Appendix C
Information and Information Technology
From Protecting Individual Privacy in the Struggle Against Terrorists (The National Academies).

C.1
THE INFORMATION LIFE CYCLE

As Chapter 1 points out, digital information in use typically goes through a seven-step life cycle. These steps include collection, correction and cleaning, storage, use or analysis, publication or sharing, monitoring and evaluation, and retention or deletion.

C.1.1
Information Collection

The information collected for a program must be appropriate to its purpose. Data minimization requires that only information critical to that purpose be collected, though minimization often conflicts with the temptation to gather more information “just in case” it might be useful later in easing the relevant analytical tasks or even for other possibly relevant purposes. Legislation, regulation, or other governance rules may require that internal or external authorization to collect the information be obtained, including from relevant third parties. The information source(s) and the information itself must be verified as reliable, objective, and compliant with relevant laws.

The government collects information for counterterrorism from many other sources, primarily as extracts from information systems. The government mandates or requests information from many industries: Customs and Border Protection obtains manifests for trucks entering the United States from trucking firms; the Department of Homeland Security (DHS), including the Transportation Security Administration, and the National Aeronautics and Space Administration obtain passenger names and records from airlines; the Justice Department obtains Web search terms, URLs, and other records from the information technology (IT) and telecommunications industries; the National Security Agency obtains phone call records from communications providers; and the Treasury Department obtains suspicious activity reports from the financial community.

In addition, employers, retailers, banks, and travel and telecommunications companies collect data directly from customers as well as from many other government and private sources. Among the largest databases in the world are click-streams collected from Web interactions, second only to retail and scientific databases. For example, it is conventional practice for companies to collect extensive information on prospective employees from financial and educational institutions, law enforcement, former employers, and so forth. Information collection is a significant and growing sector of the information economy.

Finally, the government obtains a great deal of data from private data brokers, who aggregate data on individuals from all legally available sources. Because the data are collected by private parties, much of the data are not subject to existing restrictions on government collection efforts.

C.1.2
Information Correction and Cleaning

A significant practical and research challenge is to ensure that the information is correct, accurate, and reliable. This is aided by ensuring reliable information provenance and the use of automated and human data validation techniques. For example, automated techniques could easily recognize as anomalous an indicator of pregnancy in the medical records of a male. Moreover, in certain instances, laws govern the rights of an individual to correct information errors in commercial applications, for example in one's credit report. If the individual finds what he or she believes to be an error, documentation of that error can be provided and the error corrected. If the party providing the data does not agree that it made an error, the individual has the right to insert into the record a statement of limited length providing his or her side of the story. To the best of the committee's knowledge, individuals negatively affected by counterterrorism programs as the result of data errors have no comparable ability. Indeed, for national security reasons, individuals are not permitted to review the data on which adverse decisions are based, even though they may experience the negative consequences (e.g., by being denied boarding on a plane).

C.1.3
Information Storage

To be used subsequent to collection, information must be stored in some information repository, often an electronic database. The storage mechanism must maintain the data quality, reliability, and accuracy while ensuring operational characteristics such as robustness to failure and scalability to accommodate both data and processing volumes. In addition, since information systems have vulnerabilities and are subject to threats, appropriate data stewardship must be enforced.

Whereas banks and telecommunications companies rate highest in information protection, many industries, and the government in particular, rate considerably lower. Increasingly, laws or regulations govern the storage and management of information both at rest (i.e., on a storage device) and in motion (i.e., as it traverses communications networks), thus mandating improvements in data stewardship. For example, regulations requiring the encryption of information on a detachable storage medium or transmitted through a communications channel can be used to protect information at rest and in transit.

C.1.4
Information Analysis and Use

The step of information analysis and use involves the use of the program during its operational lifetime to deliver the services defined in the purpose and the rational basis and tested in the experimental basis. As with information storage, information processing must meet operational requirements such as robustness and scalability.

As stated in the committee's proposed framework (see Chapter 2) and others, a program must be used solely as defined in the approved purpose and rational basis (i.e., requirements). Additional uses must be reviewed and approved as an extension to the approved purpose. For example, if a law enforcement program were applied to counterterrorism, that new use should be reviewed under the relevant laws and regulations. Unfortunately, unless protected by a privacy policy, commercial information systems are often used for purposes unanticipated by customers, e.g., customers receiving marketing and promotional material unrelated to the ticket that they purchased from an airline. In approving additional uses of information, one need not specify the precise method of analysis, since that is often difficult to anticipate; only the general purpose to which the information will be directed needs to be specified.

