FISMA Privacy Reporting Requirements United States Pacific Command (USPACOM) FOIA & Privacy Act Conference Presented by Samuel P. Jenkins, Director for.

Presentation transcript:

FISMA Privacy Reporting Requirements United States Pacific Command (USPACOM) FOIA & Privacy Act Conference Presented by Samuel P. Jenkins, Director for Privacy, Defense Privacy & Civil Liberties Office January 2011

PACOM Conference 2
FISMA & Privacy Reporting Requirements: Agenda
- Federal Information Security Management Act (FISMA): Division of Responsibilities
- FISMA Purpose
- The Reporting Requirements as found in OMB Circular A-130, Appendix I
- The eleven questions that report on annual Agency Privacy Program Oversight
- FISMA Annual Report to Congress

PACOM Conference 3
Federal Information Security Management Act (FISMA): Division of Responsibilities

PACOM Conference 4
From GAO Report INFORMATION SECURITY, “Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses,” July

PACOM Conference 5
Federal Information Security Management Act: Purpose

PACOM Conference 6
Origin of FISMA
The E-Government Act (Public Law ) was passed by the 107th Congress and signed into law by the President in December . It recognized the importance of information security to the economic and national security interests of the United States.

PACOM Conference 7
Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA), requires:
- Each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security.

PACOM Conference 8
In support of and reinforcing this legislation, the Office of Management and Budget (OMB), through Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires executive agencies within the federal government to:
- Plan for security
- Ensure that appropriate officials are assigned security responsibility
- Periodically review the security controls in their information systems
- Authorize system processing prior to operations and, periodically, thereafter

PACOM Conference 9
In June 2005, OMB issued memo M-05-15, “FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management,” which:
- Initiated a number of questions regarding the agency’s privacy program (Section D of the report: Senior Agency Official for Privacy).
- These questions related, in part, to agency implementation of the privacy provisions of the E-Government Act of

PACOM Conference 10
In April 2010, OMB issued memo M “FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management,” which formed a comprehensive context for security and privacy of Federal information across government, to include:
- The number of each type of privacy review conducted during the last fiscal year;
- Information about the advice: formal written policies, procedures, guidance, or interpretations of privacy requirements.

PACOM Conference 11
OMB memo M “FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management” (Continued)
- The number of written complaints for each type of privacy issue allegation received, to include:
  - Process and procedural issues (consent, collection, and appropriate notice);
  - Redress issues (non-Privacy Act inquiries seeking resolution of difficulties or concerns about privacy matters); or
  - Operational issues (inquiries regarding Privacy Act matters not including Privacy Act requests for access and/or corrections);
- For each type of privacy issue received for alleged privacy violations, the number of complaints the agency referred to another agency with jurisdiction.

PACOM Conference 12
OMB and Annual FISMA Reporting: Senior Agency Official for Privacy (SAOP) Questions

PACOM Conference 13
Assignment of Responsibilities
OMB Circular No. A-130, “Management of Federal Information Resources,” November 28, 2000, Appendix 1.3.a. states:
- All Federal Agencies. In addition…the head of each agency shall ensure that the reviews are conducted as often as specified in the accompanying chart. (next slide)
- Prepare to report to the Director, OMB, the results of such reviews and the corrective action taken to resolve problems uncovered.

PACOM Conference 14
OMB Circular No. A-130, Appendix 1, Privacy Reviews
Requirement: Periodicity
1. Matching Programs: Review annually
2. Recordkeeping Practices: Biennially
3. Privacy Act Training: Biennially
4. Violations: Biennially
5. Systems of Records Notices: Biennially
6. Section (m) Contracts: Every two years, a random sample of agency contracts
7. Routine Use Disclosures: Every four years
8. Exemption of Systems of Records: Every four years

PACOM Conference 15
Question 1: Information Security Systems
Identify:
- the number of agency and contractor systems that contain Federal information in identifiable form
- the number of agency and contractor systems for which a Privacy Impact Assessment (PIA) is required under the E-Gov Act
- the number of agency and contractor systems covered by an existing PIA
- the number of systems for which a system of records notice (SORN) is required under the Privacy Act
- the number of systems for which a current SORN has been published in the Federal Register

PACOM Conference 16
Question 2: Links to PIAs and SORNs
- Provide the URL of the centrally located page on the agency web site listing working links to agency PIAs.
- Provide the URL of the centrally located page on the agency web site listing working links to the published SORNs.

PACOM Conference 17
Question 3: Senior Agency Official for Privacy (SAOP) Responsibilities
Yes or No: Can your agency demonstrate through documentation that the privacy official:
- Participates in all agency information privacy compliance activities (i.e., privacy policy as well as IT information policy);
- Participates in evaluating the privacy implications of legislative, regulatory, and other policy proposals, as well as testimony and comments under OMB Circular A-19;
- Participates in assessing the impact of the agency’s use of technology on privacy and the protection of personal information?

