Response to Privacy Program Information Request in OMB's Fiscal Year 2006 Reporting Instructions for FISMA and Agency Privacy Management

September 2006
Report No. 06-018

AUDIT REPORT

FDIC OIG, Office of Audits

Background and Purpose of Audit


A number of federal statutes, policies, and guidelines are aimed at protecting the confidentiality, integrity, and availability of information in an identifiable form (IIF) from unauthorized use, access, disclosure, or sharing and protecting associated information systems from unauthorized access, modification, disruption, or destruction. Key federal statutes include the Privacy Act of 1974; section 208 of the E-Government Act of 2002; and section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005, hereafter referred to as section 522.

The Federal Information Security Management Act of 2002 (FISMA) directs federal agencies to have an annual independent evaluation performed of their information security program and practices and to report the results of the evaluation to the Office of Management and Budget (OMB), the Comptroller General, and various congressional committees. On July 7, 2006, the OMB issued a memorandum entitled, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. In response to OMB's request for privacy program information, the FDIC Office of Inspector General contracted with KPMG LLP (KPMG) to audit and report on the privacy management areas addressed in the OMB memorandum.

The objective of this audit was to determine the current status of the FDIC's efforts to implement a corporate-wide privacy protection program. While KPMG did not evaluate the FDIC's privacy program as part of this audit, the report provides information on the program and related activities.

FDIC, Federal Deposit Insurance Corporation


Results of Audit


KPMG reported that the FDIC has taken a number of actions to protect IIF since the passage of the Privacy Act of 1974 and has continually enhanced the corporate privacy protection program, policies, and procedures. Such recent actions include strengthening controls related to IIF and implementing mandatory Web-based privacy training to promote Privacy Act awareness among FDIC employees and contractor personnel. In addition, the FDIC has identified 46 systems containing IIF and performed required Privacy Impact Assessments (PIA) for most of those systems.

These actions were positive; however, the FDIC could further strengthen its privacy program by completing ongoing efforts to:

  • monitor and enforce annual privacy awareness training requirements and formalize a privacy training program to ensure individuals in trusted roles receive job-specific training;
  • implement measures to ensure technologies used to collect, use, store, and disclose IIF allow for continuous auditing of compliance with stated privacy policies and practices as required by section 522; and
  • establish and implement a formal plan of action and milestones to track privacy program deficiencies such as those identified in PIAs and required privacy reviews.

In addition, the Corporation should determine when it will submit an annual report to the Congress on its privacy protection activities, including complaints of privacy violations, internal controls, and other relevant matters as discussed in section 522.

Recommendations and Management Response

KPMG made no recommendations in the report. However, the Privacy Program Manager provided informal comments on a draft version of this report, which KPMG considered and incorporated into the report, as appropriate. Under contract with the OIG, KPMG will perform a more in-depth review, as required by section 522, of the FDIC's use of IIF and related privacy protection policy and procedures, and the firm will make appropriate recommendations, if necessary, at that time.


DATE: September 22, 2006

MEMORANDUM TO: Michael E. Bartell, Chief Privacy Officer

FROM: Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
Assistant Inspector General for Audits

SUBJECT: KPMG LLP Report Entitled, Response to Privacy Program Information Request in OMB's Fiscal Year 2006 Reporting Instructions for FISMA and Agency Privacy Management (Report No. 06-018)
 

Attached is a copy of the subject report prepared by KPMG LLP (KPMG) under a contract with the Office of Inspector General. Please refer to the Executive Summary for the overall audit results.

The Chief Information Security Officer provided informal comments on a draft version of this report. KPMG has considered and incorporated the comments into the report, as appropriate.

If you have any questions concerning the report, please contact Stephen M. Beard, Deputy Assistant Inspector General for Audits, at (703) 562-6352, or Mark F. Mulholland, Director, Systems Management and Security Audits Directorate, at (703) 562-6316. We appreciate the courtesies extended to the audit staff.

Attachment

cc: James H. Angel, Jr., OERM
 Rack Campbell, DIT


Response to Privacy Program Information Request in
OMB's Fiscal Year 2006 Reporting Instructions for
FISMA and Agency Privacy Management
Report Number 06-018


Prepared for the
Federal Deposit Insurance Corporation
Office of Inspector General


FINAL REPORT





Prepared by:
KPMG LLP
Advisory Services - Federal Practice
2001 M. Street, NW
Washington, DC 20036
(202) 533-3000



TABLE OF CONTENTS

INTRODUCTION
BACKGROUND
RESULTS OF AUDIT
STATUS OF THE FDIC'S PRIVACY PROTECTION POLICIES AND PROCEDURES

Policies and Procedures

Awareness and Training

Privacy Reviews

Privacy Impact Assessments and Notice Requirements

Persistent Tracking

Internal Oversight

OIG Coordination

APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX II: PRIVACY-RELATED LAWS, POLICIES, AND GUIDELINES

ACRONYMS 
CPO Chief Privacy Officer
FDIC Federal Deposit Insurance Corporation
FISMA Federal Information Security Management Act
FOIA Freedom of Information Act
GAGAS Generally Accepted Government Auditing Standards
IG Inspector General
IIF Information in an Identifiable Form
ISM Information Security Manager
KPMG KPMG LLP
OIG Office of Inspector General
OMB Office of Management and Budget
PIA Privacy Impact Assessment
POA&M Plan of Action and Milestones
SORN System of Records Notice
SSN Social Security Number


INTRODUCTION

On July 17, 2006, the Office of Management and Budget (OMB) issued Memorandum M-06-20 entitled, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. In response to OMB's request for privacy program information, the Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) contracted with KPMG LLP (KPMG) to conduct a performance audit and report on the privacy management areas addressed in Section D of the OMB memorandum. This is the second year that KPMG has supported the FDIC OIG in this audit work. KPMG conducted its performance audit in accordance with generally accepted government auditing standards (GAGAS) issued by the Comptroller General of the United States.

The objective of this audit was to determine the current status of the FDIC's efforts to implement a corporate-wide privacy program. While KPMG did not evaluate the effectiveness of the FDIC's privacy program as part of this audit, this report provides information on the program and related activities. Reports on (1) the FDIC OIG responses to specific security-related questions in the referenced OMB memorandum and (2) the independent security evaluation required by the Federal Information Security Management Act of 2002 (FISMA), will be provided under separate cover.[1] Those two reports and this report are intended to fulfill the FDIC OIG's reporting responsibilities under FISMA and related OMB guidance. In addition, further information on the effectiveness of the FDIC's privacy program will be provided as part of the independent, third-party review required under section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005, hereafter referred to as section 522. The FDIC OIG also contracted with KPMG to fulfill the review requirements of section 522.

Appendix I describes our objective, scope, and methodology. Appendix II contains brief descriptions of key privacy-related laws, policies, and guidelines and their applicability to the FDIC.

The FDIC's Privacy Program Manager provided informal comments in response to a draft of this report. KPMG considered and incorporated the comments, as appropriate, into the report. In general, the Privacy Program Manager agreed with KPMG's observations for strengthening the FDIC's privacy program.

BACKGROUND

The protection of sensitive information has never been more important or more threatened. The increasing use of computers to store and retrieve personal data about individuals has highlighted the government's duty to balance the necessity of maintaining information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy. In addition, recent high-profile incidents involving the potential compromise or loss of sensitive personal information further reinforce the need for federal agencies to implement measures to protect sensitive information entrusted to them.

A number of federal statutes, policies, and guidelines are aimed at protecting information in an identifiable form (IIF)[2] and associated information systems from unauthorized access, use, disclosure, disruption, modification, or destruction, as discussed in Appendix II. One of the key policies is OMB Circular A-130, Management of Federal Information Resources, and its appendices.

RESULTS OF AUDIT

The FDIC has taken a number of actions to protect IIF since the passage of the Privacy Act of 1974 and has continually enhanced the corporate privacy program, policies, and procedures. Such actions include strengthening controls related to IIF and implementing mandatory Web-based privacy training to promote Privacy Act awareness among corporate employees and contractor personnel. In addition, the FDIC has identified 46 systems containing IIF and completed required Privacy Impact Assessments (PIAs)[3] for 43 of those systems. These actions were positive; however, the FDIC could further strengthen its privacy program by completing ongoing efforts to:

  • monitor and enforce annual privacy awareness training requirements and formalize a privacy training program to ensure individuals in trusted roles receive job-specific training;
  • implement measures to ensure technologies used to collect, use, store, and disclose IIF allow for continuous auditing of compliance with stated privacy policies and practices as required by section 522;
  • establish and implement a formal plan of action and milestones (POA&M) to track privacy management deficiencies such as those identified in PIAs and required privacy reviews; and
  • submit an annual report to the Congress consistent with the provisions of section 522, addressing privacy protection activities, including complaints of privacy violations, internal controls, and other relevant matters.

KPMG is not making recommendations in this report. The FDIC OIG also contracted with KPMG to perform a privacy review, as required by section 522, of the FDIC's use of IIF and related FDIC privacy and data protection policies and procedures, and the firm will make appropriate recommendations, if necessary, at that time.

STATUS OF THE FDIC'S PRIVACY PROTECTION POLICIES AND PROCEDURES

The FDIC recognizes the need to take additional steps to implement a more effective privacy program. Since the 2005 OIG privacy evaluation,[4] the FDIC continues to develop and strengthen its privacy program, policies, and procedures. KPMG's review indicated that the FDIC has made progress by identifying computer applications processing IIF, establishing corporate privacy awareness training, conducting PIAs and required Privacy Act-related reviews, and satisfying records notification requirements. Key privacy initiatives, addressing areas in Section D of OMB Memorandum M-06-20, are detailed below.

Policies and Procedures. In accordance with section 522, the FDIC's Chief Privacy Officer (CPO) has primary responsibility for the Corporation's privacy protection policy and ensuring that IIF and related information systems are protected.

The FDIC's privacy program includes policies and procedures to manage and protect IIF. For example, the FDIC's PIA guide and template assist system owners in completing PIAs, if they are necessary based on the presence of IIF. Further, the FDIC has strengthened and revised its procedures related to the overall sensitivity of FDIC computer applications by using the Application Security Assessment,[5] which includes questions to aid identifying any IIF in an application. During FY 2006, the FDIC identified applications containing IIF and developed a phased approach for performing PIAs. As of September 20, 2006, the FDIC had completed PIAs for 43 out of 46 applications identified as containing IIF. In addition, the FDIC made sanitized versions of all but one[6] of the completed PIAs publicly available on the FDIC's Privacy Program Web site in accordance with the E-Government Act of 2002 requirements. Furthermore, in response to OMB's Memorandum M-06-16, Protection of Sensitive Agency Information, dated June 23, 2006, the FDIC is drafting a policy that requires encryption of production data stored at a remote location, authorization for the duplication of IIF information, and disposal of any copies of privacy information within 90 days of the duplication. The FDIC has also acted to ensure its remote authentication and "time-out" functions meet OMB requirements.

Awareness and Training. In October 2005, the FDIC implemented corporate-wide privacy awareness training that included coverage of privacy laws, regulations, and policies. The completion of this Web-based course is mandatory for all FDIC employees and contractors. The FDIC tracks training completion using a security awareness and training database. However, the FDIC could strengthen monitoring and enforcing compliance with the privacy awareness training requirements. During the 12 months ended June 2006, the FDIC had created 983 new user (employee and contractor) accounts. KPMG sampled 45 such user accounts and found that 9 of those users had not completed the required privacy awareness training. The FDIC attributed the lack of compliance to a delay between the privacy awareness training completion deadline[7] and the time divisional Information Security Managers (ISM) could access privacy training compliance reports to perform necessary follow-up. The FDIC is addressing this issue, and ISMs have been reminded to comply with the awareness training requirement.

In addition, the FDIC provides one-on-one or team-specific privacy training on an ad-hoc basis. However, this type of training has not been incorporated into a formal privacy training program. The Privacy Program Manager indicated that the Corporation has undertaken an initiative with the Corporate University to provide specific privacy training. A formal job-specific training program would help to ensure that FDIC personnel and contractors directly involved in administering IIF or information systems processing IIF are familiar with information privacy laws and regulations applicable to their specific job duties and responsibilities and help prevent inappropriate access and disclosure.

Privacy Reviews. The FDIC has completed all reviews of FDIC compliance with various provisions of the Privacy Act as required by OMB Circular A-130, Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals.[8] These reviews focus attention on particular Privacy Act requirements as indicated by the following examples from the circular:

  • Recordkeeping Practices. Biennially review agency recordkeeping and disposal policies and practices in order to assure compliance with the Privacy Act, paying particular attention to the maintenance of automated records.
  • Privacy Act Training. Biennially review agency training practices in order to ensure that all agency personnel are familiar with the requirements of the Act, the agency's implementing regulation, and any special requirements of their specific jobs.

Privacy Impact Assessments and Notice Requirements. The FDIC has made significant progress in identifying systems containing IIF. For example, the FDIC completed an initial exercise in September 2005 to identify computer applications with Social Security number (SSN) information. Following the completion of this exercise, the FDIC conducted another review to identify systems with any additional IIF data. The FDIC identified 46 applications containing IIF and developed a phased approach for performing the associated PIAs. As of September 20, 2006, the FDIC had completed PIAs for 43 of these applications. The PIAs for the remaining three applications containing IIF are scheduled for completion by December 31, 2006. Additionally, the FDIC has published 24 System of Records[9] Notices (SORN) on the FDIC Web site and in the Federal Register, as required by the Privacy Act, and is proposing 4 new FDIC Privacy Act SORNs to replace the outdated Unofficial Personnel Records notice.[10] The SORNs help to ensure that information about FDIC maintenance and use of records containing IIF is publicly disclosed. The FDIC has also included its privacy policies on its public-facing Web site in furtherance of its disclosure activities.

Persistent Tracking. The FDIC continues to annually review the use of persistent tracking technologies, also known as Web site cookies. There are two types of Web site cookies, session and persistent cookies. Session cookies are temporary and are erased when a user closes the Web browser, whereas persistent cookies remain on a user's computer until the user erases them. The FDIC uses persistent cookies only as part of the Statistics on Depository Institutions application. The FDIC has properly obtained agency-head approval to collect this information and informs visitors of its use. Additionally, the FDIC posts Privacy Notices on all public Web sites and on any Web page where the FDIC uses session cookies to collect information consistent with OMB guidance.[11]
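The session/persistent distinction above is decided by the cookie's Set-Cookie attributes: a cookie with neither Max-Age nor Expires is a session cookie, while either attribute gives it a lifetime on the user's computer. The following is an added example (not code from the report, KPMG, or the FDIC) of a small audit helper that classifies captured Set-Cookie headers, the kind of check an annual persistent-tracking review could run against a site's responses. The header lines, cookie names such as sdi_prefs, and values are constructed for illustration; the precedence of Max-Age over Expires follows RFC 6265.

```python
"""Classify Set-Cookie headers as session, persistent, or expired cookies.

Added example for auditing persistent tracking technologies; it is not part
of the FDIC/KPMG report. A cookie is persistent when the server assigns it a
lifetime via Max-Age or Expires; with neither attribute the browser discards
it when the browsing session ends. When both are present, Max-Age takes
precedence (RFC 6265, section 5.3).
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers, as a site audit might capture them from responses.
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "Set-Cookie: sdi_prefs=state%3DVA; Max-Age=31536000; Path=/sdi",
    "Set-Cookie: _tracker=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    "Set-Cookie: old=1; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/",
    "Set-Cookie: deleted=1; Max-Age=0; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie name, {attribute: value})."""
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return name, attrs


def classify_cookie(header, now=None):
    """Return 'session', 'persistent', or 'expired' for one Set-Cookie header."""
    now = now or datetime.now(timezone.utc)
    _, attrs = parse_set_cookie(header)

    # Max-Age wins over Expires; a non-positive value tells the browser to delete.
    max_age = attrs.get("max-age")
    if max_age is not None and max_age.lstrip("-").isdigit():
        return "persistent" if int(max_age) > 0 else "expired"

    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"   # browsers ignore an unparseable Expires attribute
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return "persistent" if expires > now else "expired"

    return "session"


def audit_cookies(headers, now=None):
    """Map cookie name -> classification for a list of captured Set-Cookie headers."""
    return {parse_set_cookie(h)[0]: classify_cookie(h, now) for h in headers}


if __name__ == "__main__":
    for cookie, kind in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie:12s} {kind}")
```

The helper only classifies lifetime; an actual review would still compare each persistent cookie found against the approved list (here, the Statistics on Depository Institutions use) and confirm that the Privacy Notice on the issuing page describes it.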

Internal Oversight. In addition to performing the privacy reviews discussed earlier to comply with requirements in OMB Circular A-130, Appendix I, the FDIC conducts internal reviews of compliance with information privacy laws and regulations. For example, in November 2005, the FDIC conducted a review of several published directives that contain privacy references and added or revised content, language, and references, as necessary. Continuing these reviews will help the FDIC to ensure compliance with current privacy requirements, such as OMB's memorandum M-06-16, Protection of Sensitive Agency Information, dated June 23, 2006, which emphasized critical safeguards for protecting privacy information on mobile computers and devices. The memorandum requires an agency review of these safeguards.

The FDIC needs to implement measures that would provide assurance that the technologies used to collect, use, store, and disclose IIF allow for continuous auditing of compliance with stated privacy policies and practices as required by section 522 and discussed in OMB Memorandum M-06-20. The need for continuous auditing of systems security controls was also identified in the FY 2006 independent evaluation of the FDIC's security program.[12] The Privacy Program Manager indicated that a DIT project team is evaluating technologies to provide continuous monitoring. Continuous monitoring of compliance controls will provide the FDIC with ongoing awareness and periodic compliance metrics regarding the collection, use, and distribution of IIF. Additionally, the FDIC needs to complete a comprehensive and formal POA&M to track privacy program compliance deficiencies. The Privacy Program Manager indicated that corrective actions related to audits would be tracked through the corporate audit finding tracking system and non-audit related initiatives through the established Privacy Program monthly status report. However, the Privacy Program monthly status report was not always completed and did not consistently include required resources or track items through completion. A formal POA&M for the privacy program will enhance the FDIC's ability to identify, assess, prioritize, and monitor the progress of corrective efforts for identified privacy weaknesses, including those contained in PIAs and privacy reviews.

The FDIC has determined that the Corporation needs to report annually to Congress regarding activities affecting privacy as required by section 522. The FDIC Privacy Program Manager indicated the FDIC plans to comply with this requirement by submitting such a report in FY 2006. KPMG intends to follow up in the upcoming section 522 compliance audit to determine the status on the FDIC's preparation of this report.

OIG Coordination. The FDIC coordinated with the OIG on privacy program oversight by providing the OIG with a compilation of FDIC privacy and data protection policies and procedures, a summary of the FDIC use of IIF, and verification of the intent to comply with both federal and corporate agency policies and procedures. Section 522 required the FDIC to provide a report containing this information to the Inspector General; the report was received on September 15, 2005.

KPMG is making no recommendations in this report. The FDIC OIG has contracted with KPMG to perform a privacy review, designed to meet the various requirements of section 522, of the FDIC's use of IIF and related privacy protection policy and procedures, and the firm will make appropriate recommendations, if necessary, at that time.


APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of KPMG's performance audit was to determine the current status of the FDIC's efforts to implement a corporate-wide privacy program. The audit focused on privacy program areas addressed in Section D of OMB's July 17, 2006 memorandum M-06-20 entitled, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. As part of the audit work, KPMG reviewed prior OIG reports (listed below) related to privacy. The results of this audit support the OIG in fulfilling its evaluation and reporting responsibilities under FISMA and M-06-20.

To accomplish the objective, KPMG relied on information-gathering techniques such as interviewing key FDIC officials with privacy responsibilities; reviewing relevant FDIC policies, procedures, and documentation; and performing other appropriate audit procedures. Also, KPMG considered the results from the following OIG reports but did not follow up on the recommendations in those reports. Such follow-up will be performed as part of the required review under section 522.

KPMG did not separately perform procedures to review program performance measures, assess the FDIC's compliance with laws and regulations, evaluate the FDIC's internal control, or determine that computer-based data were valid and reliable. In addition, KPMG did not design specific audit procedures to detect fraud; however, throughout the audit, KPMG and the OIG were sensitive to the potential for fraud, waste, abuse, and mismanagement. KPMG performed the audit at the FDIC's offices in Arlington, Virginia, during the period June through August 2006 in accordance with GAGAS issued by the Comptroller General of the United States.


APPENDIX II

PRIVACY-RELATED LAWS, POLICIES, AND GUIDELINES

A number of federal statutes, policies, and guidelines are aimed at protecting IIF from unauthorized use, access, disclosure, or sharing and associated information systems from unauthorized access, modification, disruption, or destruction. Brief descriptions of key privacy-related statutes, policies, and guidelines and their applicability to the FDIC follow.


Last updated 11/29/2006