Privacy Awareness: Safeguarding PII

Slides:



Advertisements
Similar presentations
Privacy Impact Assessment Future Directions TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.
Advertisements

Privacy Reporting and Investment Certification TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.
Independent Contractor Orientation HIPAA What Is HIPAA? Health Insurance Portability and Accountability Act of 1996 The Health Insurance Portability.
Overview of the Privacy Act
U.S. Army Records Management & Declassification Agency Privacy Act/System of Records Policies.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website:
HIPAA Regulations What do you need to know?.
FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.
PII Breach Management and Risk Assessment
The Privacy Office U.S. Department of Homeland Security Washington, DC t: ; f: Safeguarding.
ROLES & RESPONSIBILITIES PRIVACY ACT (PA) SYSTEMS OF RECORDS MANAGERS.
Data Classification & Privacy Inventory Workshop
Information Security Policies and Standards
HIPAA What’s Said Here – Stays Here…. WHAT IS HIPAA  Health Insurance Portability and Accountability Act  Purpose is to protect clients (patients)
DEED WorkForce Center Reception and Resource Area Certification Program Module 2 Unit 1b: WorkForce Center System II Learning Objectives III.
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Safeguarding Personally Identifiable Information (PII) Samuel P. Jenkins Director for Privacy Defense Privacy.
New Data Regulation Law 201 CMR TJX Video.
Welcome to electronic Official Personnel Folder (eOPF) for Employees
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Privacy Foundations Samuel P. Jenkins Director for Privacy Defense Privacy and Civil Liberties Office Identity.
PRIVACY SAFEGUARDS ANNUAL TRAINING FY 2011 previous next Office of Management Privacy, Information and Records Management Services Privacy Safeguards Division.
Section Seven: Information Systems Security Note: All classified markings contained within this presentation are for training purposes only.
FISMA Privacy Reporting Requirements United States Pacific Command (USPACOM) FOIA & Privacy Act Conference Presented by Samuel P. Jenkins, Director for.
BITS Proprietary and Confidential © BITS Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.
Privacy and Security of Protected Health Information NorthPoint Health & Wellness Center 2011.
HQ Expectations of DOE Site IRBs Reporting Unanticipated Problems and Review/Approval of Projects that Use Personally Identifiable Information Libby White.
1 DEFENSE LOGISTICS AGENCY AMERICA’S COMBAT LOGISTICS SUPPORT AGENCY DEFENSE LOGISTICS AGENCY AMERICA’S COMBAT LOGISTICS SUPPORT AGENCY WARFIGHTER SUPPORT.
Section Five: Security Inspections and Reviews Note: All classified markings contained within this presentation are for training purposes only.
Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
(Compliance Training)
Update on Privacy Issues at USU October 10, 2013.
Approved for Public Release. Distribution Unlimited. 1 Government Privacy Rick Newbold, JD, MBA, CIPP/G Futures Branch 28.
Privacy Act United States Army (Managerial Training)
FOIA Processing and Privacy Awareness at NOAA Prepared by Mark H. Graff NOAA FOIA Officer OCIO/GPD (301)
For Official Use Only (FOUO) and Similar Designations NPS Security Office
HHS Security and Improvement Recommendations Insert Name CSIA 412 Final Project Final Project.
HIPAA: So You Think You’re Compliant September 1, 2011 Carolyn Heyman-Layne, J.D.
POLICIES & PROCEDURES FOR HANDLING CONFIDENTIAL INFORMATION NOVEMBER 5 TH 2015.
Properly Safeguarding Personally Identifiable Information (PII) Ticket Program Manager (TPM) Social Security’s Ticket to Work Program.
Payment Card Industry (PCI) Rules and Standards
Information Security and Privacy Office
Safeguarding CDI - compliance with DFARS
Protecting PHI & PII 12/30/2017 6:45 AM
Privacy and Security Basics for CDSME Data Collection
HIPAA Privacy & Security
Records Retention NYS Magistrates’ Association
Providing Access to Your Data: Handling sensitive data
Dining with Diabetes IRB Training 2017.
Introduction to the Federal Defense Acquisition Regulation
FOIA, Privacy & Records Management Conference 2009
FOIA, Privacy & Records Management Conference 2009
Move this to online module slides 11-56
Red Flags Rule An Introduction County College of Morris
HIPAA PRIVACY AWARENESS, COMPLIANCE and ENFORCEMENT
A+ A+ CORPORATION PRESENTS: INFORMATION TECHNOLOGY DEPARTMENT
County HIPAA Review All Rights Reserved 2002.
DoD-Internal Collections
HIPAA Privacy & Security
Lesson 1: Introduction to HIPAA
Privacy Impact Assessment (PIA) Process
General Data Protection Regulation Q & A Session
Move this to online module slides 11-56
HQ Expectations of DOE Site IRBs
HIPAA Do’s and Don'ts: What is Really Behind Protected Health Information (PHI) and Health Care Privacy Rules Paul Sisler, Director, Information Services;
PERSONALLY IDENTIFIABLE INFORMATION: AUDIT CONSIDERATIONS
Information Technology Directorate (ITD) Office of the CIO
Protecting Student Data
Presentation transcript:

