DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration

PRIVACY IMPACT ASSESSMENT

Data Loss Prevention System
(DLPS)

July 2010

System Overview

The Federal Aviation Act of 1958 gives the Federal Aviation Administration (FAA) the responsibility to carry out safety programs to ensure the safest, most efficient aerospace system in the world. The FAA is responsible for:

Regulating civil aviation to promote safety;
Encouraging and developing civil aeronautics, including new aviation technology;
Developing and operating a system of air traffic control and navigation for both civil and military aircraft;
Developing and carrying out programs to control aircraft noise and other environmental effects of civil aviation; and
Regulating United States (U.S.) commercial space transportation.

One of the programs that help the FAA fulfill this mission is the Office of Financial Services’ Data Loss Prevention System (DLPS), which automates the management of internal controls and improves the efficiency of the FAA’s compliance processes. Symantec’s Data Loss Prevention software automates the scanning and monitoring of sensitive data use within the Office of Assistant Administrator for Financial Services (ABA) and improves FAA’s compliance with the handling of sensitive data. Symantec DLP monitors all ABA workstations, file shares and application/database servers. The scanning and monitoring focuses on these six subject areas:

Social Security Numbers – This policy detects patterns indicating Social Security numbers at risk of exposure.
Credit Card Numbers – This policy detects patterns indicating credit card numbers at risk of exposure.
Encrypted Data – This policy detects the use of encryption by a variety of methods including S/MIME, PGP, GPG, and file password protection.
Privacy Act / Sensitive Security Information / FOUO – This policy matches on the presence of sensitive data markings.
Password Files – This policy detects password file formats such as SAM, /etc/password, and /etc/shadow.
Network Security information – This policy detects evidence of hacking tools and attack planning.

Information, Including Personally Identifiable Information (PII) in the System

The DLPS tool captures PII surrounding each file it flags as violating a defined policy, which includes information identifying the File Owner and the his or her immediate supervisor and any PII in the flagged file, which could pertain to FAA personnel or a member of the public. This PII is captured in DLPS as follows:

DLPS reads the metadata associated with each file that appears to have violated a defined policy. This includes the File Owner name, access dates associated with the file (created, modified, and accessed), and the access rights associated with the file.
The DLPS tool maintains a connection with Active Directory and will use this connection to capture the current business contact information of the File Owner defined in the metadata of the violating file. Through the Active Directory connection, the tool will also capture the business contact information of the violating File Owner’s immediate supervisor.
The business contact information collected includes:

First and Last Name
Phone Number
LOB/SO
Email address

DLPS also captures a sample of text from within the file flagged as violating a defined policy. The sample text could contain PII about an individual FAA employee or contractor or an individual member of the public.

Why DLPS Collects Information

DLPS collects PII in the course of scanning FAA systems to determine if a file has violated a defined policy and to provide an appropriate means to identify the FAA personnel that owns the violating file. The system exists to reduce the data breach risk associated with the exposure of unencrypted sensitive data.

How DLPS Uses Information

FAA systems security personnel (and any contractors assisting them) use the data collected in the tool on a “need to know” basis to determine if the violating file is actually a false positive and to determine the appropriate file owner of the violating file. Determining the file owner is critical for properly remediating the violating file and following up with appropriate training. Information from the tool is used within DOT as follows:

DLPS Users – these individuals can directly access the system and can see specific files that have violated a policy
Reporting to file owner – these reports outline the location of the various violating files owned by that individual file owner.
Aggregate reporting – high-level reporting is reported from the tool. These reports do not contain any sort of PII.

Legal Authority for Information Collection

49 U.S.C. 322, 49 U.S.C. 40122(g), 49 U.S.C. 40101, 40 U.S.C. 1441, 5 U.S.C. 302.

How DLPS Shares Information

Information within DLPS is not shared with any downstream systems. DLPS can generate reporting noting the various incidents that are associated with each Line of Business (LOB), but these reports do not contain PII. The reporting generated from the tool contains detail surrounding the violating file, such as the location of the file and the policy it potentially violated.

How DLPS Provides Notice and Consent

A log-in banner notifies users of DOT IT systems (File Owners) that their log-in constitutes consent to monitoring of their system usage. DLPS does not notify or obtain consent from individuals whose PII is in sample text flagged by DLPS before including their PII in DLPS, because their PII is captured for purposes of securing the PII, not to use the PII.

