SlideShare a Scribd company logo

PTA and PIA for <Information System Name

Download as DOCX, PDF
GovCloud Network
GovCloud Network

This document has been released originally in template format and is meant to be modified upon first use. &lt;information> is a Cloud Service Provider (CSP) offering that has undergone either a Privacy Threshold Analysis (PTA) or Privacy Impact Assessment (PIA). This document includes a the PTA/PIA for &lt;information>.

TechnologyNews & Politics
1 of 17
PTA / PIA <Information System Name>, <Date> Privacy Threshold Analysis and Privacy Impact Assessment <Vendor Name> <Information System Name> Version 1.0 May 2, 2012 Company Sensitive and Proprietary For Authorized Use Only
PTA / PIA <Information System Name>, <Date> Executive Summary This document has been released originally in template format and is meant to be modified upon first use. <Information System Name> is a Cloud Service Provider (CSP) offering that has undergone either a Privacy Threshold Analysis (PTA) or Privacy Impact Assessment (PIA). This document includes a the PTA/PIA for <Information System Name>. Company Sensitive and Proprietary Page 2
PTA / PIA <Information System Name>, <Date> Document Revision History Date Description Version Author 05/02/2012 Document Publication 1.0 FedRAMP Office Company Sensitive and Proprietary Page 3
PTA and PIA for <Information System Name> Version 0.1 / Date Table of Contents 1. About This Document .......................................................................................................................................6 1.1. Who should use this document? ......................................................................................................................6 1.2. How This Document Is Organized .....................................................................................................................6 1.3. Conventions used in this document .................................................................................................................6 1.4. How to contact us .............................................................................................................................................7 2. Privacy Overview and POC ................................................................................................................................8 2.1. Privacy Laws, Regulations, and Guidance .........................................................................................................8 2.2. Personally Identifiable Information (PII) ...........................................................................................................9 3. Privacy Threshold Analysis..............................................................................................................................10 3.1. Qualifying Questions ......................................................................................................................................10 3.2. Designation .....................................................................................................................................................10 4. Privacy Impact Assessment ............................................................................................................................11 4.1. PII Mapping of Components ...........................................................................................................................11 4.2. PII In Use .........................................................................................................................................................11 4.3. Sources of PII and Purpose .............................................................................................................................12 4.4. Access to PII and Sharing ................................................................................................................................12 4.5. PII Safeguards and liabilities ...........................................................................................................................12 4.6. Contracts, agreements, and ownership ..........................................................................................................13 4.7. Attributes and accuracy of the PII ..................................................................................................................14 4.8. Maintenance and Administrative Controls .....................................................................................................14 4.9. Business Processes and Technology ...............................................................................................................15 4.10. Privacy Policy ..................................................................................................................................................15 4.11. Assessor and Signatures .................................................................................................................................16 4.12. Acronyms ........................................................................................................................................................17 Company Sensitive and Proprietary Page 4
PTA and PIA for <Information System Name> Version 0.1 / Date List of Tables Table 2-1. <Information System Name> Privacy POC ....................................................................................................8 Table 3-1. PII Mapped to Components ........................................................................................................................11 Company Sensitive and Proprietary Page 5
PTA and PIA for <Information System Name> Version 0.1 / Date ABOUT THIS DOCUMENT This document has been developed for the FedRAMP program. WHO SHOULD USE THIS DOCUMENT? This document is intended to be used by Cloud Service Providers (CSPs) for assessing privacy concerns. HOW THIS DOCUMENT IS ORGANIZED This document is divided into <number>sections. Most sections include subsections. Section 1 describes how this document is organized and details documentation conventions. Section 2 contains a Privacy Threshold Analysis. Section 3 contains a Privacy Impact Assessment. Section 4 contains Acronyms. CONVENTIONS USED IN THIS DOCUMENT This document uses the following typographical conventions: Italic Italics are used for email addresses, security control assignments parameters, and formal document names. Italic blue in a box Italic blue text in a blue boxindicates instructions to the individual filling out the template. Instruction: This is an instruction to the individual filling out of the template. Bold Bold text indicates a parameter or an additional requirement. Constant width Constant width text is used for text that is representative of characters that would show up on a computer screen. <Brackets> Bold blue text in brackets indicates text that should be replaced with user-defined values. Once the text has been replaced, the brackets should be removed. Company Sensitive and Proprietary Page 6
PTA and PIA for <Information System Name> Version 0.1 / Date Notes Notes are found between parallel lines and include additional information that may be helpful to the users of this template. Note: This is a note. Sans Serif Sans Serif text is used for tables, table captions, figure captions, and table of contents. Sans Serif Gray Sans Serif gray text is used for examples. Tips Tips include information designed to help simplify the process. Tip: This is a tip. HOW TO CONTACT US If you have questions about FedRAMP or something in this document, please write to: info@fedramp.gov For more information about the FedRAMP project, please see the website at: http://www.fedramp.gov. Company Sensitive and Proprietary Page 7
PTA and PIA for <Information System Name> Version 0.1 / Date 1. PRIVACY OVERVIEW AND POC The following individual is identified as the <Information System Name> Privacy Officer andpoint of contact for privacy at <CSP>. Table 2-1.<Information System Name>Privacy POC Name Title CSP / Organization Address Phone Number Email Address 1.1. PRIVACY LAWS, REGULATIONS, AND GUIDANCE A summary of laws, regulations related to privacy include: 5 U.S.C. § 552a, Freedom of Information Act of 1996, As Amended By Public Law No. 104-231, 110 Stat. 3048 5 U.S.C. § 552a, Privacy Act of 1974, As Amended Public Law 100-503, Computer Matching and Privacy Act of 1988 E-Government Act of 2002 § 208 Federal Trade Commission Act § 5 44 U.S.C. Federal Records Act, Chapters 21, 29, 31, 33 Title 35, Code of Federal Regulations, Chapter XII, Subchapter B OMB Circular A-130, Management of Federal Information Resources, 1996 OMB Memo M-10-23, Guidance for Agency Use of Third-Party Websites OMB Memo M-99-18, Privacy Policies on Federal Web Sites OMB Memo M-03-22, OMB Guidance for Implementing the Privacy Provisions OMB Memo M-07-16, Safeguarding Against and Responding to the Breach of PII The Health Insurance Portability and Accountability Act of 1996 (HIPAA) State Privacy Laws Guidance on privacy issues can be found in the following publication: NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf Company Sensitive and Proprietary Page 8
