TSA needs privacy IT tools, IG says

The Transportation Security Administration should deploy automated tools to test and monitor the effectiveness of privacy safeguards in its programs, according to a new report from Homeland Security Inspector General Richard Skinner.

In a report issued Sept. 18, Skinner recommended that TSA’s Office of the Chief Information Officer implement such tools, and the agency's officials agreed with the recommendation.

Overall, TSA has made progress in implementing privacy protections but could do better if it used the automated tools, Skinner concluded. The agency is required to protect personally identifiable information from loss, destruction, modification or inappropriate disclosure. The agency stores and uses personal data in several of its programs.

Although the CIO’s office is responsible for securing data, including personally identifiable information, the office is not providing automated tools for doing so, Skinner wrote. For enforcement, the agency's Office for Privacy Policy Compliance (OPPC) checks TSA's databases to see if sensitive data has been leaked. The office has indeed found some cases where data appears to have been exposed, Skinnner found.

“Personally identifiable information data was found that should not have been accessible through the periodic checks,” the report said. “Further, according to TSA, data spills, unprotected e-mails of personnel information, and lost folders containing personally identifiable information have occurred.”

The current privacy monitoring system is inadequate, and there needs to be further collaboration between the CIO’s office and the privacy compliance office to identify privacy tools, Skinner wrote.

“Although OPPC implements privacy policies and interacts with personnel, the office of the CIO cannot electronically monitor privacy behavior continuously and measure the strength of personally-identifiable information protections,” the report said.

“TSA has not purchased tools and technologies to automate privacy protections because further research and collaboration by OPPC and the office of the CIO is necessary to identify requirements and appropriate approaches within the TSA computing environment,” the report concluded.

Without such tools, TSA cannot compare the effectiveness of privacy protection across different systems, and cannot improve overall privacy data protection and monitoring, the IG said.

Automated monitoring and reporting tools are also being applied in other areas of government. The Office of Management and Budget recently required federal agencies to submit compliance reports using such tools for the Federal Information Security Management Act.