Federal CIOs Issue Cloud Computing Privacy Framework - InformationWeek

8/25/2010
01:12 PM
Federal CIOs Issue Cloud Computing Privacy Framework

Poorly planned and executed cloud computing contracts could result in security disaster, warns CIO Council.




Although cloud computing represents a possible solution to the government's rapidly increasing on-premises storage needs, federal agencies need to be aware of "significant privacy concerns" associated with storing personally identifiable information in the cloud, the federal CIO Council says in a new document outlining a proposed policy framework on privacy and the cloud.

Federal privacy regulations control how and where federal agencies hold and process personally identifiable information, and the CIO Council warns that, without consulting their legal and privacy teams and putting a plan into place, federal agencies may run afoul of those regulations.

"Once an agency chooses a cloud computing provider to collect and store information, the individual is no longer providing information solely to the government, but also to a third party who is not necessarily bound by the same laws and regulations," the document says.

Federal agencies need to follow laws like the E-Government Act and the Privacy Act and regulations like the National Institute of Standards and Technology's Special Publication 800-53, but cloud providers are bound by them only to the extent needed to remain able to serve the federal government.

The risks include improperly set contractual terms of service that allow the provider to analyze or search the data; the possibility that the data could become an asset in bankruptcy, that foreign law enforcement may search the data pursuant to a court order or other request, or that the service provider doesn't inform the government of a breach; and the possible failure of the cloud provider to provide a full and accessible audit trail to the government.

Certain privacy laws may also make it harder for agencies to host data on the cloud. For example, the document notes, the Health Insurance Portability and Accountability Act (HIPAA) requires formal agreements before the government can share records with a cloud provider.

Despite the risks, however, the CIO Council notes that "a thoughtfully considered" cloud deployment can, contrary to its earlier warnings, actually enhance privacy and make agency information more secure.

The document recommends agencies maintain a focus on contract language that meets federal privacy needs and regulations, conduct what the CIO Council terms a Privacy Threshold Analysis to determine whether a new system creates privacy risks, and then carry out a Privacy Impact Assessment to assess and help mitigate those risks.

According to the document, Privacy Threshold Analyses should address things like changes in how data is managed, consolidation of data, and new public and inter-agency access and use, while Privacy Impact Assessments should address specifics about the data itself -- what it is, why it's being collected, with whom it will be shared, and so on.