PTA and PIA for <Information System Name> Version 0.1 / Date FTC Fair Information Practice Principles http://www.ftc.gov/reports/privacy3/fairinfo.shtm Guidance on Managing Records in Cloud Computing Environments (NARA Bulletin) http://www.archives.gov/records-mgmt/bulletins/2010/2010-05.html Privacy and Security Law Issues in Off-shore Outsourcing Transactions http://www.outsourcing.com/legal_corner/pdf/Outsourcing_Privacy.pdf 1.2. PERSONALLY IDENTIFIABLE INFORMATION (PII) Personally Identifiable Information (PII) as defined in OMB Memo M-07-16 refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. Information that could be tied to more than one person (date of birth) is not considered PII unless it is made available with other types of information that together could render both values as PII (date of birth and street address). A non-exhaustive list of examples of PII include: Social Security numbers Passport numbers Driver’s license numbers Biometric information DNA information Bank account numbers PII does not refer to business information or government information that cannot be traced back to an individual person. Company Sensitive and Proprietary Page 9
PTA and PIA for <Information System Name> Version 0.1 / Date 2. PRIVACY THRESHOLD ANALYSIS <CSP> performs a Privacy Threshold Analysis annually to determine if PII is collected by any of the <Information System Name> components. If PII is discovered, a Privacy Impact Assessment is performed. The Privacy Impact Assessment template used by <CSP> can be found in Section 3. This section constitutes the Privacy Threshold Analysis and findings. 2.1. QUALIFYING QUESTIONS 1) Does the <Information System Name> collect, maintain, or share PII in any identifiable form? No Yes 2) Does the <Information System Name> collect, maintain, or share PII information from or about the public? No Yes 3) Has a Privacy Impact Assessment ever been performed for the <Information System Name>? No Yes 4) Is there a Privacy Act System of Records Notice (SORN) for this system? No Yes, the SORN identifier and name is: If answers to questions 1-4 are all “No” then a Privacy Impact Assessment may be omitted. If any of the answers to question 1-4 are “Yes” then complete a Privacy Impact Assessment. 2.2. DESIGNATION A Privacy Sensitive System Not a Privacy Sensitive System (in its current version) Company Sensitive and Proprietary Page 10
PTA and PIA for <Information System Name> Version 0.1 / Date 3. PRIVACY IMPACT ASSESSMENT A Privacy Impact Assessment has been conducted for the <Information System Name> on <date>. 3.1. PII MAPPING OF COMPONENTS <Information System Name> consists of <number> key components. Each component has been analyzed to determine if any elements of that component collect PII. The type of PII collected by <Information System Name>and the functions that collect it are recorded in Table 4-1. Table 4-1. PII Mapped to Components Does this function Reason for Components collect or store PII? Type of PII Safeguards Collection of PII (Yes/No) 3.2. PII IN USE 1) What PII (name, social security number, date of birth, address, etc.) is contained in the CSP service offering? Explain. 2) Can individuals “opt-out” by declining to provide PII or by consenting only to a particular use (e.g., allowing basic use of their personal information, but not sharing with other government agencies)? Explain. Yes. Explain the issues and circumstances of being able to opt-out (either for specific data elements or specific uses of the data): Company Sensitive and Proprietary Page 11
PTA and PIA for <Information System Name> Version 0.1 / Date No. Explain: 3.3. SOURCES OF PII AND PURPOSE 3) Does the CSP have knowledge of federal agencies that provide PII to the system? Explain. 4) Has any agency that is providing PII to the system provided a stated purpose for populating the system with PII? Explain. 5) Does the CSP populate the system with PII? If yes, what is the purpose? Explain. 6) What other third party sources will be providing PIIto the system? Explain the PII that will be provided and the purpose for it. 3.4. ACCESS TO PII AND SHARING 7) What federal agencies have access to the PII, even if they are not the original provider? Who establishes the criteria for what PII can be shared? Explain. 8) What CSP personnel will have access to the system and the PII (e.g., users, managers, system administrators, developers, contractors, other)? Explain the need forCSP personnel to have access to the PII. 9) How is access to the PII determined? Are criteria, procedures, controls, and responsibilities regarding access documented? Does access require manager approval? Explain. 10) Do other systems share, transmit, or have access to the PII in the system? If yes, explain the purpose for system to system transmission, access, or sharing. 3.5. PII SAFEGUARDS AND LIABILITIES 11) What controls are in place to prevent the misuse (e.g., browsing) of data by those having access? Explain. Company Sensitive and Proprietary Page 12
PTA and PIA for <Information System Name> Version 0.1 / Date 12) Who will be responsible for protecting the privacy rights of the individuals whose PII is collected, maintained, or shared on the system? Have policiesand/or procedures been established for this responsibility and accountability? Explain. 13) Does the CSP annual security training include privacy training? Does the CSP require contractors to take the training? Explain. 14) Who is responsible for assuring safeguards for the PII? Explain. 15) What is the magnitude of harm if privacy related data is disclosed, intentionally or unintentionally? Would the reputation of the CSP or its customers be affected? Explain. 16) What is the magnitude of harm to the individuals if privacy related data is disclosed, intentionally orunintentionally? Explain. 17) What involvement will contractors have with the design and maintenance of the system? Has a contractor confidentiality agreement or a Non-Disclosure Agreement (NDA) been developed for contractors who work on the system? Explain. 18) Is the PII owner advised about whatfederal agencies or other organizations share or have access to the data? Explain. 3.6. CONTRACTS, AGREEMENTS, AND OWNERSHIP 19) NIST SP 800-144 states, “Organizations are ultimately accountable for the security and privacy of data held by a cloud provider on their behalf.” Is this principle described in contracts with customers? Why or why not? Explain. 20) Do contracts with customers establish who has ownership rights over data including PII? Explain. 21) Do contracts with customers require that customers notify the CSP if the customer intends to populate the service platform with PII? Why or why not? 22) Do CSP contracts with customers establish record retention responsibilities for both the Company Sensitive and Proprietary Page 13
PTA and PIA for <Information System Name> Version 0.1 / Date customer and the CSP? Explain. 23) Is the degree to which the CSP will accept liability for expose of PII clearly defined in agreements with customers? 3.7. ATTRIBUTES AND ACCURACY OF THE PII 24) Is the PII collected verified for accuracy? Why or why not? Explain. 25) Is the PII current? How is this determined? Explain. 3.8. MAINTENANCE AND ADMINISTRATIVE CONTROLS 26) If the system is operated in more than one site, how is consistent use of the system and PII maintained in all sites? Are the same controls be used? Explain. 27) What are the retention periods of PII for this system? Under what guidelines are the retention periods determined? Who establishes the retention guidelines? Explain. 28) What are the procedures for disposition of the PII at the end of the retention period? How long will any reports that contain PII be maintained? How is the information disposed (e.g., shredding, degaussing, overwriting, etc.)? Who establishes the decommissioning procedures? Explain. 29) Is the system using technologies that contain PII in ways that havenot previously deployed? (e.g., smart cards, caller-ID, biometrics, PIV cards, etc.)? Explain. 30) How does the use of this technology affect privacy? Does the use of this technology introduce compromise that did not exist prior to the deployment of this technology? Explain. 31) Is access to the PII being monitored, tracked, or recorded? Explain. 32) If the system is in the process of being modified and a SORN exists, will the SORN require amendment or revision? Explain. Company Sensitive and Proprietary Page 14
PTA and PIA for <Information System Name> Version 0.1 / Date 3.9. BUSINESS PROCESSES AND TECHNOLOGY 33) Does the conduct of this PIA result in circumstances that requires changes to business processes? Explain. 34) Does the completion of this PIA potentially result in technology changes? Explain. 3.10. PRIVACY POLICY 35) Is there a CSP privacy policy and is it provided to all individuals whose PII you collect, maintain or store? Explain. 36) Is the privacy policy publicly viewable? If yes, provide the URL: Company Sensitive and Proprietary Page 15
PTA and PIA for <Information System Name> Version 0.1 / Date 3.11. ASSESSOR AND SIGNATURES This Privacy Impact Assessment has been conducted by <name of organization> and has been reviewed by the <CSP> Chief Privacy Officer for accuracy. _________________________________ Assessor Name (Please Print) _________________________________ __________________ Assessor Signature Date _________________________________ __________________ Chief Privacy Officer Signature Date Company Sensitive and Proprietary Page 16
PTA and PIA for <Information System Name> Version 0.1 / Date 3.12. ACRONYMS CSP Cloud Service Provider HIPAA Health Insurance Portability and Accountability Act IT Information Technology NIST National Institute for Standards and Technology OMB Office of Management and Budget POC Point of Contact PII Personally Identifiable Information PTA Privacy Threshold Analysis SORN System of Records Notice Company Sensitive and Proprietary Page 17

