I have attached a document that explains what needs to done. Thanks
Unformatted Attachment Preview
Using these readings, research 3 or more points of analysis that can be used in a critical
analysis for Case Study #1. Choose from the following list:
Provisions of the Privacy Act of 1974
Provisions of the Freedom of Information Act (FOIA)
CNCI Initiative #2. Deploy an intrusion detection system of sensors across the
Federal enterprise (EINSTEIN 2)
CNCI Initiative #3. Pursue deployment of intrusion prevention systems across the
Federal enterprise (EINSTEIN 3)
CNCI Initiative #5. Connect current cyber ops centers to enhance situational
Choose two different case studies posted by your peers and then write a critical analysis for
each using the points of analysis identified from the readings. I have links below.
Below are the Case studies I have selected
1) Case Study #1: Are Privacy Impact Assessments (PIA) useful as a policy tool?
“Safeguarding personally identifiable information and preventing its breach…are essential
to ensure the government retains the trust of the American public” (Johnson, 2007). The
Government regulates that requirement to protect individual’s privacy through a number
of laws. Those most significant to a discussion of Privacy Impact Assessments of
information technology systems and the collection and use of personally identifiable
information (PII) include the Privacy Act of 1974 (2012) and the E-Government Act of 2002
(2012). The latter forms the basis of the requirement for federal agencies to conduct
Privacy Impact Assessments.
A few terms require clear definitions to provide an informed discussion of privacy of
information. Personally identifiable information is that individually distinguishable
information that can be traced or linked to a specific individual (Johnson III,
2007). Individual, as the laws discussed above relate, refers to a United States citizen or
permanent resident (Bolton, 2003). A System of Records is a collection of data, under the
control of a federal agency, that uses an individual’s name or other unique identifier to
retrieve data records (Privacy Act of 1974, 2012).
Overview / Summary of Privacy Impact Assessments
The E-Government Act of 2002 requires that federal agencies conduct Privacy Impact
Assessments prior to initiating the development or purchase of information technology or
before beginning to collect new information using information technology. The assessment
must be “commensurate with the size of the information system being assessed, the
sensitivity of information that is in an identifiable form in that system, and the risk of harm
from unauthorized release of that information” (2012). The Act requires a number of
issues to be addressed. These include: what information is to be collected and why; how
the agency will use and share the information collected; information about notices and
opportunities to limit collection or sharing of information; what administrative and
technical measures will be put in place to secure the information collected; and whether a
system of records will be created (E-Government Act of 2002, 2012). According to
guidance issued by the Director, Office of Management and Budget, the Privacy Impact
Assessment should also include an analysis that describes the choices made by the agency
concerning the collection of information or the information technology system as a result of
conducting the assessment (Bolton, 2003).
Use of Privacy Impact Assessments (Privacy Advocates & General Public)
Federal agencies are required to make Privacy Impact Assessments available to the public
through their agency web site if practicable (E-Government Act of 2002, 2012). Once
publically available, the information contained in the assessment can be reviewed by
citizens and privacy advocates to ensure the agency, and the Government as a whole, are
doing all they can to incorporate privacy protections into their agency policies and
information technology systems. For example, the assessment must include a rationale
why privacy information is being collected and explain whom it will be shared amongst. If
privacy groups aren’t convinced that the stated needs to collect or share such information
outweigh an individual’s privacy concerns, they can initiate a campaign to grow public
awareness and apply pressure on the agency or elected leaders to require the information
gathering and/or sharing practice be changed or eliminated altogether. Without publically
available Privacy Impact Assessments, citizens would be left in the dark regarding gaps in
privacy protection, like those identified in the Department of Homeland Security’s (DHS)
cyber-threat information sharing system that facilitates sharing of information between
companies and the federal government (Lyngaas, 2016). By making this information
available, privacy advocates and policy makers can continue to apply pressure to ensure
the DHS’s plan to mitigate residual risk is working.
Best Practices and Recommendations for Ensuring Privacy
A number of best practices exist that can be implemented to improve privacy of personally
identifiable information (PII) throughout the federal government. The first best practice is
to reduce and minimize the overall use of PII. In order to do so, agencies should conduct an
inventory of their data and information technology systems (Federal Chief Information
Officers Council, 2012). It would be inefficient to attempt any efforts to minimize use
without first knowing what PII exists within the agency.
