
Receive Credit for this Course!

Attending in Person?
– Sign the attendance sheet

Attending in a conference room at another location?
– Sign the attendance sheet
– Location POC, please send a copy of the attendance sheet to [email protected]

Attending via Webex and phone?
– Announce yourself at the roll call at the end of this session AND
– Send an email to [email protected] including the phone number from which you participated


Protection of Sensitive Information

Summer 2013


Agenda

What is sensitive information?

How should you protect it?
– Use encryption
  • Public Key Infrastructure (PKI)
  • Data at Rest (DAR) Encryption
  • Other encryption tools
– Label sensitive information appropriately
– Store sensitive information in a protected location
– Remove information that is no longer needed
– Protect sensitive information while you “Work from Anywhere”

What should you do if there is a breach?

What compliance is required under privacy regulations?


What is Sensitive Information?

Sensitive But Unclassified (SBU) Information

SBU information is any information, the loss, misuse, or modification of which, or unauthorized access to, could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under the Privacy Act, but which has not been specifically authorized under criteria established by an executive order or an act of Congress to be kept secret in the interest of national defense or foreign policy. (Per Federal guidance, this type of information will be designated as Controlled Unclassified Information (CUI) in the future.)

Personally Identifiable Information (PII)

PII is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.

Sensitive PII

Sensitive PII is a combination of PII elements, which if lost, compromised, or disclosed without authorization could be used to inflict substantial harm, embarrassment, inconvenience, or unfairness to an individual.


Examples of SBU and PII

Examples of Sensitive PII
– a social security number by itself, or
– an individual's first name or first initial and last name in combination with any one or more types of the following information, including, but not limited to:
  • social security number
  • passport number
  • credit card number
  • home telephone number
  • personal cell phone number
  • clearances
  • bank numbers
  • biometrics
  • date and place of birth
  • mother's maiden name
  • criminal, medical and financial records, etc.

This information may be in the form of paper, electronic, or any other media format.


General Protection Requirements

Secure under lock and key when not being used.

Information stored digitally (whether on workstations, private servers, or on publicly accessible systems such as certain SharePoint sites, shared folders or any publicly accessible web site) shall be encrypted.

Files and devices shall be externally marked "SENSITIVE BUT UNCLASSIFIED" with NASA Form (NF) 1686 or NF 1534 as appropriate.

When sending an e-mail within the boundaries of NASA’s network, use NASA’s Entrust Public Key Infrastructure.

When sending an e-mail outside the boundaries of NASA’s network include sensitive information in an encrypted attachment only.

Hard copy documents containing SBU/PII information may be mailed in a sealed envelope (appropriately labeled inside the envelope).

Unencrypted transmission of documents containing SBU information to network printers is only permitted if the network printer and the originating computer are on an internal NASA network behind a NASA firewall.

SBU information shall be picked up from printers immediately after sending.


Encryption

Use Entrust, NASA’s Public Key Infrastructure (PKI) tool
– For email
– For encrypting files on your computer or portable media

How to get Entrust
– Place an IdMAX/NAMS request (search: PKI)
– Once installed, login to Entrust every 30 days to retain Entrust access

Detailed Instructions for using Entrust (for Mac and Windows machines) can be found here: http://itcd.hq.nasa.gov/itsecurity/pki_entrust.html


Encryption Use-Cases

1. Encrypting emails
Emails should be encrypted when the body of the email or an attachment to the email contains PII/SBU information.
The subject of the email does not get encrypted, so DO NOT include sensitive information in the subject line.

2. Encrypting files
You can encrypt files on your local drive or on a shared drive so that you are the only individual who can access them.

3. Adding individuals to encrypted files
You can encrypt files for yourself as well as for other individuals so that those individuals will also have access to the file if it is shared via email or on a shared drive.

4. Using encryption groups
Encryption groups can be created in Entrust so that you can encrypt files for a set group of people in a simplified manner – versus adding each person individually to the encrypted file.


