TSA needs privacy IT tools, IG says

Audit recommends automated testing and monitoring tools

The Transportation Security Administration should deploy automated tools to test and monitor the effectiveness of privacy safeguards in its programs, according to a new report from Homeland Security Inspector General Richard Skinner.

In a report issued Sept. 18, Skinner recommended that TSA’s Office of the Chief Information Officer implement such tools, and the agency's officials agreed with the recommendation.

Overall, TSA has made progress in implementing privacy protections but could do better if it used the automated tools, Skinner concluded. The agency is required to protect personally identifiable information from loss, destruction, modification or inappropriate disclosure. The agency stores and uses personal data in several of its programs.

Although the CIO’s office is responsible for securing data, including personally identifiable information, the office is not providing automated tools for doing so, Skinner wrote. For enforcement, the agency's Office for Privacy Policy Compliance (OPPC) checks TSA's databases to see if sensitive data has been leaked. The office has indeed found some cases where data appears to have been exposed, Skinnner found.

“Personally identifiable information data was found that should not have been accessible through the periodic checks,” the report said. “Further, according to TSA, data spills, unprotected e-mails of personnel information, and lost folders containing personally identifiable information have occurred.”

The current privacy monitoring system is inadequate, and there needs to be further collaboration between the CIO’s office and the privacy compliance office to identify privacy tools, Skinner wrote.

“Although OPPC implements privacy policies and interacts with personnel, the office of the CIO cannot electronically monitor privacy behavior continuously and measure the strength of personally-identifiable information protections,” the report said.

“TSA has not purchased tools and technologies to automate privacy protections because further research and collaboration by OPPC and the office of the CIO is necessary to identify requirements and appropriate approaches within the TSA computing environment,” the report concluded.

Without such tools, TSA cannot compare the effectiveness of privacy protection across different systems, and cannot improve overall privacy data protection and monitoring, the IG said.

Automated monitoring and reporting tools are also being applied in other areas of government. The Office of Management and Budget recently required federal agencies to submit compliance reports using such tools for the Federal Information Security Management Act.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.