Once PII has been identified, it may be possible to eliminate the personally identifiable
characteristic of the information through de-identifying or anonymizing processes
(McCallister, E., Grance, T., & Kent, K., 2010). These two best practice recommendations
allow information to be “aggregated for the purposes of statistical analysis, such as making
comparisons, analyzing trends, or identifying patterns”, while protecting individual privacy
by disassociating PII from other abstract data (McCallister, E., et al., 2010). One very
specific recommendation originating from the Office of Management and Budget is to
eliminate the use of Social Security Numbers (Johnson III, 2007). In order to be most
effective, and allow for the data to be linked back to the individual, a unique code should be
assigned to the data records.
A compromise of some PII may be more or less significant than loss of another. Shirley
Radack, from the Information Technology Laboratory of the National Institute of Standards
and Technology (NIST) recommends that all PII be categorized based on its confidentiality
impact level using low, moderate, and high categories (2010). Things to consider when
categorizing PII data include determining the ease of identifying a specific individual, the
sensitivity of the PII data, and the overall context of the PII in relation to the other data. For
example, an email address on a marketing list may identify someone, but isn’t too sensitive
or contextually harmful. However, that person’s account number associated to a purchase
order or invoice is certainly more sensitive and provides a higher degree of context
between the data and PII (Radack, 2010).
Utilizing the PII impact category levels discussed above, the next best practice is to
implement security controls based upon the three impact levels (Johnson III,
2007). Specific recommendations include the use of encryption to protect PII during data
transmission and data-at-rest (Johnson III, 2007), using authentication and access control
to limit access to data containing PII (Radack, 2010), and establishment of PII retention
schedules, PII handling procedures, and PII use policies (McCallister, E., et al., 2010).
Another best practice for security of information and technology, including PII in
particular, is user awareness training. “The goal of training is to build knowledge and skills
that will enable staff to protect PII” (McCallister, E., et al., 2010). Each agency includes
recommendations concerning PII training for their employees, including management, and
it should be conducted on a recurring basis to maintain awareness (Johnson III, 2007). The
training should include topics such as applicable privacy laws, responsibilities for
protecting PII, retention of PII timeframes, restrictions on the use of PII, and how to
respond when a PII breach occurs (McCallister, E., et al., 2010).
So what happens when PII is compromised? Best practices include response plans to
address breaches of PII. A thoroughly developed response plan will help to mitigate the
impact of a PII breach. The response plan should include agency reporting procedures,
notification to those affected, user awareness training (as discussed above), and a checklist
of remediation steps (Johnson III, 2007). Remediation may include removing the PII from
information technology systems, personnel discipline for those responsible, and credit
monitoring services for those affected (Radack, 2010).
Bolton, J., (2003, September 26). OMB Guidance for Implementing the Privacy Provisions of
the E-Government Act of 2002. Retrieved from
E-Government Act of 2002, 44 U.S.C. § 208 (2012).
Federal Chief Information Officers Council, (2012, December). RECOMMENDATIONS FOR
STANDARDIZED IMPLEMENTATION OF DIGITAL PRIVACY CONTROLS. Retrieved from
Johnson III, C., (2007, May 22). Safeguarding Against and Responding to the Breach of
Personally Identifiable Information. Retrieved from
Lyngaas, S., (2016, March 15). DHS unveils post-CISA privacy assessment. Retrieved from
McCallister, E., Grance, T., & Kent, K. (2010). Guide to protecting the confidentiality of
Personally Identifiable Information (PII) recommendations of the National Institute of
Standards and Technology. Gaithersburg, MD: U.S. Dept. of Commerce, National Institute of
Standards and Technology.
Privacy Act of 1974, 5 U.S.C. § 552a (2012).
Radack, S. (2010, April). GUIDE TO PROTECTING PERSONALLY IDENTIFIABLE
INFORMATION. Retrieved from http://csrc.nist.gov/publications/nistbul/april2010_guide-protecting-pii.pdf
2) Case Study #1: Are Privacy Impact Assessments (PIA) Useful as a Policy Tool?
The Homeland Security sees the Privacy Impact Assessments (PIA) as a decision tool
that it uses to identify and mitigate privacy risks that notifies the public. The privacy
impact assessment defines what personally identifiable information is collected. It also
explains how that collected PII is maintained; how it will be protected and shared.
