Stronger Access Controls and Further System Enhancements Are Needed to Effectively Support the Privacy Impact Assessment Program

The Director, Privacy, Governmental Liaison, and Disclosure (PGLD), should issue a communication to PGLD organization managers and employees reminding them to review user accounts on information technology resources that they manage, such as the PIAMS and shared drives, for compliance with account management requirements. These reviews should, at a minimum, be conducted annually and semiannually for elevated privilege accounts.

The Director, Privacy, Governmental Liaison, and Disclosure (PGLD), should require a negative response from the system owner regarding the review of the assessment for sensitive information.

The Director, Privacy, Governmental Liaison, and Disclosure (PGLD), should continue to assess, identify, and implement enhancements to improve the functionality of the Privacy Impact Assessment Management System (PIAMS).

The Director, Privacy, Governmental Liaison, and Disclosure (PGLD), should provide training, when needed, to stakeholders involved in the Privacy Impact Assessment (PIA) process to ensure that no sensitive information is included and documented in the assessments.

The Director, Privacy, Governmental Liaison, and Disclosure (PGLD), should notify the Associate Chief Financial Officer for Corporate Planning and Internal Control's office to change the planned corrective action status from closed to open on the Joint Audit Management Enterprise System for the corrective actions that TIGTA identified as not fully implemented. The statuses of these planned corrective actions should be reopened until they are fully implemented and fulfill the original audit recommendations as agreed to in TIGTA's Fiscal Year 2013 report.