Recommended

Cisco IPv6 Tutorial
Cisco IPv6 TutorialCisco IPv6 Tutorial
Cisco IPv6 Tutorialkriz5
 
Chap2 2007 Cisa Review Course
Chap2 2007 Cisa Review CourseChap2 2007 Cisa Review Course
Chap2 2007 Cisa Review CourseDesmond Devendran
 
Inside Microsoft's FPGA-Based Configurable Cloud
Inside Microsoft's FPGA-Based Configurable CloudInside Microsoft's FPGA-Based Configurable Cloud
Inside Microsoft's FPGA-Based Configurable Cloudinside-BigData.com
 
Deploying Foreman in Enterprise Environments
Deploying Foreman in Enterprise EnvironmentsDeploying Foreman in Enterprise Environments
Deploying Foreman in Enterprise Environmentsinovex GmbH
 
Optical Fiber link Design Complete guide by Aamir Saleem
Optical Fiber link Design Complete guide by Aamir SaleemOptical Fiber link Design Complete guide by Aamir Saleem
Optical Fiber link Design Complete guide by Aamir SaleemAamir Saleem
 
GEPON Presentation
GEPON PresentationGEPON Presentation
GEPON Presentationjuanhev
 
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...PECB
 
Settlement
SettlementSettlement
SettlementSHS Geog
 

Recommended

Cisco IPv6 Tutorial
Cisco IPv6 TutorialCisco IPv6 Tutorial
Cisco IPv6 Tutorialkriz5
 
Chap2 2007 Cisa Review Course
Chap2 2007 Cisa Review CourseChap2 2007 Cisa Review Course
Chap2 2007 Cisa Review CourseDesmond Devendran
 
