DoD IT Privacy Impact Assessments / Emerging Technologies and Privacy
USPACOM FREEDOM OF INFORMATION ACT (FOIA) & PRIVACY ACT (PA) CONFERENCE, 11 – 13 January 2011
Gary J. Evans, Office of the DoD CIO, 703-699-0108
– Web portals and shared drives
– Blogs
– Email
– Hackers
– Human error
– Insider threat
– Official and unofficial forms
– Malicious software
– Records management
– Disposal of storage media
– IT systems
– Contractor services
– Data mining
– Teleworking
– Spreadsheets
– Hard drives
– Flash storage media
– DAR encryption implementation
– Budget and resources
– Changing business processes
Social Media
http://www.facebook.com/video/video.php?v=141629337756&ref=share
Uses of Social Media
– Public Affairs
– Outreach
– Situational Awareness
– Law Enforcement/Intelligence
– Collaboration and Information Sharing
– War fighters communicating with families
Social Media Types
– Social media sites where users and public users may have an account to use applications tailored to the specific website. This includes, but is not limited to, Facebook, MySpace, Ustream, LinkedIn, and GovLoop.
– Video and image websites, where users may have an account to post but public users may not be required to have an account to see the video or image. In order for public users to comment, they may need an account. This includes, but is not limited to, YouTube, Flickr, Picasa, Blip.tv, and Ustream.
– Blogs and similar websites, where users may have an account to post but public users may not be required to have an account to see the blog. In order for public users to comment, they may need an account. This includes, but is not limited to, Twitter, Google Blogger, and Wordpress.
Responsible and Effective Use of Social Media
Directive-Type Memorandum (DTM) 09-026, Responsible and Effective Use of Internet-based Capabilities, 25 Feb 10
– Effective immediately, the DTM states that the default for the DoD non-classified network (the NIPRNET) is open access so that all of DoD can use new media
– Directs open and consistent access across the board
– Commanders at all levels and heads of DoD components will continue to keep networks safe from malicious activity and take actions, as required, to safeguard missions
– Service members and DoD employees are welcome and encouraged to use new media to communicate with family and friends, at home stations or deployed, but do it safely
For more info go to: http://socialmedia.dod.gov
Implementation guidance is in development
– SNS sites, web mail, etc.
Growth in FaceBook Accounts
Comparison period: 14 June through 08 December, 2010

FaceBook accounts   14 June   8 July   8 December
Army                    336      395          783
Navy                    139      228          342
USMC                     76       73          176
USAF                    110      120          181
Total                   661      816         1482
Highlights of OMB Guidance M-10-23
This Memorandum requires Federal agencies to take specific steps to protect individual privacy whenever they use third-party websites and applications to engage with the public.
Scope: This Memorandum applies to any Federal agency use of third-party websites or applications to engage with the public for the purpose of implementing the principles of the Open Government Directive. The guidance also applies when an agency relies on a contractor (or other non-Federal entity) to operate a third-party website or application to engage with the public on the agency’s behalf.
Highlights of M-10-23 – Social Media
A PIA is required if the agency's use of a third-party website or application makes PII available to the agency.
Make PII Available: when any agency action causes PII to become available or accessible to the agency, whether or not the agency solicits or collects it. This can include activities commonly referred to as “friend-ing,” “following,” “liking,” joining a “group,” becoming a “fan,” and comparable functions.
A single PIA can cover multiple websites or applications that are functionally comparable and whose practices are substantially similar. If an agency’s use of a website or application raises distinct privacy risks, the agency should prepare a PIA that is exclusive to that website or application.
Examples of PIAs on Social Media
– DHS – Use of Social Networking Interactions and Applications Communications/Outreach/Public Dialogue: http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_dhs_socialnetworkinginteractions.pdf
– DHS – Publicly Available Social Media Monitoring and Situational Awareness Initiative: http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_ops_publiclyavailablesocialmedia.pdf
– DHS – Department of Homeland Security Our Border Network (Privacy Specific Risk PIA): http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_dhs_ning.pdf
– DOJ – Privacy Impact Assessment for Third-Party Social Web Services: http://www.justice.gov/opcl/docs/opa-webservices-pia.pdf
Adapted PIA Questions
– What is the specific purpose of the component’s use of the third-party website or application?
– List any PII that is likely to become available to the component through public use of the third-party website or application.
– What is the component’s intended or expected use of PII?
– With whom will the component share PII?
– Describe whether and how the component will maintain PII, and for how long.
– Describe how the component will secure PII that it uses or maintains.
– Describe what other privacy risks exist and how the component will mitigate those risks.
– Describe whether the component’s activities will create or modify a “system of records” under the Privacy Act.
PII Breach Media Improving here, but only takes one Still # 1 And complacency …..
Example PII Breaches: In Plain Sight; The Convenience
Example PII Breaches: Laptops in Luggage; Eyes on Laptop
PII Breach Media
Copiers and printers are a problem. Documents are sent to recipients “without a need to know” / unencrypted.
The Cost of a PII Breach
The most significant cost to an organization results from lost confidence and trust by our sailors, marines, government civilians and the public
– For a company that translates into customer turnover and loss of brand equity
– Impacts employee morale, ability to recruit new hires and job satisfaction
Potential class action lawsuits and/or criminal prosecution
Mailings, call center costs and credit monitoring
Expenses associated with identity theft
Phishing
Phishing is the process of attempting to acquire sensitive information such as usernames, passwords or financial account details by masquerading as a trustworthy entity in an electronic communication. This is a growing activity within the DON.
– They generally ask you to click a link back to a spoof web site. Doing so could subject you to the installation of key logging software or viruses.
– They use fear to motivate you to respond: “your account has been temporarily suspended due to recent fraudulent activity, we need you to verify your account information…”
Never open emails from unknown sources or institutions soliciting:
– Passwords
– Credit card information
– ATM/Debit Card number
– Social Security Number
– Bank/financial account number
If in doubt about the validity of the email, call their customer service number. Notify your network administrator.
For NMCI go to: https://www.homeport.navy.mil/support/articles/report-spam-phishing/
Privacy Do’s
– Encrypt all emails containing PII
– Reduce human error
– Reduce the use of SSN
– Ensure IA controls are in place on document repositories such as Sharepoint
Privacy Don’ts
– Do not place PII on Internet public-facing websites or shared drives
– Do not collect PII that is not needed for business
– Do not send documents containing PII to personal email addresses (e.g., yahoo, hotmail)
– Do not download PII to personal computers, USB drives, or any removable media unless the devices are approved and encrypted.
The Threat is Real
The Scoop Deck blog shed light on a Dec. 2009 Al-Qaeda call for their members to monitor what we say about ourselves, our units and our families online in order to gather intelligence.
“Information on every U.S. Naval unit should be quietly gathered… their ranks, what state they are from, their family situation, and where their family members live… …search for the easiest ways of striking these ships…. Do not underestimate the importance of any piece of information, as simple as it may seem….”
WHAT THEY WANTED: The call wasn’t just about unit missions, location, troop manning, weapons, movement and route. They asked for members’ names, ranks, home state, family situation and family names.