Encrypting Emails

– Select “Encrypt” icon in Email ribbon
– Enter recipient’s name and press “Send”

When sending an e-mail containing PII outside the boundaries of NASA’s information network, FIPS 140-2 validated encryption mechanisms must be used. Consult with your Center CISO for appropriate encryption tools.


Encrypting Files (1 of 2)

– Right-click on the file and select “Encrypt file”
– “Encrypt Files Wizard” will guide you through the process


Encrypting Files (2 of 2)

– Review encryption options and select “Next”
– Ensure document icon indicates that the file has been encrypted
– Check “Delete the original files on finish” and click “Finish”


Adding Individuals to Encrypted Files (1 of 3)

– Right-click on the file and select “Encrypt file”
– “Encrypt Files Wizard” will guide you through the process


Adding Individuals to Encrypted Files (2 of 3)

– Review encryption options
– Check “Encrypt the files for other people…”
– Click “Next”
– “Additional Recipients” window will appear
– Click “Add”


Adding Individuals to Encrypted Files (3 of 3)

– Search by individual’s name
– Select the correct name and click “OK”
– Added individual will show in “Additional Recipients”
– When done adding people, click “Next”
– Ensure document icon indicates that the file has been encrypted
– Check “Delete the original files on finish” and click “Finish”


Using Encryption Groups (1 of 4)

– Right-click on Entrust icon in the taskbar and select “Entrust Certificate Explorer”
– Entrust Certificate Explorer window will open


Using Encryption Groups (2 of 4)

– Click “File” and select “New Personal Encryption Group”
– Click “Add” in the New Group window to assign members


Using Encryption Groups (3 of 4)

– Search by individual’s name
– Select the correct name and click “OK”
– Repeat as necessary
– Added individuals will show in the New Group window
– Type desired group name
– When finished, click “OK”


Using Encryption Groups (4 of 4)

The new group will now be visible in your Entrust Certificate Explorer menu under “Personal Encryption Groups”

When encrypting a file, you can select the Personal Encryption Group rather than selecting each individual


Encryption of Data At Rest (DAR)

DAR products encrypt the entire contents of the hard drive.

NASA has deployed Symantec PGP Desktop on all laptops.

Symantec PGP Desktop will be deployed on all desktops containing sensitive information. IT POCs have been asked to provide information on all relevant desktop computers.

Alternative solutions (e.g. FileVault for Mac) can be used for computers not supported by Symantec PGP Desktop but a waiver may be required.


Encryption of Data at Rest (DAR)

DAR does not take the place of Entrust PKI for encrypting individual files or for sending encrypted e-mail messages. E-mail messages sent from your laptop or desktop will be unencrypted unless you use Entrust to protect the message.

Helpful link for DAR: http://itcd.hq.nasa.gov/DAR_encryption.html


DAR – How it Works

Once the tool is set up:
– At startup, enter your password to have access to your files
– Use the computer as normal
– When you shut down your computer, the hard drive is encrypted and the data is no longer accessible

Your data is only protected if the computer is SHUT DOWN or in HIBERNATE mode! SLEEP or LOCKED mode does not require your DAR password to start back up.


DAR – How it Works

DAR encryption on shared computers: multiple users can unlock the same computer.
– Authorized user enters the DAR password to unlock the computer
– New user logs into Windows using their NDC credentials
– Symantec PGP Desktop automatically enrolls the new user so they can access the DAR’d hard drive

Change your DAR password every time you change your NDC password (every 60 days). See instructions at http://itcd.hq.nasa.gov/secure/aces/PGP_passwords.pdf.


Proper Markings for SBU

All sensitive information must be labeled
– Headers and footers as part of the document
– Cover sheet for printed copies
  • NF 1686 is the cover sheet for SBU information
  • NF 1534 is the cover sheet for Privacy Act information
– Labels for CDs, DVDs, external hard drives, etc.

Example text for front page or footer:

WARNING: This document is SENSITIVE BUT UNCLASSIFIED (SBU). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with NASA policy relating to SBU information and is not to be released to the public or other personnel who do not have a valid "need-to-know" without prior approval of an authorized NASA official.

