Privacy Threshold Analysis (PTA)
and/or Privacy Impact Assessment (PIA)
for
Microsoft Office 365
Date Approved by Chief Privacy Officer (CPO)/Designee: 1/7/2019
PTA/PIA TEMPLATE VERSION 1.9 – August 2017
SECTION I – OUTSOURCED INFORMATION SERVICE DESCRIPTION
1. Describe the outsourced service and its purpose.
Microsoft (MS) Office 365 (O365) is an outsourced service provided by Microsoft that has
been approved by FedRAMP. The MS O365 package includes Email to the Cloud, Exchange
Online, SharePoint Online, OneDrive, and MS Teams.
The SharePoint Online solution is similar to SharePoint 2013¹ except that access is provided via
Microsoft Azure Cloud technology, which provides a secure collaborative platform in which
FDIC employees and contractors can work with external stakeholders. Email to the Cloud and
Exchange Online are a solution in which email is stored on a Microsoft server and can be
accessed from anywhere as long as the user has an active Internet connection. SharePoint Online is a
platform commonly used to share content; it can also be used to host a webpage.
OneDrive operates as a hard drive in the cloud, similar to the email solution, in which the user is
able to save and access files. MS Teams is a collaboration platform that provides a chat and
workspace environment tightly integrated with other MS O365 services, such as cloud storage
(OneDrive) and document sharing (SharePoint Online).
Currently, the FDIC works with external stakeholders, such as the Federal Reserve, Office of the
Comptroller of Currency (OCC), state and local bank exam groups, and others, to deliver on our
core mission of insuring deposits, providing for the safety and soundness of the financial system,
and protecting consumers.
MS O365 utilizes the Microsoft Azure environment, which provides an organized, intuitive and
searchable location where employees will find the systems, tools, information and collaboration
areas that they need. They will be able to realize greater efficiency accessing important business
processes, people, information, forms, news, calendars and other FDIC information. MS O365
will provide Enterprise Document Management (EDM) and workflow functionality that will
improve business processes, records management, and overall collaboration within the FDIC.
MS O365 can also be used for business analytics and reporting.
SECTION II – DATA TYPE, SOURCES, AND USE
2. Describe all information/data that will be collected, used, maintained or generated by the
Outsourced Provider (Vendor) as part of the services provided under the contract. If no
information/data is involved, select Not Applicable.
Within MS O365, in general, there are two primary categories of information:
1. User information (i.e., the information that is synchronized from FDIC’s on-premises
Active Directory to MS O365). This information is primarily the user's full name, work
e-mail address and other official contact information; and
2. MS O365 collaboration information (i.e., the actual data/documentation that will be
uploaded, generated, used or stored in various MS O365 services by internal and
external users). MS O365 collaboration information may contain sensitive
personally identifiable information (PII). Some examples of the types of
collaboration sites and information that will be maintained in MS O365 include:
- Email, calendar, contacts, and tasks in user mailboxes
- Shared calendars and email in shared mailboxes
- Documents and other data in user file storage
- Chat history, video and audio conference transcripts, and shared documents in MS Teams
- Division and team documentation in SharePoint Online
- Training sites to share class materials with participants from other financial
regulatory agencies (federal, state and foreign agencies). These class materials do not
contain PII.
- Research sites to facilitate the exchange of research and statistical information. The
FDIC Division of Insurance and Research (DIR) receives requests for information
from various external entities for research information that is publicly available (non-
sensitive, non-PII). These can range from commercial entities to members of the
