Audit of USAID's Implementation of Key Components of a Privacy Program for its Information Technology Systems

Recommendation
1

USAID's Assistant Administrator for Management send a written request to the Administrator that he designate a senior-level agency official for privacy with Agency-wide responsibility for information privacy issues, as required by Office of Management and Budget M-05-08.

Questioned Cost
0
Close Date
Recommendation
2

After final action is taken on Recommendation 1, USAID's Director, Human Resources, modify the written position description of the senior agency official for privacy to fully incorporate responsibility for privacy across the Agency.

Questioned Cost
0
Close Date
Recommendation
3

After final action is taken on Recommendation 1, the supervisor for the senior agency official for privacy modify the written work objectives for the senior agency official for privacy to fully incorporate accountability for privacy across the Agency.

Questioned Cost
0
Close Date
Recommendation
4

USAID's Chief Privacy Officer perform a written privacy threshold analysis for the Agency's Wellness Staff Care Web site, https://wellnessstaffcare.usaid.gov, and, based on the results of the analysis, prepare a written privacy impact assessment and written system of record notice, if required.

Questioned Cost
0
Close Date
Recommendation
5

USAID's Chief Information Security Officer prepare the following for the Agency's Wellness Staff Care Web site, https://wellnessstaffcare.usaid.gov:
-A documented review of the security package for the system.
-A documented review of the security risks if the Agency uses the system.
-A written authorization for the system to operate if the system meets security requirements, or if not, take action to discontinue use of the Web site and document its discontinuation.

Questioned Cost
0
Close Date
Recommendation
6

USAID's Chief Privacy Officer update the Privacy Office's Training Plan for Basic Privacy Training (September 1, 2013) to:
-Explain what action will be taken when individuals do not meet privacy training requirements.
-Require annual privacy refresher training.

Questioned Cost
0
Close Date
Recommendation
7

USAID's Chief Privacy Officer develop and implement written annual basic privacy training that covers the following privacy topics:
-The definition of personally identifiable information (PII).
-Applicable privacy laws, regulations, and policies.
-Restrictions on data collection, storage, and use of PII.
-Roles and responsibilities for using and protecting PII.
-Appropriate disposal of PII.
-Sanctions of a security or privacy incident involving PII.
-Roles and responsibilities in responding to PII-related incidents and reporting.
-How to respond to an incident, should one occur.
-Rules for teleworking.

Questioned Cost
0
Close Date
Recommendation
8

USAID's Chief Privacy Officer develop and implement documented role-based privacy training for the following employees: security staff, human resources staff, contracting officers' staff, financial officers' staff, chief information security office staff, and travel staff.

Questioned Cost
0
Close Date
Recommendation
9

USAID's Chief Privacy Officer update the Privacy Office's Role-Based Personally Identifiable Information (PII) Training Plan (November 1, 2013) to:
-Require role-based privacy training at least annually for employees in the identified roles who handle personally identifiable information.
-List the privacy topics that will be addressed for travel staff.

Questioned Cost
0
Close Date
Recommendation
10

USAID's Chief Privacy Officer document and implement a process to maintain records of employees who attend role-based privacy training, to include comparing those records to a list of employees that should receive the training.

Questioned Cost
0
Close Date
Recommendation
11

USAID's Chief Privacy Officer complete written system of record notices for the Web Time and Attendance System and End-to-End Travel System, and publish them in the Federal Register.

Questioned Cost
0
Close Date
Recommendation
12

USAID's Chief Privacy Officer develop and implement written procedures to review and update system of records notices on at least a biennial basis.

Questioned Cost
0
Close Date
Recommendation
13

USAID's Chief Privacy Officer finalize the written privacy impact assessments for Facebook (https://www.facebook.com/USAID), Twitter (https://twitter.com/#!/usaid), and Youtube (http://www.youtube.com/usaidvideo).

Questioned Cost
0
Close Date
Recommendation
14

USAID's Chief Privacy Officer update and finalize the written privacy impact assessment for Making All Voices Count, (http://www.makingallvoicescount.org) to explain the specific purpose of the Agency's use of the third-party Web site or application, whether and how the Agency will maintain personally identifiable information, and for how long, and what other privacy risks exist and how the Agency will mitigate those risks.

Questioned Cost
0
Close Date
Recommendation
15

USAID's Bureau for Legislative and Public Affairs, Strategic Adviser for Strategic Communications, post final privacy impact assessments on USAID's official external Web site for the following third-party Web sites and document the results:
-Facebook, https://ww.facebook.com/USAID
-GitHub, https://github.com/USAID
-Linkedin, http://www.linkedin.com/groups?gid=118430
-Making All Voices Count, http://www.makingallvoicescount.org/
-Twitter, https://twitter.com/#!/usaid
-Youtube, http://www.youtube.com/usaidvideo

Questioned Cost
0
Close Date
Recommendation
16

USAID's Chief Privacy Officer review the FLIKR Web site, http://www.flickr.com/people/usaid-indonesia, and make a written determination whether it may provide personally identifiable information to the Agency, and, based on that determination, prepare a privacy impact assessment, as appropriate.

Questioned Cost
0
Close Date
Recommendation
17

USAID's Bureau for Legislative and Public Affairs, Strategic Adviser for Strategic Communications, implement a written process to maintain an Agency-wide inventory of third-party Web sites that make personally identifiable information available to the Agency.

