Audit Reports

-A A +A
skip-to-content

Quality Control Review of the Assessment of DOT’s Protection of Privacy Information

Mandated by the Fiscal Year 2005 Consolidated Appropriations Act for Transportation, Treasury, Independent Agencies, and General Government
Project ID: 
QC2018016

What We Looked At

This report summarizes the results of an audit of DOT’s protection of privacy information. DOT has determined that 168 of its 464 computer systems contain personally identifiable information (PII) about the public and/or DOT employees. The Fiscal Year 2005 Consolidated Appropriations Act for Transportation, Treasury, Independent Agencies, and General Government, as amended, requires agencies to enhance the protection of PII they collect and use, and inspectors general to periodically audit their agencies’ privacy programs or hire independent, third party organizations to conduct the reviews.

We contracted with KPMG LLP, an independent public accounting firm, to conduct this audit subject to our oversight. The audit objectives were to determine whether (1) DOT has established adequate procedures for the collection, use, and security of PII; (2) DOT ensures compliance with its own privacy and data protection policies and applicable laws and regulations to prevent unauthorized access to or unintended use of PII; and (3) DOT’s Operating Administrations properly evaluate the necessity of using PII to process system data.

What We Found

We performed this QCR of KPMG’s report and related documentation. Our QCR disclosed no instances in which KPMG did not comply, in all material respects, with generally accepted Government auditing standards.

Recommendations

DOT concurred with KPMG’s 12 recommendations.

Recommendations

Open

Closed

No. 1 to FAA

KPMG recommends that FAA Privacy Program conduct a review of its privacy program to identify changes needed to ensure that system's privacy plans are completed in accordance with the DOT Privacy Risk Management Policy.

No. 2 to FAA

KPMG recommends that FAA System Owner of System #2 ensure the system Privacy Plan includes all requirements established by the DOT Chief Privacy Officer in the privacy threshold assessment (PTA) and the adjudication statement is implemented.

No. 3 to FAA

KPMG recommends that FAA System Owner of System #5 ensure that the encryption protections for data at rest and during transit are implemented in accordance with the DOT Privacy Risk Management Policy.

No. 4 to FAA

KPMG recommends that FAA System Owner of System #5 confirm that the session time-out functionality has been implemented.

No. 5 to FAA

KPMG recommends that FAA System Owner of System #8 ensure that the encryption protections for data at rest are implemented in accordance with the DOT Privacy Risk Management Policy.

No. 6 to FAA

KPMG recommends that FAA System Owner of System #9 provide system specific and/or specialized/role based privacy job aides as needed to personnel who maintain and/or have access to PII data.

No. 7 to FAA

KPMG recommends that FAA System Owner of System #9 Ensure the Privacy Plan including all requirements established by the DOT Chief Privacy Officer in the PTA adjudication statement is implemented.

No. 8 to FAA

KPMG recommends that FAA System Owner of System #9 implement memoranda of understanding or similar agreements for internal sharing of PII.

No. 9 to FAA

KPMG recommends that FAA System Owner of System #9 ensure that encryption protections for data at rest is implemented in accordance with the DOT Privacy Risk Management Policy.

No. 10 to FAA

KPMG recommends that FAA System Owner of System #9 ensure that the Plan of Action and Milestones (POA&M) for encryption protections for data at rest is actively monitored and updated as changes occur prior to the estimated closure date of December 19, 2017.

No. 11 to OST

KPMG recommends that Office of the Secretary of Transportation Departmental Chief Privacy Officer establish a continuous monitoring (CM) program for privacy supportive security controls to ensure PII systems remain compliant with DOT Privacy Risk Management policy.

No. 12 to OST

KPMG recommends that Office of the Secretary of Transportation System Owner of System #15 ensure that the encryption protections for data at rest and during transit have been implemented in accordance with the DOT Privacy Risk Management Policy.