TSA needs privacy IT tools, IG says

Audit recommends automated testing and monitoring tools

The Transportation Security Administration should deploy automated tools to test and monitor the effectiveness of privacy safeguards in its programs, according to a new report from Homeland Security Inspector General Richard Skinner.

In a report issued Sept. 18, Skinner recommended that TSA’s Office of the Chief Information Officer implement such tools, and the agency's officials agreed with the recommendation.

Overall, TSA has made progress in implementing privacy protections but could do better if it used the automated tools, Skinner concluded. The agency is required to protect personally identifiable information from loss, destruction, modification or inappropriate disclosure. The agency stores and uses personal data in several of its programs.

Although the CIO’s office is responsible for securing data, including personally identifiable information, the office is not providing automated tools for doing so, Skinner wrote. For enforcement, the agency's Office for Privacy Policy Compliance (OPPC) checks TSA's databases to see if sensitive data has been leaked. The office has indeed found some cases where data appears to have been exposed, Skinnner found.

“Personally identifiable information data was found that should not have been accessible through the periodic checks,” the report said. “Further, according to TSA, data spills, unprotected e-mails of personnel information, and lost folders containing personally identifiable information have occurred.”

The current privacy monitoring system is inadequate, and there needs to be further collaboration between the CIO’s office and the privacy compliance office to identify privacy tools, Skinner wrote.

“Although OPPC implements privacy policies and interacts with personnel, the office of the CIO cannot electronically monitor privacy behavior continuously and measure the strength of personally-identifiable information protections,” the report said.

“TSA has not purchased tools and technologies to automate privacy protections because further research and collaboration by OPPC and the office of the CIO is necessary to identify requirements and appropriate approaches within the TSA computing environment,” the report concluded.

Without such tools, TSA cannot compare the effectiveness of privacy protection across different systems, and cannot improve overall privacy data protection and monitoring, the IG said.

Automated monitoring and reporting tools are also being applied in other areas of government. The Office of Management and Budget recently required federal agencies to submit compliance reports using such tools for the Federal Information Security Management Act.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.