INSPECTION FOLLOW-UP

An inspection is of little use unless it is the basis for improvement, correction, and management follow-up. The responsibility for implementation of such activity normally resides with the commanding officer (CO) of the command. The CO must, in turn, assign responsibilities for corrective action. The best approach is to summarize each major deficiency on a control sheet, outlining requirements, problem definition, responsibility, action taken or required, and follow-up action. In addition, an indication should be made of the date that action should be completed, or if it is to continue. Some of the corrective action may require additional funds; this should be noted.

Corrective action, follow-up, and disposition of the deficiencies should follow a recurring reporting cycle to upper management. Quarterly reports are recommended for any inspection control items still open.

The final step is a frank and honest evaluation of the inspection itself by AIS facility management and the inspection team. A group discussion should be held with the expressed purpose of improving future inspection procedures and processes. The inspection plan may need to be amended or the team composition may need to be changed. The emphasis of the inspection should always be positive-one of helping AIS management at all levels to improve the security and control of the AIS facility.

DATA PRIVACY

The Privacy Act of 1974 (Public Law 93-579) imposes numerous requirements upon naval commands to prevent the misuse or compromise of data concerning individuals. Navy AIS facilities that process personal data must provide a reasonable degree of protection against unauthorized disclosure, destruction, or modification of personal data, whether it is intentional or results from an accident or carelessness.

Department of the Navy Information Systems Security (INFOSEC) Program, SECNAVINST 5239.3, provides guidelines for use by all Navy organizations in implementing any security safeguards that they must adopt to implement the Privacy Act. It describes risks and risk assessment, physical security measures, appropriate information management practices, and computer system/network security controls.

Department of the Navy Privacy Act (PA) Program, SECNAVINST 5211.5, implements the Privacy Act and personal privacy and rights of individuals regarding their personal records. It delineates and prescribes policies, conditions, and procedures for the following:

Any Department of the Navy system of records possessing a record on an individual must verify it has the record upon the request of the individual.

The identity of any individual requesting personal record information maintained on them must be confirmed before the information is released.

An individual must be granted access to his/her personal files on request.

Any request from an individual concerning the amendment of any record or information pertaining to the individual for the purpose of making a determination on the request or appealing an initial adverse determination must be reviewed.

Personal information is collected, safeguarded, and maintained, and decisions are made concerning its use and dissemination.

The disclosure of personal information, and decisions concerning which systems records are to be exempted from the Privacy Act.

Rules of conduct are established for the guidance of Department of the Navy personnel who are subject to criminal penalties for noncompliance with the Privacy Act.

The Chief of Naval Operations is responsible for administering and supervising the execution of the Privacy Act and SECNAVINST 5211.5 within the Department of the Navy. Additionally, the Chief of Naval Operations is designated as the principal Privacy Act coordinator for the Department of the Navy.

The major provisions of the Privacy Act that most directly involve computer security are found in the following parts of title 5, United States Code (U.S.C.), section 552a:

^1. Subsection (b)-limits disclosure of personal information to authorized persons and commands.

^2. Subsection (e)(5)-requires accuracy, relevance, timeliness, and completeness of records.

^3. Subsection (e)(10)-requires the use of safeguards to ensure the confidentiality and security of records.

The following terminology is used in discussing the treatment of personal data:

Confidentiality. A concept that applies to data. It is the status accorded to data that requires protection from unauthorized disclosure.

Data integrity. The state existing when data agrees with the source from which it is derived, and when it has not been either accidentally or maliciously altered, disclosed, or destroyed.

Data Security. The protection of data from accidental or intentional, but unauthorized, modification, destruction, or disclosure.

Safeguards that provide data protection are grouped into three categories: physical security measures, information management practices, and computer system/network security controls. Specifically, these are:

Physical security measures. Measures for protecting the physical assets of a system and related facilities against environmental hazards or deliberate actions as discussed earlier in this chapter.

Information management practices.

Procedures for collecting, validating, processing, controlling, and distributing data.

Computer system/network security controls.

Techniques available in the hardware and software of a computer system or network for controlling the processing of and access to data and other assets.

Technological safeguards for security risks are presented in figure 4-15. They may be viewed in relation to the control points within a computer

Figure 4-15.-Personal data security risks and technological safeguards.

system/network. This perspective shows the elements of a computer system/network, beginning with the offline storage of personal data in machine-readable media (for example, tapes and disks) and progressing through the many possible processing modes. It includes the use of interactive computer terminals at local and remote locations and the linking of local systems via communications networks. It stresses the value of physical security measures and information management practices, in relation to computer system/network controls.