(Margaret Rouse, 2013). Many questions are to be asked concerning the Personally
Identifiable Information that the DHS (Department of Homeland Security) is collecting.
Those questions are:
What is the purpose of collecting PII by the DHS
What PII is the DHS collecting
How does the DHS collect, use, access, share, safeguard and store the PII collected
There are different programs or components that make up the DHS privacy impact
assessment. These programs range from the DHS programs themselves, to the Coast Guard
and Secret Service programs, passing through some components such as the Customs and
Border Protection (CBP). There are three main objectives of using PIA: Ensure
conformance with applicable legal, regulatory, and policy requirements for privacy;
Determine the risks and effects; Evaluate protections and alternative processes to mitigate
potential privacy risks.
Under the E-Government act of 2002, the section 208 allows federal agencies to conduct
privacy impact assessments for government programs and system that collect personal
information online. Within agencies, CIOs or other equivalent officer have the
responsibility to ensure that the PIA are conducted and reviewed for applicable IT systems.
The same E-Government act of 2002 also permits that PIA be conducted when an IT system
is substantially revised. The Department of Homeland Security conducts a PIA when it is
developing or providing a new system that handle PII, when it is updating a new system
that ends up in new privacy risks, when it is providing new updates that entails the
collection of PII, when it is submitting a budget to the office of management and budget
that affect PII. Since the PIA is concerned with the collection of information, there are other
terms such as SORN (System of Records Notice); PTA (Privacy Threshold Analysis) that
need to be mentioned. The System of Records is a collection of records from which
information is retrieved when conducting the privacy impact assessment. This is done by a
UPI (Unique Personal Identifier) assigned to an individual. Now the System of Records
Notice is a notice to the public that defines the purpose of collecting the PII, the source, the
type and the way the PII is collected and shared externally, and lastly the way to access and
make changes to any PII maintained by the DHS. This notice is published in the federal
register. The Privacy Threshold Analysis marks the beginning of the compliance process.
The PTA is a required document that is used as the official determination to verify whether
a system as privacy implications, and if there is a need of an additional privacy compliance
documentation. The purpose of the privacy threshold analysis is to:
Demonstrate compliance with privacy laws and regulations
Demonstrate the inclusion of privacy consideration during the review of a system
Identify programs and systems that are privacy-sensitive
Provide a record of the program or system and its privacy requirements at the
Department’s privacy office.
The PIA starts after the PTA has been reviewed by one of the officer, who also
determine that the PIA is required. The program officer, the privacy officer and the
component counsel should work collaboratively to draft the PIA. View its important in the
Department of Homeland Security and in other federal agencies and departments such as
the US Department of Education, the Federal Trade Commission and many others, we can
confirm that Privacy Impact Assessments are very useful as policy tool because it ensures
that system and program managers are accountable for the proper handling of privacy
issues; it provides the public with the assurances that their personal information is
Margaret Rouse (December, 2013). Privacy Impact Assessment (PIA). WhatIs.com;
TechTarget, SearchCompliance. Retrieved March 18, 2016
Homeland Security (August 24, 2015). Privacy Impact Assessment. US Department of
Homeland Security. Retrieved March 18, 2016 from https://www.dhs.gov/privacy-impactassessments
US Department of Education (March17, 2016). Privacy Impact Assessments (PIA).
Retrieved March 18, 2016 from https://www2.ed.gov/notices/pia/index.html
Purchase answer to see full
Delivering a high-quality product at a reasonable price is not enough anymore.
That’s why we have developed 5 beneficial guarantees that will make your experience with our service enjoyable, easy, and safe.
You have to be 100% sure of the quality of your product to give a money-back guarantee. This describes us perfectly. Make sure that this guarantee is totally transparent.Read more
Each paper is composed from scratch, according to your instructions. It is then checked by our plagiarism-detection software. There is no gap where plagiarism could squeeze in.Read more
Thanks to our free revisions, there is no way for you to be unsatisfied. We will work on your paper until you are completely happy with the result.Read more
Your email is safe, as we store it according to international data protection rules. Your bank details are secure, as we use only reliable payment systems.Read more
By sending us your money, you buy the service we provide. Check out our terms and conditions if you prefer business talks to be laid out in official language.Read more