C.1.5
Information Sharing

A major counterterrorism theme that has emerged since September 11 (9/11) is the notion of information sharing: that U.S. counterterrorist efforts will be more effective when the relevant agencies can easily and effectively cooperate and share information.[1] The National Counterterrorism Center (NCTC) was established to serve as a multiagency center analyzing and integrating all intelligence pertaining to terrorism, including threats to U.S. interests at home and abroad. NCTC also is responsible for developing, implementing, and assessing the effectiveness of strategic operational planning efforts to achieve counterterrorism objectives.

Compared to the relevant policy and practices, the technology for sharing information is relatively well developed. Today, modern information systems live in an ecosystem of other information systems and services, accessible enterprise-wide over an intranet or worldwide over the Internet, and it is increasingly common for both raw information and analytical results to be published electronically.

A modern information system obtains information and services from many other information systems, in some cases thousands of information systems, and reciprocally provides information and services. Such ecosystems developed originally to increase automation by eliminating paper or electronic reports that were exchanged with humans or other systems by largely human means. Currently such ecosystems permit organizations to modify and enhance their businesses with great speed and agility. Customers have the convenience of reserving a trip with a travel agent and having all of the relevant hotels, car rental agencies, airlines, credit card companies, and banks handled transparently. While information systems' interoperation and information sharing are a convenience for a customer, they are a business-critical requirement in almost every business.

Clear civil liberties concerns arise when information is shared and repurposed without restriction. Hence, the committee's framework lists the criteria and best practices that are required to protect civil liberties, including appropriateness, agency and external authorization, defined purpose, and assessment, as discussed below.

[1] See, for example, National Security Council, National Strategy for Combating Terrorism, National Security Council, Washington, D.C., September 2006, available at http://www.whitehouse.gov/nsc/nsct/2006/; National Commission on Terrorist Attacks upon the United States, The 9/11 Commission Report, U.S. Government Printing Office, Washington, D.C., July 2004; and three reports of the Markle Foundation Task Force on National Security in the Information Age, Markle Foundation, New York, N.Y., available at http://www.markletaskforce.org/: Protecting America's Freedom in the Information Age (2002), Creating a Trusted Network for Homeland Security (2003), and Mobilizing Information to Prevent Terrorism: Accelerating Development of a Trusted Information Sharing Environment (2006).

C.1.6
Information Monitoring

An information program must be continuously monitored and assessed to ensure that it is effective in achieving its purpose and that it complies with all relevant laws, regulations, and governance. The committee's framework lists several relevant criteria for which there are best practices, including audit trails, auditing for compliance with existing laws, ensuring reporting and redress of false positives and related impacts on individuals, and having in place a privacy officer, training, agency authorization, and external authorization.

One of the most challenging aspects of information-intensive systems is evaluating their efficacy or their effectiveness relative to their purpose. The growth in data, transactions, and analytical volumes is a direct measure of the value and the efficacy of data and information processing. The continued growing investment in these programs is a direct measure of their effectiveness in promoting economic competitiveness in the marketplace.[2] More specifically, each industry and application domain, such as telecommunications billing, has well-defined measures of efficacy or business effectiveness. For example, two of the many telecommunications billing metrics are time and cost to produce. An extreme example involves Wall Street arbitrageurs who search the entire history of stock market trades and simultaneous trades as they occur on all U.S. trading floors and find, on a regular basis, investment opportunities in hundredths of seconds. Typically there are best practices and defined standards for assessing effectiveness, as called for in the committee's framework. Following information system best practices, counterterrorism programs should have efficacy metrics defined for them against which they can be assessed.

[2] In 2005, the information technology products sector accounted for $640 billion or 2.8 percent of the U.S. Gross Domestic Output, while the communications sector accounted for $514 billion or 2.25 percent. The IT sector has experienced a 2.7 percent compound annual growth rate (CAGR) since 1998, and the communications sector a 6.5 percent CAGR (U.S. Department of Commerce, Bureau of Economic Analysis, "Gross Domestic Product: Fourth Quarter 2006 (Advance)," available at http://www.bea.gov/newsreleases/national/gdp/2007/gdp406a.htm; Andrew Bartels, U.S. IT Spending Summary: Q 00, Forrester Research, Inc., Cambridge, Mass., November 29, 2006).