Inside Microsoft's FPGA-Based Configurable Cloud
Inside Microsoft's FPGA-Based Configurable CloudInside Microsoft's FPGA-Based Configurable Cloud
Inside Microsoft's FPGA-Based Configurable Cloudinside-BigData.com
 
Deploying Foreman in Enterprise Environments
Deploying Foreman in Enterprise EnvironmentsDeploying Foreman in Enterprise Environments
Deploying Foreman in Enterprise Environmentsinovex GmbH
 
Optical Fiber link Design Complete guide by Aamir Saleem
Optical Fiber link Design Complete guide by Aamir SaleemOptical Fiber link Design Complete guide by Aamir Saleem
Optical Fiber link Design Complete guide by Aamir SaleemAamir Saleem
 
GEPON Presentation
GEPON PresentationGEPON Presentation
GEPON Presentationjuanhev
 
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...
George, Tony, Michael - PECB Webinar 27701 Data Protection Risk Management V1...PECB
 
Settlement
SettlementSettlement
SettlementSHS Geog
 
Rules of Behavior
Rules of BehaviorRules of Behavior
Rules of BehaviorGovCloud Network
 
Security Assessment Plan (Template)
Security Assessment Plan (Template)Security Assessment Plan (Template)
Security Assessment Plan (Template)GovCloud Network
 
Sap template 050312
Sap template 050312Sap template 050312
Sap template 050312GovCloud Network
 
Data Protection Compliance In Economically Depressing Times
Data Protection Compliance In Economically Depressing TimesData Protection Compliance In Economically Depressing Times
Data Protection Compliance In Economically Depressing TimesBen Omoakin Oguntala, developingafrica(dot)net
 
Plan of Action and Milestones (POA&M)
Plan of Action and Milestones (POA&M)Plan of Action and Milestones (POA&M)
Plan of Action and Milestones (POA&M)GovCloud Network
 
Tài liệu giới thiệu phần mềm bằng tiếng anh
Tài liệu giới thiệu phần mềm bằng tiếng anhTài liệu giới thiệu phần mềm bằng tiếng anh
Tài liệu giới thiệu phần mềm bằng tiếng anhPhần mềm tính lương | phan mem tinh luong
 
SRS4.0.doc
SRS4.0.docSRS4.0.doc
SRS4.0.docrahamatullamondal
 
Trackment
TrackmentTrackment
Trackmentmeaannn
 
Enabling Big Data with IBM InfoSphere Optim
Enabling Big Data with IBM InfoSphere OptimEnabling Big Data with IBM InfoSphere Optim
Enabling Big Data with IBM InfoSphere OptimVineet
 
1 3Financial Service Security EngagementLearning Team .docx
1 3Financial Service Security EngagementLearning Team .docx1 3Financial Service Security EngagementLearning Team .docx
1 3Financial Service Security EngagementLearning Team .docxoswald1horne84988
 
Conference Paper: Enabling Privacy Mechanisms in Apache Storm
Conference Paper: Enabling Privacy Mechanisms in Apache StormConference Paper: Enabling Privacy Mechanisms in Apache Storm
Conference Paper: Enabling Privacy Mechanisms in Apache StormEricsson
 
Ocssco database policy document
Ocssco database policy documentOcssco database policy document
Ocssco database policy documentEndale Mintesinot
 
USG IT Handbook
USG IT HandbookUSG IT Handbook
USG IT Handbookkeyashaj
 
Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3
Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3
Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3Bloombase
 
E authentication template 050212
E authentication template 050212E authentication template 050212
E authentication template 050212GovCloud Network
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresSamuel Loomis
 
GDPR - Context, Principles, Implementation, Operation, Data Governance, Data ...
GDPR - Context, Principles, Implementation, Operation, Data Governance, Data ...GDPR - Context, Principles, Implementation, Operation, Data Governance, Data ...
GDPR - Context, Principles, Implementation, Operation, Data Governance, Data ...Alan McSweeney
 
SRS for Online Medicine Ordering System
SRS for Online Medicine Ordering SystemSRS for Online Medicine Ordering System
SRS for Online Medicine Ordering SystemUmmeKalsoom11
 
WS-Privacy,
WS-Privacy,WS-Privacy,
WS-Privacy,webhostingguy
 
Teradata's approach to addressing GDPR
Teradata's approach to addressing GDPRTeradata's approach to addressing GDPR
Teradata's approach to addressing GDPRPaul O'Carroll
 
IaaS Price performance-benchmark
IaaS Price performance-benchmarkIaaS Price performance-benchmark
IaaS Price performance-benchmarkGovCloud Network
 
Cloud computing training what's right for me
Cloud computing training what's right for meCloud computing training what's right for me
Cloud computing training what's right for meGovCloud Network
 

More Related Content

Similar to PTA and PIA for <Information System Name

Security Assessment Plan (Template)
Security Assessment Plan (Template)Security Assessment Plan (Template)
Security Assessment Plan (Template)GovCloud Network
 
Plan of Action and Milestones (POA&M)
Plan of Action and Milestones (POA&M)Plan of Action and Milestones (POA&M)
Plan of Action and Milestones (POA&M)GovCloud Network
 
Trackment
TrackmentTrackment
Trackmentmeaannn
 
Enabling Big Data with IBM InfoSphere Optim
Enabling Big Data with IBM InfoSphere OptimEnabling Big Data with IBM InfoSphere Optim
Enabling Big Data with IBM InfoSphere OptimVineet
 
1 3Financial Service Security EngagementLearning Team .docx
1 3Financial Service Security EngagementLearning Team .docx1 3Financial Service Security EngagementLearning Team .docx
1 3Financial Service Security EngagementLearning Team .docxoswald1horne84988
 
