References
Legislative Drivers (Public Laws):
Children's Online Privacy Protection Act (COPPA) of 1998 (Public Law 105-277), (15 U.S.C. Section 6501 et seq.), and implementing regulations (16 CFR, Part 312)
http://www.coppa.org/coppa.htm
Clinger-Cohen Act of 1996 (Public Law 104-106) (February 10, 1996) (also known as the Information Technology Management Reform Act)
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=104_cong_public_laws&docid=f:publ106.104
Computer Fraud and Abuse Act of 1986 (Public Law 99-474) (October 16, 1986)
http://www.usdoj.gov/criminal/cybercrime/1030_new.html
Computer Matching and Privacy Protection Act of 1988 (Public Law 100-503) (October 18, 1988)
http://www.usdoj.gov/oip/1974compmatch.htm and
http://www.whitehouse.gov/omb/inforeg/final_guidance_pl100-503.pdf
Computer Security Act of 1987 (Public Law 100-235) (January 8, 1988)
http://csrc.nist.gov/groups/SMA/ispab/documents/csa_87.txt
E-Government Act of 2002 (Public Law 107-347) (December 17, 2002)
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ347.107.pdf
Federal Information Security Management Act (FISMA) of 2002 (Public Law 107-347, Title III) (December 17, 2002)
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ347.107.pdf
The Freedom of Information Act (FOIA) of 1966, 5 U.S.C. 552, as amended (Public Law 104-231) (July 4, 1967)
http://www.nih.gov/icd/od/foia/efoia.htm
Health Insurance Portability and Accountability Act (HIPAA) of 1996 (Public Law 104-191) (August 21, 1996)
http://www.cms.hhs.gov/HIPAAGenInfo/Downloads/HIPAALaw.pdf
Paperwork Reduction Act (PRA) of 1995 (Public Law 104-13) (May 22, 1995)
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=104_cong_public_laws&docid=f:publ13.104.pdf
The Privacy Act of 1974, 5 U.S.C. 552a, as amended (Public Law 93-579) (December 31, 1974)
http://www.usdoj.gov/oip/privstat.htm
Presidential Directives:
Homeland Security Presidential Directive 12 (HSPD-12)
http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html
Federal Regulations:
Code of Federal Regulations (CFR) 45 CFR, Part 5b, HHS Privacy Act Regulations
http://www.access.gpo.gov/nara/cfr/waisidx_99/45cfr5b_99.html
Federal Acquisition Regulations (FAR)
FAR Part 1.602-1(b), Career Development, Contracting Authority, and Responsibilities
http://www.acquisition.gov/FAR/current/html/Subpart%201_6.html#wp1050927
FAR Part 24, Protection of Privacy and Freedom of Information
http://www.acquisition.gov/far/current/html/Subpart%2024_1.html#wp1074189
FAR Part 39.105, Privacy
http://www.acquisition.gov/far/current/html/Subpart%2039_1.html#wp1096819
FAR Part 39.107, Contract Clause
http://www.acquisition.gov/far/current/html/Subpart%2039_1.html#wp1096819
FAR Part 52.224-1, Privacy Act Notification
http://www.acquisition.gov/FAR/current/html/52_223_226.html#wp1168976
FAR Part 52.224-2, Privacy Act
http://www.acquisition.gov/FAR/current/html/52_223_226.html#wp1168981
FAR Part 52.239-1, Privacy or Security Safeguards
http://www.acquisition.gov/FAR/current/html/52_233_240.html#wp1113650
Health and Human Services Acquisition Regulations (HHSAR)
HHSAR Part 324, Protection of Privacy and Freedom of Information
http://www.knownet.hhs.gov/acquisition/hhsar/Default.htm
HHSAR Part 352.224-70, Confidentiality of Information
http://www.knownet.hhs.gov/acquisition/hhsar/Default.htm
HHSAR Part 352.270-12, Privacy Act
http://www.knownet.hhs.gov/acquisition/hhsar/Default.htm
Federal Publications:
Federal Information Processing Standards (FIPS)
FIPS 200 Implementation
http://intranet.hhs.gov/infosec/docs/policies_guides/FIM/FIPS_200_Implementation_Memo.htm
FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
National Institute of Standards and Technology (NIST)
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
NIST SP 800-30, Risk Management Guide for Information Technology Systems (July 2002)
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
NIST SP 800-53, Recommended Security Controls for Federal Information Systems, Revision 1 (December 2006). SP 800-53, Revision 2 is in draft form and will replace SP 800-53, Rev 1. SP 800-53a is also in draft form and will serve as a supplement to Rev 2, once finalized.
http://csrc.nist.gov/publications/PubsSPs.html
NIST SP 800-61, Computer Security Incident Handling Guide (January 2004)
http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf
Office of Management and Budget Guidance:
OMB Circulars
Office of Management and Budget (OMB) Circular A-11, Exhibit 53, Information Technology and E-Government
http://www.whitehouse.gov/omb/circulars/a11/current_year/s53.pdf
OMB Circular A-130, Management of Federal Information Resources (November 28, 2000)
http://www.whitehouse.gov/omb/circulars/a130/a130trans4.html
OMB Memoranda
Go to the OMB website at http://www.whitehouse.gov/omb/ and, in the search field, type the letter M followed by the two-digit year and the memo number (e.g., M-07-19).