academic community and other government agencies. Historically, these requests
were fulfilled by writing the information to removable media (DVD or hard drive)
and shipping it back to the requesting entity. With the adoption of FDIC’s policy
concerning removable media, this information will now be exchanged using MS
O365.
¹ The SharePoint 2013 PIA will be made available at https://www.fdic.gov/about/privacy/assessments.html
3. Describe the intended purpose and use of the above information/data. If no information/data is
involved, select Not Applicable.
The MS O365 platform will provide Email to the Cloud, Exchange Online, SharePoint
Online, OneDrive, and MS Teams for all FDIC users. Some use cases are listed below:
- FDIC user mailboxes, to include email, calendar, contacts, and tasks
- Training sites to share class materials with participants from other financial
regulatory agencies (federal, state and foreign)
- Research sites to share publicly available non-sensitive, non-PII research information
with commercial entities, members of the academic community and other government
agencies
- Divisional SharePoint sites
- User data (documents, spreadsheets, etc.) stored in OneDrive
- MS Teams collaboration files that may include audio and video conferencing, chat,
document sharing, and desktop sharing
4. What types of personally identifiable information (PII) are (or may be) included in the
information specified above? (This is not intended to be an all-inclusive list. Specify other
categories of PII, as needed.):
PII Element (Yes / No):
- Full Name
- Date of Birth
- Place of Birth
- Social Security Number
- Employment Status, History or Information
- Mother’s Maiden Name
- Certificates (e.g., birth, death, naturalization, marriage, etc.)
- Medical Information (Medical Records Numbers, Medical Notes, or X-rays)
- Home Address
- Phone Number(s) (non-work)
- Email Address (non-work)
- Employee Identification Number (EIN)
- Financial Information (e.g., checking account #/PINs/passwords, credit report, etc.)
- Driver’s License/State Identification Number
- Vehicle Identifiers (e.g., license plates)
- Legal Documents, Records, or Notes (e.g., divorce decree, criminal records, etc.)
- Education Records
- Criminal Information
- Military Status and/or Records
- Investigation Report or Database
- Biometric Identifiers (e.g., fingerprint, voiceprint)
- Photographic Identifiers (e.g., image, x-ray, video)
- Other (Specify: Potential to include all PII elements necessary to conduct FDIC business.)
5. If Social Security Number (SSN) is checked in question 4, please answer the following:
a) Explain the business purpose requiring the collection of SSNs: MS O365 does not
collect SSNs. However, SSNs may be stored by individual users as a part of documents or email.
b) Provide the legal authority which permits the collection of SSNs. (Legal Authority) MS O365
does not collect SSNs; however, SSNs may be maintained within the system in the course of
conducting FDIC business. 12 U.S.C. § 1819 provides the general authority for the Corporation
to collect SSNs.
c) Identify whether the SSN is masked or otherwise truncated as part of the
outsourced service: SSNs may or may not be masked or truncated. The masking or truncation
of data varies with the source and the method of collection.
6a. Please provide an estimate of the number of records maintained by the vendor for
this contract that contain PII:
Estimated Number of Records Containing PII
0
1-500
501-1,000
1,001 – 2,500
2,501 – 5,000
5,001 – 7,500
7,501 – 10,000
10,001 – 50,000
50,001 – 100,000
over 100,000
6b. If “0” was answered for 6a, please explain²: N/A
7. What are the sources of data (both PII and non-PII) for the outsourced service/project? How is
the data derived?
Data Source³ (List all sources that the Outsourced Provider collects, obtains or receives data
from, as part of the services provided under the contract.)
Type of Data Provided by Source & How It is Derived (Describe the type of PII and non-PII
data provided by each source. If PII is included in the data, list the specific PII elements, and
explain how the PII is derived.)
Does Data Include PII?

