All DON personnel should continue to increase their level of awareness about properly safeguarding personally identifiable information (PII). To learn more about properly safeguarding PII, go to http://privacy.navy.mil.
PII and Virtual Workspaces
The synopsis below of a recently reported loss or breach of PII highlights common mishandling mistakes made by individuals within the Department of the Navy.
Incidents such as this will be reported continually in CHIPS magazine to increase PII awareness. Names have been changed, but details are factual and based on reports sent to the DON Privacy Office.
On Oct. 17, 2007, a recall roster was discovered posted to a virtual workspace portal on the Navy Marine Corps Intranet. The roster contained the names, home addresses, home phone numbers and cell phone numbers of command and contractor personnel. The portal was accessible to NMCI users only, but no other access restrictions were in place. The roster was immediately removed from the portal and the affected individuals were notified.
IT system owners and Web site managers must implement strict business rules that allow access to PII posted to a Web site or virtual workspace only to those with a "need to know." Commands should periodically spot check their Web sites for unrestricted PII.
Spot checks are now required twice yearly under ALNAV 070/07, DTG 042232Z of Oct. 4, 2007, "Department of the Navy Personally Identifiable Information Annual Training Policy."
A sample spot check form can be found on the DON Privacy Office Web site at http://privacy.navy.mil, along with other tools and information for protecting privacy.
Steve Muck is the DON CIO critical infrastructure protection and privacy team lead. Our apologies to Mr. Muck; his last name was misspelled as "Mauck" in the October-December 2007 edition of the "Hold Your Breaches" article.