1. “Security and Privacy Training is inadequate and poorly aligned with the different roles and responsibilities of personnel.”

Proper security and privacy education is part of the administrative safeguards needed to properly protect data. Information handlers must understand the risks facing sensitive information and their responsibilities towards maintaining the Fair Information Practices Principles. The report instructed agencies to include privacy and security training upon employment, maintain awareness through weekly tips, annual “security days” and other creative reminders. Agencies should also target individuals with more security and privacy responsibilities and provide more extensive training.

2. “Contracts and data sharing agreements between agencies and entities operating on behalf of the agency do not describe the procedures for appropriately processing and adequately safeguarding information.”

The Privacy Act of 1974 allows the sharing of information between government agencies provided the information receives the same level of protection after disclosure and the two agencies sign and follow a data sharing agreement. Failing to comply with a  data sharing agreement may allow serious breaches of a individual’s privacy. Agencies are encouraged to offer incentives for successful compliance with a data sharing agreement or contract. Agencies are also required to create detailed agreements (using Federal Acquisition Regulation Language) describing the procedures for protecting the information and assigning an individual to oversee the data sharing process.

3. “Information inventories inaccurately describe the types and uses of government information, and the locations where it is stored, processed or transmitted, including personally identifiable information.”

Under the Freedom of Information Act and the Privacy Act of 1974, government agencies are required to maintain adequate records on the type or information systems they maintain and the types and uses of the information. With a few exceptions, such information must be available to the public. Improper record keeping poses a threat to the transparency of government activities and an individual’s right to access the information and agency maintains about them. Agencies should use enterprise architecture and inventories to review the type, location, and uses of information it has on record. Security controls should be developed in consideration of the inventory and all systems containing personally identifiable information should be regularly assessed to ensure the integrity and security of the data.

4. “Information is not appropriately scheduled, archived or destroyed.”

Information must be protected at all stages of its lifecycle including those when it is not in active use. The proper destruction of information is particularly important to safeguarding privacy. Information must be assessed to determine how long it needs to be maintained and whether it is permanent and needs to be archived by the NARA or temporary and needs to be destroyed. Agencies must obtain the National Archives and Records Administration approval to dispose of their records according to established record schedules.

5. “Suspicious activities and incidents are not identified and reported in a timely manner.”

Information security is an ongoing process which requires identifying and detecting potential threats. Instituting a system without following up with security checks and incident response is ignoring a fundamental part of the information security process. Agencies should develop and follow a set of procedures to identify and respond to security or privacy incidents. Response should be timely in order to be effective. Agencies should configure their computer systems to detect intrusions, monitor use, and log any incidents. Furthermore incidents should be reported to authorized personnel and agencies to reduce risk as quickly as possible.

6. “Audit Trails documenting how information is processed are not appropriately created or reviewed.”

It is not just the type of information that is collected but how it is used that is restricted to protect privacy and civil liberties. Accurate audit trails are necessary to record how information is being collected, used, maintained and disclosed by an agency. Agencies should use managed data repositories to develop and review the necessary audit trails. Those audit trails can then be used to identify anomalies, determine the status of data and destroy data when it is no longer necessary.

7. “Inadequate security controls where information is collected, created, processed or maintained.”

Security controls include technical, physical and administrative safeguards. They are the primary defense against unauthorized access and use of information. Agencies should maintain inventories of their physical property including real estate and mobile devices. Stronger controls should be applied to areas of high impact or high risk. Security procedures should be reviewed regularly (at least annually) to ensure physical access is granted only to authorized individuals.

8. “Information security controls are not adequate.”

The sole purpose of information security controls is to prevent unauthorized use and access. When such controls fail, the system must be improved or replaced to be provide adequate protection to information which is guaranteed under U.S. law. Security controls should be tested annually with higher risk systems tested more frequently. Personnel that test controls should be separate from the personnel that administer the controls regularly, to allow outside enforcement. Problems and improvements should be shared among agencies to promote awareness. All common security configurations should follow NIST guidelines. Agencies must also consider how the public availability of information affects how government information is protected.

9. “Inadequate protection of information accessed or processed remotely.”

