PII Definition

Personally Identifiable Information (PII) is information used to distinguish or trace an individual's identity, such as their name, Social Security Number, biometric records, alone or when combined with other personal or identifying information linked or linkable to a specific individual. An item such as date and place of birth, mother's maiden name, or father's surname is PII, regardless of whether combined with other data. SSA defines a PII loss as a circumstance when an employee, contractor or agent has reason to believe that information on hard copy or in electronic format, which contains PII provided by SSA, left the Agency's custody or the Agency disclosed it to an unauthorized individual or entity. PII loss is a reportable incident. 

General

• SSA provided information is sensitive data and as such must be protected and guarded with utmost care.
• SSA Provided information can not be shared with other agencies, states or entities.

Remote access and SSA-provided information

• Users with access to SSA provided information, whether working on-site or remotely, are forbidden from recording, taking pictures of, or capturing screenshots of any SSA-provided information, on any, but not limited to, of the following devices: cell phones, tablets, laptops, video cameras, security cameras, family members with access to workstations that can view PII, etc. 

Access management and administration

• Only the person(s) designated by the Agency Director for the purposes of SSA Ticket to Work Reimbursement program will have access to SSA provided information.  
• The Agency Director will authorize access to SSA provided information based on staff member’s position and duties, and will ensure that only the persons who need to have access will be granted it.
• For the purposes of the "Ticket to Work" reimbursement program, the agency director may nominate a backup person. All of the nominal delegation procedures will apply (background checks, security awareness training attestation, non-disclosure agreement signing, etc.)
• It is strictly prohibited for any official to issue credentials or access authority to themselves or other individuals within their job-function or category of access.
• Agency senior management, namely the agency director, will designate a specific official to issue PINs and passwords, for access to systems working with SSA provided information.
• Agency senior management is to request, from IT Staff, periodic access logs to review employee or contractor systems access, and random sampling of work activity to determine that the access and usage comply with SSA’s requirements.
• If a user is to be subjected to an adverse administrative action (reduction in pay, disciplinary action, termination of employment, temporary lay-off), his or her access to SSA-provided information is to be removed sufficiently in advance of the adverse action to preclude the employee from performing unauthorized activities that involve SSA-provided information (eg. Breach of SSA-provided information.)
• Upon employment separation any employee with access to SSA-provided information will be notified of legal reprecussions of unauthorized and improper distribution of sensitive and private information, including SSA-provided information. 

Safeguarding the SSA-provided PII information while in use, at rest, during transmission or after archiving

• It is prohibited to print out information digitally returned by SSA for ticket to work related purposes.
• When no longer needed for business purposes, the SSA-provided information, either in paper or electronic form, is to be destroyed in accordance to state, federal and program retention and secure destruction requirements.
• Any SSA-provided information in paper files is to be safeguarded in a locked cabinet, in an office locked when not in use, in order to prevent unauthorized personnel from accessing such materials. This includes hardcopy data which may be kept for evidentiary purposes, and is to be disposed, once not needed, as per above requirements.
• Any mail received from SSA will not be opened by a front desk receptionist and will be delivered unopened to the Ticket to Work Reimbursement program director.
• Electronically transmitted data will be transmitted using encrypted communication, and if stored, will be stored in encrypted state, with an encryption key length of at least nine characters.
• Nebraska VR cannot legally process, transmit, or store SSA-provided information in a cloud environment without explicit permission from SSA's Chief Information Officer.
• When no longer needed for business purposes, electronic media will be sanitized by overwriting utilities, or physical destruction in case of read only media. Hardcopy printouts will be shredded in accordance with the secure shredding protocols (placed in the padlocked shredding bin.)
• Information at rest will require department standard confidentiality and integrity protections, as outlined in System Integrity Policy.
• Cryptographic (mathematically encoded) measures will be implemented to ensure security of SSA-provided information, while information is being transmitted, or at rest. Only industry standard cryptographic protocols and mechanisms (eg. TLS, RSA) will be used.

