Privacy in the Federal Government (slide transcript)
The Inspector General’s Evolving Role in Privacy
Agenda
What Exactly is Privacy?
Evolution of Federal Gov’t Privacy Programs
Privacy Legislation and Guidelines
Privacy Breaches
GAO and OIG Audits
What Exactly is Privacy?
Privacy Act of 1974 (5 U.S.C. 552a)
Established a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies
Prohibits the disclosure of an individual’s records without the written consent of the individual, unless the disclosure is pursuant to one of twelve statutory exceptions
Provides individuals with a means to seek access to and amendment of their records
Sets forth agency record-keeping requirements
Federal Privacy Guidance
National Institute of Standards and Technology (NIST) Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (April 2010)
Assists agencies with protecting the confidentiality of PII in information systems
Defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
Federal Privacy Guidance
NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (revised January 2015)
Provides a structured set of privacy controls to help organizations comply with various privacy laws and regulations.
Establishes a linkage and relationship between privacy and security controls, which may overlap in concept and in implementation within federal information systems, programs, and organizations.
Appendix J: Privacy Control Catalog and Assessment Procedures
Federal Privacy Guidance
OMB Circular A-130, Managing Information as a Strategic Resource (Rev. July 2016)
Outlines responsibilities for protecting Federal information resources and managing personally identifiable information (PII)
Views security and privacy requirements as crucial elements of a comprehensive, strategic, and continuous risk-based program, rather than as simply a compliance exercise
Federal Privacy Guidance
OMB Circular A-130, Managing Information as a Strategic Resource (Rev. July 2016)
Requires agencies to maintain an inventory of the agency’s information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII
Federal Privacy Guidance
OMB Circular A-130, Managing Information as a Strategic Resource (Rev. July 2016)
Requires IT capital investment plans and budgetary requests to be reviewed to ensure that requirements and associated costs are explicitly identified and included with respect to IT resources used to create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII
Federal Privacy Guidance
OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (Sept 2003)
OMB M-03-22 provides guidance on privacy program activities including:
• Privacy Impact Assessments
• Privacy Policies on Agency Websites
• Privacy Policies in Machine-Readable Formats
• Reporting requirements (agencies are required to submit an annual report on compliance with this guidance to OMB as part of their E-Government Act status report)
Federal Privacy Council
Established through an Executive Order issued February 12, 2016
Purpose is to help Senior Agency Officials for Privacy better:
• Coordinate and collaborate
• Educate the Federal workforce
• Exchange best practices
The activities of the Privacy Council are intended to reinforce the essential work that agency privacy officials undertake every day to protect privacy.
Privacy Breaches in the Federal Government
Office of Personnel Management
Two separate but related breaches discovered in April and June 2015
4.2 million government employee personnel files breached
21.5 million security clearance background information files breached
Congressional Hearings
• June 16, 2015 – House Government Oversight and Reform Committee
• June 24, 2015 – House Government Oversight and Reform Committee
• June 25, 2015 – Senate Committee on Homeland Security and Governmental Affairs
Privacy Breaches in the Federal Government
Internal Revenue Service
April 2017
Up to 100,000 taxpayers compromised in FAFSA tool breach
Feb 2016
Stolen SSNs used to generate e-File PINs (101,000 successes / 464,000 attempts)
August 2015
“Get Transcript” Service breached exposing 334,000 taxpayer records
Privacy Breaches in the Federal Government
United States Postal Service
Hackers broke into more than two dozen servers at the US Postal Service in 2014, including one server containing names, Social Security numbers, birth dates, and other PII on about 800K workers and 2.9 million customers
Privacy Breaches in the Federal Government
Legislative Branch – Library of Congress (LOC)
Breach reported January 2009
A Human Resources employee conspired in a fraud in which he stole information on employees from LOC databases
The information was provided to a relative who opened fraudulent accounts used to purchase $38,000 worth of goods
Auditing Privacy in the Federal Government
Early privacy audits of Federal agencies largely found that agencies had not established or implemented privacy programs:
Lack of policies or agency directives establishing privacy oversight function and program
Senior Agency Official for Privacy / Chief Privacy Officer had not been appointed
Differing thoughts on where privacy program should reside and who should be the SAOP (Chief Information Officer, Senior Legal Counsel)
PII inventory challenges (IT and manual)
Lack of Privacy Impact Assessments
Auditing Privacy in the Federal Government
More recent privacy audits of some Federal agencies have found that agencies made progress, but still lack comprehensive privacy programs and have not performed significant key activities
Senior Agency Official for Privacy named
• Resource challenges for staffing privacy offices
PII inventory challenges (IT and manual)
• Lack of a comprehensive list of PII being collected, processed, and stored throughout the agency
Privacy training across the agency either not performed or not job specific (role-based)
Auditing Privacy in the Federal Government
More recent privacy audits of some Federal agencies have found that agencies made progress, but still lack comprehensive privacy programs and have not performed significant key activities (continued)
Privacy Threshold Analysis (PTA) challenges
• PTAs are an initial, self-assessment tool that can be used by agencies to determine whether they properly maintain PII. The PTA includes a description of the system and what PII, if any, is collected or used, and from whom.