Calendar Year 2008
M-08-09, New FISMA Privacy Reporting Requirements for FY 2008 (January 18, 2008)
http://www.whitehouse.gov/omb/memoranda/fy2008/m08-09.pdf
Calendar Year 2007
M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 25, 2007)
M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007)
Calendar Year 2006
M-06-26, Suspension and Debarment, Administrative Agreements, and Compelling Reason Determination (August 31, 2006)
M-06-25, FY 2006 E-Government Act Reporting Instructions (August 25, 2006)
M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 17, 2006)
M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments (July 12, 2006)
M-06-16, Protection of Sensitive Agency Information (June 23, 2006)
M-06-15, Safeguarding Personally Identifiable Information (May 22, 2006)
M-06-06, Sample Privacy Documents for Agency Implementation of Homeland Security Presidential Directive (HSPD) 12 (February 17, 2006)
Calendar Year 2005
M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors (August 5, 2005)
M-05-15, FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (June 13, 2005)
M-05-08, Designation of Senior Agency Officials for Privacy (February 11, 2005)
Calendar Year 2004
M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act (August 23, 2004)
M-04-04, E-Authentication Guidance for Federal Agencies
Calendar Year 2003
M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (September 30, 2003)
M-03-19, Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting (August 6, 2003)
M-03-18, Implementation Guidance for the E-Government Act of 2002 (August 1, 2003)
Calendar Year 2002
M-02-09, Reporting Instructions for the Government Information Security Reform Act and Updated Guidance on Security Plans of Action and Milestones (July 2, 2002)
M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones (October 17, 2001)
Calendar Year 2001
M-01-24, Reporting Instructions for the Government Information Security Reform Act (June 22, 2001)
M-01-08, Guidance on Implementing the Government Information Security Reform Act (January 16, 2001)
M-01-05, Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy (December 20, 2000)
Calendar Year 2000
M-00-13, Privacy Policies and Data Collection on Federal Web Sites (June 22, 2000)
Calendar Year 1999
M-99-20, Security of Federal Automated Information Resources (June 23, 1999)
M-99-18, Privacy Policies on Federal Web Sites (June 2, 1999)
M-99-05, Instructions on Complying with President's Memorandum of May 14, 1998, "Privacy and Personal Information in Federal Records" (January 7, 1999)
Calendar Year 1998
M-98-00, Privacy and Personal Information in Federal Records (May 14, 1998)
HHS Privacy Policy:
HHS General Administration Manual, Chapter 45-10, Privacy Act – Basic Requirements and Relationships
http://www.hhs.gov/hhsmanuals/gam/chapters/45-10.pdf
HHS General Administration Manual, Chapter 45-13, Safeguarding Records Contained in Systems of Records
http://www.hhs.gov/hhsmanuals/gam/chapters/45-13.pdf
Secure One HHS Privacy Documents
HHS Information Security Program Policy (July 19, 2005)
http://intranet.hhs.gov/infosec/docs/policies_guides/ISPP/Information_Security_Program_Policy.pdf
HHS Information Security Privacy Program Policy Memorandum (November 20, 2006)
http://intranet.hhs.gov/infosec/docs/policies_guides/ISPPM/Infosec_Program_Privacy_Policy_memo.pdf
HHS Information Security Program Privacy Impact Assessment (PIA) Guide (January 10, 2007)
http://intranet.hhs.gov/infosec/docs/policies_guides/PIA/PIA_Guide.pdf
HHS Machine-Readable Privacy Policy Guide (August 10, 2006)
http://intranet.hhs.gov/infosec/docs/policies_guides/MRPPG/Machine-Readable_Privacy_Policy_Guide.pdf
HHS Machine-Readable Privacy Policy FAQs (May 17, 2005)
http://intranet.hhs.gov/infosec/docs/privacy/MRFAQ/Machine-Readable_Privacy_Policy_FAQs.pdf
HHS Privacy in the System Development Lifecycle (SDLC) (January 16, 2007)
http://intranet.hhs.gov/infosec/docs/privacy/PSDLC/Privacy_in_SDLC.pdf
HHS Privacy Tri-Fold Brochure
http://intranet.hhs.gov/infosec/docs/privacy/Trifold/Privacy_Tri-fold.pdf
