About Us Our Work Employment News & Events
MITRE Remote Access for MITRE Staff and Partners Site Map
Our Work
Overview
Mission Areas
Systems Engineering
Information Technology
MITRE Research Program
MITRE Federal Employee Fellowship Program
Technology Transfer Office
Technical Papers

Follow Us:
Visit MITRE on Facebook
Visit MITRE on Twitter
Visit MITRE on Linkedin
Visit MITRE on YouTube
View MITRE's RSS Feeds
View MITRE's Mobile Apps
Home > Our Work > Information Technology > Privacy >

Privacy

Our Work

MITRE's privacy experience spans a number of areas. The work described below represents examples of work we have performed for organizations within federal government agencies.

Privacy Strategy

MITRE's Privacy Strategy capability supports the unique needs of each federal agency by applying a deep understanding of privacy issues and a broad knowledge of how civilian agencies operate. MITRE's approach involves integrating privacy into strategic planning and key information processes throughout the enterprise, establishing a strong privacy office and program, and formulating an implementation strategy. To learn more about this capability, see Privacy Strategy Capability.

Privacy Program Development

Government agencies are increasingly recognizing the need to implement robust programs to address the many important facets of privacy. Privacy protection is essential to engendering public trust. The federal government collects and uses significant amounts of PII. The willingness of the public to provide this information and to support the programs that need it is contingent on this trust. To the extent that this trust is absent, sponsors will find it more difficult to accomplish their missions. As agencies develop, implement, and maintain privacy programs, they must do so in a way appropriate to their needs, reflective of their different missions, and meeting the spirit and intent of the government privacy framework. Privacy programs must also continue to adapt, keeping pace with organizational needs, new requirements, emerging technologies, and evolving privacy dynamics.

MITRE's Privacy Community of Practice delivers solutions appropriate to the specific requirements of each agency by combining a unique knowledge of agencies' missions, the recognition of different privacy program needs, and an engineering focus. By understanding these factors as well as the nature of the information collected and used and the potential privacy harms that could result from a privacy failure, MITRE can establish the objectives for a sponsors privacy program.

In general, privacy programs are in one of three states:

  • Developing
  • Maturing
  • Leading

Developing programs focus on establishing basic program components and ensuring compliance with federal privacy-related laws, regulations, and guidance. MITRE has considerable experience assisting agencies with Developing programs. Our Privacy Professionals regularly help sponsors implement basic privacy programs that support compliance, including development of policies, procedures, training materials and particularly challenging privacy impact assessments (PIAs). MITRE's Privacy Staff also act as the principal faculty for the International Association of Privacy Professionals certification program for government privacy expertise.

Maturing programs move beyond compliance and think more expansively when evaluating privacy risk with respect to Fair Information Practice Principles. These programs work to achieve appropriately credentialed staff and to integrate privacy into system development life cycle processes. Maturing programs embed privacy in the Enterprise Architecture and proactively conduct audits and self-assessments. For agencies needing to reach a Maturing state, MITRE has significant experience in more expansive application of Fair Information Practice Principles to privacy risk analyses, as well as the integration of privacy into the system development life cycle. MITRE has developed a process for organizations to manage risk, including an initial web-based proof-of-concept tool that enables sponsors to complete PIAs and other types of privacy risk analyses with more consistency, accuracy and analytical substance.

Leading programs have significant executive sponsorship for privacy. They aim to achieve a higher level of sophistication, requiring development of deeper privacy risk models and integration of privacy into broader systems engineering life cycles. These programs actively consider and use enterprise privacy-enhancing technologies (ePETs). MITRE understands that not all programs need to invest in achieving a Leading state, but for those that do, MITRE's expertise and research capabilities uniquely position the sponsor to achieve that objective.

Program Challenges

Privacy programs are responsible for addressing many critical areas that extend beyond the day-to-day operations of the privacy program. These challenges are typically agency-wide initiatives that generally warrant a focused effort separate from privacy program development. The topics below are examples of initiatives that require embedding privacy into agency operations.