Example text for footer:

SENSITIVE BUT UNCLASSIFIED (SBU)


Storing Sensitive Data

Where can you store sensitive data?
– Locked office or cabinet
– Computer hard drive (if computer has working DAR encryption)
  • Best practice is to encrypt individual files using Entrust.
– Encrypted USB drive
  • Must be FIPS 140-2 compliant
  • Encrypted USB drives are available from the ACES catalog:

How do I access the ACES Product Catalog?
1. Go to https://esd.nasa.gov (NASA Only)
2. Select Order Services
3. Select Other ACES Services
4. Select Request Now located next to APC - General Purchase
5. Click the ACES Product Catalog link.

How do I find USB drives in the ACES Product Catalog?
Enter the following in the Shop by area:
– Choose a Product Family: Memory
– Choose a Product Category: Flash USB Drive & Cards
– Enter the keyword “encrypt”
– Click Search


Storing Sensitive Data

Where can you store sensitive data?
– Shared drive? Only if encrypted.
– Sharepoint? Only if encrypted.
– Secured databases

REMOVE FILES WHEN NO LONGER NEEDED, in accordance with NASA Record Retention Schedules.


Purging Data

Keep track of where you save files with sensitive information on your computer and remove them when no longer needed.

Downloaded files
– Users often download files from databases, servers, WebMail
– The default setting at NASA is for downloaded files to be stored in the ‘Downloads’ folder (accessible through ‘Computer’ in the start menu). Be sure to review downloaded files – delete or encrypt those with SBU!

OMB Memo M-07-16: “Log all computer-readable data extracts from databases holding sensitive information and verify … whether sensitive data has been erased within 90 days or its use is still required”


Disposing of Hard Copies

Shred it or put it in a burn bag or locked SBU container. Call the NASA Facilities Help Desk at 202-358-0233 or put in a Facilities Help Desk ticket to get discarded documents picked up at https://fhds.hq.nasa.gov.

During the HQ renovation, FASD is providing more frequent pickups of burn bags or containers on request.


Working from Anywhere

Bring your laptop only if
– DAR encryption software is installed and active (computer is shut down or in hibernate mode)
– The laptop is on your person or locked in a car trunk during transit
– No unauthorized persons access it

Don’t put NASA data on your home computer.
– If accessing Web Mail from your home computer, don’t download files with sensitive information.

Ensure that your files and laptop are physically protected at all times.

Don’t plug NASA USB/flash drives into your home computer. Don’t plug personal USB/flash drives into your NASA computer.


What to do in case of a Breach

Report all PII breaches, whether suspected or confirmed, immediately to:

– NASA SOC (If your computer contains PII, be sure to inform the SOC technician who answers your call)
  1-877-NASA-SEC (1-877-627-2732), [email protected]

Center Privacy Manager

Work with HQ Incident Response Team to determine what happened, extent of breach, impact, mitigation actions, etc.

Participate in Breach Response Team (BRT), if applicable.


Privacy Compliance Requirements

Collections

Privacy and CUI Assessment Tool (PCAT)

Privacy Act of 1974 (PA)

Children’s Online Privacy Protection Act (COPPA)

Paperwork Reduction Act (PRA)

Records Management


What are “Collections”?

From the privacy perspective, any holding of information is considered a collection.

This includes:
– Applications
– Websites
– Information systems
– Cloud systems
– Paper records
– Other electronic records

The NASA official responsible for any collection of such information is the “collection owner.”


What are the Requirements?

Regardless of whether or not PII is collected, an Initial Privacy Threshold Analysis (IPTA) must be conducted in PCAT for each application, website, information system or collection of information to determine what, if any, privacy requirements are applicable.

