Presentation transcript:

1 Auditing Your Fusion Center Privacy Policy

2 What Are the Outcomes and Benefits of a Privacy Audit?
Recommendations to the program resulting in improvements
Updates to privacy documentation
Informal discussions about lessons learned
Formal report, either internal or publicly available
Heightened awareness by all participants about privacy
Early issue identification and remediation

3 Privacy Policies from an Audit Perspective
The privacy policy is a series of promises; an audit demonstrates that the center is performing them. This means BOTH:
– Reviewing the policy for accuracy and keeping it up to date (“type A”)
– Auditing center use of data per the privacy policy (“type B”)
(Diagram: Privacy Policy lifecycle: Development, Implementation, Audit)

4 Type A – Audit: Keeping Policy Accurate and Current
Annual review of policy for accuracy
– Are governance structures in place (e.g., privacy/CL committee, audit committee)?
– Are standard operating procedures and other policies referenced in place?
– Are access and dissemination logs maintained?
Annual review of policy for currency
– Do changes need to be made in response to changes in applicable law, technology, the purpose and use of the information systems, and public expectations?
Resource: Compliance Verification Tool

5 Type B – Auditing Center Use of Data
Goes a step beyond verifying that policies and procedures are in place
Requires development of review mechanisms that demonstrate that the privacy policy and policies and procedures are adhered to
Looks at the center’s actual use of data
– Data quality (e.g., labeling/tagging)
– Data use (e.g., access and dissemination logs)
– Retention (e.g., Are records maintained within the specified retention schedule?)

6 The Value of Audits
May be required by the existing privacy policy
Opportunity to identify strengths, weaknesses, and corrective actions
Heightens awareness of the importance of adherence to the policy
Demonstrates center accountability and sends a message to the public about your commitment to adhere to the policy
Ultimately strengthens the program!

7 Auditing Fundamentals: Elements of a Finding (Criteria, Condition, Cause, and Effect)
Criteria: The laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated. Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings. —Generally Accepted Government Auditing Standards (GAGAS) 4.11
The fusion center’s privacy policy is the criteria that the center and other oversight entities will use to design an audit.

8 Fusion Center Privacy Policy as Criteria (Example 1: Data Quality)
Deconstruct the privacy policy into a series of requirements against which to review center performance.
Example 1: The P/CRCL Officer or designee audits the quality of information received from an originating agency to ensure, to the extent possible, that it: (1) is accurate and complete, (2) does not include incorrectly merged information, (3) is not out of date, (4) can be verified, (5) does not lack adequate context such that the rights of the individual may be affected, and (6) was not gathered in violation of federal, state, or local laws or ordinances.
Audit Procedure: Identify applicable systems and determine whether information obtained from an originating agency is appropriately tagged with the source, and review selected records from the system against the six items identified in the privacy/CL policy.

9 Fusion Center Privacy Policy as Criteria (Example 2: Data Use)
Example 2: The fusion center will maintain an access log and dissemination record (audit trail) when the database is accessed or information is disseminated from the intelligence system. This dissemination record contains the following information: the date of dissemination of the information, the name of the individual requesting the information, the name of the agency requesting the information, the reason for the release of the information, the description of the information provided to the requestor, and the name of the fusion center person disseminating the information.
Audit Procedure: Obtain and review access logs from intelligence systems and verify that the log is designed to capture the information specified in the privacy/CL policy and that the information is properly filled out.
Design considerations: How many systems will be reviewed? How many records? It may not be feasible to review every record or log entry, or even to review a statistically significant sample.

10 Auditing Fundamentals: Elements of a Finding—Condition (Criteria, Condition, Cause, and Effect)
Condition: Condition is a situation that exists. The condition is determined and documented during the audit. —GAGAS 4.12
Possible Conditions for Example 1 (Data Quality Audit):
I. A review of 30 percent of records from 3 of the center’s largest information systems found that most records specified 4 of the 6 data quality elements in the center’s policy.
II. We could not assess whether records originating from another agency met the 6 criteria.
Possible Conditions for Example 2 (Data Use Audit):
I. A review of the audit log for 24 randomly selected days in 2011 (2 days per month) found that the log was designed to capture all of the information specified in the privacy policy. The logs we reviewed demonstrated that all fields were filled out.
II. We found that the audit log was designed to capture only 3 of the 6 data elements specified in the privacy policy.
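The data use audit procedure on slide 9 and the two "condition" statements on slide 10 can be turned into a repeatable check. The script below is an added example, not material from the presentation: it reads a dissemination record, reports how many of the six required elements the log is designed to capture, lists entries that are not properly filled out, and selects a fixed number of log days per month in the way the slide's 2-days-per-month sample is described. The field names, the two JSON Lines logs and the sampling seed are all constructed for illustration and are not drawn from any real system.

```python
import json
import random
from collections import defaultdict

# The six data elements the slide's policy requires in the dissemination record.
# The key names are an assumption about how a system might label them.
REQUIRED_FIELDS = (
    "dissemination_date",       # date of dissemination
    "requester_name",           # individual requesting the information
    "requester_agency",         # agency requesting the information
    "release_reason",           # reason for the release
    "information_description",  # description of what was provided
    "disseminating_person",     # fusion center person who disseminated it
)

# Constructed sample logs (JSON Lines), not real records.
# LOG_A: schema carries all six fields, but some entries are not filled out.
LOG_A = """\
{"id": 1, "dissemination_date": "2011-01-04", "requester_name": "A. Sample", "requester_agency": "Sample County SO", "release_reason": "active investigation", "information_description": "case summary", "disseminating_person": "Analyst 7"}
{"id": 2, "dissemination_date": "2011-01-19", "requester_name": "", "requester_agency": "Sample PD", "release_reason": "officer safety", "information_description": "bulletin", "disseminating_person": "Analyst 2"}
{"id": 3, "dissemination_date": "2011-02-08", "requester_name": "B. Sample", "requester_agency": "Sample PD", "release_reason": "  ", "information_description": "bulletin", "disseminating_person": "Analyst 2"}
{"id": 4, "dissemination_date": "2011-02-22", "requester_name": "C. Sample", "requester_agency": "Sample FD", "release_reason": "threat assessment", "information_description": "situational report", "disseminating_person": "Analyst 5"}
"""
# LOG_B: schema captures only three of the six fields (the slide's condition II).
LOG_B = """\
{"id": 1, "dissemination_date": "2011-03-01", "requester_agency": "Sample PD", "disseminating_person": "Analyst 1"}
{"id": 2, "dissemination_date": "2011-03-15", "requester_agency": "Sample SO", "disseminating_person": "Analyst 4"}
"""


def parse_log(text):
    """Parse JSON Lines into a list of entry dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def designed_fields(entries):
    """Fields the log is *designed* to capture: any entry carries the key."""
    found = set()
    for e in entries:
        found.update(k for k in e if k in REQUIRED_FIELDS)
    return tuple(f for f in REQUIRED_FIELDS if f in found)


def incomplete_entries(entries):
    """Entries where a required field is absent or blank (not 'properly filled out').
    Returns {entry id: [missing fields]}."""
    problems = {}
    for e in entries:
        missing = [f for f in REQUIRED_FIELDS if not str(e.get(f, "")).strip()]
        if missing:
            problems[e.get("id")] = missing
    return problems


def sample_days(entries, per_month=2, seed=0):
    """Pick up to `per_month` distinct log days per calendar month (the slide's
    '24 days in 2011, 2 per month' design). A fixed seed keeps the selection
    reproducible so a reviewer can re-run the same sample."""
    by_month = defaultdict(set)
    for e in entries:
        day = e.get("dissemination_date", "")
        if day:
            by_month[day[:7]].add(day)
    rng = random.Random(seed)
    chosen = []
    for month in sorted(by_month):
        days = sorted(by_month[month])
        chosen.extend(sorted(rng.sample(days, min(per_month, len(days)))))
    return chosen


def audit(text):
    """Summarise a log the way the slide phrases a finding's 'condition'."""
    entries = parse_log(text)
    designed = designed_fields(entries)
    problems = incomplete_entries(entries)
    return {
        "entries": len(entries),
        "designed_count": len(designed),
        "designed": designed,
        "incomplete": problems,
        "fully_filled": len(entries) - len(problems),
    }


if __name__ == "__main__":
    for name, log in (("LOG_A", LOG_A), ("LOG_B", LOG_B)):
        r = audit(log)
        print(f"{name}: log designed to capture {r['designed_count']} of "
              f"{len(REQUIRED_FIELDS)} fields; {r['fully_filled']} of "
              f"{r['entries']} entries fully filled out")
        for entry_id, missing in r["incomplete"].items():
            print(f"  entry {entry_id}: missing {', '.join(missing)}")
        print("  sampled days:", sample_days(parse_log(log)))
```

Run against LOG_A the audit reports a schema that captures all six elements but two entries with blank fields; against LOG_B it reports a schema designed to capture only three of six, which is the wording of condition II. Separating the "designed to capture" test from the "properly filled out" test matters because the two point to different causes on slide 11: a system design gap versus analysts not recording what the policy requires.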

11 Elements of a Finding—Cause (Criteria, Condition, Cause, and Effect)
Cause: The cause identifies the reason or explanation for the condition or the factors responsible for the difference between the situation that exists (condition) and the required or desired state (criteria), which may also serve as a basis for recommendations for corrective actions. Common factors include poorly designed policies, procedures, or criteria; inconsistent, incomplete, or incorrect implementation; or factors beyond the control of program management. Auditors may assess whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor or factors contributing to the difference between the condition and the criteria. —GAGAS 4.13
Potential Cause(s) for Examples 1 and 2:
– Systems were not designed to capture the information specified in the policy
– Privacy/CL policy was not implemented—analysts were not aware of their responsibilities to tag the information
– Not feasible to capture certain aspects of this information in the log

12 Elements of a Finding—Effect or Potential Effect
Effect or potential effect: The effect is a clear, logical link to establish the impact or potential impact of the difference between the situation that exists (condition) and the required or desired state (criteria). The effect or potential effect identifies the outcomes or consequences of the condition. When the audit objectives include identifying the actual or potential consequences of a condition that varies (either positively or negatively) from the criteria identified in the audit, “effect” is a measure of those consequences. Effect or potential effect may be used to demonstrate the need for corrective action in response to identified problems or relevant risks. —GAGAS 4.14
In privacy audits, look for a direct effect on an individual or a potential effect. Often this could be the potential for action to be taken against an individual based on inaccurate or untimely information.

13 Audit Recommendations
Should logically flow from findings. If a deficiency is found, the recommendation should be targeted at correcting the deficiency.
Example recommendations:
– The center should modify its systems to ensure that appropriate databases capture fields as specified in the privacy/civil liberties policy
– Standard operating procedures and training should be put in place to inform analysts of their responsibilities to record information related to sharing records with external entities
Document your audit findings and recommendations
Follow up on your recommendations, whether made by the P/CRCL Officer or an oversight entity

14 Recommended Areas for Audits
Data quality
Data use and sharing—review your logs!
Contributions to the Nationwide Suspicious Activity Reporting Initiative (NSI)
– Use the ISE-SAR Functional Standard (FS) Version 1.5 as your criteria
– Review the content of NSI submissions for adherence to the FS
– Remove reports that do not meet the FS, or require updates that make NSI submissions FS-compliant

15 Possible Resources for Fusion Center Audits
Fusion center P/CRCL Officer-led
State auditing agency
State Inspector General
Third-party audit
Peer-to-Peer audit (DHS is a resource for matching fusion centers)