiable information (PII)

Views security and privacy requirements as crucial elements of a comprehensive, strategic, and continuous risk-based program, rather than as simply a compliance exercise

Page 8

Federal Privacy Guidance

OMB Circular A-130, Managing Information as a Strategic Resource (Rev. July 2016)

Requires agencies to maintain an inventory of the agency’s information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII

Page 9

Federal Privacy Guidance

OMB Circular A-130, Managing Information as a Strategic Resource (Rev. July 2016)

Requires IT capital investment plans and budgetary requests to be reviewed to ensure that requirements and associated costs are explicitly identified and included with respect to IT resources used to create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII

Page 10

Federal Privacy Guidance

OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (Sept 2003)

OMB M-03-22 provides guidance on privacy program activities including:

• Privacy Impact Assessments

• Privacy Policies on Agency Websites

• Privacy Policies in Machine-Readable Formats

• Reporting requirements (Agencies required to submit annual report on compliance with this guidance to OMB as part of their E-Government Act status report)

Page 11

Federal Privacy Council

Established through an Executive Order issued February 12, 2016

Purpose is to help Senior Agency Officials for Privacy better:

• Coordinate and collaborate

• Educate the Federal workforce

• Exchange best practices

The activities of the Privacy Council are intended to reinforce the essential work that agency privacy officials undertake every day to protect privacy.

Page 12

Privacy Breaches in the Federal Government

Office of Personnel Management

Two separate but related breaches discovered in April and June 2015

4.2 million government employee personnel files breached

21.5 million security clearance background information files breached

Congressional Hearings

• June 16, 2015 – House Government Oversight and Reform Committee

• June 24, 2015 – House Government Oversight and Reform Committee

• June 25, 2015 – Senate Committee on Homeland Security and Governmental Affairs

Page 13

Privacy Breaches in the Federal Government

Internal Revenue Service

April 2017

Up to 100,000 Taxpayers compromised in FAFSA tool breach

Feb 2016

Used stolen SSNs to generate e-File PINs (101,000 successes / 464,000 attempts)

August 2015

“Get Transcript” Service breached exposing 334,000 taxpayer records

Page 14

Privacy Breaches in the Federal Government

United States Postal Service

Hackers broke into more than two dozen servers at the US Postal Service in 2014, including one server containing names, Social Security numbers, birth dates, and other PII on about 800K workers and 2.9 million customers

Page 15

Privacy Breaches in the Federal Government

Legislative Branch – Library of Congress (LOC)

Breach reported January 2009

A Human Resources employee conspired in a fraud in which he stole information on employees from LOC databases

The information was provided to a relative who opened a fraudulent account used to purchase $38,000 worth of goods

Page 16

Auditing Privacy in the Federal Government

Early privacy audits of Federal agencies largely found Agencies had not established or implemented privacy programs:

Lack of policies or agency directives establishing privacy oversight function and program

Senior Agency Official for Privacy / Chief Privacy Officer had not been appointed

Differing thoughts on where privacy program should reside and who should be the SAOP (Chief Information Officer, Senior Legal Counsel)

PII inventory challenges (IT and manual)

Lack of Privacy Impact Assessments

Page 17

Auditing Privacy in the Federal Government

More recent privacy audits of some Federal agencies have found that agencies made progress but still lack comprehensive privacy programs, and that significant key activities are not performed

Senior Agency Official for Privacy named

• Resource challenges for staffing privacy offices

PII inventory challenges (IT and manual)

• Lack of a comprehensive list of PII being collected, processed, and stored throughout the agency

Privacy training across the agency either not performed or not job specific (role-based)

Page 18

Auditing Privacy in the Federal Government

More recent privacy audits of some Federal agencies have found that agencies made progress but still lack comprehensive privacy programs, and that significant key activities are not performed

Privacy Threshold Analysis (PTA) challenges

• PTAs are an initial, self-assessment tool that can be used by agencies to determine whether they properly maintain PII. The PTA includes a description of the system and what PII, if any, is collected or used, and from whom.

Privacy Impact Assessment (PIA) challenges

• Objective of PIA is to systematically identify the risks and potential effects of collecting, maintaining, and disseminating PII and to examine and evaluate alternative processes for handling information to mitigate potential privacy risks.

