Privacy, security depend on program managers, experts say

Program managers need to apply privacy and security best practices early when they plan systems if they want to manage risk effectively, said Robert Wright, principal at Merrill and former chief of the plans and program management unit in the FBI’s Cyber Division. Program management is about managing risk, he said.

To know what to implement, program managers should use as their reference guide laws such as the Privacy Act and requirements of the Office and Management and Budget that govern privacy and security, said Sally Wallace, associate deputy assistant secretary for privacy and records management at the Veterans Affairs Department.

Agency executives who are responsible for their organizations' compliance with security and privacy laws and regulations push them down to program managers to follow through in daily operations.

For example, OMB has directed that agencies use personally identifiable information only when necessary and reduce the use of Social Security numbers. Program managers also must produce privacy impact assessments when they develop or procure information systems that use or collect sensitive data. The assessments are a tool for ensuring that privacy is addressed through the life cycle of each IT system, and they identify risks in collecting information, Wallace said Oct. 11 at the Program Management Summit 2007, sponsored by the E-Gov Institute, a division of Federal Computer Week’s corporate owner, 1105 Media.

The Privacy Act requires agencies to publish in the Federal Register system of records notices for systems that store data and from which agencies retrieve information by an individual’s name or other identifier. The agency must detail in the notice the conditions under which it will use the personal information.

Most of VA’s attention surrounding privacy and security issues has focused on electronic data. But department officials plan to establish by December a policy to help safeguard information on paper, Wallace said.

VA plans to expand safeguards for paper-based data. Paper and mail have been issues, she said. For example, when a veteran wants to appeal a decision made at a regional office, that record is sent to VA offices in Washington. VA wants to make sure that it gets tracked, delivered and received, and doesn’t tear open or get sent to the wrong person. Those policies and procedures are in place for electronic data.

“We’re going to mandate those actions or equivalent, especially where we’re sending irreplaceable records from one place to another in VA,” Wallace said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Cybersecurity
    malware detection (Alexander Yakimov/Shutterstock.com)

    Microsoft targets copycat influence websites

    Microsoft went to court to take down websites it believes to be part of a foreign intelligence operation targeting conservative think tanks and the U.S. Senate.

  • Cybersecurity
    secure network

    FAA explores shifting its network to FISMA high

    The Federal Aviation Administration is exploring an upgrade to the information security categorization of IT systems as part of air traffic control modernization.

  • Cybersecurity
    Shutterstock photo id 669226093 By Gorodenkoff

    The disinformation game

    The federal government is poised to bring new tools and strategies to bear in the fight against foreign-backed online disinformation campaigns, but how and when they choose to act could have ramifications on the U.S. political ecosystem.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.