Questioned Cost
0
Close Date
Recommendation
18

USAID's Chief Privacy Officer make a written risk-based determination of the frequency that the data loss prevention tool and Pretty Good Privacy should be monitored, and based on that, implement appropriate corrective actions and document the results.

Questioned Cost
0
Close Date
Recommendation
19

USAID's Chief Privacy Officer revise its written plan to eliminate the unnecessary collection and use of Social Security numbers, to include time frames for reviewing and eliminating the unnecessary collection and use of partial and full Social Security numbers in Agency forms and systems

Questioned Cost
0
Close Date
Recommendation
20

After taking final action on Recommendation 19, USAID's Chief Privacy Officer implement its plan to eliminate the unnecessary collection and use of Social Security numbers and document the results.

Questioned Cost
0
Close Date
Recommendation
21

USAID's Chief Privacy Officer develop and implement documented procedures for reviewing the Agency's personally identifiable information holdings. At a minimum, those procedures must include who is responsible for conducting those reviews, the schedule for conducting them, and how they will be conducted.

Questioned Cost
0
Close Date
Recommendation
22

USAID's Chief Privacy Officer make the Agency's written schedule for reviewing its personally identifiable information holdings publicly available.

Questioned Cost
0
Close Date
Recommendation
23

USAID's Chief Privacy Officer prepare written privacy notices and post them on the following Web sites at all locations where the public might make personally identifiable information available to the Agency, as required:
-Facebook, https://www.facebook.com/USAID
-GitHub, https://github.com/USAID
-Linkedin, http://www.linkedin.com/groups?gid=118430
-Making All Voices Count, http://www.makingallvoicescount.org
-Twitter, https://twitter.com/#!/usaid
-YouTube, http://www.youtube.com/usaidvideo

Questioned Cost
0
Close Date
Recommendation
24

USAID's Chief Privacy Officer develop and implement a written process to periodically review the Agency's inventory of third-party Web sites for completeness, and prepare privacy notices and post them on the Web sites at all locations where the public might make personally identifiable information available to the Agency.

Questioned Cost
0
Close Date
Recommendation
25

USAID's Chief, Systems Development Branch, either configure the server that hosts http://www.usaid.gov/comment to require the use of Transport Layer Security 1.0 or higher, or if not needed, discontinue collecting "names" on http://www.usaid.gov/comment, and document the results.

Questioned Cost
0
Close Date
Recommendation
26

USAID's Chief Privacy Officer revise the Privacy Office's Guidance for USAID Breach Response Team (August 2007) to include:
-Instructions on how to handle a delay to send notifications of a privacy breach, including who should make this decision and what they are required to do once the decision is made.
-A statement on whether breached information was encrypted or protected by other means, when appropriate.
-A reassessment of the impact level as defined by the National Institute of Standards and Technology following an information breach.

Questioned Cost
0
Close Date
Recommendation
27

USAID's Bureau for Legislative and Public Affairs, Director of Digital Communications, fix the broken links to the system of record notices on the Agency's external Web site, http://www.usaid.gov/privacy-program, and document the results.

Questioned Cost
0
Close Date
Recommendation
28

USAID's Bureau for Legislative and Public Affairs, Director of Digital Communications, fix the broken link to the privacy impact assessment for AIDNet on the Agency's external Web site, http://www.usaid.gov/privacy-policy//ia-summaries, and document the results.

Questioned Cost
0
Close Date
Recommendation
29

USAID's Chief, Bureau for Management, Office of Management Services, Information and Records Division, work with the National Archives and Records Administration to update the electronic records disposition schedule in Automated Directives System 502 to identify the following third-party Web sites that make personally identifiable information available to the Agency: Facebook, GitHub, LinkedIn, Making All Voices Count, Twitter, and YouTube.

Questioned Cost
0
Close Date
Recommendation
30

USAID's Chief, Bureau for Management, Office of Management Services, Information and Records Division, work with the National Archives and Records Administration to update the electronic records disposition schedule in Automated Directives System 502 to identify the following Agency systems that contain personally identifiable information: Agency Correspondence Tracking System, ePerformance, End to End Travel, Partner Vetting System, and Web Time and Attendance System.

Questioned Cost
0
Close Date
Recommendation
31

USAID's Senior Agency Official for Privacy formally establish in writing the Agency's Privacy Office within the organizational structure.

Questioned Cost
0
Close Date
Recommendation
32

USAID's Chief Privacy Officer conduct a written comprehensive review of the Agency's privacy program and report any weaknesses identified during that review in the Agency's written plan of action and milestones required by the Federal Information Security Management Act of 2002.

Questioned Cost
0
Close Date
Recommendation
33

After final action is taken on Recommendation 32, we recommend that USAID's Senior Agency Official for Privacy perform a written comprehensive analysis to determine the resources (including staff, budget, and tools) needed to correct the weaknesses in the Agency's privacy program, and based on that analysis, allocate the resources.

Questioned Cost
0
Close Date
Recommendation
34

USAID's Chief Information Officer request in writing that the Agency's Management Control Review Committee make a written determination whether the weaknesses in the Agency's privacy program should be reported, tracked, and monitored as a material weakness pursuant to the Federal Managers' Financial Integrity Act of 1982.

Questioned Cost
0
Close Date