[ISN] OMB to agencies: Review personal data protections

From: InfoSec News (isn@private)
Date: Mon May 22 2006 - 22:23:10 PDT


By Mary Mosquera
GCN Staff

The Office of Management and Budget has directed agencies' senior
privacy officials to review and correct any policies and processes to
ensure that they protect against misuse of or unauthorized access to
personally identifiable information.

The memo, dated today from OMB acting director Clay Johnson, comes on
the same day the Veterans Affairs Department announced that electronic
data containing the personal information of up to 26.5 million
veterans was stolen from the home of a VA employee.

"Because federal agencies maintain significant amounts of information
concerning individuals, we have a special duty to protect that
information from loss and misuse," he said in the memo.

The memo re-emphasizes agencies' responsibility to safeguard sensitive
personally identifiable information and to train employees on their
responsibilities, especially related to provisions of the Privacy Act.

The Privacy Act requires each agency to set the rules of conduct
related to any system of records, to instruct each employee as to what
is required to comply with them and the penalties for not adhering to
them. Under the statute, agencies are required to establish
administrative, technical and physical safeguards to insure the
security and confidentiality of records.

Agencies are to evaluate all means used to control personally
identifiable information, including procedures and restrictions on its
use or removal beyond agency premises or control, OMB said. Agencies
will include the results in their next report in the fall detailing
compliance with the Federal Information Security Management Act.

Within the next 30 days, agencies are to remind their employees of
their specific responsibilities for safeguarding personally
identifiable information, the rules for acquiring and using such
information, and the penalties for violating these rules.

Under FISMA and related policy, agencies are to "promptly and
completely" report security incidents to proper authorities, including
the inspector general, law enforcement authorities and, under some
circumstances, the Homeland Security Department.

