TSA needs privacy IT tools, IG says

Audit recommends automated testing and monitoring tools

The Transportation Security Administration should deploy automated tools to test and monitor the effectiveness of privacy safeguards in its programs, according to a new report from Homeland Security Inspector General Richard Skinner.

In a report issued Sept. 18, Skinner recommended that TSA’s Office of the Chief Information Officer implement such tools, and the agency's officials agreed with the recommendation.

Overall, TSA has made progress in implementing privacy protections but could do better if it used the automated tools, Skinner concluded. The agency is required to protect personally identifiable information from loss, destruction, modification or inappropriate disclosure. The agency stores and uses personal data in several of its programs.

Although the CIO’s office is responsible for securing data, including personally identifiable information, the office is not providing automated tools for doing so, Skinner wrote. For enforcement, the agency's Office for Privacy Policy Compliance (OPPC) checks TSA's databases to see if sensitive data has been leaked. The office has indeed found some cases where data appears to have been exposed, Skinnner found.

“Personally identifiable information data was found that should not have been accessible through the periodic checks,” the report said. “Further, according to TSA, data spills, unprotected e-mails of personnel information, and lost folders containing personally identifiable information have occurred.”

The current privacy monitoring system is inadequate, and there needs to be further collaboration between the CIO’s office and the privacy compliance office to identify privacy tools, Skinner wrote.

“Although OPPC implements privacy policies and interacts with personnel, the office of the CIO cannot electronically monitor privacy behavior continuously and measure the strength of personally-identifiable information protections,” the report said.

“TSA has not purchased tools and technologies to automate privacy protections because further research and collaboration by OPPC and the office of the CIO is necessary to identify requirements and appropriate approaches within the TSA computing environment,” the report concluded.

Without such tools, TSA cannot compare the effectiveness of privacy protection across different systems, and cannot improve overall privacy data protection and monitoring, the IG said.

Automated monitoring and reporting tools are also being applied in other areas of government. The Office of Management and Budget recently required federal agencies to submit compliance reports using such tools for the Federal Information Security Management Act.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Featured

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

  • FCW Illustration.  Original Images: Shutterstock, Airbnb

    Should federal contracting be more like Airbnb?

    Steve Kelman believes a lighter touch and a bit more trust could transform today's compliance culture.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.