Mobile devices and the increasing use of cloud computing technologies all government employees to access government information when working away from the office. Data must be protected equally when accessed from a computer at the agency and when accessed from a mobile device. Agencies should maintain an audit log of any information accessed or processed remotely. NIST encryption methods, two factor authentication, and automatic log outs after a certain period of inactivity should be employed. Agencies should ensure personnel understand the security risks involved with remotely accessing such information and have them sign a document denoting their privacy and security responsibilities.

10. Agencies acquire information technology and information security products without incorporating appropriate security and privacy standards and guidelines.

The E-Government Act of 2002 requires that all new information security systems conduct Privacy Impact Assessments prior to use, and periodically thereafter in order to evaluate the effectiveness of the system in protecting the information it maintains. Failing to assess new technologies for their privacy protections leaves large holes in the security of the system. Agencies should include information system planning, development and maintenance in their procedures and budgets. Systems should be purchased and implemented only when found to be cost effective in adequately protecting information. Software and hardware encryption products should be used according to the NIST certified cryptographic modules.

Summary

While there are a number of regulations such as the Privacy Act of 1974, the E-Government Act of 2002, as well as the Fair Information Practice Principles which guide the use of information by the Federal Government, such regulations are not always implemented properly. Reports such as the Common Risks Impeding the Adequate Protection of Government Information are necessary to maintain an ongoing discussion regarding information privacy and security and continue to increase security protections as technologies and threats evolve.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• Common Risks Impeding the Adequate Protection of Government Information
• Information Privacy Laws for U.S. Government Practice (I.C.)

The E-Government Acts of 2002 involved a large number of new regulations to implement and control the use of electronic technologies by the U.S. Government. Title III of this Act, called the Federal Information Security Management Act required all Government agencies to develop extensive information security programs.

What is the Importance of FISMA?

The Federal Information Security and Management Act deals with Information Security, which is one of the Fair Information Practice Principles. Proper protection of data does not only include the acceptable use and disclosure of the data by the agency, but also the measures taken to prevent abuse of information by other parties and to protect the status and availability of the data.

FISMA incorporates the three main components of information security:

• Confidentiality– involves implementing the necessary restrictions and authorizations to limit access to sensitive data.
• Integrity– involves ensuring information is authentic and preventing improper modification or destruction
• Availability– involves the ability to readily access information and the timeliness of the information

What Does a FISMA Compliant Information Security Program Entail?

• Periodic risk assessments must be conducted evaluating any potential harm caused by unauthorized access, use, disclosure or destruction of the data including an assessment of the magnitude of harm
• Risk assessments are used to develop policies which are cost effective and reduce any security threats. These policies must also protect data at all stages of the life cycle
• The efficacy of policies, procedures and security controls must be tested at least annually, with higher risk systems requiring more frequent evaluations.
• An agency must implement a way to detect, report and respond to security violations
• An agency must develop a continuity of operations plan to return function as quickly as possible in the event of a security incident of disruption.

What is Security Certification and Accreditation?

Security Certification and Accreditation is the official process taken to authorize the operation of an information system by an agency of the U.S. Government. By accrediting an information system, the agency accepts full responsibility for the system and will be held accountable for any negative impacts or problems that may arise.

The four phases of the Security Certification and Accreditation process:

1. Initiation Phase– ensures all parties are on the same page regarding the information system, its contents and controls before the system is evaluated. In this phase, the information security system is prepared and the security plan is analyzed and updated for review.
2. Security Certification Phase– evaluates security controls to make sure they are functioning correctly, that the system is operating as it should and that the information is adequately protected. In this phase, all security controls are tested documentation is created with the results.
3. Security Accreditation Phase– the information gathered during the previous phase is used to determine if the operation of the information system presents an acceptable security risk. In this stage, the authorizing official determines whether or not an information system may become operational, and proper documentation is filed if the system is ready to become accredited.
4. Continuous Monitoring Phase – ensures ongoing enforcement by requiring ongoing configuration and management control, monitoring of security controls and the filing of status reports and documents.

Reaccreditation occurs periodically and after significant changes in the system or environment. The Security Certification and Accreditation process is used to evaluate an individual information system and its security. It is similar to but distinct from Privacy Impact Assessments which are used to evaluate privacy protections with regard to changes in a records system. PIA and C&A evaluations for particular information systems may overlap in coverage. However, PIA are also used to evaluate privacy concerns involved with using matching programs, sharing information between agencies or when transferring data to electronic form. C&A evaluations are less frequent and more extensive and evaluate individual security systems and their related policies.