Privacy Awareness: Safeguarding PII CAPT Robert Higgins, USN Director of Operations National Defense University Student Orientation Class of 2020 1

Purpose & Objectives To provide an overview of NDU’s Privacy Program and the safeguards in place for the collection, use, maintenance and dissemination of personally identifiable information (PII) on NDU Systems of Records. NDU students will be made aware of and understand: What PII is collected in NDU Systems of Records (SOR) What PII is prohibited in NDU’s on-prem and cloud IT environments What safeguards are in place to protect PII How NDU reports on PII How to request copies of your PII What to do if you suspect a PII breach 2

The Privacy Act The Privacy Act of 1974 (5 U.S.C. 552a) is the key legislation governing federal records maintained on individuals. Its four objectives are: To restrict disclosure of PII to those who need it to perform their federal duties; To grant people access to their own federal records; To provide a process to correct federal records that are inaccurate, irrelevant, or incomplete; and, To establish “fair” regulations and practices for the federal government’s collection, maintenance, use, and dissemination of PII. 3

Student PII in the NDU Environment SSNs, DOBs, Fingerprints: Used in JPAS (Clearance passing), Datamart (Transcripts), RAPIDS (CAC) Biographical, Geo-location and Non-NDU Information and Data: Turns up in profiles and posts on web and social media sites; in documents uploaded to Blackboard and O365 Passport #, GTC #, Itineraries, Student Rosters, Geo-location: Used in travel planning, execution and reimbursement activities (DTS); in documents uploaded to Blackboard and O365; in on-premises network Shared Drives; in on-premises SharePoint libraries (not processes) “What about my CAC number?” PII, but “approved for official DoD business” Source: OSD/JS Privacy Office white paper, “DoD Identification Number,” Jul 2019 EDIPI = Electronic Data Interchange-Personal Identifier (EDIPI) Use of EDIPI changed from machine-read only (not PII) to (now) access to systems, on forms, in digital signatures … typical of ID processes Threats to Student PII = Unauthorized access, aggregation, alteration, disclosure 4

Physical Safeguards for Student PII Facilities Must be locked Access controlled via physical token, door key or door code Monitored by Security personnel, paper logs, cameras Hardware Kept in locked facilities Access controlled via facility doors, physical token, and/or password Never left unattended Gov devices under hand-receipt; turned in for destruction Electronic Files Stored on secured devices; always under your control No CDs or thumb drives on gov devices Printed on secured devices while user is present; printed with PII coversheet Destroyed beyond reconstruction: overwritten, Degaussed, permanently deleted Paper Files Stored in marked folders and locked cabinets Never left unattended; faxed with PII coversheet Can be sent by secure courier Destroyed beyond reconstruction: Burned or shredded “Dumpster diving” by Security Officer 5

Technological Safeguards for Student PII Facilities Monitored by electronic access logs Access controlled via permission settings, security groups, CAC certificates Hardware Accessed via PKI certificates & authentication Devices set to “time out” (sleep, log off) Gov device use monitored; security patches kept up to date Passcode, fingerprint or facial scan used to open locked personal devices Electronic Files Stored at rest as encrypted and/or with password Emailed/transferred digitally signed and encrypted with a PII e-coversheet Access on “need to know” basis, controlled by security groups Monitored/scanned for PII by ITD Paper Files Watermarks and clearance levels printed on documents Faxing and emailing scanned hard copies requires CAC on network multi-use printers 6

Administrative Safeguards for Student PII Fed, DoD, JS & NDU Governance Baseline & Expanded Training Privacy Act of 1974 OMB Circular A-108, "Fed Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act," 2016 DoDI 5400.11 & DoD 5400.11-R, "DoD Privacy & Civil Liberties Programs," 2019 and 2007 DoDI 1000.30, "Reduction of Social Security Number (SSN) Use Within DoD," 2012 DoD Admin Instruction 81, “OSD/JS Privacy Program,” 2017 CJCSM 6510.01B, “Cyber Incident Handling Program,” 2012 NDU RMF AR-1, “NDU Governance and Privacy Program,” 2017 NDUM, “Data Usage Guidance,” 2018 NDU SAAR 2875, 2018 NDU Privacy Program Guidance Cyber Awareness Challenge course required for access to NDU IS JS annual training includes: 1. Privacy Act Awareness, 2. OPSEC, 3. Info/Records Management, 4. Derivative Classification and 5. Insider Threat SOR-specific training, by role and responsibility, for PII handlers Links to DoD’s “Safeguarding PII” and other courses on NDU Privacy Program website Transparency via DoD/JS oversight and reporting requirements 7

