Statistical Standards Program

Chapter 4: On-Site Inspections

The license authorizes IES Security Officials to make unannounced and unscheduled inspections of the Licensee's facilities, including any associated computer center, to evaluate compliance with the terms of the license and security procedures. HLA is the current Security Official representative for IES.

4.1 On-Site Inspection Procedures

Under the provisions of the license, IES may conduct unannounced and unscheduled inspections of the license site to assess compliance with the terms of the license.

Specifically, Security Officials will visit the Licensee's facilities to evaluate compliance in the following two areas, which are explained in detail in this section:

  • Operational Procedures
  • Security Procedures and Security Plan

Appendix K contains an On-Site Inspection Interview Guideline.

License Procedures

IES Data Security Officials will review the project operations with the Principal Project Officer, or the Senior Official, at the Licensee's facility. This review will focus on the agreements set forth in the actual license, memorandum of understanding, or Department of Education contract. This includes an inspection of the current status of the project, as discussed below.

  • Record of License. IES Security Officials will review the Licensee's file for a copy of the license, along with copies of all of the Affidavits of Nondisclosure, or a list of persons authorized to access the data.
  • Affidavits of Nondisclosure. IES Security Officials will review the names and status of all project personnel. All project personnel must have an executed Affidavit of Nondisclosure or be authorized, and these original Affidavits must be on file at IES. This review is to confirm that IES has the most current information on file for those individuals who have the authority to access the subject data.
  • The Project Staff. IES Security Officials will investigate whether a copy of the license and a copy of the Security Procedures have been reviewed by all members of the project staff. This is to ensure that all members of the project team are aware of the procedures required for accessing restricted-use data.

Security Procedures and Security Plan Form

IES Data Security Officials will review with the Licensee all aspects of the Licensee's security procedures for the restricted data. These procedures are documented in the Security Procedures.

IES Data Security Officials will also review the Licensee's submitted Security Plan Form, which is the on-site implementation document for the Security Procedures.

IES Data Security Officials will review these procedures for compliance. A basic outline of these procedures, in the form of the On-Site Inspection Guideline, is presented in the next section below.

4.2 On-Site Inspection Guideline

The On-Site Inspection Guideline in appendix K presents a standard set of questions that will be asked by IES Data Security Officials when performing an on-site inspection. Since this is a guide, more license-specific questions may be asked on a case-by-case basis.

The On-Site Inspection Guideline is offered to ensure consistency among interviews and to ensure that all appropriate questions and topics are covered during the interview. A basic outline of the topics covered in the inspection guide follows.

The on-site inspection will include a tour of the Licensee's computer facilities.

4.3 Violations, Penalties, and Prosecution

Violations

  • Statement of Warning. If IES finds the Licensee to be in noncompliance in a manner that has not yet resulted in unauthorized disclosure, IES will send a Statement of Warning to the Senior Official within six weeks (30 working days) of the on-site inspection. (More serious violations may result in license revocation or criminal prosecution. See below.)

    The Licensee has one month (20 working days) from receipt of the Statement of Warning to provide IES a letter detailing what procedures have been implemented to restore compliance.
  • Revocation of License. As stated in the license (Section IV, Penalties), any violation of the terms and conditions contained in the license may subject the Licensee to immediate revocation of the license by IES. If violations are discovered, IES will notify the Licensee, in writing, of the factual basis and grounds for revocation.

    The Licensee has six weeks (30 working days) to submit a written argument and evidence to IES indicating why the license should not be revoked. The IES Data Security Program shall provide written notice of a decision to the Licensee within nine weeks (45 working days) after receipt of the Licensee's written argument. IES may extend this time period for good cause.

List of Most Common Violations

  • No three-minute shutdown when the computer is left on
  • Lack of warning statement when restricted-use data are brought up on the screen
  • Accessing restricted-use data from an off-site location
  • The PPO not maintaining control over the restricted-use data
  • The PPO neglecting to inform the IES Data Security Program of any project personnel changes
  • Neglecting to return restricted-use data to the IES Data Security Program
  • Neglecting to destroy all subsets of the data at the end of the project (the IES Data Security Program must be informed that this has taken place)
  • Restricted-use data leaving the licensed site
  • Making a copy of the restricted-use data and allowing it to leave the licensed site
  • Removing the warning label with the expiration date from the restricted-use data
  • Not labeling any copies or subsets of the data with the warning label

Prosecution and Penalties

Alleged violations of the Privacy Act of 1974 or IES-specific laws are subject to prosecution by the United States Attorney after reasonable efforts to achieve compliance have first been made.

Any violation of this license may also be a violation of Federal criminal law under the Privacy Act of 1974, 5 U.S.C. 552a, and may result in a misdemeanor and a penalty of up to $5,000.

Anyone violating the confidentiality provisions of section 183 of the Education Sciences Reform Act of 2002 (P.L. 107-279), or making an unauthorized disclosure, when using the data shall be found guilty of a class E felony and can be imprisoned for up to five years, and/or fined up to $250,000.

Penalties (fines and imprisonment) may be enforced for each occurrence of a specific violation.
