Receive Credit for this Course!

1 Receive Credit for this Course!
Attending in person? Sign the attendance sheet.
Attending in a conference room at another location? Location POC, please send a copy of the attendance sheet to
Attending via Webex and phone? Announce yourself at the roll call at the end of this session AND send an email to including the phone number from which you participated.

2 Protection of Sensitive Information
Summer 2013 Kat

3 Agenda
What is sensitive information?
How should you protect it?
  Use encryption
    Public Key Infrastructure (PKI)
    Data at Rest (DAR) Encryption
    Other encryption tools
  Label sensitive information appropriately
  Store sensitive information in a protected location
  Remove information that is no longer needed
  Protect sensitive information while you “Work from Anywhere”
What should you do if there is a breach?
What compliance is required under privacy regulations?
Kat

4 What is Sensitive Information?
Sensitive But Unclassified (SBU) Information
  SBU information is any information, the loss, misuse, or modification of which, or unauthorized access to, could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under the Privacy Act, but which has not been specifically authorized under criteria established by an executive order or an act of Congress to be kept secret in the interest of national defense or foreign policy. (Per Federal guidance, this type of information will be designated as Controlled Unclassified Information (CUI) in the future.)
Personally Identifiable Information (PII)
  PII is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.
Sensitive PII
  Sensitive PII is a combination of PII elements, which if lost, compromised, or disclosed without authorization could be used to inflict substantial harm, embarrassment, inconvenience, or unfairness to an individual.
Marion

5 Examples of SBU and PII
Examples of Sensitive PII
a social security number by itself, or
an individual's first name or first initial and last name in combination with any one or more types of the following information, including, but not limited to:
  social security number
  passport number
  credit card number
  home telephone number
  personal cell phone number
  clearances
  bank numbers
  biometrics
  date and place of birth
  mother's maiden name
  criminal, medical and financial records, etc.
This information may be in the form of paper, electronic, or any other media format.
Marion

6 General Protection Requirements
Secure under lock and key when not being used.
Information stored digitally (whether on workstations, private servers, or on publicly accessible systems such as certain SharePoint sites, shared folders or any publicly accessible web site) shall be encrypted.
Files and devices shall be externally marked "SENSITIVE BUT UNCLASSIFIED" with NASA Form (NF) 1686 or NF 1534 as appropriate.
When sending an email within the boundaries of NASA’s network, use NASA’s Entrust Public Key Infrastructure.
When sending an email outside the boundaries of NASA’s network, include sensitive information in an encrypted attachment only.
Hard copy documents containing SBU/PII information may be mailed in a sealed envelope (appropriately labeled inside the envelope).
Unencrypted transmission of documents containing SBU information to network printers is only permitted if the network printer and the originating computer are on an internal NASA network behind a NASA firewall.
SBU information shall be picked up from printers immediately after sending.
Marion
See NID for more information:

7 Encryption
Use Entrust, NASA’s Public Key Infrastructure (PKI) tool
  For email
  For encrypting files on your computer or portable media
How to get Entrust
  Place an IdMAX/NAMS request (search: PKI)
  Once installed, log in to Entrust every 30 days to retain Entrust access
Detailed instructions for using Entrust (for Mac and Windows machines) can be found here:
Kat

8 Encryption Use-Cases
Encrypting emails
  Emails should be encrypted when the body of the email or an attachment to the email contains PII/SBU information
  The subject of the email does not get encrypted, so DO NOT include sensitive information in the subject line
Encrypting files
  You can encrypt files on your local drive or on a shared drive so that you are the only individual who can access them
Adding individuals to encrypted files
  You can encrypt files for yourself as well as for other individuals so that those individuals will also have access to the file if it is shared via email or on a shared drive
Using encryption groups
  Encryption groups can be created in Entrust so that you can encrypt files for a set group of people in a simplified manner – versus adding each person individually to the encrypted file
Kat

9 Encrypting Emails
Select “Encrypt” icon in Email ribbon
Enter recipient’s name and press “Send”
Kat
Examples of encryption technology that might be used when corresponding with non-NASA personnel, depending on the situation: PGP, GPG, WinZip or other encryption technology that meets FIPS requirements for the appropriate algorithms.
When sending an email containing PII outside the boundaries of NASA’s information network, FIPS validated encryption mechanisms must be used. Consult with your Center CISO for appropriate encryption tools.

10 Encrypting Files (1 of 2)
Right-click on the file
Select “Encrypt file”
“Encrypt Files Wizard” will guide you through the process
Kat

11 Encrypting Files (2 of 2)
Review encryption options and select “Next”
Ensure document icon indicates that the file has been encrypted
Check “Delete the original files on finish” and click “Finish”
Kat

12 Adding Individuals to Encrypted Files (1 of 3)
Right-click on the file
Select “Encrypt file”
“Encrypt Files Wizard” will guide you through the process
Kat

13 Adding Individuals to Encrypted Files (2 of 3)
Review encryption options
Check “Encrypt the files for other people…”
Click “Next”
“Additional Recipients” window will appear
Click “Add”
Kat

14 Adding Individuals to Encrypted Files (3 of 3)
Search by individual’s name
Select the correct name and click “OK”
Added individual will show in “Additional Recipients”
When done adding people, click “Next”
Ensure document icon indicates that the file has been encrypted
Check “Delete the original files on finish” and click “Finish”
Kat

15 Using Encryption Groups (1 of 4)
Right-click on Entrust icon in the taskbar and select “Entrust Certificate Explorer”
Entrust Certificate Explorer window will open
Kat

16 Using Encryption Groups (2 of 4)
Click “File” and select “New Personal Encryption Group”
Click “Add” in the New Group window to assign members
Kat

17 Using Encryption Groups (3 of 4)
Search by individual’s name
Select the correct name and click “OK”
Repeat as necessary
Added individuals will show in the New Group window
Type desired group name
When finished, click “OK”
Kat

18 Using Encryption Groups (4 of 4)
The new group will now be visible in your Entrust Certificate Explorer menu under “Personal Encryption Groups”.
When encrypting a file, you can select the Personal Encryption Group rather than selecting each individual.
Kat

19 Encryption of Data At Rest (DAR)
DAR products encrypt the entire contents of the hard drive.
NASA has deployed Symantec PGP Desktop on all laptops.
Symantec PGP Desktop will be deployed on all desktops containing sensitive information.
  IT POCs have been asked to provide information on all relevant desktop computers.
Alternative solutions (e.g. FileVault for Mac) can be used for computers not supported by Symantec PGP Desktop, but a waiver may be required.
Marion
If the computer is lost or stolen, the contents of the hard drive are protected. The average person would not be able to access the data on the computer without the password.

20 Encryption of Data at Rest (DAR)
DAR does not take the place of Entrust PKI for encrypting individual files or for sending encrypted messages.
Email messages sent from your laptop or desktop will be unencrypted unless you use Entrust to protect the message.
Helpful link for DAR:
Marion

21 DAR – How it Works
Once the tool is set up:
  At startup, enter your password to have access to your files
  Use the computer as normal
  When you shut down your computer, the hard drive is encrypted and the data is no longer accessible
Your data is only protected if the computer is SHUT DOWN or in HIBERNATE mode!
SLEEP or LOCKED mode does not require your DAR password to start back up.
Kat

22 DAR – How it Works
DAR encryption on shared computers: multiple users can unlock the same computer.
  Authorized user enters the DAR password to unlock the computer
  New user logs into Windows using their NDC credentials
  Symantec PGP Desktop automatically enrolls the new user so they can access the DAR’d hard drive
Change your DAR password every time you change your NDC password (every 60 days). See instructions at
Kat

23 Proper Markings for SBU
All sensitive information must be labeled
  Headers and footers as part of the document
  Cover sheet for printed copies
    NF 1686 is the cover sheet for SBU information
    NF 1534 is the cover sheet for Privacy Act information
  Labels for CDs, DVDs, external hard drives, etc.
Example text for front page or footer:
  WARNING: This document is SENSITIVE BUT UNCLASSIFIED (SBU). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with NASA policy relating to SBU information and is not to be released to the public or other personnel who do not have a valid "need-to-know" without prior approval of an authorized NASA official.
Example text for footer:
  SENSITIVE BUT UNCLASSIFIED (SBU)
Marion

24 Storing Sensitive Data
Where can you store sensitive data?
  Locked office or cabinet
  Computer hard drive (if computer has working DAR encryption)
    Best practice is to encrypt individual files using Entrust.
  Encrypted USB drive
    Must be FIPS compliant
    Encrypted USB drives are available from the ACES catalog:
Marion
How do I access the ACES Product Catalog?
  1. Go to (NASA Only)
  2. Select Order Services
  3. Select Other ACES Services
  4. Select Request Now located next to APC - General Purchase
  5. Click the ACES Product Catalog link.
How do I find USB drives in the ACES Product Catalog?
  Enter the following in the Shop by area:
    Choose a Product Family: Memory
    Choose a Product Category: Flash USB Drive & Cards
    Enter the keyword “encrypt”
    Click Search

25 Storing Sensitive Data
Where can you store sensitive data?
  Shared drive? Only if encrypted.
  Sharepoint? Only if encrypted.
  Secured databases
REMOVE FILES WHEN NO LONGER NEEDED, in accordance with NASA Record Retention Schedules
Marion

26 Purging Data
Keep track of where you save files with sensitive information on your computer and remove when no longer needed.
Downloaded files
  Users often download files from databases, servers, WebMail
  The default setting at NASA is for downloaded files to be stored in the ‘Downloads’ folder (accessible through ‘Computer’ in the start menu).
  Be sure to review downloaded files – delete or encrypt those with SBU!
  OMB Memo M-07-16: “Log all computer-readable data extracts from databases holding sensitive information and verify … whether sensitive data has been erased within 90 days or its use is still required”
Kat
Databases: do the existing workflows force you to save/download data locally? If so, may need to update workflows.
Web browsers, Outlook and other programs store data in temporary files while you are working on it. Sometimes, temporary files can be left behind when you close the program. However, temporary files with sensitive information are unlikely to remain on the computer if:
  the web browser session was using encryption, e.g. SSL (look for https in URL or lock in browser window)
  the email was encrypted with Entrust
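
The review of downloaded files described on this slide can be scripted. The Python below is an added example, not NASA tooling and not part of the original presentation; the function name audit_folder, the use of an SSN-shaped pattern as a stand-in for "SBU", the 1 MB read limit and the sample files are assumptions made for illustration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# SSN-shaped strings (AAA-GG-SSSS); areas 000, 666 and 9xx are never issued.
SSN_RE = re.compile(rb"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
MAX_AGE_DAYS = 90        # review window from the OMB M-07-16 quote on the slide
SCAN_BYTES = 1_000_000   # assumption: only the first 1 MB of each file is read


def audit_folder(folder, now=None, max_age_days=MAX_AGE_DAYS):
    """Return one finding per file: age in days, SSN-like hit, suggested action."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(folder).rglob("*")):
        if not path.is_file():
            continue
        age_days = int((now - path.stat().st_mtime) // 86400)
        try:
            with path.open("rb") as fh:
                hit = SSN_RE.search(fh.read(SCAN_BYTES)) is not None
        except OSError:
            hit = None  # could not be read, so it cannot be cleared automatically
        if hit is None:
            action = "unreadable: review manually"
        elif hit and age_days > max_age_days:
            action = "overdue: delete, or justify and encrypt"
        elif hit:
            action = "sensitive: encrypt or delete"
        else:
            action = "no pattern found"
        findings.append({"file": path.name, "age_days": age_days,
                         "ssn_like": hit, "action": action})
    return findings


def demo():
    """Audit a constructed Downloads folder (all names and values are made up)."""
    now = 1_700_000_000  # fixed clock so the result is reproducible
    samples = {  # file name: (constructed content, age in days)
        "hr_extract.csv": (b"name,ssn\nJane Doe,123-45-6789\n", 120),
        "travel_form.txt": (b"Traveler SSN: 234-56-7890\n", 10),
        "agenda.txt": (b"Staff meeting, call 202-555-0100\n", 200),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, (content, days) in samples.items():
            p = Path(tmp, name)
            p.write_bytes(content)
            mtime = now - days * 86400 - 3600
            os.utime(p, (mtime, mtime))  # backdate the file
        return audit_folder(tmp, now=now)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']:<18} {f['age_days']:>4}d  {f['action']}")
```

A byte-pattern scan only sees plain text; Office documents, PDFs and archives store their content compressed, so a "no pattern found" result for those formats does not clear the file.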

27 Disposing of Hard Copies
Shred it or put it in a burn bag or locked SBU container. Call the NASA Facilities Help Desk at or put in a Facilities Help Desk ticket to get discarded documents picked up at During the HQ renovation, FASD is providing more frequent pickups of burn bags or containers on request. Marion

28 Working from Anywhere
Bring your laptop only if
  DAR encryption software is installed and active (computer is shut down or in hibernate mode)
  The laptop is on your person or locked in a car trunk during transit
  No unauthorized persons access it
Don’t put NASA data on your home computer.
  If accessing Web Mail from your home computer, don’t download files with sensitive information.
Ensure that your files and laptop are physically protected at all times.
Don’t plug NASA USB/flash drives into your home computer.
Don’t plug personal USB/flash drives into your NASA computer.
Marion

29 What to do in case of a Breach
Report all PII breaches, whether suspected or confirmed, immediately to:
  NASA SOC (If your computer contains PII, be sure to inform the SOC technician who answers your call)
    1-877-NASA-SEC ( )
  Center Privacy Manager
Work with HQ Incident Response Team to determine what happened, extent of breach, impact, mitigation actions, etc.
Participate in Breach Response Team (BRT), if applicable.
Marion

30 Privacy Compliance Requirements
Collections
Privacy and CUI Assessment Tool (PCAT)
Privacy Act of 1974 (PA)
Children’s Online Privacy Protection Act (COPPA)
Paperwork Reduction Act (PRA)
Records Management
Marion

31 What are “Collections”?
From the privacy perspective, any holding of information is considered a collection.
This includes:
  Applications
  Websites
  Information systems
  Cloud systems
  Paper records
  Other electronic records
The NASA official responsible for any collection of such information is the “collection owner.”
Marion

32 What are the Requirements?
Regardless of whether or not PII is collected, an Initial Privacy Threshold Analysis (IPTA) must be conducted in PCAT for each application, website, information system or collection of information to determine what, if any, privacy requirements are applicable.
  IPTAs require approval from the collection owner and Center Privacy Manager
Generally, information collections on members of the public require a Privacy Impact Assessment (PIA)
  PIAs require approval from the collection owner, Center Privacy Manager, Agency Privacy Program Manager, and Agency Chief Information Officer
  PIAs will be published online – available to the public
As outlined in NPR , NASA may only collect/maintain the minimum necessary information about individuals which is relevant and necessary to accomplish a NASA purpose
Marion

33 PCAT
Marion
The PCAT tool will walk you through the Initial Privacy Threshold Analysis. Depending on how you answer the questions, it will guide you on how to address the requirements of various regulations.
NASA requires an Initial Privacy Threshold Analysis (IPTA) to be conducted on all applications, websites and information collections. The IPTA is a brief pre-assessment done to determine if each collection will require a full Privacy Impact Assessment (PIA) or not. This initial assessment and the overall PIA (if required) are both accomplished through the NASA Privacy and CUI Assessment Tool (PCAT) at

34 Privacy Act of 1974 (PA)
The Privacy Act of 1974 governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by Federal Agencies.
System of Records (SOR)
  A group of any records under the control of any agency from which information is routinely retrieved by
    The name of the individual
    Some identifying number, symbol, or other assigned individual identifier
Requirement: SOR must be covered by a System of Records Notice (SORN) published in the Federal Register
  Published NASA SORNs are listed at
Marion

35 Children’s Online Privacy Protection Act (COPPA)
The primary goal of COPPA is to place parents in control over what information is collected from their young children online.
COPPA was designed to protect children under age 13 while accounting for the dynamic nature of the Internet.
COPPA applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.
Requirement: COPPA requires websites that target or solicit information from children and collect PII to provide conspicuous notice of the information collection practices, verifiable parental consent, and access.
Marion

36 Paperwork Reduction Act (PRA)
The purpose of the PRA is to ensure that federal agencies do not overburden the public with federally sponsored data collections.
PRA is triggered when information is collected in a standard way from 10 or more persons who are members of the public, NASA contractors, grantees, or other non-NASA personnel.
  This applies regardless of whether the information collection is voluntary or mandatory
Requirement: OMB clearance is required for any collections that fall under PRA. Collection owner should work with the Agency PRA Officer to obtain an OMB approval number.
Marion

37 Records Management
A collection contains federal records if:
  It contains word-processing files, databases, photographs, maps, drawings, sound recordings, or materials in other forms that contain information regarding the conduct of NASA business; or,
  It contains data in any of the above formats that constitutes information created by NASA activities and that is of value in and of itself to the engineering, scientific, academic and business communities within and outside of NASA.
If a collection contains federal records, there may be specific retention and disposal guidelines that must be followed.
Requirement: Work with Center Records Manager to identify specific retention schedule and ensure all records are maintained in accordance with it.
Marion

38 Next Steps
All collections owners should initiate an IPTA in PCAT for each collection of information
  This will determine which additional privacy requirements are applicable
Additional organization-specific training for PCAT is available
  Contact HQ CPM or CPM Support
Marion

39 SBU Protection Summary
DO
  Encrypt SBU data prior to or upon any transmission electronically
  Store SBU data encrypted on any mobile devices or media
  Store SBU data in locked containers when not attended
  Destroy SBU data according to current guidelines when no longer required to ensure non-recoverability
  Start an IPTA for any “collection” of which you are the owner
DO NOT
  Leave SBU data unattended on desktops
  Leave SBU data visible on commonly viewable computer screens
  Relay SBU data via phone where you can be easily overheard
  Leave SBU data on back seats, floorboards or otherwise visible locations in your Government or privately owned vehicle
  Leave SBU data unattended at airports, bus or train stations
  Dispose of SBU data in common trash or recycling receptacles.
Kat

40 Contacts
HQ Chief Information Security Officers (CISO)
  Marion Meissner (also HQ Center Privacy Manager)
  Aaron Goad (also HQ Incident Response Manager)
HQ Center Privacy Manager Support
  Angela Craig
NASA Privacy Programs Manager
  Bryan McCall
Kat

41 Contacts (cont’d)
NASA Privacy Act Officer
  Patti Stockman
NASA PRA Officer
  Fran Teel
HQ Records Manager
  Pat Southerland
Kat

42 Governance for Privacy
Privacy information is officially a subset of information which falls under SBU. NASA collects, stores, maintains and/or transmits Privacy information from various sources (government and private sector), resulting in our being obligated by law to comply with numerous privacy-specific Federal laws, policies and government-wide regulations.
Privacy Related Federal Laws, Policies and Guidelines:
NASA privacy policy and procedures (NPD H and NPR ) are developed from privacy-specific Federal laws, statutes, government-wide policy and Office of Management and Budget (OMB) memoranda. Examples are listed below, though this is not an all-inclusive list:
  Privacy Act of 1974
  Freedom of Information Act (FOIA) – 1974
  Section 208 of the E-Government Act of 2002
  National Institute of Standards and Technology (NIST) Special Publication , Rev. 4, Appendix J, Privacy Control Catalog (Appendix J.a. is under development and coming soon!)
  Federal OCIO Council Privacy Best Practices: from the Elements of a Federal Privacy Program
  A multitude of Office of Management and Budget (White House) Memoranda: M M M M M Circular A-130 M M M M M Circular A-11 M M M M M-11-33 M M M M-10-15
Kat

43 Useful Links PCAT (
Privacy requirements are further described in ITS‐HBK‐ ‐0: Privacy Risk Management and Compliance – Collections, PIAs, and SORNs (https://nodis- _Docs/ITS-HBK_1382_03-01_.pdf) NPR D: NASA Records Retention Schedule ( Kat

44 NASA Policy Reference
ITS-HBKs (1382 Series Handbooks) have been developed to provide a logical breakdown and focused subject matter reference material all derived from NPR A. They individually address the various aspects of the aforementioned policy and procedures in a much more focused, digestible and easily updated document, available through PCAT or NODIS.
  NITR : NASA Rules and Consequences to Safeguarding PII (Will be cancelled by ITS-HBK upon release of NPR A)
  ITS-HBK : Privacy and Information Security: Overview
  ITS-HBK : Privacy Accountability: Overview
  ITS-HBK : Privacy Notice and Redress: Web Privacy & Written Notice, Complaints, Access and Redress
  ITS-HBK : Privacy Awareness and Training: Overview
  ITS-HBK : Privacy Rules of Behavior and Consequences: Overview
  ITS-HBK : Privacy Risk Management and Compliance: Collections, PIAs and SORNs
  ITS-HBK : Privacy Incident Response and Management: Breach Response Team Checklist
  ITS-HBK : Privacy Goals and Objectives
  ITS-HBK : Privacy Risk Management and Compliance: Annual Reporting Procedures for Reviewing and Reducing PII and Eliminating the Unnecessary Use of SSN
Additional Policy documents:
  ITS-NITR , NASA Rules and Consequences to Safeguarding PII, with Change 1, dated 02/04/2008
  NID 5.24 Sensitive but Unclassified (SBU) Controlled Information, NID
  NPR A, Security of Information Technology (Revalidated with Change 1, dated May 19, 2011)
  NASA Administrator’s Memo on “Protection of Sensitive Agency Information,” dated 4/3/12
Kat

45 Questions…