Conference Paper: Enabling Privacy Mechanisms in Apache Storm
Conference Paper: Enabling Privacy Mechanisms in Apache StormConference Paper: Enabling Privacy Mechanisms in Apache Storm
Conference Paper: Enabling Privacy Mechanisms in Apache StormEricsson
 
Ocssco database policy document
Ocssco database policy documentOcssco database policy document
Ocssco database policy documentEndale Mintesinot
 
USG IT Handbook
USG IT HandbookUSG IT Handbook
USG IT Handbookkeyashaj
 
Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3
Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3
Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3Bloombase
 
E authentication template 050212
E authentication template 050212E authentication template 050212
E authentication template 050212GovCloud Network
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresSamuel Loomis
 
GDPR - Context, Principles, Implementation, Operation, Data Governance, Data ...
GDPR - Context, Principles, Implementation, Operation, Data Governance, Data ...GDPR - Context, Principles, Implementation, Operation, Data Governance, Data ...
GDPR - Context, Principles, Implementation, Operation, Data Governance, Data ...Alan McSweeney
 
SRS for Online Medicine Ordering System
SRS for Online Medicine Ordering SystemSRS for Online Medicine Ordering System
SRS for Online Medicine Ordering SystemUmmeKalsoom11
 
Teradata's approach to addressing GDPR
Teradata's approach to addressing GDPRTeradata's approach to addressing GDPR
Teradata's approach to addressing GDPRPaul O'Carroll
 

Similar to PTA and PIA for <Information System Name (20)

Rules of Behavior
Rules of BehaviorRules of Behavior
Rules of Behavior
 
Security Assessment Plan (Template)
Security Assessment Plan (Template)Security Assessment Plan (Template)
Security Assessment Plan (Template)
 
Sap template 050312
Sap template 050312Sap template 050312
Sap template 050312
 
Data Protection Compliance In Economically Depressing Times
Data Protection Compliance In Economically Depressing TimesData Protection Compliance In Economically Depressing Times
Data Protection Compliance In Economically Depressing Times
 
Plan of Action and Milestones (POA&M)
Plan of Action and Milestones (POA&M)Plan of Action and Milestones (POA&M)
Plan of Action and Milestones (POA&M)
 
Tài liệu giới thiệu phần mềm bằng tiếng anh
Tài liệu giới thiệu phần mềm bằng tiếng anhTài liệu giới thiệu phần mềm bằng tiếng anh
Tài liệu giới thiệu phần mềm bằng tiếng anh
 
SRS4.0.doc
SRS4.0.docSRS4.0.doc
SRS4.0.doc
 
Trackment
TrackmentTrackment
Trackment
 
Enabling Big Data with IBM InfoSphere Optim
Enabling Big Data with IBM InfoSphere OptimEnabling Big Data with IBM InfoSphere Optim
Enabling Big Data with IBM InfoSphere Optim
 
1 3Financial Service Security EngagementLearning Team .docx
1 3Financial Service Security EngagementLearning Team .docx1 3Financial Service Security EngagementLearning Team .docx
1 3Financial Service Security EngagementLearning Team .docx
 
Conference Paper: Enabling Privacy Mechanisms in Apache Storm
Conference Paper: Enabling Privacy Mechanisms in Apache StormConference Paper: Enabling Privacy Mechanisms in Apache Storm
Conference Paper: Enabling Privacy Mechanisms in Apache Storm
 
Ocssco database policy document
Ocssco database policy documentOcssco database policy document
Ocssco database policy document
 
USG IT Handbook
USG IT HandbookUSG IT Handbook
USG IT Handbook
 
Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3
Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3
Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3
 
E authentication template 050212
E authentication template 050212E authentication template 050212
E authentication template 050212
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_Procedures
 
GDPR - Context, Principles, Implementation, Operation, Data Governance, Data ...
GDPR - Context, Principles, Implementation, Operation, Data Governance, Data ...GDPR - Context, Principles, Implementation, Operation, Data Governance, Data ...
GDPR - Context, Principles, Implementation, Operation, Data Governance, Data ...
 
SRS for Online Medicine Ordering System
SRS for Online Medicine Ordering SystemSRS for Online Medicine Ordering System
SRS for Online Medicine Ordering System
 
WS-Privacy,
WS-Privacy,WS-Privacy,
WS-Privacy,
 
Teradata's approach to addressing GDPR
Teradata's approach to addressing GDPRTeradata's approach to addressing GDPR
Teradata's approach to addressing GDPR
 

More from GovCloud Network

IaaS Price performance-benchmark
IaaS Price performance-benchmarkIaaS Price performance-benchmark
IaaS Price performance-benchmarkGovCloud Network
 
Cloud computing training what's right for me
Cloud computing training what's right for meCloud computing training what's right for me
Cloud computing training what's right for meGovCloud Network
 
ViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT ChangeViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT ChangeGovCloud Network
 
Staying Safe in Cyberspace
Staying Safe in CyberspaceStaying Safe in Cyberspace
Staying Safe in CyberspaceGovCloud Network
 
Vets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate SuccessVets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate SuccessGovCloud Network
 
GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014GovCloud Network
 
Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture GovCloud Network
 
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin JacksonICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin JacksonGovCloud Network
 
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAImproving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAGovCloud Network
 
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher PageGovCloud Network
 
Agile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John BrennanAgile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John BrennanGovCloud Network
 
DoD Business Capability Lifecycle (BCL) Guide (Draft)
DoD Business Capability Lifecycle (BCL) Guide (Draft)DoD Business Capability Lifecycle (BCL) Guide (Draft)
DoD Business Capability Lifecycle (BCL) Guide (Draft)GovCloud Network
 