C.1.7
Information Retention

The final step of the information life cycle involves the retention or deletion of information based on a defined retention period, data quality, data minimization, or other criteria.[3] Data retention refers to the period of time during which an organization can or must retain data in its automated and manual records. A data retention requirement may be that data can be kept no longer than the defined period or that it must be kept at least until the defined period is over. When a data item is to be deleted, all copies of the item must be found and deleted from all automated and manual records. In the context of this report, data retention is a privacy and civil liberties issue when applied to personally identifiable information (PII) such as name plus Social Security number.

[3] Data Privacy and Integrity Advisory Committee, Framework for Privacy Analysis of Programs, Technologies, and Applications, Report No. 2006-01, U.S. Department of Homeland Security, Washington, D.C., adopted March 7, 2006.

The increased digitization of individuals' personal and professional lives has led to dramatic increases in the amount of PII that is stored in automated and manual records. While this information provides significant value and convenience, it also exposes people to risks such as identity theft, one of the most frequent crimes in the United States, and to other digital crimes and loss of privacy. One report indicates that over 168 million data records were compromised in security breaches in the United States from January 2005 to October 2007.[4] To protect the public from such crimes, state and federal governments have passed many laws and regulations[5] and are continuing to draft new laws and regulations in response to the increased risks related to the growth of retained PII and the power of current technologies. These laws and regulations define data retention periods for specific types of data.

[4] Privacy Rights Clearinghouse, "A Chronology of Data Breaches," posted April 20, 2005, available at http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP.

[5] See, for example, U.S. Congressional Research Service, Data Security: Protecting the Privacy of Phone Records, RL33287, Congressional Research Service, Library of Congress, Washington, D.C., updated May 17, 2006.

Information retention poses complex and unresolved business, legal, and technical issues. In the normal course of business, data must be retained relative to the relevant business cycle, e.g., monthly, quarterly, or annual billing cycles, and to the much longer, e.g., 10-year, statute of limitations periods during which legal disputes could arise and be prosecuted. At the same time, organizations may want to delete data to reduce their exposure to compliance irregularities or to potential legal discovery by data forensic techniques, as with the e-mail trails in the Enron case and the voice mails in a case involving Hewlett-Packard. Businesses must meet the requirements of relevant regulations; Sarbanes-Oxley is one of hundreds that are applicable to specific data types in specific business contexts.

Legal issues include evolving and conflicting laws, regulations, and government requests. Within the United States, there are more than 45 different state data security and privacy laws and several evolving federal laws. Government agencies make conflicting requests. The Department of Justice (DOJ) and DHS requested lengthy retention periods to fight child pornography (e.g., 20 years) and terrorism (e.g., forever), respectively. At the same time, the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) requested shortened retention periods, e.g., 90 days, to protect privacy and other civil liberties.

Technical issues involve keeping up with evolving data retention requirements, mediating between conflicting requirements, and simply implementing data retention policies covering unimaginable volumes of data. Information sharing causes information to be copied and distributed to other systems within an organization or via the Internet across the world. One form of information distribution is to publish it on paper or digital media, as reports, or for technical purposes such as backup and disaster recovery. Implementing a data retention policy requires that all copies be traced or identified so that they can be deleted in compliance with the relevant policy. As the requirements change, so must the technical solutions for managing the data retention policy as it applies to all copies. Entirely new content and record management technologies are being developed to automate data retention policies. Positive impacts of data retention laws and regulations include data minimization (eliminating all data that are not essential to the relevant business purpose) and raising the previously low priority of data protection and security in all organizations.

C.1.8
Issues Related to Data Linkage

Additional issues arise when information is assembled or collected from a variety of sources for presentation to an application. Assembling such a collection generally entails linking records based on data fields such as unique identifiers (if present and available) or less perfect identifiers (such as combinations of name, address, and date of birth). In practice, it is often the case that data may be linked with little or no control for accuracy or ability to correct errors in these fields, with the likely outcome that many records will be linked improperly and/or that many other records that should be linked are not linked. Without checks on the accuracy of such linkages, there is no way of understanding how errors resulting from linkage may affect the quality of the subsequent analysis. (For more on issues related to data linkage, see Appendix H.)