Enforcement of FISMA

Monitoring of FISMA compliance is built into the regulation through mandatory reports due to the Director of the Office of Management and Budget, and several House of Representative and Senate Committees. The report must include:

• The information resources used by the agency
• The information technologies used by the agency
• The program performance
• Financial management information including annual budgets, and accounting to determine cost effectiveness
• Record of any significant vulnerabilities in the policies, procedures or security systems.

In 2008, OMB Memorandum 08-09, added new reporting guidelines that required each agency to report:

• The number of each type of privacy review used by the agency during the previous fiscal year
• Any new policies, guidance or advice provided by the agency official in charge of privacy in the past fiscal year
• The number of written privacy complaints received in the past fiscal year
• The number of privacy issues referred to another agency with the relevant jurisdiction in the past fiscal year

Each agency must also create a performance plan in consultation with the Director of the Office of Management and Budget regarding the time period and resources needed including budget, staffing and training to implement or continue to implement, secure FISMA compliant information security systems.

FISMA also requires annual independent evaluations of the information security programs and procedures. The evaluation is conducted by the Inspector General of the agency, if one is appointed. It one is not appointed, the head of the agency must hire an external party to evaluate the system. A report the evaluation must be submitted to the Director of the Office of Management and Budget who then summarizes the findings in the Director’s Report to Congress.

Summary:

The Federal Information Security Management Act protects privacy by requiring extensive evaluations and monitoring of Government information systems to ensure data is adequately protected and operating at an acceptable level of risk.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• Federal Information Security Management Act (I.C.f.i-iii.)
• The E-Government Act of 2002 including Privacy Impact Assessments (I.C.c.i.-ii.)

“To enhance the management and promotion of electronic Government services and processes by establishing a Federal Chief Information Officer within the Office of Management and Budget, and by establishing a broad framework of measures that require using Internet-based information technology to enhance citizen access to Government information and services, and for other purposes.”

Section 208 of the E-Government Act is devoted specifically to privacy concerns. It  placed four specific requirements on Government agencies:

• Conduct Privacy Impact Assessments for electronic information systems and records and make them available to the public
• Post privacy policies to all agency websites
• Implement P3P (machine-readable) privacy policies on agency websites
• Submit annual reports to the Office of Management and Budget regarding compliance with the Act

Website Privacy

All government agencies are required to post privacy policies on their general websites as of December 15, 2003. The privacy policy rule does not apply to: information not considered “government information”; intranet websites only used by authorized government users; national security systems.

All Privacy Policies:

• Require consent from the individual for information collection and sharing. Website visitors must be told whether the information requested is voluntary or mandatory as well as how to grant consent for the collection of both voluntarily and mandatorily provided information.
• Must notify individuals of their rights under the Privacy Act and other privacy laws such as HIPAA, the IRS Restructuring and Reform Act of the Family Educational Rights and Privacy Act. Notification must be placed in the body of the website’s privacy policy, linking to the official text of the legislation or the official summary of statutory rights.
• Must implement machine readable (P3P) privacy policies into their websites.
• Must comply with the relevant Office and Management and Budget Memorandums which concern the content and use of privacy policies:
  • Memorandum-99-18 Requires the inclusion of two content areas: Consent to collection and sharing; Rights under the Privacy Act or other privacy laws (as outlined above) OMB M-99-18 also requires the posting of privacy polices on the main web site, any major entry points to the site and on every page that collects personally identifiable information. Further it requires privacy policies to be clear, conspicuous, accessible and easy to understand.
  • Memorandum-99-05 Deals with the administrative side of privacy protection.  M-99-05 requires all employees and contractors to be educated in their responsibility towards privacy protection. All individuals that may have day to day responsibility for implementing section 208 must be identified. A senior official or officials must be appointed to oversee privacy matters in the agency, serve as the principle information technology contact and review the agency’s Privacy Impact Assessments.
  • Memorandum-00-13 Prohibits the use of persistent cookies or web beacons to track visitor traffic at their website unless authorized by a senior official due to compelling need. If tracking cookies are used, the privacy policy on the agency’s website must include the type of information collected, how and why it is collected and used, whether the information is disclosed to third parties and how the information will be protected by privacy safeguards. All agencies must submit reports for the use of persistent tracking cookies. OMB M-00-13 does allow the use of session cookies to track activity during a single session
• Must continue to implement the privacy protections enforced by other regulations. Privacy policies should assure visitors that the information technologies used protect data during all phases of its life cycle. They should assure compliance with the Privacy Act of 1974 regarding how information is handled and complete regular evaluations to ensure compliance. Furthermore, the agency must fully adhere to their stated privacy policies.

