The inspector general of the U.S. Agency for International Development has called on the agency to improve how it handles personally identifiable information.
In an audit published earlier this month, the oversight body identified a range of failings, including reliance on out-of-date data loss procedures and insufficient role-based privacy training.
The IG also identified the unnecessary retention of Social Security Numbers and failure to implement controls related to third-party websites as areas for concern. It also found multiple instances of staff handling sensitive personal information without first having completed the required training.
Guidance from the Office of Management and Budget published in 2007 states that agencies must establish a plan to eliminate the unnecessary collection and use of Social Security Numbers and provide annual updates on the progress of such plans.
USAID’s CIO is responsible for the agency’s privacy program and for the management of privacy-related risks at the organization.
The IG issued a number of concrete recommendations for improvement in its report. These include the suggestion that the agency’s CIO should develop and implement tools for the periodic testing of data loss prevention measures and also update its SSN storage reduction plan.
It also recommends that the director of web management at USAID’s Bureau of Legislative and Public Affairs take a complete inventory of the third-party websites being used by the agency.
The IG’s intervention comes three months after USAID was hit with a cybersecurity breach when Russian hackers accessed its Constant Contact email marketing service account.
Following the incident, which was revealed by Microsoft, USAID notified agencies including the U.S. Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency. When an agency has a privacy breach it is required to inform the U.S. Computer Emergency Readiness Team, which is part of CISA.