C.1.9
Connecting the Information Life Cycle to the Framework

The framework defined in Chapter 2 of this report provides guidance on information practices to achieve efficacy of counterterrorism programs while ensuring adequate civil liberties protections. All information practices related to information-based programs can be considered in the context of the typical information life cycle. Each step of the life cycle is governed by prevailing laws, regulations, and governance rules intended to protect confidentiality, intellectual property, and, for example, in the intelligence community, classified information.

Efficacy and civil liberties issues arise in each step of the information life cycle. Hence, the effective and appropriate use of information programs involves the use of relevant best practices in each step.[6] The term "best practice" refers to a practice or solution that is known to have worked well according to the requirements. The name "best practice" is misleading, since a best practice is seldom proven to be best or to work in all circumstances. Even where best practices are effective, they are used in less than 30 percent of applicable cases.

[6] D. Aron and A. Rowsell-Jones, Success with Standards, Gartner EXP, Stamford, Conn., May 2006; IT Governance Institute (ITGI), IT Governance Global Status Report—2006, ITGI, Rolling Meadows, Ill., 2006.

These issues and practices also arise in and pose challenges for information-intensive programs in the private sector. For example, most commercial enterprises publish a privacy policy that defines how they treat customer information in each step of the information life cycle. Privacy policies generally define what information is collected, indicate customer rights to correct the information, state that the information is stored and used by the enterprise (typically at its discretion), describe what information will be shared under specific circumstances, pledge to monitor its appropriate use, and finally, say how long the information will be retained. Hence, the committee's framework calls for a privacy officer to oversee these issues for each counterterrorism program.

The main criterion on which a program is evaluated is its purpose or objective. All other evaluation criteria are based on the program's stated purpose or objective. Due to the investment in resources and the impact programs can have, programs require a sound rational and experimental basis. In information systems terminology, the rational basis is expressed in terms of systems requirements that define precisely what the information system is to do and how it is to operate. The purpose and rational basis must be evaluated relative to the relevant real-world requirements and the prevailing laws and regulations. Once approved, this acts as the approved basis for the program. It is the nature of programs that their requirements evolve constantly. When they do, they must be evaluated and approved, as were the original requirements. The experimental basis is proven, objectively, during various testing and user acceptance tests in which the information system is tested in all possible environments against the outcomes defined in the systems requirements. The purpose, along with the rational and experimental bases, must cover all steps of the information life cycle and be fully documented.

C.2
THE UNDERLYING COMMUNICATIONS AND INFORMATION TECHNOLOGY

C.2.1
Communications Technology

Twenty-first century communications technology is in a continuing phase of rapid growth, evolution, and transformation. Today, there are more than 5,600 telecommunications providers in the United States. Whereas in the past providers were distinguished by the technology of the communications medium involved, more recently deregulation and advances in technology have led to a convergence of technologies and companies, and today any company can become a telecommunications provider, thus expanding both the number of service providers and the types of communications services. For example, the Shell Oil Company is treated for certain purposes as a communications service provider because it provides its customers Internet-based services with which to check or modify heating or other electrical appliances in their homes.

The scale of communications network usage is almost beyond imagination and growing rapidly. In the United States, the average annual growth rate in wireless calls, VoIP calls, and e-mail has been around 50 percent. In addition to these conventional forms of communication there is a wide range of new services such as instant messaging, short message service (SMS), video messaging, and a plethora of new business services communicated over the Internet. These communications are also enormous in data volume. A 2003 rough estimate[7] of annual data volumes claimed over 9 exabytes of wireline calls and over 2 exabytes of wireless calls, with over 1.5 petabytes of Internet traffic. A rough approximation of an exabyte is 100,000 times the data volume that corresponds to the more than 19 million books in the Library of Congress.

[7] P. Lyman and H.R. Varian, How Much Information? 2003, retrieved from http://www.sims.berkeley.edu/how-much-info-2003 on May 13, 2008.

The data associated with telecommunications fall into three categories:

• The actual communication or content of the communication. In general, but depending on the nature of the service, communications providers are precluded from examining content except for technical reasons such as improving quality of service.