Data Source: Manual upload of data by authorized FDIC staff/contractors via email
communications
Type of Data & How Derived: Authorized FDIC staff and contractors may collect or receive
business data from various sources, such as documents, reports, training material created or
provided by FDIC staff or contractors, research information from various public and commercial
sources, and other applicable information obtained as part of their official business functions
and, as applicable, store this data in designated MS O365 Online mailboxes.
Includes PII? Yes No

Data Source: Manual or automatic upload of data by authorized FDIC staff/contractors via
OneDrive
Type of Data & How Derived: Authorized FDIC staff and contractors may collect or receive
business data from various sources, such as documents, reports, training material created or
provided by FDIC staff or contractors, research information from various public and commercial
sources, and other applicable information obtained as part of their official business functions
and, as applicable, store this data in designated MS O365 Online OneDrive folders.
Includes PII? Yes No

Data Source: Manual or automatic upload of data by authorized FDIC staff/contractors via
MS Teams
Type of Data & How Derived: Authorized FDIC staff and contractors may collect or receive
business data from various sources, such as documents, reports, training material created or
provided by FDIC staff or contractors, research information from various public and commercial
sources, and other applicable information obtained as part of their official business functions
and, as applicable, store this data in designated MS O365 Online MS Teams sites/folders.
Includes PII? Yes No

Data Source: Manual or automatic upload of data by authorized FDIC staff/contractors via
SharePoint Online
Type of Data & How Derived: Authorized FDIC staff and contractors may collect or receive
business data from various sources, such as documents, reports, training material created or
provided by FDIC staff or contractors, research information from various public and commercial
sources, and other applicable information obtained as part of their official business functions
and, as applicable, store this data in designated MS O365 SharePoint Online sites/folders.
Includes PII? Yes No

Data Source: Manual upload of data by authorized non-FDIC entities via SharePoint Online and
MS Teams
Type of Data & How Derived: Authorized non-FDIC individuals and entities may upload data
related to FDIC business functions. These may include other Federal agencies, State Banking
Regulators, Financial Institutions, vendors, and non-FDIC Corporate University (CU) students.
The data uploaded may include bank examination information, failed bank information, project
management information, and CU coursework. Data uploads occur through SharePoint Online
and MS Teams.
Includes PII? Yes No

² If the vendor has not received work to date for this contract and “0” is checked in 6a, please
explain approximately how many records may be maintained by the vendor if they are awarded
work under this contract in the future. Additionally, the Division responsible for this vendor must
update this PIA to reflect the accurate number of records containing PII that the vendor maintains
if this changes in the future.
³ Examples of potential data sources include, but are not limited to: internal (FDIC) or external
(non-FDIC) systems, websites, individual members of the public (e.g., customers, borrowers,
etc.), FDIC employees, FDIC contractors, credit bureaus, commercial entities, public records,
government agencies, etc.
8. How will FDIC and/or the Outsourced Service Provider retrieve data or records as part of the outsourced service or project? Can data be retrieved using a personal identifier (e.g., name, address, SSN, EIN, or other unique identifier)?
Individual users may search and retrieve emails in their own mailboxes using the search functionality
within the FDIC’s email client. This functionality is intended to be used by individual users to search for
business emails in their own mailboxes based on keyword criteria, which could include any type of
personal identifier. In addition, the sorting functionality within the email client allows users to group and
retrieve business email messages in their mailboxes by date, size, sender, subject, address or other fields.
Authorized DIT administrators have access to a search utility that allows them to locate and extract email
messages from mailboxes in the FDIC’s email store using pre-defined criteria, such as date, time, subject
line, sender/recipient name, and attachment names. Administrators use this utility to (a) assist users with
recovering business email messages that users have deleted accidentally and (b) remediate viruses and
malware issues by extracting infected email messages.
The search functionality within SharePoint Online and OneDrive allows authorized users to search for
documents posted to the respective SharePoint sites to which they have been granted access. Users may
search by any term, including personal identifiers such as name, Social Security Number, address, etc.,
but they may only view documents to which they have been granted permission to access.
9. In the Federal Register, under which Privacy Act Systems of Record Notice (SORN) does this system operate? Provide number and name.
The FDIC MS O365 environment does not operate as a Privacy Act Systems of Records, nor does its use
require alteration to any existing system of records. The FDIC MS O365 environment may be used to
process and store Privacy Act Records from existing FDIC Privacy Act Systems of Records by authorized
contributors (FDIC staff and contractors) in connection with their various job responsibilities.
Contributors are responsible for ensuring there is coverage under an appropriate System of Records
Notice for the data collected/maintained and ensuring that appropriate procedures are followed. For a
listing of current FDIC Privacy Act Systems of Records, please visit:
http://www.fdic.gov/regulations/laws/rules/2000-4000.html.
SECTION III – DATA ACCESS AND SHARING
10. In the table below, specify the systems/applications and parties (FDIC and non-FDIC) that will
access or receive PII data as part of the outsourced service/project. (Check “No” or “Yes” for each
category. For each category checked “Yes,” specify who will have access to, be provided with, or maintain the
PII, what PII elements will be accessed/shared/maintained by them, how the access or sharing will occur, and the
purpose and use of this PII.)
PII Will Be Accessed By and/or Provided To: | Yes No | If Yes, Explain How and Why the PII
Will Be Accessed/Shared

10a. FDIC Outsourced Service Provider (OSP) Staff; OSP Subcontractors; and/or OSP Systems
Response: FDIC data, including PII, will be stored on Microsoft Cloud servers. The data is
encrypted in accord with FIPS 140-2 in transit and at rest. Microsoft and its subcontractors will
not have any access to the stored data, encrypted or unencrypted.