Privacy Impact Assessments

The E-Government Act requires agencies to conduct Privacy Impact Assessments to achieve three main goals:

• Ensure that information handling complies with all applicable laws, regulations and policies regarding privacy.
• Assess the risks and effects to the individual of collection, maintaining, using and disclosing personally identifiable information
• Evaluate current protections, their effectiveness and consider possible alternatives better protect data from privacy violations.

When must a PIA be conducted?

All PIA should be conducted to the collection, use or disclosure of information in identifiable form. A PIA is required:

• Prior to developing or obtaining and IT system or process which collects, stores or discloses personally identifiable information
• Prior to instituting a new electronic means of collecting identifiable information from 10 or more individuals
• When converting paper records to electronic records
• When anonymized data in an information system is changed into identifiable form
• Prior to significant changes of an existing IT system when such changes effect how identifiable information is managed in the system
• Prior to the merging of information (most often completed through matching programs with other agencies)
• When a new user authentication technology is used to allow public access to government information
• Before information purchased from commercial or public sources is merged into existing information systems maintaining personally identifiable information
• When two or more agencies work together to share function or uses of personally identifiable information, the lead agency should prepare the PIA
• When internal business process result in significant changes of the use, disclosure or collection of identifiable information.
• When additional data elements containing information in identifiable form are added to an information system and increase the risk to personal privacy.

There are a few exceptions to the Privacy Impact Assessment rule. A PIA is not required:

• When the information relates to internal government operations
• A previous evaluation has been conducted in an assessment  similar to a PIA
• When privacy issues remain unchanged. Examples of such situations include:
  • Government information systems that do not maintain information in identifiable form or about members of the general public
  • When the government-run public website is only used to collect limited information from individuals for the purpose of providing feedback to their inquiries or requesting additional information
  • National security systems
  • When privacy protection is addressed in a matching agreement as pursuant to the Privacy Act
  • When privacy protection is addressed in an interagency agreement allowing the merging of data only for statistical purposes and PII remains private pursuant to Title V of the E-Government Act
  • If the IT systems collects information in non identifiable form for purposes other than the matching or merging of that data with other databases

What does a Privacy Impact Assessment contain?

Each PIA must contain the following information:

• The nature, source of collected information
• The reasons behind the collection of information
• The intended uses and disclosures of collected information and how the individual can provide their consent
• The technical and administrative safeguards used to protect the information
• Whether the information system falls under the definition of system of records under the Privacy Act
• An analysis of the PIA and the steps taken by the agency to remedy and problems or weaknesses

What is the Significance of Privacy Impact Assessments?

Privacy Impact Assessments are public documents that allow ongoing monitoring and assessment of privacy protection implementation and effectiveness. All PIAs must be evaluated by the Chief Information Officer in the Office of Management and Budget. The CIO’s job is to evaluate all PIAs for compliance and ensure implementation of the necessary procedures.

Further more, they provide the public with insight into how the Federal Government collects, uses, maintains and protects personally identifiable information. Under Section 208B, Privacy Impact Assessments should be made available to the public through publication on the agency’s website or publication in the Federal Register, though this requirement may be waived for security purposes.

PIAs are similar to the Systems of Records Notice (SORN) required under the Privacy Act of 1974 which created a Federal Register documenting all information systems which use personally identifiable information to retrieve records. Privacy Impact Assessments allow for stronger privacy protections by requiring greater detail and by applying to some records systems which are exempt from filing SORNs.

Summary:

With the integration of new technology into record keeping systems, the U.S. Government recognized the need for new legislation regulating the use of such technologies by the Federal Government. Section 208 is particularly important in privacy legislation because it increases the protections granted under other privacy legislations such as the Freedom of Information Act and the Privacy Act of 1974. Furthermore, it regulates the collection, use and disclosure of personally identifiable information over the Internet, requires regular enforcement through the use of Privacy Impact Assessments and provides public access to government activities through regular reporting and publication of those assessments.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• The E-Government Act of 2002 including website privacy policy and Privacy Impact Assessments (I.C.c.i.-ii.)