GovCloud Network Overview Presentation
GovCloud Network Overview PresentationGovCloud Network Overview Presentation
GovCloud Network Overview PresentationGovCloud Network
 
PM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing briefPM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing briefGovCloud Network
 
Intrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. JacksonIntrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. JacksonGovCloud Network
 
A Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African GovernmentA Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African GovernmentGovCloud Network
 
NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013GovCloud Network
 
Tech gate kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013Tech gate kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013GovCloud Network
 
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...GovCloud Network
 
Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)GovCloud Network
 

More from GovCloud Network (20)

IaaS Price performance-benchmark
IaaS Price performance-benchmarkIaaS Price performance-benchmark
IaaS Price performance-benchmark
 
Cloud computing training what's right for me
Cloud computing training what's right for meCloud computing training what's right for me
Cloud computing training what's right for me
 
ViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT ChangeViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT Change
 
Staying Safe in Cyberspace
Staying Safe in CyberspaceStaying Safe in Cyberspace
Staying Safe in Cyberspace
 
Vets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate SuccessVets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate Success
 
GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014
 
Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture
 
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin JacksonICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
 
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAImproving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
 
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
 
Agile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John BrennanAgile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John Brennan
 
DoD Business Capability Lifecycle (BCL) Guide (Draft)
DoD Business Capability Lifecycle (BCL) Guide (Draft)DoD Business Capability Lifecycle (BCL) Guide (Draft)
DoD Business Capability Lifecycle (BCL) Guide (Draft)
 
GovCloud Network Overview Presentation
GovCloud Network Overview PresentationGovCloud Network Overview Presentation
GovCloud Network Overview Presentation
 
PM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing briefPM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing brief
 
Intrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. JacksonIntrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. Jackson
 
A Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African GovernmentA Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African Government
 
NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013
 
Tech gate kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013Tech gate kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013
 
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
 
Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)
 

Recently uploaded

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 

Recently uploaded (20)