How DLPS Ensures Data Accuracy

The DLPS tool extracts metadata from each file that has violated a defined policy to determine the file owner. That data is then linked to the tool’s Active Directory connection to determine the business contact information of the file owner. The tool has no ability to update the contact data for the file owner, as that data comes from upstream sources. If the contact information of an individual file owner is not correct, then the person will need to contact the Active Directory team through the helpdesk to have their contact information updated.

How DLPS Provides Redress

Under the provisions of the Privacy Act, individuals may request searches of the DLPS file to determine if any records have been captured in DLPS that pertain to them.

Notification procedure: Individual FAA system users wishing to know if their records appear in this system may inquire in person or in writing to the system manager for DLPS:

Federal Aviation Administration
Privacy Office
800 Independence Ave. SW
Washington, D.C. 20591

The request must include the requester’s name, mailing address, telephone number and/or email address, a description and, if possible, the location of the records requested, and verification of identity (such as, a statement under penalty of perjury that the requester is the individual who he or she claims to be).

Contesting record procedures: Individuals wanting to contest information about themselves that is contained in the DLPS system should make their requests in writing, detailing the reasons for why the records should be corrected should be corrected. Requests should be submitted to the system manager identified above, under Notification Procedure.

For questions relating to privacy go to the FAA Privacy Policy: http://www.faa.gov/privacy/

How DLPS Secures Information

DLPS takes appropriate security measures to safeguard PII and other sensitive data. The DLPS application is hosted on the agency’s dedicated DLPS servers.

Individual users of the system must sign a Rules of Behavior before being granted a login to the tool. Access is not provided until that document is signed and has been handed over to the system administrator.

Because DLPS users can access the DLPS system through a Web browser, access is only possible via the FAA intranet and operates under the FIPS 140-2 compliant Secure Socket Layer (SSL) encryption technology. All transmissions within the DLPS system are encrypted. All users are required to complete and sign the DLPS Rules of Behavior and submit a DLPS user access form to the DLPS system administrator.

The following matrix describes the levels of access and safeguards around each of these roles as they pertain to PII.

ROLE	ACCESS	SAFEGUARDS
DLPS LOB Remediation Role	View and research LOB incidents	Requires all users to have a User ID and Password. Approval passwords are separate from login passwords. Assigned to LOB Head approved personnel Users automatically inactivated after a prescribed number of failed login attempts, and alerts sent to DLPS System Manager Passwords expired after a user-defined time period. Prescribed password parameters (e.g., length, character type). Password data is encrypted. Audit log of successful and failed login attempts; log includes the originating IP address. Views based on content root filtering
DLPS Executive LOB Role	Dashboard Views	Requires all users to have a User ID and Password. Approval passwords are separate from login passwords. Assigned to LOB Head approved personnel Users automatically inactivated after a prescribed number of failed login attempts, and alerts sent to DLPS System Manager Passwords expired after a user-defined time period. Prescribed password parameters (e.g., length, character type). Password data is encrypted. Audit log of successful and failed login attempts; log includes the originating IP address. Views based on content root filtering
DLPS System Manager	Search and view user names and profile information Create and delete scan policy Grant accounts, reset account passwords, disable accounts Delete profiles Setup dashboard views Received Incident reports and alerts Manages incident workflow	Cannot tamper with system logs

In addition the requirements of the Federal Information Security Management Act of 2002 (FISMA), a Security Certification and Accreditation (C&A) was completed for ABA DLPS. The C&A process is an audit of policies, procedures, controls, and contingency planning, required to be completed for all federal government IT systems every three years. All relevant policies, procedures and guidelines, including NIST Special Publication 800-53, have been followed to ensure the security of the system and the information it contains.

How Long DLPS Retains Information

Data in the ABA DLPS is maintained as outlined in the FAA Records Management Order 1350.15C. Cut off at the end of the Fiscal Year in which the record supports. Destroy seven years after cut off in accordance with applicable federal standards in accord with limitations on civil actions by or against the U.S. Government (28 U.S.C. 2401 and 2415) if no longer required for business purposes.

System of Records

DLPS is a system of records subject to the Privacy Act because records about individual File Owners are regularly retrieved by name. The System of Records Notice that cover DLPS is:

DOT/ALL 13, Internet/Intranet Activity and Access Reports.

FAA Privacy Act SORNs can be found at:

http://www.dot.gov/privacy/privacyactnotices/

For questions relating to privacy go to the FAA Privacy Policy:

http://www.faa.gov/privacy/