Common Risks Impeding the Adequate Protection of Government Information

In 2007, the Department of Homeland Security adn Office of Management and Budget, along with the Presidential Identity Theft Task Force, investigated information privacy and security practices in the United States Government. They developed a report called the Common Risks Impeding the Adequate Protection of Government Information (pdf)which included a list of ten common mistakes made by U.S. departments and agencies and provided recommendations for new practices to be implement to eliminate and reduce security risks.

1. “Security and Privacy Training is inadequate and poorly aligned with the different roles and responsibilities of personnel.”

Proper security and privacy education is part of the administrative safeguards needed to properly protect data. Information handlers must understand the risks facing sensitive information and their responsibilities towards maintaining the Fair Information Practices Principles. The report instructed agencies to include privacy and security training upon employment, maintain awareness through weekly tips, annual “security days” and other creative reminders. Agencies should also target individuals with more security and privacy responsibilities and provide more extensive training.

2. “Contracts and data sharing agreements between agencies and entities operating on behalf of the agency do not describe the procedures for appropriately processing and adequately safeguarding information.”

The Privacy Act of 1974 allows the sharing of information between government agencies provided the information receives the same level of protection after disclosure and the two agencies sign and follow a data sharing agreement. Failing to comply with a  data sharing agreement may allow serious breaches of a individual’s privacy. Agencies are encouraged to offer incentives for successful compliance with a data sharing agreement or contract. Agencies are also required to create detailed agreements (using Federal Acquisition Regulation Language) describing the procedures for protecting the information and assigning an individual to oversee the data sharing process.

3. “Information inventories inaccurately describe the types and uses of government information, and the locations where it is stored, processed or transmitted, including personally identifiable information.”

Under the Freedom of Information Act and the Privacy Act of 1974, government agencies are required to maintain adequate records on the type or information systems they maintain and the types and uses of the information. With a few exceptions, such information must be available to the public. Improper record keeping poses a threat to the transparency of government activities and an individual’s right to access the information and agency maintains about them. Agencies should use enterprise architecture and inventories to review the type, location, and uses of information it has on record. Security controls should be developed in consideration of the inventory and all systems containing personally identifiable information should be regularly assessed to ensure the integrity and security of the data.

4. “Information is not appropriately scheduled, archived or destroyed.”

Information must be protected at all stages of its lifecycle including those when it is not in active use. The proper destruction of information is particularly important to safeguarding privacy. Information must be assessed to determine how long it needs to be maintained and whether it is permanent and needs to be archived by the NARA or temporary and needs to be destroyed. Agencies must obtain the National Archives and Records Administration approval to dispose of their records according to established record schedules.

5. “Suspicious activities and incidents are not identified and reported in a timely manner.”

Information security is an ongoing process which requires identifying and detecting potential threats. Instituting a system without following up with security checks and incident response is ignoring a fundamental part of the information security process. Agencies should develop and follow a set of procedures to identify and respond to security or privacy incidents. Response should be timely in order to be effective. Agencies should configure their computer systems to detect intrusions, monitor use, and log any incidents. Furthermore incidents should be reported to authorized personnel and agencies to reduce risk as quickly as possible.

6. “Audit Trails documenting how information is processed are not appropriately created or reviewed.”

It is not just the type of information that is collected but how it is used that is restricted to protect privacy and civil liberties. Accurate audit trails are necessary to record how information is being collected, used, maintained and disclosed by an agency. Agencies should use managed data repositories to develop and review the necessary audit trails. Those audit trails can then be used to identify anomalies, determine the status of data and destroy data when it is no longer necessary.

7. “Inadequate security controls where information is collected, created, processed or maintained.”

Security controls include technical, physical and administrative safeguards. They are the primary defense against unauthorized access and use of information. Agencies should maintain inventories of their physical property including real estate and mobile devices. Stronger controls should be applied to areas of high impact or high risk. Security procedures should be reviewed regularly (at least annually) to ensure physical access is granted only to authorized individuals.

8. “Information security controls are not adequate.”

The sole purpose of information security controls is to prevent unauthorized use and access. When such controls fail, the system must be improved or replaced to be provide adequate protection to information which is guaranteed under U.S. law. Security controls should be tested annually with higher risk systems tested more frequently. Personnel that test controls should be separate from the personnel that administer the controls regularly, to allow outside enforcement. Problems and improvements should be shared among agencies to promote awareness. All common security configurations should follow NIST guidelines. Agencies must also consider how the public availability of information affects how government information is protected.

9. “Inadequate protection of information accessed or processed remotely.”

Mobile devices and the increasing use of cloud computing technologies all government employees to access government information when working away from the office. Data must be protected equally when accessed from a computer at the agency and when accessed from a mobile device. Agencies should maintain an audit log of any information accessed or processed remotely. NIST encryption methods, two factor authentication, and automatic log outs after a certain period of inactivity should be employed. Agencies should ensure personnel understand the security risks involved with remotely accessing such information and have them sign a document denoting their privacy and security responsibilities.

10. Agencies acquire information technology and information security products without incorporating appropriate security and privacy standards and guidelines.

The E-Government Act of 2002 requires that all new information security systems conduct Privacy Impact Assessments prior to use, and periodically thereafter in order to evaluate the effectiveness of the system in protecting the information it maintains. Failing to assess new technologies for their privacy protections leaves large holes in the security of the system. Agencies should include information system planning, development and maintenance in their procedures and budgets. Systems should be purchased and implemented only when found to be cost effective in adequately protecting information. Software and hardware encryption products should be used according to the NIST certified cryptographic modules.


While there are a number of regulations such as the Privacy Act of 1974, the E-Government Act of 2002, as well as the Fair Information Practice Principles which guide the use of information by the Federal Government, such regulations are not always implemented properly. Reports such as the Common Risks Impeding the Adequate Protection of Government Information are necessary to maintain an ongoing discussion regarding information privacy and security and continue to increase security protections as technologies and threats evolve.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

  • Common Risks Impeding the Adequate Protection of Government Information
  • Information Privacy Laws for U.S. Government Practice (I.C.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>