  • Privacy in the Enterprise Architecture
    Incorporating privacy into the Enterprise Architecture is a key means to implementing agency privacy principles. As an emerging area, there are limited resources with practical experience for achieving this objective. MITRE has worked with sponsors to create agency-specific EA Privacy Requirements and to help them understand how to apply those requirements within the multiple layers of their target architecture. This aids our sponsors in better integrating privacy into strategic planning efforts and daily operations.
  • Privacy in the Systems Development Life Cycle (SDLC)
    Building privacy capabilities into systems requires integrating privacy-focused tasks into SDLC processes and documentation. MITRE has helped sponsors evaluate their SDLC processes and documentation for appropriate ways to incorporate privacy topics. These efforts have raised awareness of privacy within development teams, making an immediate impact by helping system developers consider privacy earlier in the development process and more effectively incorporate privacy requirements into systems design and documentation.
  • PII Minimization and SSN Elimination
    Minimizing data collection has long been recognized as an important privacy principle and is now a requirement for government agencies. With the Office of Management and Budget's direction to eliminate the unnecessary collection and use of Social Security Numbers (SSNs) and minimize collection of PII, agencies face one of their most complex privacy challenges. Agencies must address both the current state of the organization and ensuring appropriate mechanisms exist to prevent unnecessary new collections from being established. MITRE has worked with multiple sponsors to develop strategies for PII minimization and SSN elimination. Executing these plans allows agencies to better focus on the information they need to accomplish their mission and lower their risk of privacy incidents.
  • Privacy Incident Response
    As much as agencies work to prevent privacy incidents, an unfortunate reality is that they do occur. Responding often requires complex levels of coordination with internal and external partners. Having a strong incident response plan and associated policies and procedures is a critical part of handling incidents. MITRE has supported multiple sponsors in developing privacy incident response plans and processes. As a result, these agencies are better prepared to act swiftly and appropriately when addressing incidents. Additionally, MITRE has supported agencies responding to incidents real-time, providing guidance on how best to respond to the issues that result in the incident. MITRE brings value through a cross-government perspective and experience to address issues both unique to an agency's environment as well as issues experienced across multiple agencies.

Privacy Hot Spots

As technology changes and federal agencies adapt to implement new technological approaches, agencies must also successfully address the many privacy challenges that new technologies bring. The topics below are examples of areas where MITRE has helped agencies to face privacy issues associated with new and changing technologies.

  • Privacy and Social Networking
    Federal agencies increasingly rely upon social networking technologies to provide information to the public. MITRE has evaluated social networking technologies for federal agencies and provided recommendations on configuring and managing social networking sites to protect privacy. MITRE has also provided input to agencies on appropriate strategies for implementing the use of social networking by helping agencies to look at the consequences of not adopting social networking technologies and analyzing how to address privacy impacts. The assistance that MITRE provides enables agencies to actively engage with the public using the latest technologies while still minimizing privacy risk.
  • Privacy and Cloud Computing
    Cloud computing is defined by the National Institute of Standards and Technology as "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Cloud computing can provide a number of advantages with respect to cost, reliability, scalability, and sustainability. However, a number of security and privacy risks are associated with the use of cloud computing. MITRE has analyzed cloud computing privacy and security risks for federal agencies and provided recommendations on how to mitigate those risks. MITRE's input has helped sponsors to develop effective strategies for using cloud computing while still protecting privacy and security.
  • Biometrics
    Biometrics are a type of personally identifiable information with unique privacy risks. Federal agencies are increasingly collecting and using biometrics as well as sharing biometrics and other PII with other federal agencies and local, state, and international governments. The privacy and biometrics experts at MITRE have worked together to engage with sponsors on addressing biometrics privacy risks in different environments. In particular, MITRE developed a risk-management strategy for a sponsor to address privacy considerations in biometrics information sharing and also provided privacy input for a biometrics roadmap for a federal agency. MITRE's support has provided sponsors with a privacy risk assessment process used to support informed decisions for biometrics information sharing.

For more information or discussion about this material, please Contact Us.

Page last updated: February 1, 2011   |   Top of page

Homeland Security Center Center for Enterprise Modernization Command, Control, Communications and Intelligence Center Center for Advanced Aviation System Development

 
 
 

Solutions That Make a Difference.®
Copyright © 1997-2013, The MITRE Corporation. All rights reserved.
MITRE is a registered trademark of The MITRE Corporation.
Material on this site may be copied and distributed with permission only.
IDG's Computerworld Names MITRE a "Best Place to Work in IT" for Eighth Straight Year The Boston Globe Ranks MITRE Number 6 Top Place to Work Fast Company Names MITRE One of the "World's 50 Most Innovative Companies"
 

Privacy Policy | Contact Us