10b. FDIC Personnel and/or FDIC Systems/Applications
Response: FDIC Corporate may have access to PII Data. All FDIC employees and contractors
will have access to the data they are authorized to view. Access to MS O365 services is
contingent upon FDIC network access and falls under the corporate network access
requirements.

10c. Individual Members of the Public (e.g., bidders, investors, borrowers, customers, etc.)
Response: Non-FDIC CU Students: State and International non-FDIC students who take
courses at CU upload coursework using SharePoint Online and receive feedback from
instructors. PII shared may include name, work email, and employment title.

10d. Other Non-FDIC Entities/Parties and/or Non-FDIC Systems/Applications
Response:
Vendors: FDIC employees may share information related to FDIC business on MS Teams and
SharePoint Online with vendors as necessary. PII shared may include name, work email, and
employment title.
CU Effective Writers: FDIC employees and non-FDIC CU students may share coursework on
SharePoint Online with CU contractors known as Effective Writers, who grade and provide
feedback on the coursework. PII shared may include name, work email, and employment title.
Financial Institutions: FDIC employees and contractors may share relevant information with FIs
as needed as part of the bank examination process through MS Teams. PII of bank employees
and/or bank customers may be included.

10e. Federal, State, and/or Local Agencies
Response:
Federal Financial Institutions Examination Council (FFIEC) Members: FDIC users involved with
the Central Data Repository (CDR) project may use SharePoint Online to share release
information, use case testing, project plans, and similar documents with other Federal Banking
agencies that are members of the FFIEC. PII elements shared may include names, titles and
work contact information.
OCC, Federal Reserve, and State and Local Banking regulators: These agencies may be
provided information relating to bank examinations, which may include PII of bank employees
and/or bank customers, through MS Teams.
10f. Other If Yes, list any other destinations that the Outsourced Service
Provider (OSP) will share or provide data to as part of the
outsourced service/project. Specify the data destinations; what
PII will be shared; how the sharing will occur; and the purpose
for the sharing.
11. If data will be provided to, shared with, or maintained by non-FDIC entities (such as
government agencies, contractors, or Outsourced Information Service Providers), have any of the
following agreements been issued? N/A : authorized FDIC access and business use only.
Data Protection and/or Sharing Agreements Yes No
FDIC Confidentiality Agreement (Corporation)
FDIC Confidentiality Agreement (Individual)
Non-Disclosure Agreement (NDA)
Memoranda of Understanding (MOU)
Information Sharing Agreements (ISA)
Authentication Risk Assessment
Other Applicable Agreement(s)
(Specify: privacy and confidentiality contract clauses)
If you answered NO to any item above, please provide additional information if available:
The protection and sharing of information is addressed within the privacy and confidentiality
clauses incorporated within the contract between the vendor and FDIC.
SECTION IV – NOTICE AND CONSENT
12. Do individuals have the opportunity to decline to provide information or to consent to
particular uses of their information (other than required or authorized uses)?
No. Individuals do not have the opportunity to “opt out” of providing their data and/or
consenting to particular uses of their information. (Explain why individuals are not able to opt
out (either for specific data elements or specific uses of their data.): The individuals whose PII
is contained in MS O365 may or may not have been offered an opportunity to opt out of
providing this personal information. In general, the specific circumstances under which
individuals are offered an opt out is dependent on the source of the data and consistent with the
provisions outlined in the FDIC System of Records Notices (SORNs) and Privacy Act Notices
governing the original data collection.
Yes. Individuals have the opportunity to decline to provide their personal data or to consent
to particular uses of their information. (Explain how individuals may decline or consent to the
use of their information.):
13. If PII is being collected via a public-facing website and/or application as part of this outsourced
service, has the Outsourced Information Service Provider posted any of the following types of
privacy policies or Privacy Act notices?
No
Yes (If yes, check applicable box(es) below.)
Link to FDIC Privacy Policy
FDIC Privacy Act Statement
Contractor Privacy Policy or Statement
No Privacy Policy has been posted
Not applicable
SECTION V – DATA SECURITY AND ACCURACY
14. Please assert what administrative procedures and technical safeguards are in place to protect
