1 Receive Credit for this Course! Attending in Person? –Sign the attendance sheet Attending in a conference room at another location? –Sign the attendance sheet –Location POC, please send a copy of the attendance sheet to Attending via Webex and phone? –Announce yourself at the roll call at the end of this session AND –Send an to including the phone number from which you
Protection of Sensitive Information Summer 2013
3 Agenda What is sensitive information? How should you protect it? –Use encryption Public Key Infrastructure (PKI) Data at Rest (DAR) Encryption Other encryption tools –Label sensitive information appropriately –Store sensitive information in a protected location –Remove information that is no longer needed –Protect sensitive information while you “Work from Anywhere” What should you do if there is a breach? What compliance is required under privacy regulations?
4 What is Sensitive Information? Sensitive But Unclassified (SBU) Information SBU information is any information, the loss, misuse, or modification of which, or unauthorized access to, could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under the Privacy Act, but which has not been specifically authorized under criteria established by an executive order or an act of Congress to be kept secret in the interest of national defense or foreign policy. (Per Federal guidance, this type of information will be designated as Controlled Unclassified Information (CUI) in the future.) Personally Identifiable Information (PII) PII is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. Sensitive PII Sensitive PII is a combination of PII elements, which if lost, compromised, or disclosed without authorization could be used to inflict substantial harm, embarrassment, inconvenience, or unfairness to an individual.
5 Examples of SBU and PII Examples of Sensitive PII –a social security number by itself, or –an individual's first name or first initial and last name in combination with any one or more types of the following information, including, but not limited to: social security number; passport number; credit card number; home telephone number; personal cell phone number; clearances; bank numbers; biometrics; date and place of birth; mother's maiden name; criminal, medical and financial records, etc. This information may be in the form of paper, electronic, or any other media format.
6 General Protection Requirements Secure under lock and key when not being used. Information stored digitally (whether on workstations, private servers, or on publicly accessible systems such as certain SharePoint sites, shared folders or any publicly accessible web site) shall be encrypted. Files and devices shall be externally marked "SENSITIVE BUT UNCLASSIFIED" with NASA Form (NF) 1686 or NF 1534 as appropriate. When sending an email within the boundaries of NASA’s network, use NASA’s Entrust Public Key Infrastructure. When sending an email outside the boundaries of NASA’s network, include sensitive information in an encrypted attachment only. Hard copy documents containing SBU/PII information may be mailed in a sealed envelope (appropriately labeled inside the envelope). Unencrypted transmission of documents containing SBU information to network printers is only permitted if the network printer and the originating computer are on an internal NASA network behind a NASA firewall. SBU information shall be picked up from printers immediately after sending.
7 Encryption Use Entrust, NASA’s Public Key Infrastructure (PKI) tool –For email –For encrypting files on your computer or portable media How to get Entrust –Place an IdMAX/NAMS request (search: PKI) –Once installed, log in to Entrust every 30 days to retain Entrust access Detailed instructions for using Entrust (for Mac and Windows machines) can be found here:
8 Encryption Use-Cases
1. Encrypting emails: Emails should be encrypted when the body of the email or an attachment to the email contains PII/SBU information. The subject of the email does not get encrypted, so DO NOT include sensitive information in the subject line.
2. Encrypting files: You can encrypt files on your local drive or on a shared drive so that you are the only individual who can access them.
3. Adding individuals to encrypted files: You can encrypt files for yourself as well as for other individuals so that those individuals will also have access to the file if it is shared via email or on a shared drive.
4. Using encryption groups: Encryption groups can be created in Entrust so that you can encrypt files for a set group of people in a simplified manner, versus adding each person individually to the encrypted file.
9 Encrypting Emails Select “Encrypt” icon in ribbon Enter recipient’s name and press “Send” When sending an email containing PII outside the boundaries of NASA’s information network, FIPS validated encryption mechanisms must be used. Consult with your Center CISO for appropriate encryption tools.
10 Encrypting Files (1 of 2) Right-click on the file Select “Encrypt file” “Encrypt Files Wizard” will guide you through the process
11 Encrypting Files (2 of 2) Review encryption options and select “Next” Ensure document icon indicates that the file has been encrypted Check “Delete the original files on finish” and click “Finish”
12 Adding Individuals to Encrypted Files (1 of 3) Right-click on the file Select “Encrypt file” “Encrypt Files Wizard” will guide you through the process
13 Adding Individuals to Encrypted Files (2 of 3) Review encryption options Check “Encrypt the files for other people…” Click “Next” “Additional Recipients” window will appear Click “Add”
14 Adding Individuals to Encrypted Files (3 of 3) Search by individual’s name Select the correct name and click “OK” Added individual will show in “Additional Recipients” When done adding people, click “Next” Ensure document icon indicates that the file has been encrypted Check “Delete the original files on finish” and click “Finish”
15 Using Encryption Groups (1 of 4) Right-click on Entrust icon in the taskbar and select “Entrust Certificate Explorer” Entrust Certificate Explorer window will open
16 Using Encryption Groups (2 of 4) Click “File” and select “New Personal Encryption Group” Click “Add” in the New Group window to assign members
17 Using Encryption Groups (3 of 4) Search by individual’s name Select the correct name and click “OK” Repeat as necessary Added individuals will show in the New Group window Type desired group name When finished, click “OK”
18 Using Encryption Groups (4 of 4) The new group will now be visible in your Entrust Certificate Explorer menu under “Personal Encryption Groups” When encrypting a file, you can select the Personal Encryption Group rather than selecting each individual
19 Encryption of Data At Rest (DAR) DAR products encrypt the entire contents of the hard drive. NASA has deployed Symantec PGP Desktop on all laptops. Symantec PGP Desktop will be deployed on all desktops containing sensitive information. IT POCs have been asked to provide information on all relevant desktop computers. Alternative solutions (e.g. FileVault for Mac) can be used for computers not supported by Symantec PGP Desktop but a waiver may be required.
20 Encryption of Data at Rest (DAR) DAR does not take the place of Entrust PKI for encrypting individual files or for sending encrypted email messages. Email messages sent from your laptop or desktop will be unencrypted unless you use Entrust to protect the message. Helpful link for DAR:
21 DAR – How it Works Once the tool is set up: –At startup, enter your password to have access to your files –Use the computer as normal –When you shut down your computer, the hard drive is encrypted and the data is no longer accessible Your data is only protected if the computer is SHUT DOWN or in HIBERNATE mode! SLEEP or LOCKED mode does not require your DAR password to start back up.
22 DAR – How it Works DAR encryption on shared computers: multiple users can unlock the same computer. –Authorized user enters the DAR password to unlock the computer –New user logs into Windows using their NDC credentials –Symantec PGP Desktop automatically enrolls the new user so they can access the DAR’d hard drive Change your DAR password every time you change your NDC password (every 60 days). See instructions at
23 Proper Markings for SBU All sensitive information must be labeled –Headers and footers as part of the document –Cover sheet for printed copies NF 1686 is the cover sheet for SBU information NF 1534 is the cover sheet for Privacy Act information –Labels for CDs, DVDs, external hard drives, etc. Example text for front page or footer: WARNING: This document is SENSITIVE BUT UNCLASSIFIED (SBU). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with NASA policy relating to SBU information and is not to be released to the public or other personnel who do not have a valid "need-to-know" without prior approval of an authorized NASA official. Example text for footer: SENSITIVE BUT UNCLASSIFIED (SBU)
24 Storing Sensitive Data Where can you store sensitive data? –Locked office or cabinet –Computer hard drive (if computer has working DAR encryption) Best practice is to encrypt individual files using Entrust. –Encrypted USB drive Must be FIPS compliant Encrypted USB drives are available from the ACES catalog:
How do I access the ACES Product Catalog?
1. Go to https://esd.nasa.gov (NASA Only)
2. Select Order Services
3. Select Other ACES Services
4. Select Request Now located next to APC - General Purchase
5. Click the ACES Product Catalog link.
How do I find USB drives in the ACES Product Catalog? Enter the following in the Shop by area: Choose a Product Family: Memory; Choose a Product Category: Flash USB Drive & Cards; Enter the keyword “encrypt”; Click Search
25 Storing Sensitive Data Where can you store sensitive data? –Shared drive? Only if encrypted. –SharePoint? Only if encrypted. –Secured databases REMOVE FILES WHEN NO LONGER NEEDED, in accordance with NASA Record Retention Schedules
26 Purging Data Keep track of where you save files with sensitive information on your computer and remove when no longer needed. Downloaded files –Users often download files from databases, servers, WebMail –The default setting at NASA is for downloaded files to be stored in the ‘Downloads’ folder (accessible through ‘Computer’ in the start menu). Be sure to review downloaded files – delete or encrypt those with SBU! OMB Memo M-07-16: “Log all computer-readable data extracts from databases holding sensitive information and verify … whether sensitive data has been erased within 90 days or its use is still required”
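The Downloads review described on this slide, as an added Python example that is not part of the original presentation or any NASA tool: it flags unencrypted files containing SSN-shaped values and marks those older than the 90-day window quoted from OMB M-07-16. The function names, the encrypted-file suffix list and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

REVIEW_DAYS = 90  # review window quoted from OMB M-07-16 on the slide
# SSN-shaped value (ddd-dd-dddd); an SSN by itself counts as Sensitive PII.
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# Assumption: encrypted copies are recognised by file suffix (hypothetical list).
ENCRYPTED_SUFFIXES = {".ent", ".pgp"}


def review_folder(folder, now=None, max_bytes=1_000_000):
    """List unencrypted files that contain SSN-shaped values, with their age."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(folder).rglob("*")):
        if not path.is_file() or path.suffix.lower() in ENCRYPTED_SUFFIXES:
            continue
        with path.open("rb") as fh:
            hits = len(SSN_RE.findall(fh.read(max_bytes)))
        if not hits:
            continue
        age_days = int((now - path.stat().st_mtime) // 86400)
        findings.append({
            "file": path.name,
            "ssn_hits": hits,
            "age_days": age_days,
            # Past the window: confirm the data is still required, else erase it.
            "overdue": age_days > REVIEW_DAYS,
        })
    return findings


def demo():
    """Review a constructed sample folder (all file contents are made up)."""
    now = time.time()
    samples = {  # name -> (content, age in days)
        "roster_export.csv": (b"name,ssn\nJane Doe,078-05-1120\n", 120),
        "travel_form.txt": (b"Traveler SSN: 219-09-9999\n", 5),
        "lunch_menu.txt": (b"Call 202-555-0100 to order\n", 200),
        "roster_export.csv.ent": (b"\x8f\x02opaque ciphertext", 120),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, (data, age) in samples.items():
            path = Path(tmp) / name
            path.write_bytes(data)
            stamp = now - age * 86400 - 3600  # extra hour avoids day-edge rounding
            os.utime(path, (stamp, stamp))
        return review_folder(tmp, now=now)


if __name__ == "__main__":
    for finding in demo():
        action = ("verify still required or erase" if finding["overdue"]
                  else "delete or encrypt when done")
        print(f'{finding["file"]}: {finding["ssn_hits"]} hit(s), '
              f'{finding["age_days"]} days old -> {action}')
```

The match is on plain bytes only, so compressed formats such as .docx or .xlsx need to be unpacked before a scan like this can see their contents.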
27 Disposing of Hard Copies Shred it or put it in a burn bag or locked SBU container. Call the NASA Facilities Help Desk at or put in a Facilities Help Desk ticket to get discarded documents picked up at https://fhds.hq.nasa.gov. During the HQ renovation, FASD is providing more frequent pickups of burn bags or containers on request.
28 Working from Anywhere Bring your laptop only if –DAR encryption software is installed and active (computer is shut down or in hibernate mode) –The laptop is on your person or locked in a car trunk during transit –No unauthorized persons access it Don’t put NASA data on your home computer. –If accessing Web Mail from your home computer, don’t download files with sensitive information. Ensure that your files and laptop are physically protected at all times. Don’t plug NASA USB/flash drives into your home computer. Don’t plug personal USB/flash drives into your NASA computer.
29 What to do in case of a Breach Report all PII breaches, whether suspected or confirmed, immediately to: NASA SOC (If your computer contains PII, be sure to inform the SOC technician who answers your call) NASA-SEC ( ) Center Privacy Manager Work with HQ Incident Response Team to determine what happened, extent of breach, impact, mitigation actions, etc. Participate in Breach Response Team (BRT), if applicable.
30 Privacy Compliance Requirements Collections Privacy and CUI Assessment Tool (PCAT) Privacy Act of 1974 (PA) Children’s Online Privacy Protection Act (COPPA) Paperwork Reduction Act (PRA) Records Management
31 What are “Collections”? From the privacy perspective, any holding of information is considered a collection This includes: –Applications –Websites –Information systems –Cloud systems –Paper records –Other electronic records The NASA official responsible for any collection of such information is the “collection owner.”
32 What are the Requirements? Regardless of whether or not PII is collected, an Initial Privacy Threshold Analysis (IPTA) must be conducted in PCAT for each application, website, information system or collection of information to determine what, if any, privacy requirements are applicable. –IPTAs require approval from the collection owner and Center Privacy Manager Generally, information collections on members of the public require a Privacy Impact Assessment (PIA) –PIAs require approval from the collection owner, Center Privacy Manager, Agency Privacy Program Manager, and Agency Chief Information Officer –PIAs will be published online – available to the public As outlined in NPR , NASA may only collect/maintain the minimum necessary information about individuals which is relevant and necessary to accomplish a NASA purpose
33 PCAT NASA requires an Initial Privacy Threshold Analysis (IPTA) to be conducted on all applications, Websites and information collections. The IPTA is a brief pre-assessment done to determine if each collection will require a full Privacy Impact Assessment (PIA) or not. This initial assessment and the overall PIA (if required) are both accomplished through the NASA Privacy and CUI Assessment Tool (PCAT) at pcat.nasa.gov.
34 Privacy Act of 1974 (PA) The Privacy Act of 1974 governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by Federal Agencies. System of Records (SOR) –A group of any records under the control of any agency from which information is routinely retrieved by The name of the individual Some identifying number, symbol, or other assigned individual identifier Requirement: SOR must be covered by a System of Records Notice (SORN) published in the Federal Register –Published NASA SORNs are listed at
35 Children’s Online Privacy Protection Act (COPPA) The primary goal of COPPA is to place parents in control over what information is collected from their young children online. COPPA was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. COPPA applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. Requirement: COPPA requires websites that target or solicit information from children and collect PII to provide conspicuous notice of the information collection practices, verifiable parental consent, and access.
36 Paperwork Reduction Act (PRA) The purpose of the PRA is to ensure that federal agencies do not overburden the public with federally sponsored data collections. PRA is triggered when information is collected in a standard way from 10 or more persons who are members of the public, NASA contractors, grantees, or other non-NASA personnel. –This applies regardless of whether the information collection is voluntary or mandatory Requirement: OMB clearance is required for any collections that fall under PRA. Collection owner should work with the Agency PRA Officer to obtain an OMB approval number.
37 Records Management A collection contains federal records if: –It contains word-processing files, databases, photographs, maps, drawings, sound recordings, or materials in other forms that contain information regarding the conduct of NASA business; or, –It contains data in any of the above formats that constitutes information created by NASA activities and that is of value in and of itself to the engineering, scientific, academic and business communities within and outside of NASA. If a collection contains federal records, there may be specific retention and disposal guidelines that must be followed. Requirement: Work with Center Records Manager to identify specific retention schedule and ensure all records are maintained in accordance with it.
38 Next Steps All collections owners should initiate an IPTA in PCAT for each collection of information –This will determine which additional privacy requirements are applicable Additional organization-specific training for PCAT is available –Contact HQ CPM or CPM Support
39 SBU Protection Summary DO –Encrypt SBU data prior to or upon any transmission electronically –Store SBU data encrypted on any mobile devices or media –Store SBU data in locked containers when not attended –Destroy SBU data according to current guidelines when no longer required to ensure non-recoverability –Start an IPTA for any “collection” of which you are the owner DO NOT –Leave SBU data unattended on desktops –Leave SBU data visible on commonly viewable computer screens –Relay SBU data via phone where you can be easily overheard –Leave SBU data on back seats, floorboards or otherwise visible locations in your Government or privately owned vehicle –Leave SBU data unattended at airports, bus or train stations –Dispose of SBU data in common trash or recycling receptacles.
40 Contacts HQ Chief Information Security Officers (CISO): Marion Meissner (also HQ Center Privacy Manager), Aaron Goad (also HQ Incident Response Manager). HQ Center Privacy Manager Support: Angela Craig. NASA Privacy Programs Manager: Bryan McCall.
41 Contacts (cont’d) NASA Privacy Act Officer: Patti Stockman. NASA PRA Officer: Fran Teel. HQ Records Manager: Pat Southerland.
43 Useful Links PCAT (https://pcat.nasa.gov/pcat/index.php/) Privacy requirements are further described in ITS‐HBK‐ ‐0: Privacy Risk Management and Compliance – Collections, PIAs, and SORNs (https://nodis-dms.gsfc.nasa.gov/NASA_Wide/restricted_directives/OCIO_Docs/ITS-HBK_1382_03-01_.pdf) NPR D: NASA Records Retention Schedule (http://nodis3.gsfc.nasa.gov/displayDir.cfm?t=NPR&c=1441&s=1D)
44 NASA Policy Reference ITS-HBKs (1382 Series Handbooks) have been developed to provide a logical breakdown and focused subject matter reference material all derived from NPR A. They individually address the various aspects of the aforementioned policy and procedures in a much more focused, digestible and easily updated document, available through PCAT or NODIS.
–NITR : NASA Rules and Consequences to Safeguarding PII (Will be cancelled by ITS-HBK upon release of NPR A)
–ITS-HBK : Privacy and Information Security: Overview
–ITS-HBK : Privacy Accountability: Overview
–ITS-HBK : Privacy Notice and Redress: Web Privacy & Written Notice, Complaints, Access and Redress
–ITS-HBK : Privacy Awareness and Training: Overview
–ITS-HBK : Privacy Rules of Behavior and Consequences: Overview
–ITS-HBK : Privacy Risk Management and Compliance: Collections, PIAs and SORNs
–ITS-HBK : Privacy Incident Response and Management: Breach Response Team Checklist
–ITS-HBK : Privacy Goals and Objectives
–ITS-HBK : Privacy Risk Management and Compliance: Annual Reporting Procedures for Reviewing and Reducing PII and Eliminating the Unnecessary Use of SSN
Additional Policy documents: ITS-NITR , NASA Rules and Consequences to Safeguarding PII, with Change 1, dated 02/04/2008 NID 5.24 Sensitive but Unclassified (SBU) Controlled Information, NID NPR A, Security of Information Technology (Revalidated with Change 1, dated May 19, 2011) NASA Administrator’s Memo on “Protection of Sensitive Agency Information,” dated 4/3/12