Receive Credit for this Course!
• Attending in Person?
  • Sign the attendance sheet
• Attending in a conference room at another location?
  • Sign the attendance sheet
  • Location POC, please send a copy of the attendance sheet to csat@hq.nasa.gov
• Attending via Webex and phone?
  • Announce yourself at the roll call at the end of this session AND
  • Send an email to csat@hq.nasa.gov including the phone number from which you participated
Protection of Sensitive Information Summer 2013
Agenda
• What is sensitive information?
• How should you protect it?
  • Use encryption
    • Public Key Infrastructure (PKI)
    • Data at Rest (DAR) Encryption
    • Other encryption tools
  • Label sensitive information appropriately
  • Store sensitive information in a protected location
  • Remove information that is no longer needed
  • Protect sensitive information while you “Work from Anywhere”
• What should you do if there is a breach?
• What compliance is required under privacy regulations?

What is Sensitive Information?
• Sensitive But Unclassified (SBU) Information
  • SBU information is any information, the loss, misuse, or modification of which, or unauthorized access to, could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under the Privacy Act, but which has not been specifically authorized under criteria established by an executive order or an act of Congress to be kept secret in the interest of national defense or foreign policy. (Per Federal guidance, this type of information will be designated as Controlled Unclassified Information (CUI) in the future.)
• Personally Identifiable Information (PII)
  • PII is information that can be used to uniquely identify, contact, or locate a single person, or can be used with other sources to uniquely identify a single individual.
• Sensitive PII
  • Sensitive PII is a combination of PII elements which, if lost, compromised, or disclosed without authorization, could be used to inflict substantial harm, embarrassment, inconvenience, or unfairness to an individual.
Examples of SBU and PII
• Examples of Sensitive PII
  • a social security number by itself, or
  • an individual's first name or first initial and last name in combination with any one or more types of the following information, including, but not limited to:
    • social security number
    • passport number
    • credit card number
    • home telephone number
    • personal cell phone number
    • clearances
    • bank numbers
    • biometrics
    • date and place of birth
    • mother's maiden name
    • criminal, medical and financial records, etc.
• This information may be in the form of paper, electronic, or any other media format.
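The Sensitive PII rule above is the kind of definition that gets encoded in a data-labeling or DLP check, so here it is as working code. This is an added example, not a NASA tool: the field names (`first_name`, `first_initial`, `last_name`, `ssn`, and so on), the `"pii"` bucket for records that identify a person without meeting the Sensitive PII combination, and the sample records are all constructed for this illustration.

```python
"""Sensitive PII classification rule as code.

Added example, not a NASA tool: it encodes the rule stated on the slide.
A record is Sensitive PII when it carries a social security number by
itself, or when it carries a name (first name or first initial together
with a last name) combined with at least one of the listed elements.
Field names and sample records below are constructed for this example.
"""
from typing import Dict, List

# Elements that, combined with a name, make a record Sensitive PII.
# The slide says "including, but not limited to", so extend as needed.
SENSITIVE_ELEMENTS = {
    "ssn", "passport_number", "credit_card_number", "home_phone",
    "personal_cell_phone", "clearance", "bank_number", "biometric",
    "date_of_birth", "place_of_birth", "mothers_maiden_name",
    "criminal_record", "medical_record", "financial_record",
}

Record = Dict[str, object]


def _present(record: Record, field: str) -> bool:
    """True when the field exists and is not blank."""
    value = record.get(field)
    return value is not None and str(value).strip() != ""


def has_name(record: Record) -> bool:
    """First name or first initial, in combination with a last name."""
    first = _present(record, "first_name") or _present(record, "first_initial")
    return first and _present(record, "last_name")


def sensitive_elements(record: Record) -> List[str]:
    """The listed elements actually present in the record, sorted."""
    return sorted(f for f in SENSITIVE_ELEMENTS if _present(record, f))


def classify(record: Record) -> str:
    """Return "sensitive_pii", "pii" or "none" for a single record.

    "pii" is this example's own bucket for records that identify, contact
    or locate a person without meeting the Sensitive PII combination.
    """
    if _present(record, "ssn"):
        return "sensitive_pii"          # an SSN by itself is Sensitive PII
    elements = sensitive_elements(record)
    if has_name(record) and elements:
        return "sensitive_pii"          # name + any one listed element
    if has_name(record) or elements:
        return "pii"
    return "none"


def needs_encryption(records: List[Record]) -> List[str]:
    """IDs of records that must be encrypted before storage or transmission."""
    return [str(r.get("id")) for r in records if classify(r) == "sensitive_pii"]


if __name__ == "__main__":
    # Constructed sample records; the values are placeholders, not real data.
    samples = [
        {"id": "r1", "ssn": "000-00-0000"},
        {"id": "r2", "first_initial": "J", "last_name": "Doe", "home_phone": "555-0100"},
        {"id": "r3", "first_name": "Jane", "last_name": "Doe"},
        {"id": "r4", "project": "Orion"},
    ]
    for r in samples:
        print(r["id"], classify(r), sensitive_elements(r))
    print("encrypt:", needs_encryption(samples))
```

Note that a blank or whitespace-only value does not count as present: a record that has a `last_name` but no first name or initial does not meet the name condition, so on its own it is not flagged as Sensitive PII under this rule, even though a real deployment would normally still treat it as PII.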
General Protection Requirements
• Secure under lock and key when not being used.
• Information stored digitally (whether on workstations, private servers, or on publicly accessible systems such as certain SharePoint sites, shared folders or any publicly accessible web site) shall be encrypted.
• Files and devices shall be externally marked "SENSITIVE BUT UNCLASSIFIED" with NASA Form (NF) 1686 or NF 1534 as appropriate.
• When sending an e-mail within the boundaries of NASA’s network, use NASA’s Entrust Public Key Infrastructure.
• When sending an e-mail outside the boundaries of NASA’s network, include sensitive information in an encrypted attachment only.
• Hard copy documents containing SBU/PII information may be mailed in a sealed envelope (appropriately labeled inside the envelope).
• Unencrypted transmission of documents containing SBU information to network printers is only permitted if the network printer and the originating computer are on an internal NASA network behind a NASA firewall.
• SBU information shall be picked up from printers immediately after sending.

Encryption
• Use Entrust, NASA’s Public Key Infrastructure (PKI) tool
  • For email
  • For encrypting files on your computer or portable media
• How to get Entrust
  • Place an IdMAX/NAMS request (search: PKI)
  • Once installed, log in to Entrust every 30 days to retain Entrust access
• Detailed instructions for using Entrust (for Mac and Windows machines) can be found here: http://itcd.hq.nasa.gov/itsecurity/pki_entrust.html
Encryption Use-Cases
• Encrypting emails
  • Emails should be encrypted when the body of the email or an attachment to the email contains PII/SBU information
  • The subject of the email does not get encrypted, so DO NOT include sensitive information in the subject line
• Encrypting files
  • You can encrypt files on your local drive or on a shared drive so that you are the only individual who can access them
• Adding individuals to encrypted files
  • You can encrypt files for yourself as well as for other individuals, so that those individuals will also have access to the file if it is shared via email or on a shared drive
• Using encryption groups
  • Encryption groups can be created in Entrust so that you can encrypt files for a set group of people in a simplified manner – versus adding each person individually to the encrypted file

Encrypting Emails
• Select the “Encrypt” icon in the Email ribbon
• Enter the recipient’s name and press “Send”
When sending an e-mail containing PII outside the boundaries of NASA’s information network, FIPS 140-2 validated encryption mechanisms must be used. Consult with your Center CISO for appropriate encryption tools.
Encrypting Files (1 of 2)
• Right-click on the file
• Select “Encrypt file”
• The “Encrypt Files Wizard” will guide you through the process

Encrypting Files (2 of 2)
• Review encryption options and select “Next”
• Check “Delete the original files on finish” and click “Finish”
• Ensure the document icon indicates that the file has been encrypted

Adding Individuals to Encrypted Files (1 of 3)
• Right-click on the file
• Select “Encrypt file”
• The “Encrypt Files Wizard” will guide you through the process

Adding Individuals to Encrypted Files (2 of 3)
• Review encryption options
• Check “Encrypt the files for other people…”
• Click “Next”
• The “Additional Recipients” window will appear
• Click “Add”

Adding Individuals to Encrypted Files (3 of 3)
• Search by the individual’s name
• Select the correct name and click “OK”
• The added individual will show in “Additional Recipients”
• When done adding people, click “Next”
• Check “Delete the original files on finish” and click “Finish”
• Ensure the document icon indicates that the file has been encrypted

Using Encryption Groups (1 of 4)
• Right-click on the Entrust icon in the taskbar and select “Entrust Certificate Explorer”
• The Entrust Certificate Explorer window will open

Using Encryption Groups (2 of 4)
• Click “File” and select “New Personal Encryption Group”
• Click “Add” in the New Group window to assign members

Using Encryption Groups (3 of 4)
• Search by the individual’s name
• Select the correct name and click “OK”
• Repeat as necessary
• Added individuals will show in the New Group window
• Type the desired group name
• When finished, click “OK”

Using Encryption Groups (4 of 4)
• The new group will now be visible in your Entrust Certificate Explorer menu under “Personal Encryption Groups”
• When encrypting a file, you can select the Personal Encryption Group rather than selecting each individual
Encryption of Data At Rest (DAR)
• DAR products encrypt the entire contents of the hard drive.
• NASA has deployed Symantec PGP Desktop on all laptops.
• Symantec PGP Desktop will be deployed on all desktops containing sensitive information. IT POCs have been asked to provide information on all relevant desktop computers.
• Alternative solutions (e.g. FileVault for Mac) can be used for computers not supported by Symantec PGP Desktop, but a waiver may be required.

Encryption of Data at Rest (DAR)
• DAR does not take the place of Entrust PKI for encrypting individual files or for sending encrypted e-mail messages. E-mail messages sent from your laptop or desktop will be unencrypted unless you use Entrust to protect the message.
• Helpful link for DAR: http://itcd.hq.nasa.gov/DAR_encryption.html
DAR – How it Works
• Once the tool is set up:
  • At startup, enter your password to have access to your files
  • Use the computer as normal
  • When you shut down your computer, the hard drive is encrypted and the data is no longer accessible
• Your data is only protected if the computer is SHUT DOWN or in HIBERNATE mode! SLEEP or LOCKED mode does not require your DAR password to start back up, because the decryption key stays in memory.

DAR – How it Works
• DAR encryption on shared computers: multiple users can unlock the same computer.
  • An authorized user enters the DAR password to unlock the computer
  • The new user logs into Windows using their NDC credentials
  • Symantec PGP Desktop automatically enrolls the new user so they can access the DAR’d hard drive
• Change your DAR password every time you change your NDC password (every 60 days). See instructions at http://itcd.hq.nasa.gov/secure/aces/PGP_passwords.pdf.
Proper Markings for SBU
• All sensitive information must be labeled
  • Headers and footers as part of the document
  • Cover sheet for printed copies
    • NF 1686 is the cover sheet for SBU information
    • NF 1534 is the cover sheet for Privacy Act information
  • Labels for CDs, DVDs, external hard drives, etc.
Example text for front page or footer:
WARNING: This document is SENSITIVE BUT UNCLASSIFIED (SBU). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with NASA policy relating to SBU information and is not to be released to the public or other personnel who do not have a valid "need-to-know" without prior approval of an authorized NASA official.
Example text for footer:
SENSITIVE BUT UNCLASSIFIED (SBU)

Storing Sensitive Data
• Where can you store sensitive data?
  • Locked office or cabinet
  • Computer hard drive (if the computer has working DAR encryption)
    • Best practice is to encrypt individual files using Entrust.
  • Encrypted USB drive
    • Must be FIPS 140-2 compliant
    • Encrypted USB drives are available from the ACES catalog:
• How do I access the ACES Product Catalog?
  1. Go to https://esd.nasa.gov (NASA Only)
  2. Select Order Services
  3. Select Other ACES Services
  4. Select Request Now located next to APC - General Purchase
  5. Click the ACES Product Catalog link.
• How do I find USB drives in the ACES Product Catalog?
  • Enter the following in the Shop by area:
    • Choose a Product Family: Memory
    • Choose a Product Category: Flash USB Drive & Cards
    • Enter the keyword “encrypt”
    • Click Search

Storing Sensitive Data
• Where can you store sensitive data?
  • Shared drive? Only if encrypted.
  • SharePoint? Only if encrypted.
  • Secured databases
• REMOVE FILES WHEN NO LONGER NEEDED, in accordance with NASA Record Retention Schedules
Purging Data
• Keep track of where you save files with sensitive information on your computer, and remove them when no longer needed.
• Downloaded files
  • Users often download files from databases, servers, WebMail
  • The default setting at NASA is for downloaded files to be stored in the ‘Downloads’ folder (accessible through ‘Computer’ in the start menu). Be sure to review downloaded files – delete or encrypt those with SBU!
• OMB Memo M-07-16: “Log all computer-readable data extracts from databases holding sensitive information and verify … whether sensitive data has been erased within 90 days or its use is still required”
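The M-07-16 requirement quoted above has two parts: keep a log of every extract, and verify each entry within 90 days. A small review script makes the second part routine. This is an added example, not a NASA tool or an ITCD process: the JSON-lines log format, the field names (`extracted`, `status`, `still_required_on`, `closed`), the 14-day "due soon" warning threshold, and the sample entries are all constructed for this illustration; only the 90-day window comes from the memo.

```python
"""Data-extract log review against the OMB M-07-16 90-day rule.

Added example, not a NASA tool. M-07-16 directs agencies to log
computer-readable data extracts from databases holding sensitive
information and to verify within 90 days whether each extract has been
erased or is still required. This script keeps that log as JSON lines and
reports which open extracts are overdue for that verification. The log
format, field names and sample entries are constructed for this example.
"""
import json
from datetime import date, timedelta
from typing import Dict, List

RETENTION_DAYS = 90        # verification window from M-07-16
DUE_SOON_DAYS = 14         # this example's own warning threshold

# Constructed sample log; paths and dates are placeholders.
SAMPLE_LOG = """\
{"id": "X-001", "path": "Downloads/hr_roster.xlsx", "extracted": "2013-03-01", "status": "open"}
{"id": "X-002", "path": "Downloads/budget.csv", "extracted": "2013-03-20", "status": "open"}
{"id": "X-003", "path": "Downloads/old_list.csv", "extracted": "2013-01-15", "status": "erased", "closed": "2013-02-01"}
{"id": "X-004", "path": "Downloads/report.pdf", "extracted": "2013-02-20", "status": "open", "still_required_on": "2013-05-15"}
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """One JSON object per non-blank line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def deadline(entry: Dict[str, str]) -> date:
    """Date by which the extract must next be verified.

    The clock starts at extraction, or restarts when the owner last
    recorded that the extract is still required.
    """
    start = date.fromisoformat(entry.get("still_required_on") or entry["extracted"])
    return start + timedelta(days=RETENTION_DAYS)


def review(entries: List[Dict[str, str]], today: date) -> Dict[str, List[str]]:
    """Bucket extract IDs into overdue / due_soon / ok / closed."""
    result: Dict[str, List[str]] = {"overdue": [], "due_soon": [], "ok": [], "closed": []}
    for e in entries:
        if e.get("status") != "open":          # erased or otherwise closed out
            result["closed"].append(e["id"])
            continue
        days_left = (deadline(e) - today).days
        if days_left < 0:
            result["overdue"].append(e["id"])
        elif days_left <= DUE_SOON_DAYS:
            result["due_soon"].append(e["id"])
        else:
            result["ok"].append(e["id"])
    return result


def review_log(text: str, today_iso: str) -> Dict[str, List[str]]:
    """Convenience wrapper: parse the log text and review it as of today_iso."""
    return review(parse_log(text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    report = review_log(SAMPLE_LOG, "2013-06-15")
    for bucket, ids in report.items():
        print(f"{bucket:9s} {', '.join(ids) or '-'}")
```

Run as of 2013-06-15, the sample log yields X-001 overdue (extracted 1 March, deadline 30 May), X-002 due within the warning window (deadline 18 June), X-004 still within its window because the owner re-verified it on 15 May, and X-003 closed. Recording the `still_required_on` date rather than silently keeping the file is what makes the 90-day clock auditable.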
Disposing of Hard Copies
• Shred it or put it in a burn bag or locked SBU container. Call the NASA Facilities Help Desk at 202-358-0233 or put in a Facilities Help Desk ticket at https://fhds.hq.nasa.gov to get discarded documents picked up.
• During the HQ renovation, FASD is providing more frequent pickups of burn bags or containers on request.
Working from Anywhere
• Bring your laptop only if
  • DAR encryption software is installed and active (computer is shut down or in hibernate mode)
  • The laptop is on your person or locked in a car trunk during transit
  • No unauthorized persons access it
• Don’t put NASA data on your home computer.
• If accessing Web Mail from your home computer, don’t download files with sensitive information.
• Ensure that your files and laptop are physically protected at all times.
• Don’t plug NASA USB/flash drives into your home computer.
• Don’t plug personal USB/flash drives into your NASA computer.

What to do in case of a Breach
• Report all PII breaches, whether suspected or confirmed, immediately to:
  • NASA SOC (If your computer contains PII, be sure to inform the SOC technician who answers your call)
    • 1-877-NASA-SEC (1-877-627-2732)
    • soc@nasa.gov
  • Center Privacy Manager
• Work with the HQ Incident Response Team to determine what happened, the extent of the breach, impact, mitigation actions, etc.
• Participate in the Breach Response Team (BRT), if applicable.

Privacy Compliance Requirements
• Collections
• Privacy and CUI Assessment Tool (PCAT)
• Privacy Act of 1974 (PA)
• Children’s Online Privacy Protection Act (COPPA)
• Paperwork Reduction Act (PRA)
• Records Management

What are “Collections”?
• From the privacy perspective, any holding of information is considered a collection
• This includes:
  • Applications
  • Websites
  • Information systems
  • Cloud systems
  • Paper records
  • Other electronic records
• The NASA official responsible for any collection of such information is the “collection owner.”

What are the Requirements?
• Regardless of whether or not PII is collected, an Initial Privacy Threshold Analysis (IPTA) must be conducted in PCAT for each application, website, information system or collection of information to determine what, if any, privacy requirements are applicable.
  • IPTAs require approval from the collection owner and Center Privacy Manager
• Generally, information collections on members of the public require a Privacy Impact Assessment (PIA)
  • PIAs require approval from the collection owner, Center Privacy Manager, Agency Privacy Program Manager, and Agency Chief Information Officer
  • PIAs will be published online – available to the public
• As outlined in NPR 1382.1, NASA may only collect/maintain the minimum necessary information about individuals which is relevant and necessary to accomplish a NASA purpose

PCAT
• NASA requires an Initial Privacy Threshold Analysis (IPTA) to be conducted on all applications, Websites and information collections. The IPTA is a brief pre-assessment done to determine whether each collection will require a full Privacy Impact Assessment (PIA). This initial assessment and the overall PIA (if required) are both accomplished through the NASA Privacy and CUI Assessment Tool (PCAT) at pcat.nasa.gov.
Privacy Act of 1974 (PA)
• The Privacy Act of 1974 governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by Federal Agencies.
• System of Records (SOR)
  • A group of any records under the control of any agency from which information is routinely retrieved by
    • The name of the individual
    • Some identifying number, symbol, or other assigned individual identifier
• Requirement: an SOR must be covered by a System of Records Notice (SORN) published in the Federal Register
• Published NASA SORNs are listed at http://www.nasa.gov/privacy/nasa_sorn_index.html

Children’s Online Privacy Protection Act (COPPA)
• The primary goal of COPPA is to place parents in control over what information is collected from their young children online. COPPA was designed to protect children under age 13 while accounting for the dynamic nature of the Internet.
• COPPA applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children, and to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.
• Requirement: COPPA requires websites that target or solicit information from children and collect PII to provide conspicuous notice of the information collection practices, verifiable parental consent, and access.

Paperwork Reduction Act (PRA)
• The purpose of the PRA is to ensure that federal agencies do not overburden the public with federally sponsored data collections.
• PRA is triggered when information is collected in a standard way from 10 or more persons who are members of the public, NASA contractors, grantees, or other non-NASA personnel.
  • This applies regardless of whether the information collection is voluntary or mandatory
• Requirement: OMB clearance is required for any collections that fall under PRA. The collection owner should work with the Agency PRA Officer to obtain an OMB approval number.

Records Management
• A collection contains federal records if:
  • It contains word-processing files, databases, photographs, maps, drawings, sound recordings, or materials in other forms that contain information regarding the conduct of NASA business; or,
  • It contains data in any of the above formats that constitutes information created by NASA activities and that is of value in and of itself to the engineering, scientific, academic and business communities within and outside of NASA.
• If a collection contains federal records, there may be specific retention and disposal guidelines that must be followed.
• Requirement: Work with the Center Records Manager to identify the specific retention schedule and ensure all records are maintained in accordance with it.

Next Steps
• All collection owners should initiate an IPTA in PCAT for each collection of information
  • This will determine which additional privacy requirements are applicable
• Additional organization-specific training for PCAT is available
  • Contact HQ CPM or CPM Support

SBU Protection Summary
• DO
  • Encrypt SBU data prior to or upon any electronic transmission
  • Store SBU data encrypted on any mobile devices or media
  • Store SBU data in locked containers when not attended
  • Destroy SBU data according to current guidelines when no longer required, to ensure non-recoverability
  • Start an IPTA for any “collection” of which you are the owner
• DO NOT
  • Leave SBU data unattended on desktops
  • Leave SBU data visible on commonly viewable computer screens
  • Relay SBU data via phone where you can be easily overheard
  • Leave SBU data on back seats, floorboards or other visible locations in your Government or privately owned vehicle
  • Leave SBU data unattended at airports, bus or train stations
  • Dispose of SBU data in common trash or recycling receptacles.
Contacts
• HQ Chief Information Security Officers (CISO)
  • Marion Meissner (also HQ Center Privacy Manager), 202-358-0585, marion.meissner@nasa.gov
  • Aaron Goad (also HQ Incident Response Manager), 202-358-1014, aaron.m.goad@nasa.gov
• HQ Center Privacy Manager Support
  • Angela Craig, 202-358-2218, angela.craig@nasa.gov
• NASA Privacy Programs Manager
  • Bryan McCall, 202-358-1767, bryan.d.mccall@nasa.gov

Contacts (cont’d)
• NASA Privacy Act Officer
  • Patti Stockman, 202-358-4787, patti.stockman@nasa.gov
• NASA PRA Officer
  • Fran Teel, 202-358-2225, frances.c.teel@nasa.gov
• HQ Records Manager
  • Pat Southerland, 202-358-0621, patricia.a.southerland@nasa.gov
Governance for Privacy
Privacy information is officially a subset of information which falls under SBU. NASA collects, stores, maintains and/or transmits Privacy information from various sources (government and private sector), resulting in our being obligated by law to comply with numerous privacy-specific Federal laws, policies and government-wide regulations.
Privacy Related Federal Laws, Policies and Guidelines: NASA privacy policy and procedures (NPD 1382.17H and NPR 1382.1) are developed from privacy-specific Federal laws, statutes, government-wide policy and Office of Management and Budget (OMB) memoranda. Examples are listed below, though this is not an all-inclusive list:
• Privacy Act of 1974
• Freedom of Information Act (FOIA) – 1974
• Section 208 of the E-Government Act of 2002
• National Institute of Standards and Technology (NIST) Special Publication 800-53, Rev. 4, Appendix J, Privacy Control Catalog (Appendix J.a. is under development and coming soon!)
• Federal OCIO Council Privacy Best Practices: from the Elements of a Federal Privacy Program
• A multitude of Office of Management and Budget (White House) Memoranda: M-99-05, M-99-18, M-00-13, M-01-05, M-03-22, M-05-04, M-05-08, M-05-24, M-06-15, M-06-16, M-06-19, M-07-16, M-08-09, M-09-12, M-10-06, M-10-15, M-10-22, M-10-23, M-11-33, Circular A-130, Circular A-11

Useful Links
• PCAT (https://pcat.nasa.gov/pcat/index.php/)
• Privacy requirements are further described in ITS‐HBK‐1382.03‐01: Privacy Risk Management and Compliance – Collections, PIAs, and SORNs (https://nodis-dms.gsfc.nasa.gov/NASA_Wide/restricted_directives/OCIO_Docs/ITS-HBK_1382_03-01_.pdf)
• NPR 1441.1D: NASA Records Retention Schedule (http://nodis3.gsfc.nasa.gov/displayDir.cfm?t=NPR&c=1441&s=1D)
NASA Policy Reference
• ITS-HBKs (1382 Series Handbooks) have been developed to provide a logical breakdown and focused subject matter reference material, all derived from NPR 1382.1A. They individually address the various aspects of the aforementioned policy and procedures in a much more focused, digestible and easily updated document, available through PCAT or NODIS.
  • NITR 1382.0002: NASA Rules and Consequences to Safeguarding PII (Will be cancelled by ITS-HBK 1382.09-01 upon release of NPR 1372.1A)
  • ITS-HBK 1382.04-01: Privacy and Information Security: Overview
  • ITS-HBK 1382.08-01: Privacy Accountability: Overview
  • ITS-HBK 1382.06-01: Privacy Notice and Redress: Web Privacy & Written Notice, Complaints, Access and Redress
  • ITS-HBK 1382.07-01: Privacy Awareness and Training: Overview
  • ITS-HBK 1382.09-01: Privacy Rules of Behavior and Consequences: Overview
  • ITS-HBK 1382.03-01: Privacy Risk Management and Compliance: Collections, PIAs and SORNs
  • ITS-HBK 1382.05-01: Privacy Incident Response and Management: Breach Response Team Checklist
  • ITS-HBK 1382.02-01: Privacy Goals and Objectives
  • ITS-HBK 1382.03-02: Privacy Risk Management and Compliance: Annual Reporting Procedures for Reviewing and Reducing PII and Eliminating the Unnecessary Use of SSN
• Additional Policy documents:
  • ITS-NITR-1382.2, NASA Rules and Consequences to Safeguarding PII, with Change 1, dated 02/04/2008
  • NID 5.24 Sensitive but Unclassified (SBU) Controlled Information, NID 1600-55
  • NPR 2810.1A, Security of Information Technology (Revalidated with Change 1, dated May 19, 2011)
  • NASA Administrator’s Memo on “Protection of Sensitive Agency Information,” dated 4/3/12