Board Report: June 2, 2008
Highly publicized incidents have drawn attention to the risks associated with the theft or loss of confidential information, including Personally Identifiable Information (PII). In response, the Office of Management and Budget issued guidance outlining agencies' responsibilities for safeguarding and protecting sensitive information that is processed on computers and related hardware.
In light of the enhanced government-wide attention on securing PII, the Staff Director for Management (Staff Director) expressed interest in an analysis of steps that other agencies were taking to mitigate the risk of theft or loss of laptops and confidential information while employees are traveling or working outside of their offices. Because we also saw value in obtaining insights into other agencies' processes, we performed an evaluation that involved compiling policies, procedures, and requirements for safeguarding electronic devices and confidential information for nine federal agencies, including four federal financial regulators. We then compared the other agencies' requirements to the Board's policies and procedures that address handling PII and other sensitive or confidential information.
We discussed the results of our evaluation (restricted because of the sensitivity associated with work related to safeguarding confidential information) during a briefing to the Staff Director and the Director of Information Technology. Overall, we found that the Board's policies address almost all of the other agencies' requirements for reducing the risk of theft or loss of confidential information while employees are traveling or working outside of their offices. Nevertheless, we made several suggestions to the Staff Director that we believe will further enhance the effectiveness of the Board's policies. In addition, we commended the Board's plans to develop a web page to build awareness of privacy issues, and suggested that the web page provide a central source of information and guidance that integrates Board policies, procedures, and practices related to safeguarding confidential information and PII.