Reporting & Accountability Social Security Number Fraud Prevention Act Report – Documents sent via postal mail that use SSN, and justification *Annually to Congress Executive Orders 13636 and 13691 Privacy and Civil Liberties Assessments Report – Efforts to mature tech-neutral cybersecurity framework and maximize sharing of threat info with private sector *Annually to DHS Computer Matching Reports – Activities re: sharing of PII by the SORs of two or more fed agencies *Annually to DOJ and OMB Privacy and Civil Liberties Section 803 Report – SORNs, PIAs, breaches, SSN use, issuances, rule exemptions, achievements and complaints *Semi-annually to Congress via OMB Federal Information Security Modernization Act (FISMA) Report – Information security incident and data breaches *Per incident and quarterly (new) to Congress via DHS SecDef DoD Privacy & Civil Liberties Officer Chief Management Officer Senior Agency Official for Privacy (SAOP) Director of Oversight & Compliance Defense Privacy Civil Liberties & Transparency Division (DPCLTD) for OSD/JS @ Washington HQ Service (WHS) NDU Privacy Office Senior Component Officer for Privacy (SCOP) Congress or Designated Agency WHS is the designated Privacy and Civil Liberties office for OSD and the Joint Staff 8

NDU Transparency: SORNs & PIAs A System of Records (SOR): Any DoD -controlled repository of records using unique IDs SOR Notices (SORN): Descriptions of government approved SORs published in the Federal Register, as required by the Privacy Act of 1974 (5 U.S.C. 552a). NDU currently has one SORN for its USMS/DataMart system NDU SORNs are published by DPCLD at https://dpcld.defense.gov/Privacy/SORNsIndex/DOD-Component-Notices/OSDJS-Article-List/ Privacy Impact Assessments (PIA): A tool required by the E-Government Act of 2002 to identify privacy risks in programs and SORs across their lifecycle. NDU's baseline PIA is currently under review by WHS/ESD NDU PIAs are published by DPCLD at https://dpcld.defense.gov/Privacy/Privacy-Impact-Assessment/ Social Security Reduction Plan: DOD Instruction 1000.30, “Reduction of Social Security Number (SSN) Use Within DOD” requires components to evaluate how SSNs are used and to eliminate them if possible. NDU’s SSN Justification Memo for USMS/DataMart approved on 28 Jun 2019 (3 years) A new PII program/system would submit both a SORN and a PIA. Thereafter, a PIA would be submitted with any change or update. A new SORN would be submitted only if the scope of the information collection changes. 9

NDU Transparency: Privacy Act Requests Requests for Information About Your PII in NDU SORs Must be submitted IN WRITING to the OSD/JS FOIA Center Must be signed by requestor/owner of PII Must include the name and number of the applicable NDU SORN (DNDU01, September 21, 2010, 75 FR 57458) Can be faxed to (571) 372-0454 Office of the Secretary of Defense/Joint Staff FOIA Requester Service Center 1155 Defense Pentagon Washington, DC 20301-1155 Alexandria, VA 22350 Facsimile: 571-372-0454 10

Breach Reporting Who is required to report? All NDU Faculty, Staff and Students who become aware of a suspected breach What should be reported? PII posted on public-facing websites, social media sites, O365 PII sent via e-mail unencrypted or to unauthorized recipients PII hardcopies provided to individuals without a need to know or “found” without a handler Loss of electronic devices or media on which PII is stored PII used by any NDU Faculty or Staff member for unofficial business What actions are required? STOP THE LEAK as soon as possible (if you are able) REPORT IT IMMEDIATELY to your Dean of Admin/Dean of Students AND the IT Help Desk at Help-IT@ndu.edu or (202) 685-3824 What are the repercussions for NDU Students who breach PII security? At minimum, to complete a Privacy/PII refresher course and submit a certificate to their Deans Deans must report disciplinary actions to the NDU SCOP within 15 days of breach How are those affected notified? If notification is required, by mail from NDU within 10 days of the decision 11

Resources NDU’s Privacy Program: https://www.ndu.edu/About/Privacy Robert Kane Chief Operating Officer & Senior Component Official for Privacy (SCOP) Email: Robert.Kane@ndu.edu DoD Defense Privacy and Civil Liberties Division (DPCLTD) (703) 571-0070 https://dpcld.defense.gov/ DoD Inspector General FOIA/Privacy Office (703) 699-5680 http://www.dodig.mil/Programs/Privacy-Program/ 12