• The information required to manage and process the call, e.g., the source number, the destination number, the start time, and the end time, called call data records (CDRs). (Such information is generally known as customer proprietary network information (CPNI).) Communications providers retain the management data for billing and other technical and business purposes, such as detection and prevention of telecommunications fraud, and thus maintain vast data repositories of CDRs (in the petabyte range). For example, in 2001 AT&T reported generating more than 300 million CDRs per day for 100 million long-distance accounts.

• Subscriber information, such as address, credit and billing information, and descriptions of services provided. As services become more sophisticated, the need for additional subscriber information grows to further define services and increase ease of use. For example, customer profiles kept by service providers on the Internet often include detailed preferences so that the automated service can meet customer needs without having to request that information on each use.

Telecommunications companies collect data in all three categories. Access to CPNI is strictly governed by federal and other legislation and by telecommunications regulations, with severe penalties for each violation. Due to the significant growth in the types of communications services and a continuing large growth in communications volumes, as well as significant advances in technology, the nature, management, and governance of CPNI must be constantly updated, and laws, regulations, and practices must be revised to reflect new and emerging opportunities and threats, including those related to counterterrorism and civil liberties. One illustration of the need for rebalancing is an ongoing tension between the FCC, the FTC, and civil liberties interests (which have argued for reducing the time that service providers retain CPNI) and DHS and DOJ (which have argued for increasing retention time in case it is required for terrorist, legal, or other security purposes).

Access to data in the other categories provides a more highly revealing portrait of personal behavior and is covered by law (although not telecommunications law).

C.2.2
Information Technology

For most citizens in daily life, the world is increasingly digital. Citizens apply electronically for government services, such as passports and licenses. In an increasingly cashless society, consumers engage in numerous financial transactions that are precisely recorded, often including the location and time. Whether for entertainment, personal, or professional purposes, clicks on the Internet are recorded for future use. Every trip is recorded, from the airline, hotel, and car rental reservations to the actual events of the trip. Increasingly, people and organizations publish detailed aspects of themselves, including electronic calendars, photographs, videos, music, and aspects of their personal lives. Increasingly, activities in public places, stores, and enterprises are recorded and stored by surveillance systems. Educational institutions, e.g., flight schools, record their members' activities. Employers record and retain extensive information on employees. With the increasing use of technologies such as RFID (radio frequency identification) tags, objects that people own and use provide personal information that can be read at a distance; for example, automobile and appliance parts, articles of clothing, retail products, and electronic devices such as telephones, personal digital assistants, and computers can communicate information such as location, status, and temperature.

Moreover, the very types of personal information that can be collected are proliferating. For most of the 20th century, digital information referred to structured information such as name, address, telephone number, purchase order number, and the like. In the 21st century, digital information has expanded to include anything that can be represented digitally, such as graphics, music, and video. There is a dramatic growth in unstructured information, captured, for example, by the 4.2 million closed-circuit television (CCTV) cameras in Britain (about one for every 14 people) and other surveillance cameras in the United States, much of it stored for future processing.

The scale of information processing undertaken in the United States is unimaginably large. Fortune 500 companies and large federal agencies are likely to have more than 5,000 information systems each, with one or more databases. It would be rare to find any business of any size in the United States that did not have a significant investment in information systems and databases. The largest databases in the world, according to the 2005 biennial Winter Corporation survey,[8] exceeded 23 terabytes (TB) for transactional databases and more than 100 TB with 3 trillion entries for data warehouses, which is equivalent in data volume to 10 times the contents of the Library of Congress. Growth rates over 2 years for these databases were between a factor of 2 for transactional databases and a factor of 3 for the largest data warehouse. Over the past 4 years the average database size rose 243 percent, while the maximum size rose 578 percent. The use of these databases, or workloads, is equally staggering. The largest transactional workload was 1 billion SQL statements (e.g., a database query) per hour, with an average of 35 million; the largest data warehouse (query only) workload was 30 million per hour, at an average of 2 million per hour. (SQL is a computer language for accessing and querying databases.) Winter estimated in 2005 that by 2008 transactional workloads would have grown 174 percent while data warehouse workloads would have quadrupled. While individual databases and their use are growing dramatically, so is the total number of databases.

[8] K. Auerbach, 2005 TopTen Program Summary: Select Findings from the TopTen Program, Winter Corporation, Waltham, Mass., May 2006.

C.2.3
Managing Information Technology Systems and Programs

There are many formally defined private-sector[9] and government[10] IT assessment frameworks, i.e., guidelines and best practices, for improving IT governance, transparency, and performance management, as well as improving specific areas, such as security,[11] privacy,[12] and information fairness.[13] These frameworks are intended to quantify difficult-to-evaluate information systems objectives such as information systems effectiveness, quality, availability, agility, reliability, accuracy, completeness, efficiency, compliance with applicable regulations, and confidentiality. Although these criteria are difficult to define and evaluate, they are common requirements that the IT industry must evaluate for all critical systems on a regular basis. While there is never a simple or discrete answer, the IT industry must make its best approximation.

Three of the 30 most widely followed frameworks are Control Objectives for Information and Related Technologies (COBIT), IT Infrastructure Library (ITIL), and International Organization for Standardization (ISO)

[9] D. Aron and A. Rowsell-Jones, Success with Standards, Gartner EXP, Stamford, Conn., May 2006; The IT Governance Institute (ITGI), IT Governance Global Status Report—2006, ITGI, Rolling Meadows, Ill., 2006.

[10] U.S. General Accounting Office (GAO), Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, GAO-04-394G, Version 1.1, GAO, Washington, D.C., March 2004.

[11] U.S. Office of Management and Budget, "Security of Federal Automated Information Resources," OMB Circular A-130, Appendix III, available at http://www.whitehouse.gov/omb/circulars/a130/a130appendix_iii.html, revises procedures formerly contained in Appendix III to OMB Circular No. A-130 (50 FR 52730; December 24, 1985) and incorporates requirements of the Computer Security Act of 1987 (P.L. 100-235) and responsibilities assigned in applicable national security directives; W.H. Ware, ed., Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security, AD # A076617/0, Rand Corporation, Santa Monica, Calif., February 1970, reissued October 1979; Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. § 3541, et seq.).

[12] Data Privacy and Integrity Advisory Committee, Framework for Privacy Analysis of Programs, Technologies, and Applications, Report No. 2006-01, U.S. Department of Homeland Security, Washington, D.C., adopted March 7, 2006.

[13] U.S. Department of Health, Education, and Welfare, Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens, Code of Fair Information Practices, July 1973, available at http://aspe.hhs.gov/datacncl/1973privacy/tocprefacemembers.htm.

OCR for page 120
 PROTECTING INDIVIDUAL PRIVACY IN THE STRUGGLE AGAINST TERRORISTS 17799.14 In comparison with COBIT, which has 34 high-level objectives that cover 215 control objectives, the committee’s framework has two high-level objectives (i.e., effectiveness, and consistency with U.S. laws and values) that cover 30 control objectives. Although no one framework has the same high-level and control objectives as the committee’s frame- work, they nevertheless provide guidance for achieving all of the com- mittee’s information and communications technologies criteria. Analysts advise that organizations judiciously select specific frameworks or criteria based on their relevance to well-defined objectives and the readiness of the organization to apply them.15 This method applies also to implement- ing the committee’s framework. Most IT organizations surveyed worldwide16 and in the United States17 have adopted a framework. While many have developed their own, there is increasing adoption of formal frameworks based on reports of their efficacy, such as a 30 percent increase in productivity over 2 years through a consistent application of formal frameworks.18 Failures with framework implementation are often related to inappropriate selection of criteria, as well as to formulaic implementations that emphasize process and checklists by those who do not understand the objectives or how to evaluate whether they have been achieved. 14 The IT Governance Institute (ITGI), IT Goernance Global Status Report—00, ITGI, Roll- ing Meadows, Ill., 2006. 15 D. Aron and A. Rowsell-Jones, Success with Standards, Gartner EXP, Stamford, Conn., May 2006. 16 The IT Governance Institute (ITGI), IT Goernance Global Status Report—00, ITGI, Roll- ing Meadows, Ill., 2006. 17 C. Symons, IT Goernance Surey Results: More Work to Be Done, Forrester Research, Cambridge, Mass., April 14, 2005. 18 D. Aron and A. Rowsell-Jones, Success with Standards, Gartner EXP, Stamford, Conn., May 2006.