Privacy Impact Assessment (PIA) challenges
• Objective of PIA is to systematically identify the risks and potential effects of collecting, maintaining, and disseminating PII and to examine and evaluate alternative processes for handling information to mitigate potential privacy risks.
Federal/Private Industry Privacy Audit Roundtable
Group formed in an effort to streamline audit procedures over privacy programs and identify best practices
Mix of experienced Federal/Private privacy auditors
Objective to further standardize assessment procedures for privacy controls to provide a more disciplined and structured approach to privacy audits
Reviewed NIST Appendix J, Privacy Control Catalog
• Shared assessment procedures for NIST privacy controls
NIST 800-53 Rev 4 Privacy Control Catalog
ID Privacy Control
AP Authority and Purpose
AP-1 Authority to Collect
AP-2 Purpose Specification
AR Accountability, Audit, and Risk Management
AR-1 Governance and Privacy Program
AR-2 Privacy Impact and Risk Assessment
AR-3 Privacy Requirements for Contractors and Service Providers
AR-4 Privacy Monitoring and Auditing
AR-5 Privacy Awareness and Training
AR-6 Privacy Reporting
AR-7 Privacy-Enhanced System Design and Development
AR-8 Accounting of Disclosures
DI Data Quality and Integrity
DI-1 Data Quality
DI-2 Data Integrity and Data Integrity Board
DM Data Minimization and Retention
DM-1 Minimization of Personally Identifiable Information
DM-2 Data Retention and Disposal
DM-3 Minimization of PII Used in Testing, Training, and Research
IP Individual Participation and Redress
IP-1 Consent
IP-2 Individual Access
IP-3 Redress
IP-4 Complaint Management
SE Security
SE-1 Inventory of Personally Identifiable Information
SE-2 Privacy Incident Response
TR Transparency
TR-1 Privacy Notice
TR-2 System of Records Notices and Privacy Act Statements
TR-3 Dissemination of Privacy Program Information
UL Use Limitation
UL-1 Internal Use
UL-2 Information Sharing with Third Parties
• Based on the Fair Information Practice Principles embodied in the Privacy Act of 1974, Section 208 of the E-Government Act of 2002, and OMB policies
• Provides a structured set of privacy controls that helps agencies comply with applicable federal laws, Executive Orders, directives, instructions, regulations, policies, standards, guidance, and organization-specific issuances
Selected NIST Privacy Controls
AR-1 GOVERNANCE AND PRIVACY PROGRAM
Control: The organization:
Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO)
Monitors federal privacy laws and policy for changes that affect the privacy program
Allocates sufficient resources to implement and operate the organization-wide privacy program
Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures
Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII
Updates privacy plan, policies, and procedures [at least biennially]
Selected NIST Privacy Controls
AR-5 PRIVACY AWARENESS AND TRAINING
Control: The organization:
Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures;
Administers basic privacy training and targeted, role-based privacy training for personnel having responsibility for PII, and
Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements
Selected NIST Privacy Controls
DM-2 DATA RETENTION AND DISPOSAL
Control: The organization:
Retains each collection of PII for [organization-defined time period] to fulfill the purpose(s) identified in the notice or as required by law;
Disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a National Archives and Records Administration-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and
Uses [organization-defined techniques or methods] to ensure secure deletion or destruction of PII (including originals, copies, and archived records).
Selected NIST Privacy Controls
SE-1 INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION
Control: The organization:
Establishes, maintains, and updates [organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing PII; and
Provides each update of the PII inventory to the CIO or information security official [organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII.
Privacy Controls NIST Implementation Tips
Select and implement privacy controls based on the privacy requirements of organizations and the need to protect PII of individuals collected and maintained by systems and programs.
Coordinate privacy control selection and implementation with the:
organizational Risk Executive Function,
mission/business owners,
enterprise architects,
Chief Information Officer,
SAOP/CPO, and
Chief Information Security Officer.
Summary
There’s a struggle and a balance between convenience and privacy
Federal Government challenges in developing and implementing comprehensive privacy programs
Audits reveal progress is occurring, but significant work still needs to be done
Start with the Basics!
What PII do I have?
Why do I have it?
How long should I have it?
Who has access to it?
How/when do I dispose of it?
Ask for help – Join a Privacy Council/Roundtable
Contact Information
Hon. Theresa Grafenstine CPA, CISSP, CISA, CRISC, CGEIT, CIA, CGAP, CGMA
Vice-Chairman, ISACA International Board of Directors
Email: [email protected]
Twitter: @tgrafenstine
LinkedIn: Theresa Grafenstine