TSA needs privacy IT tools, IG says

Audit recommends automated testing and monitoring tools

The Transportation Security Administration should deploy automated tools to test and monitor the effectiveness of privacy safeguards in its programs, according to a new report from Homeland Security Inspector General Richard Skinner.

In a report issued Sept. 18, Skinner recommended that TSA’s Office of the Chief Information Officer implement such tools, and the agency's officials agreed with the recommendation.

Overall, TSA has made progress in implementing privacy protections but could do better if it used the automated tools, Skinner concluded. The agency is required to protect personally identifiable information from loss, destruction, modification or inappropriate disclosure. The agency stores and uses personal data in several of its programs.

Although the CIO’s office is responsible for securing data, including personally identifiable information, the office is not providing automated tools for doing so, Skinner wrote. For enforcement, the agency's Office for Privacy Policy Compliance (OPPC) checks TSA's databases to see if sensitive data has been leaked. The office has indeed found some cases where data appears to have been exposed, Skinnner found.

“Personally identifiable information data was found that should not have been accessible through the periodic checks,” the report said. “Further, according to TSA, data spills, unprotected e-mails of personnel information, and lost folders containing personally identifiable information have occurred.”

The current privacy monitoring system is inadequate, and there needs to be further collaboration between the CIO’s office and the privacy compliance office to identify privacy tools, Skinner wrote.

“Although OPPC implements privacy policies and interacts with personnel, the office of the CIO cannot electronically monitor privacy behavior continuously and measure the strength of personally-identifiable information protections,” the report said.

“TSA has not purchased tools and technologies to automate privacy protections because further research and collaboration by OPPC and the office of the CIO is necessary to identify requirements and appropriate approaches within the TSA computing environment,” the report concluded.

Without such tools, TSA cannot compare the effectiveness of privacy protection across different systems, and cannot improve overall privacy data protection and monitoring, the IG said.

Automated monitoring and reporting tools are also being applied in other areas of government. The Office of Management and Budget recently required federal agencies to submit compliance reports using such tools for the Federal Information Security Management Act.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.