DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE
Safeguarding Personally Identifiable Information (PII)
Samuel P. Jenkins
Director for Privacy
Defense Privacy and Civil Liberties Office
Purpose
The purpose of this presentation is to provide a summary of the administrative, physical, and technical safeguards that are applicable to systems that collect, use, maintain, or disseminate personally identifiable information (PII).
Objectives
Upon completion of this presentation, you should be able to:
• Understand the role of safeguards that should be applied to systems of records (SORs).
• Explore the physical, technical, and administrative safeguards for protecting PII.
• Define the role of Privacy Impact Assessments and SORNs in safeguarding PII.
Privacy Act and Safeguards
The Privacy Act of 1974 requires agencies to:
• Establish Rules of Conduct.
• Establish Safeguards.
• Maintain accurate, relevant, timely, and complete information.
Privacy Act and Safeguards
Safeguards are used to protect agencies from “reasonably anticipated threats.”
Threats may cause harm, embarrassment, inconvenience, or unfairness.
Threats to personal information include:
• Unauthorized access.
• Unauthorized alteration.
• Unauthorized disclosure.
Privacy Act and Safeguards
Safeguards should be tailored to the:
• Size and sensitivity of each system.
• System-specific vulnerabilities.
Types of Safeguards:
• Administrative.
• Physical.
• Technical.
Physical Safeguards
• Paper records should be stored in locked cabinets.
• Records being faxed or mailed should have a coversheet.
• Facilities handling PII should be access controlled and hardware should be locked up.
• Never leave files, storage media, or computers unattended or in vehicles.
Physical Safeguards
Records Disposal – Retirement or deletion of a record does not obviate the need for safeguards.
• Must render discarded information unrecognizable and beyond reconstruction.
• Destruction should be tailored to the type of media involved.
  ○ Paper – burn, shred.
  ○ Electronic – overwrite, degauss, incinerate.
Technical Safeguards
Security Requirements include:
• Encryption.
• Control Remote Access.
• Time-Out Function.
• Log and Verify.
• Ensure Understanding of Responsibilities.
Technical Safeguards
• Ensure all emails with PII are encrypted and that all recipients have a ‘need to know.’
• Ensure records are access controlled.
• PII on shared drives should only be accessible to people with a ‘need to know.’
• Ensure Social Security numbers (including the last 4) are not posted on public facing websites.
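The public-facing-website control above can be checked by scanning page content for SSN patterns, including bare “last four” disclosures that a full-SSN pattern would miss. This is an added example, not code from the presentation; the sample page, the keyword list, and the 40-character context window are constructed assumptions.

```python
import re

# Full SSN in ddd-dd-dddd form (dashes or spaces), not embedded in a longer digit run.
FULL_SSN = re.compile(r"(?<!\d)(\d{3})[-\s]?(\d{2})[-\s]?(\d{4})(?!\d)")

# A bare 4-digit number within 40 non-digit characters after an SSN-related keyword
# (assumed keyword list), which catches "last four" disclosures the full pattern misses.
LAST4_CONTEXT = re.compile(
    r"(?:ssn|social\s+security|last\s+(?:4|four))[^\d]{0,40}(?<!\d)(\d{4})(?!\d)",
    re.IGNORECASE,
)

def plausible_ssn(area, group, serial):
    """Reject number shapes the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)

def strip_tags(html):
    """Crude tag removal: enough for scanning rendered text, not a full HTML parser."""
    return re.sub(r"<[^>]+>", " ", html)

def scan_page(html):
    """Return findings sorted by offset; values are redacted so the report never carries a full SSN."""
    text = strip_tags(html)
    findings = []
    for m in FULL_SSN.finditer(text):
        area, group, serial = m.groups()
        if plausible_ssn(area, group, serial):
            findings.append({"kind": "full_ssn", "value": "***-**-" + serial, "offset": m.start()})
    for m in LAST4_CONTEXT.finditer(text):
        findings.append({"kind": "last4", "value": "***-**-" + m.group(1), "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])

# Constructed sample page; none of these numbers are real.
SAMPLE_HTML = """
<html><body>
<h1>Directory (constructed sample)</h1>
<p>Jane Q. Public, SSN: 219-09-9999, office 4-1234</p>
<p>John Doe, Social Security last four: 4321</p>
<p>Order number 000-12-3456 (area 000 is never issued)</p>
<p>Phone: 703-555-0100</p>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_HTML):
        print(f"{f['kind']:9s} {f['value']} at offset {f['offset']}")
```

Pointing `scan_page` at exported site content before publication flags both full numbers and keyword-adjacent last-four fragments, while the order number and phone number pass through untouched.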
Admin Safeguards – Policies
Agencies must have policies in place for PII handling, specifically defining:
• Affected Individuals.
• Affected Actions.
• Consequences.
Admin Safeguards – Training
Agencies are responsible for ensuring that staff handling PII are adequately trained:
• Training must be commensurate with an individual’s responsibilities.
• Training will be a prerequisite before access to DoD systems is permitted.
• Such training is mandatory for affected DoD personnel and contractors.
Admin Safeguards – Training
Components shall ensure receipt of Privacy Act training, such as:
• Orientation Training.
• Specialized Training.
• Management Training.
• Privacy Act Systems of Records Training.
Admin Safeguards – Training
Annual Refresher Training.
• Provided to ensure personnel’s continued understanding of their responsibilities.
• All personnel with authorized access to PII shall annually acknowledge their understanding.
Admin Safeguards – Training
DoD Components shall expand their training materials and program(s) to include specific privacy and security awareness segments.
Admin Safeguards – Breach Handling
Existing Requirements:
• FISMA Requirements.
• Incident Handling and Response Mechanism.
OMB M-07-16 modified breach reporting rules.
Modified Agency Reporting Requirements:
• US-CERT Modification.
• Develop and Publish a Routine Use.
  ○ Effective Response.
  ○ Disclosure of Information.
Admin Safeguards – Breach Handling
Breach Notification: Criteria to Consider:
• Whether Breach Notification is Required.
• Timeliness of the Notification.
• Source of the Notification.
• Contents of the Notification.
• Means of Providing Notification.
• Who Receives Notification: Public Outreach in Response to a Breach.
Admin Safeguards – Review & Report
Under the Federal Information Security Management Act (FISMA) agencies must:
• Review PII holdings & report to Congress annually.
• Review and reduce the volume of PII.
• Specifically, Agencies Must Reduce the Use of Social Security Numbers.
  ○ Eliminate Unnecessary Use.
  ○ Explore Alternatives.
Admin Safeguards – Review & Report
As part of FISMA privacy reporting, DoD Components are required to:
• Confirm that they have established, or are in the process of establishing, PII review plans; or
• Provide a schedule for periodically updating their review of their holdings.
It is DoD policy that:
• All automated systems containing PII are registered in the Defense Information Technology Portfolio Repository (DITPR).
Admin Safeguards – Review & Report
It is DoD policy that (continued):
• Updates to OMB are designed so that:
  ○ IT systems with PII are reviewed on the same cycle as the Defense Information Assurance Certification and Accreditation Process (DIACAP).
  ○ PIA/SORNs are reviewed at least once every two years.
• Components shall report results to DPCLO on the FISMA schedule.
Privacy Impact Assessments (PIA) & System of Records Notices (SORN)
Admin Safeguards – PIAs & SORNs
A Privacy Impact Assessment (PIA) is an analysis of how information is handled to:
• Ensure handling conforms to applicable legal, regulatory, and policy requirements.
• Determine the risks and effects of collecting, using, maintaining, and disseminating PII in an electronic information system, and
• Mitigate potential privacy risks.
Source: OMB 03-22 (9/26/2003), EGOV 208(b)
Admin Safeguards – PIAs & SORNs
A PIA is required when PII is collected from:
• Existing information systems and electronic collections where a PIA has not previously been completed and that collect PII about Federal personnel and contractors.
• New information systems or electronic collections:
  ○ Prior to developing or purchasing; and
  ○ When converting paper records to electronic systems.
Admin Safeguards – PIAs & SORNs
A PIA is not required when the information system or electronic collection:
• Does not collect, maintain or disseminate personal identifying information.
• Is a National Security System (including systems that process classified information).
Admin Safeguards – PIAs & SORNs
What is a SORN?
• A SORN is a public notice of an agency’s intent to collect & retrieve PII in a SOR.
• SORNs include:
  ○ The safeguards that will be applied to the system.
  ○ The who, what, why, and where of the system.
  ○ Processes for access and correction of records.
• A SORN must be published in the Federal Register before a system can begin to collect PII.
PIA/SORN Crosswalk
Privacy Impact Assessment (PIA)/System of Record Notice (SORN) Essential Elements Crosswalk

PIA                                                          SORN
What privacy information is collected                        Categories of Records in the System
Why the information is collected                             Authority/Purpose(s)
What the intended uses are for the information               Purpose(s)
With whom the information is shared                          Routine Uses
What opportunities individuals have to decline to provide PII  Privacy Act Statement/Notification procedure
How information is secured                                   Safeguards
What privacy risks need to be addressed                      Narrative Statement/Probable or potential effects on the privacy of individuals
Whether a System of Records Notice (SORN) exists             (Not applicable)
PIA/SORN Crosswalk
PRIVACY IMPACT ASSESSMENT (PIA)
DoD Information System/Electronic Collection Name:
DoD Component Name:
SECTION 4: REVIEW AND APPROVAL SIGNATURES
Prior to the submission of the PIA for review and approval, the PIA must be coordinated by the Program Manager or designee through the Information Assurance Manager and Privacy Representative at the local level.
• Program Manager or Other Official Signature (to be used at Component discretion)
• Component Senior Information Assurance Officer Signature or Designee
• Component Privacy Officer Signature
• Component CIO Signature (Reviewing Official)
Source: DD Form 2930
Critical Privacy – Security Interface
PRIVACY: Focused on meeting the information requirements of the Agency while ensuring the protection of the rights of the individual in the collection, use and dissemination of PII.
SECURITY: Focused on protecting the information and information systems supporting the operations and assets of an organization.
Privacy’s success is dependent on establishment of a basic foundation for information security.
Source: NIST Draft Guide to Protecting the Confidentiality of (PII) (1/09)
Summary
You should now be able to:
• Understand the role of safeguards that should be applied to systems of records (SORs).
• Explore the physical, technical, and administrative safeguards for protecting PII.
• Define the role of Privacy Impact Assessments and SORNs in safeguarding PII.
Resources
• DoD 5400.11-R, Department of Defense Privacy Program, May 14, 2007.
• OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007.
• DoD Implementation: Safeguarding Against and Responding to the Breach of Personally Identifiable Information (PII), June 5, 2009.
• DD Form 2930, “Privacy Impact Assessment (PIA),” 2008.
• OSD Memorandum 13798-10, “Social Security Numbers Exposed on Public Facing & Open Government Websites.”
Congratulations!
You have completed your Personally Identifiable Information (PII) Training.

PRINT GIVEN NAME (No Nicknames):
SIGNATURE:
COMPLETION DATE:
NAF EMPLOYEE ID NUMBER:
Fill in the required information above and get this certificate to your Department Training Liaison.
By signing and submitting this certificate, I certify that I have read and understand the content in the training presentation.