– IPTAs require approval from the collection owner and Center Privacy Manager

Generally, information collections on members of the public require a Privacy Impact Assessment (PIA)

– PIAs require approval from the collection owner, Center Privacy Manager, Agency Privacy Program Manager, and Agency Chief Information Officer

– PIAs will be published online – available to the public

As outlined in NPR 1382.1, NASA may only collect/maintain the minimum necessary information about individuals which is relevant and necessary to accomplish a NASA purpose


PCAT

NASA requires an Initial Privacy Threshold Analysis (IPTA) to be conducted on all applications, Websites and information collections. The IPTA is a brief pre-assessment done to determine if each collection will require a full Privacy Impact Assessment (PIA) or not. This initial assessment and the overall PIA (if required) are both accomplished through the NASA Privacy and CUI Assessment Tool (PCAT) at pcat.nasa.gov.


Privacy Act of 1974 (PA)

The Privacy Act of 1974 governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by Federal Agencies.

System of Records (SOR)
– A group of any records under the control of any agency from which information is routinely retrieved by
  • The name of the individual
  • Some identifying number, symbol, or other assigned individual identifier

Requirement: SOR must be covered by a System of Records Notice (SORN) published in the Federal Register
– Published NASA SORNs are listed at http://www.nasa.gov/privacy/nasa_sorn_index.html


Children’s Online Privacy Protection Act (COPPA)

The primary goal of COPPA is to place parents in control over what information is collected from their young children online. COPPA was designed to protect children under age 13 while accounting for the dynamic nature of the Internet.

COPPA applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.

Requirement: COPPA requires websites that target or solicit information from children and collect PII to provide conspicuous notice of the information collection practices, verifiable parental consent, and access.


Paperwork Reduction Act (PRA)

The purpose of the PRA is to ensure that federal agencies do not overburden the public with federally sponsored data collections.

PRA is triggered when information is collected in a standard way from 10 or more persons who are members of the public, NASA contractors, grantees, or other non-NASA personnel.

– This applies regardless of whether the information collection is voluntary or mandatory

Requirement: OMB clearance is required for any collections that fall under PRA. Collection owner should work with the Agency PRA Officer to obtain an OMB approval number.


Records Management

A collection contains federal records if:
– It contains word-processing files, databases, photographs, maps, drawings, sound recordings, or materials in other forms that contain information regarding the conduct of NASA business; or,
– It contains data in any of the above formats that constitutes information created by NASA activities and that is of value in and of itself to the engineering, scientific, academic and business communities within and outside of NASA.

If a collection contains federal records, there may be specific retention and disposal guidelines that must be followed.

Requirement: Work with Center Records Manager to identify specific retention schedule and ensure all records are maintained in accordance with it.


Next Steps

All collection owners should initiate an IPTA in PCAT for each collection of information
– This will determine which additional privacy requirements are applicable

Additional organization-specific training for PCAT is available
– Contact HQ CPM or CPM Support


SBU Protection Summary

DO
– Encrypt SBU data prior to or upon any transmission electronically
– Store SBU data encrypted on any mobile devices or media
– Store SBU data in locked containers when not attended
– Destroy SBU data according to current guidelines when no longer required to ensure non-recoverability
– Start an IPTA for any “collection” of which you are the owner

DO NOT
– Leave SBU data unattended on desktops
– Leave SBU data visible on commonly viewable computer screens
– Relay SBU data via phone where you can be easily overheard
– Leave SBU data on back seats, floorboards or otherwise visible locations in your Government or privately owned vehicle
– Leave SBU data unattended at airports, bus or train stations
– Dispose of SBU data in common trash or recycling receptacles.


Contacts

HQ Chief Information Security Officers (CISO)
– Marion Meissner (also HQ Center Privacy Manager), 202-358-0585, [email protected]
– Aaron Goad (also HQ Incident Response Manager), 202-358-1014, [email protected]

HQ Center Privacy Manager Support
– Angela Craig, 202-358-2218, [email protected]

NASA Privacy Programs Manager
– Bryan McCall, 202-358-1767, [email protected]


Contacts (cont’d)

NASA Privacy Act Officer
– Patti Stockman, 202-358-4787, [email protected]

NASA PRA Officer
– Fran Teel, 202-358-2225, [email protected]

HQ Records Manager
– Pat Southerland, 202-358-0621, [email protected]


Governance for Privacy

Privacy information is officially a subset of information which falls under SBU. NASA collects, stores, maintains and/or transmits Privacy information from various sources (government and private sector), resulting in our being obligated by law to comply with numerous privacy-specific Federal laws, policies and government-wide regulations.

