This document discusses privacy compliance and oversight at the National Security Agency. It provides an overview of the NSA's compliance program, including external and internal oversight. It also covers key concepts like minimization procedures, the four phases of compliance, and different models for the interaction of compliance rules, technology, and operations. The document advocates for building conduits among legal, policy, operations, and technology teams. It also recommends taking a functional approach to compliance and utilizing tagged data and rules architecture to facilitate compliance even as technology changes.
1. Session ID: GRC-R33
Session Classification: Intermediate
John DeLong
Director of Compliance
National Security Agency
Privacy Compliance and Oversight in the National Security Context
3. NATIONAL SECURITY AGENCY
Compliance and Oversight
External Oversight: organizationally and structurally independent
Internal Oversight: structurally (not organizationally) independent
Compliance: verifiable consistency with clearly defined rules
4. NATIONAL SECURITY AGENCY
Minimization Procedures (High Level)
► Specific procedures
► Adopted externally
► Reasonably designed
► In light of the purpose or technique of the particular surveillance
► To minimize the acquisition and retention and prohibit the dissemination of U.S. persons information
► Consistent with the need of the U.S. to obtain, produce, and disseminate foreign intelligence
5. NATIONAL SECURITY AGENCY
Authorization and Regulation
► Specific procedures
► Adopted externally
► Reasonably designed
► In light of the purpose or technique of the particular surveillance
► To minimize the acquisition and retention and prohibit the dissemination of U.S. persons information
► Consistent with the need of the U.S. to obtain, produce, and disseminate foreign intelligence
Four steps: 1. Describe; 2. Authorize + Regulate; 3. Operate; 4. Evaluate
Diagram: under Authorization and Regulation, data moves through Acquire → Process → Retain → Disseminate
6. NATIONAL SECURITY AGENCY
Four Phases of Compliance
The Mission Compliance Program must take into account and tie together all four steps:
1. Descriptions (often complex) must be accurate and at the right level of granularity
2. Specific authorizations and regulation (specific procedures) must be the “root” of all activities conducted
3. Operations and Technology must be consistent with approved procedures, over time and through change
4. Evaluations done in light of each of the previous steps
12. NATIONAL SECURITY AGENCY
Authorizations and Procedures
Authorization 1: Acquire | Process | Retain | Disseminate
Authorization 2: Acquire | Process | Retain | Disseminate
Authorization 3: Acquire | Process | Retain | Disseminate
…
Authorization N: Acquire | Process | Retain | Disseminate
13. NATIONAL SECURITY AGENCY
Authorizations and Procedures (build): the same grid, with Common Function 1 overlaid across the authorizations
14. NATIONAL SECURITY AGENCY
Authorizations and Procedures (build): the same grid, with Common Function 1 and Common Function 2 overlaid across the authorizations
20. NATIONAL SECURITY AGENCY
Documentation Authorizations Rule Automation
Primary Users People People, Systems Systems, People
Predominant
Work Roles
Legal, Policy,
Compliance,
Operations,
Technology
Operations,
Technology,
Compliance, Policy,
Legal
Technology,
Operations,
Compliance, Policy,
Legal
Loading Time Fast Fastest Faster
Transaction /
Access Time
Human speed Fast Very Fast
Interfaces GUI, System GUI, System System, GUI
Rules Architecture Comparison
21. NATIONAL SECURITY AGENCY
Summary
Against the backdrop of constant technology change:
1. Build Conduits: Prioritize controls that build and maintain direct connections among legal, policy, operations, and technology.
► As a compliance professional, avoid becoming those conduits.
2. Consider a Functional Approach: Identify where systems and people fit into the overall operations.
► Design, implement, and monitor controls more functionally, across multiple regulatory slices.
3. Tag the Data Smartly: A rules architecture supports an efficient and effective use of a tagged-data regime.
► This allows proper data handling to be successful even with constant technology change.
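The functional approach (summary item 2) and the tagged-data rules architecture (item 3) in a minimal form, as an added example that is not from the deck or from the NSA: data items carry tags, each authorization is one regulatory slice with per-phase rules, and a single common check function serves every slice across the Acquire/Process/Retain/Disseminate phases. The authorization names, tags and rule bodies are constructed assumptions.

```python
# Tagged-data rules architecture sketch: an added example, not NSA code.
# Authorizations, tags and rule bodies are constructed for illustration.
from dataclasses import dataclass
PHASES = ("acquire", "process", "retain", "disseminate")

@dataclass(frozen=True)
class Record:
    """One data item plus the tags that travel with it (constructed values)."""
    record_id: str
    authorization: str  # authorization the item was acquired under
    age_days: int       # days since acquisition
    us_person: bool     # tagged as U.S. person information

def max_age(days):
    # Retention rule: satisfied while the record is no older than the limit.
    return lambda r: None if r.age_days <= days else f"older than {days} days"

def no_us_person(r):
    # Dissemination rule: tagged U.S. person information may not be passed on.
    return None if not r.us_person else "tagged as U.S. person information"

# Each authorization is one "regulatory slice": phase -> rules for that phase.
# A rule returns None when satisfied, otherwise the reason it failed.
RULES = {
    "AUTH-1": {"retain": [max_age(365)], "disseminate": [no_us_person]},
    "AUTH-2": {"retain": [max_age(30)], "disseminate": [no_us_person]},
}

def check(record, phase):
    """Common function shared by every authorization: may `phase` be applied to
    `record`? Returns (allowed, reasons); unknown authorizations or phases are denied."""
    if phase not in PHASES:
        return False, [f"unknown phase {phase!r}"]
    slice_rules = RULES.get(record.authorization)
    if slice_rules is None:
        return False, [f"no authorization {record.authorization!r}"]
    reasons = [why for rule in slice_rules.get(phase, []) if (why := rule(record))]
    return not reasons, reasons

def evaluate(records):
    """Evaluate step: re-run every phase over every record and report what fails now."""
    results = ((r.record_id, p, check(r, p)) for r in records for p in PHASES)
    return {(rid, p): why for rid, p, (ok, why) in results if not ok}

SAMPLE = [  # constructed records
    Record("r1", "AUTH-1", age_days=10, us_person=False),
    Record("r2", "AUTH-2", age_days=45, us_person=False),
    Record("r3", "AUTH-1", age_days=400, us_person=True),
    Record("r4", "AUTH-9", age_days=1, us_person=False),
]
```

Changing a rule or adding an authorization touches only `RULES`; the common `check` and the `evaluate` sweep stay the same, which is the point of keeping controls functional rather than per-slice.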