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 

PTA and PIA for <Information System Name

  • 1. PTA / PIA <Information System Name>, <Date> Privacy Threshold Analysis and Privacy Impact Assessment <Vendor Name> <Information System Name> Version 1.0 May 2, 2012 Company Sensitive and Proprietary For Authorized Use Only
  • 2. PTA / PIA <Information System Name>, <Date> Executive Summary This document has been released originally in template format and is meant to be modified upon first use. <Information System Name> is a Cloud Service Provider (CSP) offering that has undergone either a Privacy Threshold Analysis (PTA) or Privacy Impact Assessment (PIA). This document includes a the PTA/PIA for <Information System Name>. Company Sensitive and Proprietary Page 2
  • 3. PTA / PIA <Information System Name>, <Date> Document Revision History Date Description Version Author 05/02/2012 Document Publication 1.0 FedRAMP Office Company Sensitive and Proprietary Page 3
  • 4. PTA and PIA for <Information System Name> Version 0.1 / Date Table of Contents 1. About This Document .......................................................................................................................................6 1.1. Who should use this document? ......................................................................................................................6 1.2. How This Document Is Organized .....................................................................................................................6 1.3. Conventions used in this document .................................................................................................................6 1.4. How to contact us .............................................................................................................................................7 2. Privacy Overview and POC ................................................................................................................................8 2.1. Privacy Laws, Regulations, and Guidance .........................................................................................................8 2.2. Personally Identifiable Information (PII) ...........................................................................................................9 3. Privacy Threshold Analysis..............................................................................................................................10 3.1. Qualifying Questions ......................................................................................................................................10 3.2. Designation .....................................................................................................................................................10 4. Privacy Impact Assessment ............................................................................................................................11 4.1. PII Mapping of Components ...........................................................................................................................11 4.2. PII In Use .........................................................................................................................................................11 4.3. Sources of PII and Purpose .............................................................................................................................12 4.4. Access to PII and Sharing ................................................................................................................................12 4.5. PII Safeguards and liabilities ...........................................................................................................................12 4.6. Contracts, agreements, and ownership ..........................................................................................................13 4.7. Attributes and accuracy of the PII ..................................................................................................................14 4.8. Maintenance and Administrative Controls .....................................................................................................14 4.9. Business Processes and Technology ...............................................................................................................15 4.10. Privacy Policy ..................................................................................................................................................15 4.11. Assessor and Signatures .................................................................................................................................16 4.12. Acronyms ........................................................................................................................................................17 Company Sensitive and Proprietary Page 4
  • 5. PTA and PIA for <Information System Name> Version 0.1 / Date List of Tables Table 2-1. <Information System Name> Privacy POC ....................................................................................................8 Table 3-1. PII Mapped to Components ........................................................................................................................11 Company Sensitive and Proprietary Page 5
  • 6. PTA and PIA for <Information System Name> Version 0.1 / Date ABOUT THIS DOCUMENT This document has been developed for the FedRAMP program. WHO SHOULD USE THIS DOCUMENT? This document is intended to be used by Cloud Service Providers (CSPs) for assessing privacy concerns. HOW THIS DOCUMENT IS ORGANIZED This document is divided into <number>sections. Most sections include subsections. Section 1 describes how this document is organized and details documentation conventions. Section 2 contains a Privacy Threshold Analysis. Section 3 contains a Privacy Impact Assessment. Section 4 contains Acronyms. CONVENTIONS USED IN THIS DOCUMENT This document uses the following typographical conventions: Italic Italics are used for email addresses, security control assignments parameters, and formal document names. Italic blue in a box Italic blue text in a blue boxindicates instructions to the individual filling out the template. Instruction: This is an instruction to the individual filling out of the template. Bold Bold text indicates a parameter or an additional requirement. Constant width Constant width text is used for text that is representative of characters that would show up on a computer screen. <Brackets> Bold blue text in brackets indicates text that should be replaced with user-defined values. Once the text has been replaced, the brackets should be removed. Company Sensitive and Proprietary Page 6
  • 7. PTA and PIA for <Information System Name> Version 0.1 / Date Notes Notes are found between parallel lines and include additional information that may be helpful to the users of this template. Note: This is a note. Sans Serif Sans Serif text is used for tables, table captions, figure captions, and table of contents. Sans Serif Gray Sans Serif gray text is used for examples. Tips Tips include information designed to help simplify the process. Tip: This is a tip. HOW TO CONTACT US If you have questions about FedRAMP or something in this document, please write to: info@fedramp.gov For more information about the FedRAMP project, please see the website at: http://www.fedramp.gov. Company Sensitive and Proprietary Page 7
  • 8. PTA and PIA for <Information System Name> Version 0.1 / Date 1. PRIVACY OVERVIEW AND POC The following individual is identified as the <Information System Name> Privacy Officer andpoint of contact for privacy at <CSP>. Table 2-1.<Information System Name>Privacy POC Name Title CSP / Organization Address Phone Number Email Address 1.1. PRIVACY LAWS, REGULATIONS, AND GUIDANCE A summary of laws, regulations related to privacy include: 5 U.S.C. § 552a, Freedom of Information Act of 1996, As Amended By Public Law No. 104-231, 110 Stat. 3048 5 U.S.C. § 552a, Privacy Act of 1974, As Amended Public Law 100-503, Computer Matching and Privacy Act of 1988 E-Government Act of 2002 § 208 Federal Trade Commission Act § 5 44 U.S.C. Federal Records Act, Chapters 21, 29, 31, 33 Title 35, Code of Federal Regulations, Chapter XII, Subchapter B OMB Circular A-130, Management of Federal Information Resources, 1996 OMB Memo M-10-23, Guidance for Agency Use of Third-Party Websites OMB Memo M-99-18, Privacy Policies on Federal Web Sites OMB Memo M-03-22, OMB Guidance for Implementing the Privacy Provisions OMB Memo M-07-16, Safeguarding Against and Responding to the Breach of PII The Health Insurance Portability and Accountability Act of 1996 (HIPAA) State Privacy Laws Guidance on privacy issues can be found in the following publication: NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf Company Sensitive and Proprietary Page 8
