Case Study #1: Are Privacy Impact Assessments (PIA) useful as a risk management tool?
A client has asked your cybersecurity consulting firm to provide it with a white paper which discusses the usefulness of Privacy Impact Assessments (PIA) as a risk management tool. The purpose of this white paper is to inform attendees at an inter-agency workshop on writing Privacy Impact Assessments for their IT investments. PIAs are required by the E-Government Act of 2002 and must be submitted to the Office of Management and Budget (OMB) each year by agencies as part of their E-Government Act compliance reports. OMB, in turn, forwards a summary of these reports to Congress as part of the administration’s E-Government Act Implementation Report. See the Week 1 readings for copies of the legislation and a recent implementation report.
1. Privacy Impact Assessment (PIA): this term is defined in the readings for the assignment. Basically, a PIA is both a process and a document. It is a process that focuses upon identifying and assessing risks related to privacy of data handled by a specific IT system or database. A PIA is also a document in which the results of the assessment are communicated to stakeholders. Some PIAs are released to the public in full while others are redacted to remove sensitive / non-public information. You should focus on both the process and the document in your white paper for this assignment.
2. Redaction: the process of removing sensitive or nonpublic information from a document. Redacted information is represented by black rectangles such as this.
3. White Paper: a white paper is an authoritative report used to present expert opinion and analysis about an issue or issues.
- Read / Review the Week 1 readings.
- Review the requirements in federal law to protect the privacy of individuals (see week 1 readings plus research additional sources).
- Research how Privacy Impact Assessments are used by Chief Privacy Officers at the federal agency level and in the Executive Office of the President (White House) to manage risk by ensuring that personally identifiable information is handled in accordance with the requirements of federal law.
- Find three or more additional sources which provide information about best practice recommendations for managing risks related to privacy and/or ensuring the privacy of information processed by or stored in an organization’s IT systems and databases. These additional sources can include analyst reports and/or news stories about recent attacks / threats, data breaches, cybercrime, cyber terrorism, etc. which impacted the privacy of individuals whose information was stored in federal IT systems and databases.
Write a two- to three-page summary of your research. At a minimum, your summary must include the following:
1. An introduction or overview of privacy which provides definitions and addresses the laws, regulations, and policies which require federal IT managers to protect the privacy of individuals whose information is processed or stored in federal IT systems. This introduction should be suitable for an executive audience.
2. A separate section which addresses the contents of Privacy Impact Assessments and how they are used to assess and monitor risks associated with personally identifiable information.
3. An analysis of whether or not privacy impact assessments provide useful information to Chief Privacy Officers, agency heads, OMB Staff, White House Staff, Congressional Committees and their staff members, and Members of Congress (Representatives & Senators).
4. A discussion of best practice recommendations for reducing risk by improving or ensuring the privacy of information processed by or stored in an organization’s IT systems and databases. These recommendations should be well supported by information from your research.
5. A closing section in which you summarize your research and your best practice recommendations.
Your white paper should use standard terms and definitions for cybersecurity and privacy. The following sources are recommended:
ISACA Glossary http://www.isaca.org/pages/glossary.aspx
Guidelines on Security and Privacy in Public Cloud Computing http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf