DoD

February 20, 2014

Think before sending: Protecting PII

Leslie Finstein
502nd Air Base Wing Public Affairs

JOINT BASE SAN ANTONIO-LACKLAND, Texas — Network security is more than just a buzzword. It is an important tool used to secure not just information related to national security but also personal security. The Air Force, Army and the entire Department of Defense take information assurance and the protection of personal information seriously.

As of October 2013, individuals who inappropriately store and transmit personally identifiable information over the Air Force network will have their accounts locked in response to the violation.

“We are taking several steps to improve notification and reporting of PII incidents,” said Gen. William L. Shelton, Air Force Space Command commander. “My intent is to increase awareness within the Air Force as part of my responsibility to ensure the security and defense of the AFNET and its users. PII violations create both

personal and operational risks for all of us.”

Air Force Space Command is the major command responsible for Air Force space and cyber operations. Cyber operations are organized under 24th Air Force, headquartered at Joint Base San Antonio-Lackland.

PII is any information about an individual that can be used directly, or in connection with other data, to identify, contact or locate that person and can include such information as: full name, address, Social Security number, medical, educational, financial, legal and employment records.

This information can come in any form such as hard copy or electronic records stored within data bases or accessible from applications on computers, laptops and electronic devices (government or private) such as Blackberries, smartphones’, etc.

The 68th Network Warfare Squadron and 352nd Network Warfare Squadron on JBSA-Lackland, as the Cyberspace Defense Analysis Weapon System, actively monitors the AFNET for PII breaches and violations. When a PII breach is identified, it is reported to the 624th Operations Center, also on JBSA-Lackland, and the formal reporting process is initiated.

The 624th OC, as the Cyber Command and Control Mission System Weapon System, then reports the AFNET PII breach to the 24th Air Force commander, which will result in locking the violator’s AFNET account and notification to the individual’s wing commander.

“Beginning Oct. 24, [2013] we began locking out the AFNET account of individuals who were found to be inappropriately transmitting PII data via the AFNET,” explained Maj. Gen. J. Kevin McLaughlin, 24th Air Force and Air Force Cyber commander. “A violator’s account will only be unlocked once the fi rst O-6 in their chain of command certifies that the individual has accomplished all necessary actions, to include remedial training.”

These new actions are in addition to, and do not circumvent or replace, the normal Privacy Act notification process which is already in place throughout the Air Force. Air Force Instruction 33-332 governs the PII breach reporting process as well as the consequences for PII violations.

A PII breach is defined as a loss of control,  compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access or any similar term referring to situations where persons other than authorized users, and for an other than authorized purpose, have access or potential access to PII, whether physical or electronic.

For those on the AFNET, JBSA follows the Air Force protocols for PII breaches, requiring individuals who lose network access as the result of a breach to receive authorization from a colonel in their chain of command to reactivate their account and to contact their local information assurance office and customer or client support technician, said Karen Frey, JBSA Freedom of Information Act and Privacy Act officer.

For JBSA personnel operating on the Army network, an individual’s unit leadership determines whether their user account is disabled based on the initial assessment of the U.S. Army Signal Network Enterprise Center, said Jesus Rosa Velez, NEC director for JBSA.

Further punitive actions against individuals responsible for a breach, Rosa Velez continued, are based on the finalized report and seriousness of the incident.

The majority of PII breaches are directly the result of human error either by the individual directly or by second or third parties, said Rosa Velez.

Since his arrival at JBSA in May 2012, Rosa Velez knows of two reported official incidents on the Army network here.

There was a unit that failed to set proper permissions on folder access on a storage drive which could have potentially compromised PII data saved in those folders.

An individual on the Army network here also once accidentally forwarded a series of unencrypted emails containing social security numbers to unit distribution list email address.

Rosa Velez stressed that just because these are the only two he knows of that does not mean other incidents have not occurred. Other units may not have reported incidents to the NEC which is in violation of PII policy.

Units must report all suspected breaches.

“The loss of PII can erode confidence in the ability to protect information, impact business practices and can lead to major legal action,” Rosa Velez said.

Frey recommends personnel kicked off the network for PII violations complete the online training course, the ‘Cyber Awareness Challenge.’ It is an annual requirement for all federal, Department of Defense and intelligence community personnel.

According to the Information Assurance Education, Training and Awareness online training catalog, the ‘Cyber Awareness Challenge’ course is a serious game that simulates key decision points that employees make every day in the course of their duties that could either protect or compromise PII.

The training can be found online at http://iase.disa.mil/eta/online-catalog.html#iaatraining

“One breach is too many,” said Maj. Gen. John Shanahan, Air Force Intelligence, Surveillance and Reconnaissance Agency commander. “A PII breach is neither acceptable nor excusable. It comes down to adhering to well-established guidelines, rules and procedures.”

If you see a PII breach, immediately notify your chain of command or organization privacy act manager/monitor. Commanders, managers, supervisors should ensure that everyone within their units are familiar with “personally identifiable information incident reporting and notification procedures.”

“The report of PII incidents involving actual or suspected breaches/compromises should be reported immediately; preferably within one hour of discovery,” said Rosa Velez.

“Accountability is the word of the day,” Shanahan said. “I expect everyone in the enterprise to be accountable for protecting PII. We need maximum emphasis on this because the downsides of a breach are obvious.”

Adapted from articles by Major Brooke Brander, Air Force Space Command Public Affairs and Wayne Amann, Air Force Intelligence Surveillance and Reconnaissance Agency Public Affairs




All of this week's top headlines to your email every Friday.


 
 

 
(U.S. Air Force photo by Staff Sgt. Courtney Richardson)

Thunderbolt bounces back after belly landingThunderbolt bounces back after belly landing

On the evening of Sept. 30, an A-10 stationed at Davis-Monthan Air Force Base was coming back to base for a routine landing after completing a standard sortie. Just when everything seemed to be going as planned, disaster struck...
 
 
Richardson_pict

Down and out at Dyess: Air Force Assistance Fund to the rescue

It was scary, leaving home and joining an organization such as the United States Air Force. The people, job, and location were all brand new. When I joined the military, I came from a less than honorable home life.  I come fro...
 
 

SrA and below EPR static closeout date to be March 31

JOINT BASE SAN ANTONIO-RANDOLPH, Texas (AFNS) — Enlisted evaluation and promotion changes, announced in July, continue with establishment of a March 31 enlisted performance report static closeout date (SCOD) for Regular Air Force (RegAF) senior airmen and below, Air Force Personnel Center officials said Dec. 5. Additionally, change of reporting official evaluations (CRO) have been...
 

 

Keep holiday sweet tooth in check

LUKE AIR FORCE BASE, Ariz. — Assorted sweets are a big attraction on display in stores and are advertised in television commercials. Despite the effort to escape purchasing them and knowing they’re not healthy, people still tend to crave, buy and gobble them up. On top of the negative impact these treats have on health...
 
 

Master sergeant evaluation board, SNCO promotion changes coming

WASHINGTON (AFNS) — The Air Force continues the phased implementation of its Enlisted Evaluation System and Weighted Airman Promotion System (WAPS) changes with the convening of a master sergeant evaluation board scheduled for May 2015. Evaluation and promotion system changes, scheduled for implementation over the next 16 months for active-duty Airmen, are focused on ensuring job perfor...
 
 

Davis-Monthan EOD detonates WW-II era mortar at Fort Huachuca

An explosive ordnance disposal team from Davis-Monthan Air Force Base, Tucson, safely detonated a World War II-era 81mm mortar on Tuesday at 10:43 a.m. in Area H, Slaughterhouse Wash, at the end of the Libby Army Airfield runway on Fort Huachuca. A rider on horseback reported a sighting of the unexploded ordnance to fort personnel...
 




0 Comments


Be the first to comment!


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>


Directory powered by Business Directory Plugin