Privacy Related Federal Laws, Policies and Guidelines: NASA privacy policy and procedures (NPD 1382.17H and NPR 1382.1) are developed from privacy-specific Federal laws, statutes, government-wide policy and Office of Management and Budget (OMB) memoranda. Examples are listed below, though this is not an all inclusive list:

– Privacy Act of 1974
– Freedom of Information Act (FOIA) – 1974
– Section 208 of the E-Government Act of 2002
– National Institute of Standards and Technology (NIST) Special Publication 800-53, Rev. 4, Appendix J, Privacy Control Catalog (Appendix J.a. is under development and coming soon!)
– Federal OCIO Council Privacy Best Practices: from the Elements of a Federal Privacy Program
– A multitude of Office of Management and Budget (White House) Memoranda: M-99-05, M-99-18, M-00-13, M-01-05, M-03-22, M-05-04, M-05-08, M-05-24, M-06-15, M-06-16, M-06-19, M-07-16, M-08-09, M-09-12, M-10-06, M-10-15, M-10-22, M-10-23, M-11-33, Circular A-130, Circular A-11


Useful Links

PCAT (https://pcat.nasa.gov/pcat/index.php/)

Privacy requirements are further described in ITS-HBK-1382.03-01: Privacy Risk Management and Compliance – Collections, PIAs, and SORNs (https://nodis-dms.gsfc.nasa.gov/NASA_Wide/restricted_directives/OCIO_Docs/ITS-HBK_1382_03-01_.pdf)

NPR 1441.1D: NASA Records Retention Schedule (http://nodis3.gsfc.nasa.gov/displayDir.cfm?t=NPR&c=1441&s=1D)


NASA Policy Reference

ITS-HBKs (1382 Series Handbooks) have been developed to provide a logical breakdown and focused subject matter reference material, all derived from NPR 1382.1A. They individually address the various aspects of the aforementioned policy and procedures in a much more focused, digestible and easily updated document, available through PCAT or NODIS.

– NITR 1382.0002: NASA Rules and Consequences to Safeguarding PII (Will be cancelled by ITS-HBK 1382.09-01 upon release of NPR 1372.1A)
– ITS-HBK 1382.04-01: Privacy and Information Security: Overview
– ITS-HBK 1382.08-01: Privacy Accountability: Overview
– ITS-HBK 1382.06-01: Privacy Notice and Redress: Web Privacy & Written Notice, Complaints, Access and Redress
– ITS-HBK 1382.07-01: Privacy Awareness and Training: Overview
– ITS-HBK 1382.09-01: Privacy Rules of Behavior and Consequences: Overview
– ITS-HBK 1382.03-01: Privacy Risk Management and Compliance: Collections, PIAs and SORNs
– ITS-HBK 1382.05-01: Privacy Incident Response and Management: Breach Response Team Checklist
– ITS-HBK 1382.02-01: Privacy Goals and Objectives
– ITS-HBK 1382.03-02: Privacy Risk Management and Compliance: Annual Reporting Procedures for Reviewing and Reducing PII and Eliminating the Unnecessary Use of SSN

Additional Policy documents:
– ITS-NITR-1382.2, NASA Rules and Consequences to Safeguarding PII, with Change 1, dated 02/04/2008
– NID 5.24 Sensitive but Unclassified (SBU) Controlled Information, NID 1600-55
– NPR 2810.1A, Security of Information Technology (Revalidated with Change 1, dated May 19, 2011)
– NASA Administrator’s Memo on “Protection of Sensitive Agency Information,” dated 4/3/12


Questions…