Management oversight and Quality Assurance

• Any employoyee who uses SSA-provided information is prohibited from processing programmatic workloads to make benefit or entitlement determinations from participation in management or quality assurance functions.
• Senior management will periodically initiate a self-review to monitor agency’s ongoing usage of SSA-provided information.
• Senior management will perform random sampling of work activity that involves SSA-provided information to determine if the access and usage comply with NIST’s guidelines.
• Senior management will use “least privilege”, “separation of duties”, and “need-to-know” principles when assigning users access to SSA-provided information.
• IT management will be included in quality assurance functions, to provide subject matter expertise on subjects such as security awareness training, sensitivity of SSA-provided information, safeguarding requirements, operating procedures, and the potential civil and criminal consequences and penalties for misuse and improper disclosure of such information.
• Quality assurance personnel will not be allowed to request or use SSA-provided information.
• Agency management will ensure that the oversight and quality assurance functions perform periodic self-reviews to monitor ongoing usage of SSA-provided information.
• Agency will ensure that management oversight and quality assurance functions perform random sampling of work activity that involves SSA-provided information to determine if the access and usage comply with the terms of the information exchange agreement.
• In lieu of automatic reporting, access logs for both Morrow Tracker and SFTP site will be reviewed weekly by IT management. Any access anomaly will be brought to and discussed with the agency management.
• The FTP site will be checked on a regular basis for software and firmware security updates, as per our usual periodic maintenance policy.
• To ensure that no residual data is left on drives when a user deletes it, Network Recycle Bin will be disabled on the FTP folder.

Annual Certification (NDA, Security Awareness Training Attestation, proper use and securty of systems) for Staff or Contractors with access to systems with SSA-provided data

• Annually, any employee or contractor who has access to SSA-provided data will receive and sign their attestation of receipt for the following:
  • NDA - Non-disclosure agreement
  • Security Awareness Training
  • Proper use and security of systems with access to SSA-provided data
• Staff with access to SSA-provided data will be re-screened annually (document in annual attestation form), and a background screening will be performed every 3 years, with documentation kept in their personnel file.
• Staff with access to SSA-provided data will need to review security awareness training annually.
• Security Awareness Training Attestation form should be kept for a minimum of 3 years.

Penalties

Privacy Act of 1974, 5 U.S.C. 552a imposes penalties for improper access and/or improper disclosure of confidential information. Specifically, 5 U.S.C. 552a (i)(1) provides that any employee of a contractor who by virtue of his/her employment or official position with access to confidential information, who knowingly discloses such information to any person or entity not entitled to receive it shall be guilty of a misdemeanor and a fine not more than $5,000. 

Incident reporting

• If the organization experiences or suspects a breach or loss of PII or a security incident, which includes SSA-provided information, they must notify the State official responsible for Systems Security designated in the agreement. That State official or delegate must then notify the SSA Regional Office Contact or the SSA Systems Security Contact identified in the agreement. If, for any reason, the responsible State official or delegate is unable to notify the SSA Regional Office or the SSA Systems Security Contact within one hour, the responsible State organization official or delegate must report the incident by contacting SSA’s National Network Service Center (NNSC) toll free at 1-877-697-4889 (select “Security and PII Reporting” from the options list). As the final option, in the event SSA contacts and NNSC both cannot be reached, the organization is to contact SSA’s Office of Information Security, Security Operations Center at 1-866-718-6425 The organization will provide updates as they become available to SSA contact, as appropriate. Refer to the worksheet provided in the agreement to facilitate gathering and organizing information about an incident
• VR’s Systems Security Contact responsible for contacting SSA in the event of a data loss or breach:
  • Tibor Moldovan, NDE Tech. Services Administrator
  • Patrick Wright, Nebraska SISO

Dissemination and Review

This policy and procedures outlined within will be reviewed annually, and date and reviewers documented.
This policy and procedures outlined within will be shared with pertinent program and information security staff.

To be included in NDE COOP document:

5. Data Security in case of a disastrous event

a. Business Impact Analysis and Security of SSA-provided information

- In case of a complete power or network outage during a disaster event:

BIA: VR would not be able to accept the SSA provided data, as the transfer service (FTP) relies on a working network connection. This would cause VR to miss the scheduled quarterly transfer, but this service could be resumed once the network is operational.

Security of SSA-provided information: Not Applicable, VR would not possess any SSA-provided information in this case.

- In case of working network but physical inaccessibility to the building:

BIA: There should be limited to no impact to business. Transfer and purging operations can be performed off-site.

Security of SSA-provided information: Security would be enforced by existing processes, namely that the data would be co-mingled with existing VR data, and original files securely deleted.

- In case of building destruction:

BIA: Signifcant impact/inability to process ticket to work reimbursement payments. VR would also be dependent on STC re-enabling their process, after which point VR would need to provide a secure and encrypted FTP storage space.

Security of SSA-provided information: Security would be enforced by the locked server cabinet. Furthermore, the FTP storage is encrypted, so in case SSA-provided data resided on the hard drive, after a power shutdown, it would be in an encrypted state, and only VR authorized administrators would have the ability to unencrypt it.