Privacy, security depend on program managers, experts say

Program managers need to apply privacy and security best practices early when they plan systems if they want to manage risk effectively, said Robert Wright, principal at Merrill and former chief of the plans and program management unit in the FBI’s Cyber Division. Program management is about managing risk, he said.

To know what to implement, program managers should use as their reference guide the laws and requirements that govern privacy and security, such as the Privacy Act and the requirements of the Office of Management and Budget, said Sally Wallace, associate deputy assistant secretary for privacy and records management at the Veterans Affairs Department.

Agency executives who are responsible for their organizations' compliance with security and privacy laws and regulations push those requirements down to program managers to follow through in daily operations.

For example, OMB has directed that agencies use personally identifiable information only when necessary and reduce the use of Social Security numbers. Program managers also must produce privacy impact assessments when they develop or procure information systems that use or collect sensitive data. The assessments are a tool for ensuring that privacy is addressed through the life cycle of each IT system, and they identify risks in collecting information, Wallace said Oct. 11 at the Program Management Summit 2007, sponsored by the E-Gov Institute, a division of Federal Computer Week’s corporate owner, 1105 Media.

The Privacy Act requires agencies to publish system of records notices in the Federal Register for systems that store data and from which agencies retrieve information by an individual’s name or other identifier. The agency must detail in the notice the conditions under which it will use the personal information.

Most of VA’s attention surrounding privacy and security issues has focused on electronic data. But department officials plan to establish by December a policy to help safeguard information on paper, Wallace said.

VA plans to expand safeguards for paper-based data. Paper and mail have been issues, she said. For example, when a veteran wants to appeal a decision made at a regional office, that record is sent to VA offices in Washington. VA wants to make sure that it gets tracked, delivered and received, and doesn’t tear open or get sent to the wrong person. Those policies and procedures are in place for electronic data.

“We’re going to mandate those actions or equivalent, especially where we’re sending irreplaceable records from one place to another in VA,” Wallace said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
