Privacy Compliance and Oversight in the National Security Context


Slide 1: Privacy Compliance and Oversight in the National Security Context
John DeLong, Director of Compliance, National Security Agency
Session ID: GRC-R33; Session Classification: Intermediate

Slide 2: High-Level Privacy Compliance Taxonomy
Diagram labels: Define Roles; Privacy Compliance; Specific Procedures; Compliance Program; What We Comply With (Externally Approved); How We Stay Compliant; Director of Compliance.

Slide 3: Compliance and Oversight
- External Oversight: organizationally and structurally independent.
- Internal Oversight: structurally (not organizationally) independent.
- Compliance: verifiable consistency with clearly defined rules.

Slide 4: Minimization Procedures (High Level)
- Specific procedures, adopted externally.
- Reasonably designed, in light of the purpose or technique of the particular surveillance.
- To minimize the acquisition and retention, and prohibit the dissemination, of U.S. persons information.
- Consistent with the need of the U.S. to obtain, produce, and disseminate foreign intelligence.

Slide 5: and Regulation
1. Describe
2. Authorize + Regulate
3. Operate
4. Evaluate
(The diagram repeats the minimization-procedures bullets from slide 4 under the label "Regulation".)

Slide 6: Four Phases of Compliance
The Mission Compliance Program must take into account and tie together all four steps:
1. Descriptions (often complex) must be accurate and at the right level of granularity.
2. Specific authorizations and regulation (specific procedures) must be the root of all activities conducted.
3. Operations and Technology must be consistent with approved procedures, over time and through change.
4. Evaluations are done in light of each of the previous steps.

Slide 7: Documentation Accuracy (Governance)

Slide 8: Two Models of Interaction
(Diagram of two models, each built from the elements Rules, Compliance, Operations, and Technology.)

Slides 9-10: Documentation Accuracy (In Practice)
(Diagram; only its labels survive: ABCD, A, B, C, D, "B and C", "C and D", AB, CD, CCO, L,P.)

Slide 11: Functional Approach (Risk Management)

Slides 12-14 (progressive build of one diagram): […]s and Procedures N; Common Function 1; Common Function 2.

Slide 15: Rules Architecture (Compliance++)

Slide 16: Rules Architecture (High Level)
Diagram layers: […]s; Documentation; Rules; Automation.

Slides 17-19 (progressive build of one diagram): Rules Architecture (More Detail); […]s Link to Documents; Automation Connects Documentation and […]s
- Authorization-style records of the form {auth1, duration1, tags1, …}, {auth2, duration2, tags2, …}, linked to Documentation.
- Rules expressed as "if ( ) then".
- Automation applying the rules across the data lifecycle: Acquire, Process, Retain, Disseminate.

Slide 20: Rules Architecture Comparison (columns: Documentation; […]s; Rule Automation)
- Primary Users: People | People, Systems | Systems, People
- Predominant Work Roles: Legal, Policy, Compliance, Operations, Technology | Operations, Technology, Compliance, Policy, Legal | Technology, Operations, Compliance, Policy, Legal
- Loading Time: Fast | Fastest | Faster
- Transaction / Access Time: Human speed | Fast | Very fast
- Interfaces: GUI, System | GUI, System | System, GUI
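An added illustration, not code from the presentation or from NSA, of the rules architecture described on slides 16-20: authorizations as structured {auth, duration, tags} records that link back to a governing document, rules as if/then checks, and automation applying them at each lifecycle step (acquire, process, retain, disseminate). Every identifier, tag name, retention period and the simplified minimization rule below are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Data-lifecycle steps named on slide 19
LIFECYCLE = ("acquire", "process", "retain", "disseminate")

@dataclass(frozen=True)
class Authorization:
    """Record in the {auth, duration, tags, ...} form (field meanings are assumptions)."""
    auth: str           # identifier of the externally approved authorization
    duration: int       # retention period in days (assumed unit)
    tags: frozenset     # data tags this authorization covers
    doc_ref: str        # link back to the governing document

@dataclass(frozen=True)
class DataItem:
    """A tagged data item, recorded with the authorization it was acquired under."""
    tags: frozenset
    acquired: date
    auth: str

def evaluate(item, authorizations, action, today):
    """Apply the if/then rules for one lifecycle action.

    Returns (allowed, reason); every denial names the rule that fired so the
    decision can be traced back to documentation during the evaluation phase.
    """
    if action not in LIFECYCLE:
        return False, f"unknown lifecycle action {action!r}"
    auth = authorizations.get(item.auth)
    if auth is None:  # rule: a specific authorization is the root of every activity
        return False, f"no authorization {item.auth!r} on record"
    uncovered = item.tags - auth.tags  # rule: every tag must be covered by that authorization
    if uncovered:
        return False, f"tags {sorted(uncovered)} not covered by {auth.auth} ({auth.doc_ref})"
    if action == "disseminate" and "us_person" in item.tags:  # simplified minimization stand-in
        return False, "dissemination of us_person-tagged data prohibited by minimization rule"
    if action != "acquire" and today > item.acquired + timedelta(days=auth.duration):
        return False, f"retention period of {auth.duration} days under {auth.auth} exceeded"
    return True, f"permitted under {auth.auth} ({auth.doc_ref})"

# Constructed sample authorization table (hypothetical identifiers)
AUTHS = {"AUTH-1": Authorization("AUTH-1", 90, frozenset({"foreign_intel", "us_person"}), "DOC-1 s.3")}

def make_item(tags, acquired_iso, auth):
    """Build a DataItem from an ISO date string (constructed input helper)."""
    return DataItem(frozenset(tags), date.fromisoformat(acquired_iso), auth)

def lifecycle_report(item, today_iso):
    """Evaluate every lifecycle step for one item; returns {action: (allowed, reason)}."""
    today = date.fromisoformat(today_iso)
    return {a: evaluate(item, AUTHS, a, today) for a in LIFECYCLE}
```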

Slide 21: Summary
Against the backdrop of constant technology change:
1. Build Conduits: prioritize controls that build and maintain direct connections among legal, policy, operations, and technology. As a compliance professional, avoid becoming those conduits.
2. Consider a Functional Approach: identify where systems and people fit into the overall operations. Design, implement, and monitor controls more functionally, across multiple regulatory slices.
3. Tag the Data Smartly: a rules architecture supports an efficient and effective use of a tagged-data regime. This allows proper data handling to succeed even with constant technology change.