PACOM Conference 18
Question 4: Information Privacy Training and Awareness
Does your agency have:
- A policy to ensure that all personnel (employees, contractors, etc.) with access to Federal data are generally familiar with information privacy laws, regulations and policies, and understand the ramifications of inappropriate access and disclosure?
- A program for job-specific and comprehensive information privacy training for all personnel (employees, contractors, etc.) directly involved in the administration of personal information or information technology systems, or with significant information security responsibilities?

PACOM Conference 19
Question 5: Does the agency have a written policy or process for each of the following PIA practices?
- Determining whether a PIA is needed
- Conducting a PIA
- Evaluating changes in technology or business practices that are identified during the PIA process
- Ensuring system owners, privacy officials, and IT experts participate in conducting the PIA
- Making PIAs available to the public as required by law and OMB policy
- Monitoring the agency’s systems and practices to determine when and how PIAs should be updated
- Assessing the quality and thoroughness of each PIA and performing reviews to ensure that appropriate standards for PIAs are maintained

PACOM Conference 20
Question 5: Does the agency have a written policy or process for each of the following web privacy practices?
- Determining circumstances where the agency’s web-based activities warrant additional consideration of privacy implications
- Making appropriate updates and ensuring continued compliance with stated web privacy policies
- Requiring machine-readability of public-facing agency web sites (i.e., use of P3P)

PACOM Conference 21
Question 6: Reviews Mandated by the Privacy Act of 1974, the E-Government Act of 2002, and the Federal Agency Data Mining Reporting Act of
Indicate which reviews were conducted in the last year for the following:
Requires a Check Mark:
- Section M Contracts
- Records Practices
- Routine Uses
- Training
- Violations: Civil Action and Remedial Action
Requires a Number:
- Exemptions
- Matching Programs
- System of Records
- Privacy Act (e)(3) Statements
- Privacy Impact Assessments and Updates
- Data Mining Impact Assessment

PACOM Conference 22
Question 7: Written Privacy Complaints
Indicate the number of written complaints for each type of privacy issue received by the SAOP or others at the agency:
- Process and Procedural: consent, collection, and appropriate notice
- Redress: non-Privacy Act inquiries seeking resolution of difficulties or concerns about privacy matters
- Operational: inquiries regarding Privacy Act matters not including Privacy Act requests for access and/or correction
- Referrals: complaints referred to another agency with jurisdiction

PACOM Conference 23
Question 8: Policy Compliance Review
Does the agency:
- Have current documentation demonstrating review of compliance with information privacy laws, regulations, and policies?
- Use technologies that enable continuous auditing of compliance with stated privacy policies and practices?
- Coordinate with the agency's Inspector General on privacy program oversight?
Can the agency provide documentation of planned, in-progress, or completed corrective actions necessary to remedy deficiencies identified in compliance reviews?

PACOM Conference 24
Question 9: Information About Advice Provided by the SAOP (Yes or No)
Indicate if the SAOP has provided formal written advice or guidance in each of the listed categories, and briefly describe the advice or guidance if applicable. The categories are:
- Agency policies, orders, directives, or guidance governing agency handling of personally identifiable information
- Written Agreements (either Interagency or with Non-Federal Entities) pertaining to information sharing, computer matching, and similar issues
- The agency’s practices for conducting, preparing, and releasing SORNs and PIAs
- Reviews or feedback outside of the SORN and PIA process (e.g., formal written advice in the context of budgetary or programmatic activities or planning)
- Privacy Training (either stand-alone or included with training on related issues)
  - Provide the number of employees (or contractors) who participated in the training.

PACOM Conference 25
Question 10: Agency Use of Persistent Tracking Technology
Indicate Yes or No for each item below:
- Does the agency use web management and customization technologies on any web site or application?
- Does the agency annually review the use of web management and customization technologies to ensure compliance with all laws, regulations, and OMB guidance?
- Can the agency demonstrate, with documentation, the continued justification for, and approval to use, web management and customization technologies?
- Can the agency provide the notice language or citation for the web privacy policy that informs visitors about the use of web management and customization technologies?

PACOM Conference 26
Question 11: Privacy Points of Contact Information
Please provide the names, phone numbers, and addresses of the following officials:
- Agency Head
- Chief Information Officer
- Agency Inspector General
- Chief Information Security Officer
- Senior Agency Official for Privacy
- Chief Privacy Officer
- Privacy Advocate
- Privacy Act Officer
- Reviewing Official for PIAs
- POC for URL links provided in question #2

PACOM Conference 27
Federal Information Security Management Act (FISMA): Privacy Reporting at the Agency Level

PACOM Conference 28
Conclusion: Our Agency Annual FISMA Reporting to OMB.
From GAO Report INFORMATION SECURITY, “Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses,” July

PACOM Conference 29
Resources
- OMB Memorandum M-10-15, of April 21, 2010, “FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.”
- Office of Management and Budget Circular No. A-130, November 28, 2000, “Management of Federal Information Resources.”
- Federal Information Security Management Act of 2002 (Pub. L ).
- OMB Memorandum M-07-16, of May 22, 2007, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information.”
- FY 2008 Report to Congress on Implementation of The Federal Information Security Management Act of
- GAO Report : INFORMATION SECURITY, Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses, July 2007.