1
Panel Discussion on Identity Theft and PII
Facilitated by Barry West, CIO, Department of Commerce
–Panelists: Kenneth Mortensen, DOJ; Marc Groman, FTC; Hillary Fielden, OPM; David Jarrell, Department of Commerce
October 9, 2007
If graphics are not accessible, please go to the notes page for further explanation.
2
2007 Federal IT Summit, October 9, 2007
Hillary Fielden, hfielden@omb.eop.gov
Policy Analyst, Privacy lead, Office of Management and Budget
3
Privacy FAQ
M-07-16 requires agencies to report all incidents involving PII to US-CERT within one hour of discovery / detection. This reporting requirement does not distinguish between potential and confirmed breaches.
–Is OMB going to revise this reporting requirement?
–Why is the reporting requirement a one hour timeframe?
–Why does the requirement encompass suspected breaches as well as confirmed ones?
4
Privacy FAQ
M-07-16 defines PII as “information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
–Is this the only definition of PII?
–Is this definition limited to the context of breach notification?
–Should my agency develop its own definition of PII?
–Will other definitions for PII be developed in the future?
5
Privacy FAQ
M-07-16 includes several security and privacy requirements.
–Are agencies required to implement all of them?
–Have agencies implemented all of them?
6
Privacy FAQ
–Will Federal agencies be prohibited from collecting or using SSN? Or, is the Federal government phasing out use of the SSN?
–How do we determine whether the collection or use of SSN is necessary or unnecessary?
7
Marc Groman, Chief Privacy Officer, Federal Trade Commission
October 9, 2007, Federal IT Summit
8
Inventory
–Inventory of Systems
–Checklist for Employees
–PII Questionnaire for Systems Managers
–Inventory of Critical Data
9
Education and Training
11
Compliance
12
Incident Response
I. Introduction and Overview
II. Definitions and Purposes of the Breach Notification Plan
III. Breach Notification Response Team Membership
IV. Taking Steps to Control the Breach
V. Reporting of Incidents
VI. Initial Response to Breaches
VII. Identity Theft Risk Analysis
VIII. Analysis of Other Likely Harms
IX. Identity Theft Response
X. Notification of Individuals
XI. Notification to Third Parties
XII. Documentation of Breach Notification Response
XIII. Evaluation of Breach Response
13
Federal IT Summit
Marc Groman, Chief Privacy Officer, Federal Trade Commission
October 9, 2007
14
FEDERAL CIO SUMMIT
Office of the Chief Information Officer
October 9, 2007
15
Commerce Mission
Census Bureau
–Collect, analyze, and disseminate demographic and economic data about citizens, businesses,…
Patent and Trademark Office
–Applicant information and intellectual property
NOAA
–License application data
Bureau of Industry and Security
–Export license applications and requests
Just to mention a few…
“to foster, promote, and develop the foreign and domestic commerce”
16
Preparedness for PII
Commerce is serious about its responsibility to safeguard PII data. To ensure this:
–IT Security Awareness Training includes a focus on PII
–Reporting process includes Bureau/Office CIRT, DOC CIRT, US-CERT, FedCIRC, law enforcement, and the Inspector General
–Executive Management Team meets and discusses PII-related matters routinely: proactive in addition to reactive
–Policy on laptops, thumb drive usage, FIPS 140-2 encryption on all laptops
–Waiver process for any deviation from PII policy and controls, including the countermeasure put in place to allow the change
–Department’s ID Theft Task Force convened any time a moderate- or high-risk PII loss occurs, to implement a risk-based, tailored response to each breach in a timely manner
–Breach Notification Response Plan: the plan details a prompt and proper response to protect PII entrusted to Commerce
17
Commerce Breach Notification Work Flow Matrix
18
Commerce PII Risk Analysis Matrix
19
Evolving PII Issues
Policy changes, software and hardware tools
–also a change in the business model: do we need to even collect certain data, e.g., SSNs?
HSPD-12 and PIV potential issues
Decennial Census 2010
New PII issues: what have we not imagined yet?
20
Dave Jarrell, djarrell@doc.gov
FEDERAL CIO SUMMIT