NIH Policy, Provisions & Guidelines:
NIH Manual 1130, Delegations of Authority: Program, General 4B, Privacy Act Appeals
http://delegations.od.nih.gov/DOADetails.aspx?id=1640
NIH Manual Chapter 1743, NIH Records Control Schedule "Keeping and Destroying Records"
NIH Manual Chapter 1744, NIH Vital Records Program
http://www1.od.nih.gov/oma/manualchapters/management/1744/
NIH Manual Chapter 1745, NIH Information Technology (IT) Privacy Program
http://www3.od.nih.gov/oma/manualchapters/management/1745/
NIH Manual Chapter 1745-1, NIH Privacy Impact Assessments
http://www3.od.nih.gov/oma/manualchapters/management/1745-1/
NIH Privacy Impact Assessment Guide
http://oma.od.nih.gov/ms/privacy/NIHPIAGuide.doc
NIH Manual Chapter 2805, NIH Web Page Privacy Policy
http://www3.od.nih.gov/oma/manualchapters/management/2805/
NIH Information Technology General Rules of Behavior
http://irm.cit.nih.gov/security/nihitrob.html
NIH Security Policies, Guidelines, and Regulations
http://irm.cit.nih.gov/security/sec_policy.html
NIH Privacy Tri-Fold Brochure
http://oma.od.nih.gov/ms/privacy/NIH_Privacy_Trifold_IC.pdf
Training:
HHS Privacy Awareness Training
http://hhsu.learning.hhs.gov/PrivacyAwareness/
NIH Information Privacy Awareness Training
http://irtsectraining.nih.gov/
NIH Security Awareness Training
http://irtsectraining.nih.gov/
Websites:
Health and Human Services (HHS)
Secure One HHS Online Web Page
http://intranet.hhs.gov/infosec
HHS FISMA Privacy Impact Assessment (PIA) Database
https://prosight-fisma.hhs.gov/prosight
HHS FISMA Privacy Impact Assessment (PIA) Form
http://irm.cit.nih.gov/nihsecurity/HHS-PIA-Form.doc
HHS Office of Civil Rights Web Page
http://www.hhs.gov/ocr/hipaa/
National Institutes of Health (NIH)
NIH Office of the Senior Official for Privacy Web Page
http://oma.od.nih.gov/ms/privacy/
NIH IC Privacy Coordinators Web Page
http://oma.od.nih.gov/about/contact/browse.asp?fa_id=3
NIH Records Management Web Page
http://oma.od.nih.gov/ms/records/
NIH FOIA Web Page
http://www.nih.gov/icd/od/foia/
NIH HIPAA Web Page
http://privacyruleandresearch.nih.gov/
NIH Information Security Web Page
http://www.cit.nih.gov/security.html
NIH OMB Project Clearance Web Page
http://odoerdb2.od.nih.gov/oer/policies/project_clearance/pcb.htm
NIH Personally Identifiable Information (PII) Protection Web Page
http://irm.cit.nih.gov/security/PIIProtection.html
NIH Privacy Act Systems of Records (SOR) Notices
http://oma.od.nih.gov/ms/privacy/pa-files/read02systems.htm
NIH FISMA Privacy Impact Assessment (PIA) Web Page
http://irm.cit.nih.gov/nihsecurity/ProSight-FISMA-info.htm
NIH Website Privacy Policy Statement
http://www.nih.gov/about/privacy.htm
Other Useful Websites
U.S. Postal Inspection & FBI Funded Website – Looks Too Good To Be True
http://www.lookstoogoodtobetrue.com/index.aspx
OnGuard Online – Your Safety Net
http://onguardonline.gov
MailFrontier Field Guide to Phishing – For all NIH staff who use e-mail
http://irm.cit.nih.gov/security/field_guide.pdf
Federal Trade Commission Website – Fighting Back Against Identity Theft
http://www.ftc.gov/idtheft
An Awareness Guide to Social Engineering – For all NIH staff
http://irm.cit.nih.gov/nihsecurity/GuidSocEngine.htm
Practical Computer Security Advice for Users – For all NIH staff with access to a computer
http://securitynews.nih.gov/security_advice.html
Protecting the Security of Grant Applications – For all NIH staff who review grant applications and are involved in the peer-review process
http://irm.cit.nih.gov/security/SecAwareGuid-Review.htm
Security Advice for Managers – For all NIH managers
http://irm.cit.nih.gov/security/adv_manag.html
Security Advice for Scientists – For all NIH scientists
http://irm.cit.nih.gov/security/adv_scient.html
Security Advice for Clinicians – For all NIH staff and clinicians who work in a clinical environment
http://irm.cit.nih.gov/security/adv_clinic.html
Security Advice for System Administrators – For all NIH system administrators and other privileged users
http://irm.cit.nih.gov/security/adv_sysadmin.html