Group items tagged

Government Computer News presents Pat Howard, chief information security officer of the Nuclear Regulatory Commission, and Ari Schwartz, vice president and chief operating officer of the Center for Democracy and Technology, in an eSeminar recoreded at 2 p.m. Wednesday, Nov. 19, where they discuss personally identifiable information in the government. Federal IT officials must continually balance competing demands to share information while also complying with various mandates to protect the privacy of PII within federal information systems and programs. During the presentation, Mr. Howard discusses: * How IT and program managers are adapting to these challenges; * The latest laws and guidance on PII; * Measures taken by the NRC to strengthen PII protections; and * New demands concerning privacy in the federal marketplace. A question-and-answer session follows the presentation. GCN Editor in Chief Wyatt Kash moderates.

The National Institute of Standards and Technology (NIST) this month released preliminary recommendations that federal agencies -- and their contractors -- should follow to protect the confidentially of personally identifiable information (PII). U.S. government agencies should take a number of precautions when dealing with personal information residing in their organizations, according to the NIST document. The recommendations are intended to be for U.S. federal government agencies, and companies with which they work, but NIST said that other verticals may also find value in it. The report states that organizations should store only PII necessary to conduct business, develop an incident response plan for the event of a breach and encourage coordination for data-loss incidents among CIOs, information security officers and legal counsel.

IT practices such as identity management, email and URL filtering, virus scanning and electronic monitoring of employees can get companies that do business globally into a heap of trouble if deployed without an understanding of global data privacy laws. The warning was one of several alarms raised in a presentation on global privacy best practices by Gartner Inc. analysts Arabella Hallawell and Carsten Casper at the recent Gartner Risk Management and Compliance Summit in Chicago. Always a thorny issue, the protection of personally identifiable information (PII) is made more complicated in a world where there is limited agreement on how best to do that. According to the Gartner analysts, the world is divided into three parts when it comes to data privacy laws: countries with strong, moderate or inadequate legislation. The European Union, under the European Union Directive on Data Protection, possesses the strongest privacy regulations, followed by Canada and Argentina; Australia, Japan and South Africa have moderate to strong, recent legislation; laws in China, India and the Philippines are the least effective or laxly enforced. The United States has the dubious distinction of occupying two categories -- the strong column, due to the 45 state breach notification laws on the books, and the weak column, because of the lack of a federal law. Even among the three categories, nuances abound. Under the European Union Directive, member countries enact their own principles into legislation, and some laws (like Italy's) are more stringent than the directive's standards. Russia's very recent law is modeled after the strong EU laws, but how it will be enforced remains questionable. And in the U.S., state breach notification laws vary, with Nevada and Massachusetts proposing the most prescriptive data privacy legislation to date.

Weak security policies and practices in nearly all 24 major federal agencies in 2008 have resulted in exposing personally identifiable information of Americans, according to a new report from the Government Accountability Office (GAO). "An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs," according to the GAO report, issued Monday. "As a result, agencies have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise." Federal agencies have reported some progress, providing awareness training for employees and testing system contingency plans, the GAO said. Still, employees with significant security responsibilities are not getting enough security training and known vulnerabilities remain wide open. The GAO conducts a periodic review of information security policies and procedures at federal agencies. Inspectors general review agency conformity to the Federal Information Security Management Act of 2002 (FISMA) and report their findings to Congress.