Group items tagged

The Department of Homeland Security's Data Privacy and Integrity Advisory Committee has offered DHS Secretary Janet Napolitano 16 recommendations on how to best address privacy issues currently facing the department. The panel stressed that "the need to update the government's legal authority to protect and defend cyberspace in the U.S. classified intelligence systems raise specific and sometimes significant privacy issues, including the conflict between transparency and redress." The committee has asked that each DHS component - such as the Federal Emergency Management Agency and Office of Intelligence and Analysis - have a designated privacy officer that would report to the head of the section. The committee also "encourages DHS to continue to work toward policy and functional interoperability in the development of new systems and when making major modifications to existing systems," according to a letter from the committee hand delivered to Napolitano. Additionally, the panel said the 1974 Privacy Act has "not kept pace with the evolution of technology and developments in how data is collected, used, shared and stored. To the extent the Secretary is asked to submit recommendations to Congress for making the act more relevant and effective, the committee recommends that the secretary seek guidance from the Privacy Office staff, who are experts in applying the Act's provisions throughout the department." For more on the recommendations, read the committee's letter here.

The Homeland Security Department's privacy office will hold a conference to explore the use of social media as if affects security and privacy. The "Government 2.0: Privacy and Best Practices" conference will be held June 22 to June 23 in Washington and is open to the public. The workshop is meant to help agencies use Web 2.0 technologies in ways to protect privacy and security, and to explore the best practices for implementing President Barack Obama's memo on open government that was released in January, according to a notice published in the federal register April 17. Panelists will discuss topics such as transparency and participation in government, privacy and legal concerns brought by the government's use of social media, and how the government can best use the technologies while protecting privacy rights during the conference, DHS officials said. DHS is asking for comments by June 1 on topics such as: * How the government is using social media. * The risks, benefits and operational concerns that come from government use of the technologies. * Privacy, security and legal issues raised by the government's use of social media. * Recommendations on best practices for government use of the technologies.

Outgoing CPO of the Department of Homeland Security Hugo Teufel discusses his team's accomplishments and the challenges ahead for his successor. If you had a chance to pose any question to the person in charge of protecting Americans' privacy as the U.S. Department of Homeland Security executes its mission, what would you say? I had that chance this month when Hugo Teufel, departing chief privacy officer at the DHS, delivered an address, entitled "Reflections on My Time as DHS CPO of the War on Terror," to the Twin Cities Privacy Retreat. After the address, I cornered Teufel for some follow-up questions. Those and his answers follow.

The Oklahoma Department of Human Services (DHS) is notifying more than one million state residents that their personal data was stored on an unencrypted laptop that was stolen from an agency employee. The computer file contained the names, Social Security numbers, birth dates and home addresses of Oklahoma's Human Services' clients receiving benefits from programs such as Medicaid, child care assistance, nutrition aid and disability benefits, the agency announced Thursday. The computer, which was stolen when a thief broke into the car April 3 after the employee stopped on her way home from work, was password protected, and officials do not believe the burglar realized what he or she was stealing. Therefore, the risk of the data being accessed is minimal, according to the agency. "We feel this was not a situation where someone was targeting the agency or that information," DHS spokeswoman Mary Leaver told SCMagazineUS.com on Friday. "We feel it was random." Leaver said the state Office of Inspector General is conducting an investigation, out of which likely will come a mandatory review of information security policies. However, it is not believed the employee violated existing policy when the incident occurred, she said. News of the theft comes one day after the Ponemon Institute, in conjunction with Intel, released a study that found the average value of a lost laptop is $49,246. About 80 percent of the cost is related to the chance that a breach could occur, the study showed.

Travelers arriving at U.S. borders may soon be confronted with their laptops, PDAs, and other digital devices being searched, copied and even held by customs agents -- all without need to show suspicion for cause. Notices are being proposed by the Privacy Office at the U.S. Department of Homeland Security (DHS), which last week released a report approving the suspicionless searches of electronic devices at U.S. borders. The 51-page Privacy Impact Assessment also supported the right of U.S. Immigration and Customs Enforcement agents to copy, download, retain or seize any content from these devices, or the devices themselves, without assigning any specific reason for doing so.

Supercharging the HVA Engineering and Maintenance Risk Assessment in the Healthcare Setting Webinar Registration Hospitals have been under close scrutiny for years to insure they evaluate and mitigate risks and exposures that could impact their ability to deliver healthcare services under all conditions. A staple of this activity is the "Hazard Vulnerability Assessment". A traditional HVA looks at specific threats within four categories (natural, technological, human and hazardous materials). While the HVA is useful for auditors looking to confirm minimum compliance, it does not properly arm the organization to assess how risk, mitigation strategies and limited capital can effectively be deployed for maximum benefit. Come hear from leaders of Deaconess Health Systems Engineering and Maintenance team on how they partnered with Virtual Corporation to execute an effective risk assessment methodology and toolkit across the DHS enterprise. Participants will see examples of innovative risk mapping and reporting methods that yield high information density in simple, understandable format. Presenters: Mark Merrill, Facility Engineer, Deaconess Health System Tom Barnett, Manager, Engineering and Maintenance, Deaconess Health System Scott Ream, President, Virtual Corporation Webinar Registration Hospitals have been under close scrutiny for years to insure they evaluate and mitigate risks and exposures that could impact their ability to deliver healthcare services under all conditions. A staple of this activity is the "Hazard Vulnerability Assessment". A traditional HVA looks at specific threats within four categories (natural, technological, human and hazardous materials). While the HVA is useful for auditors looking to confirm minimum compliance, it does not properly arm the organization to assess how risk, mitigation strategies and limited capital can effectively be deployed for maximum benefit. Come hear from leaders of Deaconess H