Page 19

Federal/Private Industry Privacy Audit Roundtable

Group formed in an effort to streamline audit procedures over privacy programs and identify best practices

Mix of experienced Federal/Private privacy auditors

Objective to further standardize assessment procedures for privacy controls to provide a more disciplined and structured approach to privacy audits

Reviewed NIST Appendix J, Privacy Control Catalog

• Shared assessment procedures for NIST privacy controls

Page 20

NIST 800-53 Rev 4 Privacy Control Catalog

ID – Privacy Controls

AP Authority and Purpose

AP-1 Authority to Collect

AP-2 Purpose Specification

AR Accountability, Audit, and Risk Management

AR-1 Governance and Privacy Program

AR-2 Privacy Impact and Risk Assessment

AR-3 Privacy Requirements for Contractors and Service Providers

AR-4 Privacy Monitoring and Auditing

AR-5 Privacy Awareness and Training

AR-6 Privacy Reporting

AR-7 Privacy-Enhanced System Design and Development

AR-8 Accounting of Disclosures

DI Data Quality and Integrity

DI-1 Data Quality

DI-2 Data Integrity and Data Integrity Board

DM Data Minimization and Retention

DM-1 Minimization of Personally Identifiable Information

DM-2 Data Retention and Disposal

DM-3 Minimization of PII Used in Testing, Training, and Research

IP Individual Participation and Redress

IP-1 Consent

IP-2 Individual Access

IP-3 Redress

IP-4 Complaint Management

SE Security

SE-1 Inventory of Personally Identifiable Information

SE-2 Privacy Incident Response

TR Transparency

TR-1 Privacy Notice

TR-2 System of Records Notices and Privacy Act Statements

TR-3 Dissemination of Privacy Program Information

UL Use Limitation

UL-1 Internal Use

UL-2 Information Sharing with Third Parties

• Based on the Fair Information Practice Principles embodied in the Privacy Act of 1974, Section 208 of the E-Government Act of 2002, and OMB policies

• Provides a structured set of privacy controls that helps agencies comply with applicable federal laws, Executive Orders, directives, instructions, regulations, policies, standards, guidance, and organization-specific issuances

Page 21

Selected NIST Privacy Controls

AR-1 GOVERNANCE AND PRIVACY PROGRAM

Control: The organization:

Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO)

Monitors federal privacy laws and policy for changes that affect the privacy program

Allocates sufficient resources to implement and operate the organization-wide privacy program

Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures

Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII

Updates privacy plan, policies, and procedures [at least biennially]

Page 22

Selected NIST Privacy Controls

AR-5 PRIVACY AWARENESS AND TRAINING

Control: The organization:

Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures;

Administers basic privacy training and targeted, role-based privacy training for personnel having responsibility for PII, and

Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements

Page 23

Selected NIST Privacy Controls

DM-2 DATA RETENTION AND DISPOSAL

Control: The organization:

Retains each collection of PII for [organization-defined time period] to fulfill the purpose(s) identified in the notice or as required by law;

Disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a National Archives and Records Administration-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and

Uses [organization-defined techniques or methods] to ensure secure deletion or destruction of PII (including originals, copies, and archived records).

Page 24

Selected NIST Privacy Controls

SE-1 INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION

Control: The organization:

Establishes, maintains, and updates [organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing PII; and

Provides each update of the PII inventory to the CIO or information security official [organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII.

Page 25

Privacy Controls NIST Implementation Tips

Select and implement privacy controls based on the privacy requirements of organizations and the need to protect PII of individuals collected and maintained by systems and programs.

Coordinate privacy control selection and implementation with the:

organizational Risk Executive Function,

mission/business owners,

enterprise architects,

Chief Information Officer,

SAOP/CPO, and

Chief Information Security Officer.

Page 26

Summary

There’s a struggle and a balance between convenience and privacy

Federal Government challenges in developing and implementing comprehensive privacy programs

Audits reveal progress is occurring, but significant work still needs to be done

Start with the Basics!

What PII do I have?

Why do I have it?

How long should I have it?

Who has access to it?

How/when do I dispose of it?

Ask for help – Join a Privacy Council/Roundtable

Page 27

Contact Information

Hon. Theresa Grafenstine CPA, CISSP, CISA, CRISC, CGEIT, CIA, CGAP, CGMA

Vice-Chairman, ISACA International Board of Directors

Email: [email protected]

Twitter: @tgrafenstine

LinkedIn: Theresa Grafenstine