Introduction
The uncertain balance between personal privacy and national security has become even more delicate following the tragic events of September 11. The strengthening of security controls throughout the country will undoubtedly heighten America’s sensitivity to the protection of civil liberties. The office of the Department of the Navy Chief Information Officer (DON CIO) recognizes this fact and is taking proper steps to ensure privacy of DON information systems while ensuring maximum security for the warfighter. Moreover, DON CIO believes that the privacy and protection of personal information is a vital element of its overall Full Dimensional Protection program and the Department’s successful transition to electronic government services.
With the rapid dissemination of sensitive information, such as home addresses and phone numbers, social security numbers, birth dates and even buyer preferences, consumers—and now the Federal Government—are growing more concerned with how that information is obtained and used. Over the past several years, the issue of Internet privacy has generated substantial interest and action in Congress, where several legislative initiatives are being debated. Public awareness and concern regarding the unauthorized collection and release of private/sensitive information, along with the growing threat of Identity Theft, demand that the DON take appropriate actions to inform and protect all users that any data collected or maintained by the respective component is secure.
Information is, without question, a critical resource to DON operations and management; as such, DON CIO has identified privacy protection as a key initiative and placed increased emphasis on protecting personal information. To demonstrate the importance of privacy the DON Information Management/Information Technology (IM/IT) Strategic Plan for FY 2002-2003 includes two objectives concerning privacy protection.
The proliferation and ease of use of computer technology has created an environment in which an individual, business, foreign government, or terrorist can easily access personal or private information on individuals and organizations. The DON must be able to protect the privacy of its personnel and operations, as well as that of contractors. In order to be effective, this privacy initiative must include the development and utilization of effective policies, training and awareness, technical tools and resources.
Policy
DON CIO is currently working to incorporate recent regulations pertaining to the protection of personal information when using technologies such as the Internet. The DON CIO’s Privacy Team is developing an instruction that defines privacy policies and procedures for information management systems and technology. The guidance has been designed to include elements associated with the Privacy Act of 1974, Web content and administrative directives, and management practices as they pertain to information systems.
Additionally, the Privacy Team at DON CIO is working closely with representatives from the Navy Chief of Information (CHINFO), United States Marine Corps (USMC) Command, Control, Communication and Computers (C4), the Chief of Naval Operations (CNO N09B10), and various other DON components to ensure procedures are implemented to: 1) address special precautions when posting DON information to the Web, 2) determine appropriateness of information, 3) identify and secure privacy sensitive information, 4) establish procedures to ensure continued privacy of information and systems, and 5) determine mechanisms for reviewing information. Privacy policies and procedures establish criteria for such measures as well as provide access controls. A draft privacy policy is currently being reviewed and is planned to be signed-out in the near future.
Training, Education and Awareness
The establishment of sound privacy guidance furthers DONs capability to address training, education, and awareness. Educating DON personnel about policy and potential threats to their privacy, through training and awareness initiatives, is critical to the success of the DON’s privacy efforts. DON personnel must possess enough information to understand how and why sensitive information may be vulnerable to misuse, as well as actions they can take to help prevent such a potentially destructive situation. To highlight the importance of training, education, and awareness, DON CIO has developed a CD-ROM entitled, "Privacy Protection in the Information Age," that includes important privacy-related information for all DON personnel. The CD-ROM includes a video and other specific information on how individuals can protect themselves from the growing risk of identity theft. The CD-ROM also includes various links to other privacy-related resources. Updated versions of this tool will be released periodically, as the Federal, DoD, and DON privacy landscape changes. Confidence building through training, education, and awareness is essential to privacy policy compliance and protection of DON personnel.
Technology Tools and Resources
Technological tools and resources are available to protect information. The private sector has capitalized on the consumer demand for such tools. The Senate Judiciary Committee's recent publication, "Know The Rules, Use The Tools, Privacy in the Digital Age: A Resource for Internet Users," outlines a number of resources to protect personal information, including identity scrubbers, privacy preferences, digital identity managers, encryption, and "cookie" controls (cookies are electronic tags placed on the hard drive of a user’s computer by Web sites visited). In addition to such tools, DON must utilize technologies to regularly monitor Web sites and information systems for vulnerabilities and possible incursions. Publicly accessible material, in particular, must undergo screening for appropriateness. Furthermore, the use of password protection and Public Key Infrastructure (PKI) encryption for sensitive information is critical. DON CIO conducts monthly reviews of current technical tools which DON personnel can make daily use of in their public and personal lives. Privacy protection will be enhanced as the DoD issues the Common Access Card (CAC). The CAC is the new military identification card that enables encryption of unclassified e-mail.
Safeguarding Information
With increasing sensitivity regarding privacy protection, it is also worth emphasizing that DON privacy policies will include procedures and criteria for the protection of personal information collected, disseminated, used, and archived by DON information systems. Currently, DON CIO is working closely with the Naval Audit Service (NAS) to ensure that DON components follow strict privacy guidelines for information collection and dissemination on Web sites and information systems.
Privacy issues must also be addressed when systems are being developed or modified, and privacy protections must be integrated into the development life cycle of information systems. The Privacy Impact Assessment (PIA) is an assessment methodology for addressing privacy issues in information systems under development or major modification. The Internal Revenue Service’s (IRS) version of the PIA is now recognized by the Federal CIO Council as a "Government Wide Best Practice." The PIA is an effective tool used to ensure compliance with applicable laws and regulations governing personal privacy. DON CIO is currently developing a PIA to incorporate into the DON’s processes in fiscal year 2002.
Conclusion
As the DON endeavors to secure the pathways of knowledge, while respecting the right to privacy of its workers and the public, it is faced with challenges such as new technologies that change the way in which personal information must be kept secure. It is imperative that policy decisions keep pace with the technology that drives them. Because of the integrated nature of the DON CIO team, the security policies established for the DON reflect the importance of privacy while maintaining the security needed to ensure the protection and performance of the war fighter. The DON is sensitive to the right to privacy of its military and civilian members, as well as, the public. Hence, each security measure is fully vetted to ensure it meets the privacy regulations of the federal government, DoD, and DON, while complying with the overall federal IA and Critical Infrastructure Protection (CIP) missions.
Available Resources: DON CIO has developed a CD-ROM entitled, "Privacy Protection in the Information Age," that includes important privacy-related information for all DON personnel. The Senate Judiciary Committee's recent publication, "Know The Rules, Use The Tools, Privacy in the Digital Age: A Resource for Internet Users,"outlines a number of resources to protect personal information, including identity scrubbers, privacy preferences, digital identity managers, encryption, and "cookie" controls.