sensitive PII data in the Outsourced Information Service Provider’s care. [Provide the name of the
Outsourced Service Provider and check all applicable box(es).]
MS O365 has undergone a Cloud Security Assessment through the FDIC’s Independent
Verification and Validation agent to determine whether the FDIC has adequately implemented the
controls for which it is responsible in order to protect the information to be stored within the
system. Control weaknesses were identified during the assessment, and the project team is in the
process of developing appropriate mitigation strategies.
If it has gone through an assessment, has it been approved? NO YES N/A
The FDIC conducts background investigations (BIs) on key Microsoft personnel and other
applicable personnel prior to their beginning work on the contract.
Microsoft (the Vendor) is subject to periodic compliance reviews by the FDIC. Per the
contract, scheduled and unannounced inspections and assessments of the Outsourced Service
Provider’s facilities, personnel, hardware, software and its security and privacy practices may be
conducted by either the FDIC information technology staff, the FDIC Inspector General, or the
U.S. General Accountability Office (GAO). These inspections may be conducted either by phone,
electronically or in-person, on both a pre-award basis and throughout the term of the contract or
task order, to ensure and verify compliance with FDIC IT security and privacy requirements.
Other (Explain any other administrative and/or technical safeguards in place to protect PII
data in the Outsourced Information Service Provider’s care.) Attach the Contract Clause
Verification Checklist to the back of this form.
15. What are the procedure(s) for ensuring that the information maintained is accurate, complete
and up-to-date? [Check all applicable box(es) and insert the appropriate response and System/Project
name.]
Data is collected directly from individuals and/or from the failed financial institutions. As
such, the FDIC and its vendors rely on the individuals and/or financial institutions to provide
accurate data.
The vendor/contractor works with FDIC to verify the integrity of the data [before, in
conjunction with, and/or after] inputting it into the system or using it to support the project.
As necessary, an [authorized user or administrator] of the [System/Project Name] checks the
data for completeness by reviewing the information, verifying whether or not certain documents
or data is missing, and as feasible, updating this data when required.
Other (Please explain.)
16. In terms of assuring proper use of the data, please assert whether the following statements are
true for the Outsourced Information Service Provider. (Check all applicable box(es) and insert the
name of the Outsourced Information Service Provider and title of the firm’s senior management
official.)
Within FDIC, the MS O365 Program Manager/Data Owner, Technical Monitors, Oversight
Manager, and Information Security Manager are collectively responsible for assuring proper use
of the data. In addition, it is every FDIC user’s responsibility to abide by FDIC data protection
rules which are outlined in the FDIC’s Information Security and Privacy Awareness training
course which all employees/contractors are required to take annually and certify that they will
abide by the corporation’s Rules of Behavior for data protection. In addition, MS O365
administrators are required to take additional server administrator role based training annually.
Additionally, the Outsourced Information Service Provider is responsible for assuring proper
use of the data. Policies and procedures have been established to delineate this responsibility, and
the vendor has designated [title of senior management official] to have overall accountability for
ensuring the proper handling of data by vendor personnel who have access to the data. All
vendor personnel with access to the data are responsible for protecting privacy and abiding by the
terms of their FDIC Confidentiality and Non-Disclosure Agreements, as well as the vendor’s
corporate policies for data protection. Access to certain data may be limited, depending on the
nature and type of data. (Refer to Section III of this Privacy Impact Assessment for more
information on data access criteria.)
The Outsourced Provider must comply with the Incident Response and Incident Monitoring
contractual requirement.
None of the above. (Explain why no FDIC staff or Outsourced Information Service Provider
personnel have been designated responsibility for assuring proper use of the data.)
SECTION VI – DATA RETENTION AND DISPOSAL
17. Where will the Outsourced Service Provider store or maintain the PII data identified in
question 5? Describe both electronic and physical storage repositories, as applicable.
The FDIC’s MS O365 comprises the following key components where PII data may be stored