  • 9. PTA and PIA for <Information System Name> Version 0.1 / Date FTC Fair Information Practice Principles http://www.ftc.gov/reports/privacy3/fairinfo.shtm Guidance on Managing Records in Cloud Computing Environments (NARA Bulletin) http://www.archives.gov/records-mgmt/bulletins/2010/2010-05.html Privacy and Security Law Issues in Off-shore Outsourcing Transactions http://www.outsourcing.com/legal_corner/pdf/Outsourcing_Privacy.pdf 1.2. PERSONALLY IDENTIFIABLE INFORMATION (PII) Personally Identifiable Information (PII) as defined in OMB Memo M-07-16 refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. Information that could be tied to more than one person (date of birth) is not considered PII unless it is made available with other types of information that together could render both values as PII (date of birth and street address). A non-exhaustive list of examples of PII include: Social Security numbers Passport numbers Driver’s license numbers Biometric information DNA information Bank account numbers PII does not refer to business information or government information that cannot be traced back to an individual person. Company Sensitive and Proprietary Page 9
  • 10. PTA and PIA for <Information System Name> Version 0.1 / Date 2. PRIVACY THRESHOLD ANALYSIS <CSP> performs a Privacy Threshold Analysis annually to determine if PII is collected by any of the <Information System Name> components. If PII is discovered, a Privacy Impact Assessment is performed. The Privacy Impact Assessment template used by <CSP> can be found in Section 3. This section constitutes the Privacy Threshold Analysis and findings. 2.1. QUALIFYING QUESTIONS 1) Does the <Information System Name> collect, maintain, or share PII in any identifiable form? No Yes 2) Does the <Information System Name> collect, maintain, or share PII information from or about the public? No Yes 3) Has a Privacy Impact Assessment ever been performed for the <Information System Name>? No Yes 4) Is there a Privacy Act System of Records Notice (SORN) for this system? No Yes, the SORN identifier and name is: If answers to questions 1-4 are all “No” then a Privacy Impact Assessment may be omitted. If any of the answers to question 1-4 are “Yes” then complete a Privacy Impact Assessment. 2.2. DESIGNATION A Privacy Sensitive System Not a Privacy Sensitive System (in its current version) Company Sensitive and Proprietary Page 10
  • 11. PTA and PIA for <Information System Name> Version 0.1 / Date 3. PRIVACY IMPACT ASSESSMENT A Privacy Impact Assessment has been conducted for the <Information System Name> on <date>. 3.1. PII MAPPING OF COMPONENTS <Information System Name> consists of <number> key components. Each component has been analyzed to determine if any elements of that component collect PII. The type of PII collected by <Information System Name>and the functions that collect it are recorded in Table 4-1. Table 4-1. PII Mapped to Components Does this function Reason for Components collect or store PII? Type of PII Safeguards Collection of PII (Yes/No) 3.2. PII IN USE 1) What PII (name, social security number, date of birth, address, etc.) is contained in the CSP service offering? Explain. 2) Can individuals “opt-out” by declining to provide PII or by consenting only to a particular use (e.g., allowing basic use of their personal information, but not sharing with other government agencies)? Explain. Yes. Explain the issues and circumstances of being able to opt-out (either for specific data elements or specific uses of the data): Company Sensitive and Proprietary Page 11
  • 12. PTA and PIA for <Information System Name> Version 0.1 / Date No. Explain: 3.3. SOURCES OF PII AND PURPOSE 3) Does the CSP have knowledge of federal agencies that provide PII to the system? Explain. 4) Has any agency that is providing PII to the system provided a stated purpose for populating the system with PII? Explain. 5) Does the CSP populate the system with PII? If yes, what is the purpose? Explain. 6) What other third party sources will be providing PIIto the system? Explain the PII that will be provided and the purpose for it. 3.4. ACCESS TO PII AND SHARING 7) What federal agencies have access to the PII, even if they are not the original provider? Who establishes the criteria for what PII can be shared? Explain. 8) What CSP personnel will have access to the system and the PII (e.g., users, managers, system administrators, developers, contractors, other)? Explain the need forCSP personnel to have access to the PII. 9) How is access to the PII determined? Are criteria, procedures, controls, and responsibilities regarding access documented? Does access require manager approval? Explain. 10) Do other systems share, transmit, or have access to the PII in the system? If yes, explain the purpose for system to system transmission, access, or sharing. 3.5. PII SAFEGUARDS AND LIABILITIES 11) What controls are in place to prevent the misuse (e.g., browsing) of data by those having access? Explain. Company Sensitive and Proprietary Page 12
  • 13. PTA and PIA for <Information System Name> Version 0.1 / Date 12) Who will be responsible for protecting the privacy rights of the individuals whose PII is collected, maintained, or shared on the system? Have policiesand/or procedures been established for this responsibility and accountability? Explain. 13) Does the CSP annual security training include privacy training? Does the CSP require contractors to take the training? Explain. 14) Who is responsible for assuring safeguards for the PII? Explain. 15) What is the magnitude of harm if privacy related data is disclosed, intentionally or unintentionally? Would the reputation of the CSP or its customers be affected? Explain. 16) What is the magnitude of harm to the individuals if privacy related data is disclosed, intentionally orunintentionally? Explain. 17) What involvement will contractors have with the design and maintenance of the system? Has a contractor confidentiality agreement or a Non-Disclosure Agreement (NDA) been developed for contractors who work on the system? Explain. 18) Is the PII owner advised about whatfederal agencies or other organizations share or have access to the data? Explain. 3.6. CONTRACTS, AGREEMENTS, AND OWNERSHIP 19) NIST SP 800-144 states, “Organizations are ultimately accountable for the security and privacy of data held by a cloud provider on their behalf.” Is this principle described in contracts with customers? Why or why not? Explain. 20) Do contracts with customers establish who has ownership rights over data including PII? Explain. 21) Do contracts with customers require that customers notify the CSP if the customer intends to populate the service platform with PII? Why or why not? 22) Do CSP contracts with customers establish record retention responsibilities for both the Company Sensitive and Proprietary Page 13
  • 14. PTA and PIA for <Information System Name> Version 0.1 / Date customer and the CSP? Explain. 23) Is the degree to which the CSP will accept liability for expose of PII clearly defined in agreements with customers? 3.7. ATTRIBUTES AND ACCURACY OF THE PII 24) Is the PII collected verified for accuracy? Why or why not? Explain. 25) Is the PII current? How is this determined? Explain. 3.8. MAINTENANCE AND ADMINISTRATIVE CONTROLS 26) If the system is operated in more than one site, how is consistent use of the system and PII maintained in all sites? Are the same controls be used? Explain. 27) What are the retention periods of PII for this system? Under what guidelines are the retention periods determined? Who establishes the retention guidelines? Explain. 28) What are the procedures for disposition of the PII at the end of the retention period? How long will any reports that contain PII be maintained? How is the information disposed (e.g., shredding, degaussing, overwriting, etc.)? Who establishes the decommissioning procedures? Explain. 29) Is the system using technologies that contain PII in ways that havenot previously deployed? (e.g., smart cards, caller-ID, biometrics, PIV cards, etc.)? Explain. 30) How does the use of this technology affect privacy? Does the use of this technology introduce compromise that did not exist prior to the deployment of this technology? Explain. 31) Is access to the PII being monitored, tracked, or recorded? Explain. 32) If the system is in the process of being modified and a SORN exists, will the SORN require amendment or revision? Explain. Company Sensitive and Proprietary Page 14
  • 15. PTA and PIA for <Information System Name> Version 0.1 / Date 3.9. BUSINESS PROCESSES AND TECHNOLOGY 33) Does the conduct of this PIA result in circumstances that requires changes to business processes? Explain. 34) Does the completion of this PIA potentially result in technology changes? Explain. 3.10. PRIVACY POLICY 35) Is there a CSP privacy policy and is it provided to all individuals whose PII you collect, maintain or store? Explain. 36) Is the privacy policy publicly viewable? If yes, provide the URL: Company Sensitive and Proprietary Page 15
  • 16. PTA and PIA for <Information System Name> Version 0.1 / Date 3.11. ASSESSOR AND SIGNATURES This Privacy Impact Assessment has been conducted by <name of organization> and has been reviewed by the <CSP> Chief Privacy Officer for accuracy. _________________________________ Assessor Name (Please Print) _________________________________ __________________ Assessor Signature Date _________________________________ __________________ Chief Privacy Officer Signature Date Company Sensitive and Proprietary Page 16
  • 17. PTA and PIA for <Information System Name> Version 0.1 / Date 3.12. ACRONYMS CSP Cloud Service Provider HIPAA Health Insurance Portability and Accountability Act IT Information Technology NIST National Institute for Standards and Technology OMB Office of Management and Budget POC Point of Contact PII Personally Identifiable Information PTA Privacy Threshold Analysis SORN System of Records Notice Company Sensitive and Proprietary Page 17