2.4. Security and Privacy

Security and privacy considerations apply to all three of the DRM's standardization areas. Security defines the methods of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability, whether in storage or in transit. Privacy addresses the acceptable collection, creation, use, disclosure, transmission, and storage of information, its accuracy, and the minimum necessary use of information. The DRM allows for the integration of existing federal information security and privacy policies within each of its standardization areas. Figure 2-6 describes several sets of security/privacy policies and legislation that are applicable to the DRM.
A Security and Privacy Profile (SPP) has been created for the FEA. The FEA SPP provides guidance to agencies to integrate security and privacy requirements across their enterprise architecture, and to ensure security and privacy requirements are addressed in IT programs from their inception. The FEA SPP is currently in the Validation stage. During this stage, the FEA SPP approach and methodology will be validated against Federal experience and insight. An institutional process that includes roles and responsibilities for data stewardship for each project or program in the agency needs to be defined as part of a policy that governs data quality, security, privacy and confidentiality. There are a number of areas that should be addressed in building a Security, Privacy and Confidentiality Policy for an agency. These include:
- Constructing a policy that is compliant with legislation, Executive Orders and Standards
- Addressing sensitivity of information that eliminates possible compromise of sources and methods of information collection and analysis
- Establishing the practices of data stewardship
- Addressing specific data access policies defined by the responsible steward; for example:
  - Data is available for open, unrestricted access
  - Data is accessible only to a group
  - Data access is a function of the person (his or her identity), data about that person (e.g., current position), and data about the environment (e.g., physical location)
  - Data is self-protecting through digital rights management or similar technologies
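The four steward-defined access policy classes above can be expressed as one fail-closed decision function. The following is an added illustration, not code from the DRM or the FEA SPP; the class names, the Subject/Environment attributes and the sample `case_file` rule are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, Optional


class AccessPolicy(Enum):
    """The four access policy classes listed in section 2.4 (constructed labels)."""
    OPEN = "open"                        # available for open, unrestricted access
    GROUP = "group"                      # accessible only to a group
    ATTRIBUTE = "attribute"              # function of identity, person data and environment
    SELF_PROTECTING = "self_protecting"  # enforced by digital rights management


@dataclass(frozen=True)
class Subject:
    identity: str
    groups: FrozenSet[str]
    position: str          # data about the person, e.g. current position


@dataclass(frozen=True)
class Environment:
    location: str          # data about the environment, e.g. physical location


@dataclass(frozen=True)
class DataAsset:
    name: str
    policy: AccessPolicy
    allowed_groups: FrozenSet[str] = frozenset()
    rule: Optional[Callable[[Subject, Environment], bool]] = None


def is_access_permitted(asset: DataAsset, subject: Subject, env: Environment) -> bool:
    """Decide access for one asset; unknown or self-protecting cases fail closed."""
    if asset.policy is AccessPolicy.OPEN:
        return True
    if asset.policy is AccessPolicy.GROUP:
        return bool(asset.allowed_groups & subject.groups)
    if asset.policy is AccessPolicy.ATTRIBUTE and asset.rule is not None:
        return asset.rule(subject, env)
    # Self-protecting data: the decision belongs to the rights-management layer
    # wrapping the data itself, so this steward-side evaluator denies by default.
    return False


# Constructed sample: a steward rule combining group, current position and location.
CASE_FILE = DataAsset(
    name="case_file",
    policy=AccessPolicy.ATTRIBUTE,
    rule=lambda s, e: ("analysts" in s.groups
                       and s.position == "case_officer"
                       and e.location == "agency_facility"),
)
```

Every decision path returns a boolean, so an audit log of (asset, identity, environment, decision) can be emitted from a single point.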
The successful categorization, description and sharing of data depend on the implementation of security for the data being exchanged. Security requirements must be considered at each level of the DRM and, in particular, with regard to the sharing of data. The DRM is designed to allow for the integration of existing federal information security and privacy policies within each of its standardization areas.
Future versions of the DRM will relate the DRM to the FEA SPP, and will apply the results of the FEA SPP validation in expanding on the security and privacy considerations for the DRM.