or maintained:
a. Directory Services – The Directory Services portion of MS O365 provides a
Corporation-wide Global Address List (GAL). The GAL is an electronic directory of the
official, business contact information for authorized users with active FDIC email
accounts. Users, at their option, may include their personal cell phone numbers within
the Directory/GAL.
b. Calendar and Collaboration Services – The Calendar and Collaboration Services
component of MS O365 provides a calendar that is fully integrated with a user’s email
and contacts, and offers a variety of scheduling and collaboration functionalities. The
Calendar and Collaboration Services component allows users to create appointments and
events, organize meetings, view group schedules, and manage other users’ calendars. It
also allows users to create shared mailboxes and public folders⁴ to collect, organize, and
share business information with other users.
c. MS Exchange Online – Exchange Online refers to an email-based collaborative
communications service hosted on the MS cloud. Exchange Online facilitates electronic
mail communications, calendaring, contacts and tasks; supports mobile and web-based
access to information; and supports mailbox data storage. Inbound and outbound emails
are stored by the MS O365 cloud. A user is able to read and delete their sent and received
emails by logging into the Exchange client (i.e., Microsoft Outlook), which connects to
the service.
d. Email Cache/Archive Repositories – MS O365 features the following repositories
where electronic messages may be cached or archived for business purposes:
- Cached Exchange Mode (Offline Storage Folder/.OST) – A copy of a user’s
mailbox is stored in an encrypted file on his/her local computer. This copy
provides quick access to business data and is frequently synchronized with the
mail server.
- AutoArchive/online archive mailbox – Access is online only. There is no local
cache.
⁴ Public folders can contain any Outlook item type, such as business messages, appointments,
contacts, tasks, journal entries, notes, forms, files, and posts. Security permissions are associated
with each public folder, allowing only specific groups or people to have access. The owner of a
public folder can grant user permissions, assign rules, and set default views.
e. SharePoint Online - SharePoint Online is a cloud-based service that helps FDIC users
share and collaborate with each other. With SharePoint, FDIC users can have a central
repository for information and documents that need to be shared within or across
divisions.
f. OneDrive – OneDrive is a cloud-based service that provides FDIC users with secure
storage space for personal files, documents and data.
g. MS Teams – MS Teams is a cloud-based collaboration platform and central hub for
teamwork in MS O365 that integrates FDIC’s content, and tools such as emails,
calendaring, SharePoint, chat, and video conferencing, as needed, to be more engaged
and effective.
18. Specify the period of time that data is retained by the Outsourced Service Provider and the
specific procedures for disposing of or returning the data at the end of the retention period or
contract, whichever is first.
Microsoft has a Data Handling Standard policy for MS O365 that specifies how long customer
data will be retained after being deleted. There are generally two scenarios in which customer
data is deleted:
- Active Deletion – The tenant (FDIC) has an active subscription and a user deletes data, or
data provided by a user is deleted by the administrator.
- Passive Deletion – The tenant (FDIC) subscription ends.
For each deletion scenario (Active or Passive), the following table shows the maximum data
retention period, by data category and classification:
At all times during the term of an active subscription, a subscriber (FDIC) can access, extract, or
delete customer data stored in MS O365. If a paid subscription ends or is terminated, Microsoft will
retain customer data stored in MS O365 in a limited-function account for 90 days to enable the
subscriber (FDIC) to extract the data. After the 90-day retention period ends, Microsoft will disable
the account and delete the customer data. No more than 180 days after expiration or termination of a
subscription to MS O365, Microsoft will disable the account and delete all customer data from the
account. Once the maximum retention period for any data has elapsed, the data is rendered
commercially unrecoverable.
At all times during the term of any subscription, a subscriber (FDIC) can contact Microsoft Support
and request expedited subscription de-provisioning. In this process, all user data, including data in
SharePoint Online, Exchange Online that may be under hold or stored in inactive mailboxes, is
deleted three days after the administrator enters the lockout code provided by Microsoft.