Here are five interesting factoids regarding information security culled from documents and statements accompanying President Obama's fiscal year 2010 budget: The current number of positions filled in the federal IT workforce totals 17,785, with 8,407 of them - or 47 percent - deemed IT security. The Department of Homeland Security seeks $75.1 million more in the coming year to develop and deploy cybersecurity technologies for the entire government to counter continuing, real-world national cyber threats and apply effective analysis and risk mitigation strategies to detect and deter threats. Homeland Security also seeks $37.2 million, a $6.6 million increase, to address critical capability gaps identified in the government's Comprehensive National Cybersecurity Initiative. Specifically, says DHS Secretary Janet Napolitano, this effort would seek and/or develop technologies to secure the nation's critical information infrastructure and networks. Nearly half of the federal workforce - 2.7 million individuals - have been issued credentials that provide for digital signature, encryption, archiving of documents, multi-factor authentication and reduced sign-on to improve security and facilitate information sharing. The total federal IT budget for 2010, including funds earmarked to secure data and systems, tops $75.8 billion, up $5.1 billion or 7.2 percent from the current fiscal year.

Travelers arriving at U.S. borders may soon be confronted with their laptops, PDAs, and other digital devices being searched , copied and even held by customs agents -- all without need to show suspicion for cause. Notices are being proposed by the Privacy Office at the U.S. Department of Homeland Security (DHS), which last week released a report approving the suspicionless searches of electronic devices at U.S. borders. The 51-page Privacy Impact Assessment also supported the right of U.S. Immigration and Customs Enforcement agents to copy, download, retain or seize any content from these devices, or the devices themselves, without assigning any specific reason for doing so. Also, while in many cases searches would be done with the knowledge of the traveler in some situations, the report says, "it is not practicable for law enforcement reasons to inform the traveler that his electronic device has been searched." In arriving at the assessment, the Privacy Office argued that such searches of electronic devices were really no different from searches of briefcases and backpacks. They are needed to interdict and investigate violations of federal law at U.S. borders and have been supported by courts in the past, the assessment said.

"As the federal government readies the third iteration of Einstein, privacy concerns over the intrusion detection system were voiced at a Senate hearing on Tuesday. Philip Reitinger, Department of Homeland Security deputy undersecretary for the National Protection and Programs Directorate, told the Senate Committee on the Judiciary's Subcommittee on Terrorism and Homeland Security that DHS envisions deploying Einstein 3 as an intrusion prevention system. Einstein 1 monitors network flow and Einstein 2 detects system intrusions. "This more robust version of Einstein would provide the federal government with an improved early warning and an enhanced situational awareness; the ability to automatically detect malicious activity; and the capability to prevent malicious intrusions before harm is done," Reitinger said. But Gregory Nojeim, senior counsel and director of Project Freedom, Security and Technology at the Center for Democracy and Technology, cited press accounts that Einstein 3 would rely on pre-defined signatures of malicious code that might contain personally identified information, and threaten the privacy of law-abiding citizens. "While Einstein 2 merely detected and reported malicious code, Einstein 3 is to have the capability of intercepting threatening Internet traffic before it reaches a government system, raising additional concerns," Nojeim testified. Einstein 3 reportedly could operate within the networks of private telecommunications companies, and Nojeim wondered if the technology could analyze private-to-private communications. "If Einstein were to analyze private-to-private communications, that would likely be an interception under the electronic surveillance laws, requiring a court order," he said. "

A group of federal agencies and private organizations, including the National Security Agency and the Department of Homeland Security, has released a set of guidelines defining the top 20 things organizations should do to prevent cyberattacks. The Consensus Audit Guidelines (CAG) describe the 20 key actions, referred to as security controls, that organizations should take to defend their computer systems. The controls are expected to become baseline best practices for computer security, following further public- and private-sector review. CAG is being led by John Gilligan, formerly the CIO for both the U.S. Air Force and the U.S. Department of Energy, and a member of the Obama transition team dealing with IT in the Department of Defense and various intelligence agencies. "We are in a war, a cyberwar," Gilligan said on a media conference call. "And the federal government is one of many large organizations that are being targeted. Our ability at present to detect and defend against these attacks is really quite weak in many cases." Borrowing an analogy he attributed to an unnamed federal CIO, Gilligan said, "We're bleeding badly and we really need triage and we need to focus on things that will keep this patient alive." The CAG initiative represents part of a larger effort, backed by the Center for Strategic and International Studies (CSIS) in Washington, D.C., to implement recommendations from the CSIS Commission report on Cybersecurity for the 44th Presidency.