FDIC, Federal Deposit Insurance Corporation, Office of Inspector General, core values: communication, objectivity, responsibility, excellence

Response to Privacy Program Information Request in OMB's Fiscal Year 2006 Reporting Instructions for FISMA and Agency Privacy Management – Footnotes

September 2006
Audit Report No. 06-018

Footnote 1:  Responses to Security-Related Questions in FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (FDIC-OIG Report No. 06-019), dated September 2006; and Independent Evaluation of the FDIC’s Information Security Program – 2006 (FDIC-OIG Report No. 06-022), dated September 2006.

Footnote 2:  OMB defines IIF as information in a system or on-line collection that directly identifies an individual (e.g., name, address, Social Security number (SSN) or other identifying code, telephone number, e-mail address, etc.) or by which an agency intends to identify specific individuals in conjunction with other data elements.

Footnote 3:  A PIA is an analysis of how information is handled to: (1) ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (2) determine the risks and effects of collecting, maintaining, and disseminating IIF; and (3) examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. A PIA is required by the E-Government Act of 2002 (as implemented by OMB Memorandum M-03-22) to ensure that privacy protections and Privacy Act requirements are considered when developing or procuring new or modified information technology that contains IIF.

Footnote 4:  Response to Privacy Program Information Request in OMB’s Fiscal Year 2005 Reporting Instructions for FISMA and Agency Privacy Management (FDIC-OIG Report No. 05-033), dated September 16, 2005.

Footnote 5:  The FDIC previously used the Sensitivity Assessment Questionnaire to determine the overall sensitivity of an FDIC system or application. Certain responses generate specific security control recommendations, including the necessity to complete a PIA.

Footnote 6:  A waiver from the public posting requirement was requested for one system due to the sensitivity of the data in the system, as well as business needs to ensure confidentiality of the system. Such a waiver was consistent with the E-Government Act and OMB’s implementing guidance.

Footnote 7:  The privacy training was announced by global e-mail on October 11, 2005 and included a mandatory completion date of October 28, 2005.

Footnote 8:  OMB Circular A-130, Appendix I, requires agencies to conduct reviews of the following topics, at the indicated frequency: Section (m) Contract, Recordkeeping Practices, Privacy Act Training, Violations, and System of Records Notices every 2 years; Routine Use Disclosures and Exemption of System of Records reviews every 4 years; and Matching Programs annually.

Footnote 9:  The Privacy Act of 1974 states, “The term system of records means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”

Footnote 10:  The Web site contains only the name of the system and indicates that it is to be revised at a later time.

Footnote 11:  OMB Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, dated September 26, 2003, indicates that where there is a compelling need to use persistent tracking technology, the agency must post clear notice of its privacy policy.

Footnote 12:  In the FY 2006 Independent Evaluation of the FDIC's Information Security Program (FDIC-OIG Report No. 06-022), dated September 2006, the OIG suggested that the FDIC complete its security risk management methodology to define procedures for performing continuous monitoring of system security controls after system accreditation.

Last updated 10/02/2006