Today’s Acronym is PIA (Privacy Impact Assessment)

(Imagen 4)

(Part of the biometric product marketing expert series)

Do U.S. government agencies simply run roughshod over your privacy rights?

Not exactly.

Government agencies are required to issue Privacy Impact Assessments (PIAs) for their projects.

The Federal Bureau of Investigation alone has issued over 60 PIAs.

For example, here is the PIA for CODIS, the Combined National Deoxyribonucleic Acid (DNA) Index System.

And if anything needs a PIA, it’s CODIS, since it potentially contains your personally identifiable information…and the personally identifiable information of your relatives.

The PIAs themselves are detailed. The CODIS PIA includes 8 sections with 19 pages of questions and responses. For example, here is the response in section 8 regarding privacy:

The type, quantity, and sources of information collected by FBI CODIS are necessary to identify crime scene offenders, missing persons, or unidentified human remains, or to link multiple crime scenes. Such information is only further disseminated for these purposes. Moreover, NDIS does not store State Identification Number/Universal Control Number or otherwise collect, handle, disseminate, or store contributors’ names. Therefore, CODIS DNA profiles and pedigrees can only be matched to a named individual by the submitting Criminal Justice Agency forensic laboratory, independent of NDIS.

  • The privacy risks associated with the collection and maintenance of FBI CODIS information are inaccurate information, unauthorized access, and unauthorized disclosures.
  • The privacy risks associated with the access and use of FBI CODIS information are unauthorized access, unauthorized (or overly broad) disclosures, and loss of data.
  • The privacy risks associated with the dissemination of FBI CODIS information are the risks of unauthorized disclosures and loss of data.

The risks of unauthorized access, unauthorized disclosures, loss of data and inaccurate information are mitigated by the quality assurance standards promulgated by the FBI pursuant to the Federal DNA Identification Act. These risks are further mitigated by the system, physical access, network-infrastructure, auditing and quality assurance controls, as described more specifically in Sections 6.1 and 6.2, which are in compliance with FIPS Publication 199, as applicable.

The risk of inaccurate information is also specifically mitigated through the identity verification process performed by participating Criminal Justice Agency forensic laboratories to confirm a potential match. The identity must be confirmed prior to the disclosure of any personally identifiable information to the law enforcement entity who submitted the DNA sample.

Lastly, notice is provided as described in Section 5.1.

OneTaste: Know Your (Convicted Forced Labor) Business

If I get my products from my vendor, why do I need to implement Know Your Business (KYB) or Third-Party Risk Management (TPRM)?

Perhaps Compliance Week has a good answer:

“About 27.6 million people around the globe are ensnared by modern slavery, which refers to people being forced to work and losing their freedom due to imprisonment, threats of violence, debt bondage, or retention of their identity papers, according to the United Nations’ International Labor Organization.”

Yeah, but who cares about Third World countries? 

Tell that to the former owners of OneTaste:

“As proven at trial, between 2006 and May 2018, [Nicole] Daedone and [Rachel] Cherwitz obtained the labor and services of multiple young women who had turned to OneTaste for healing and spirituality by coercing them to perform labor, including sexual labor, for the defendants’ benefit.”

Would you want to do business with THAT company?

Although it has undergone an ownership and name change:

“In 2017, Ms. Daedone sold OneTaste for $12 million, prosecutors said. The former OneTaste.us website now directs visitors to The Eros Platform, a community that still promotes its affiliation with Daedone, Cherwitz and their Orgasmic Meditation practice. The Eros Coaching Collective still advertises a three-session OM training package for $525.”

Pay No Attention to That Man Behind the Curtain

H/T Donal Greene for this story of non-person entities that were really people.

“The nate app purported to take care of the remainder of the checkout process through AI: selecting the appropriate size, entering billing and shipping information, and confirming the purchase….In truth, nate relied heavily on teams of human workers—primarily located overseas—to manually process transactions in secret, mimicking what users believed was being done by automation.”

From https://www.justice.gov/usao-sdny/pr/tech-ceo-charged-artificial-intelligence-investment-fraud-scheme

Now the DOJ is indicting Albert Saniger for defrauding investors: https://www.justice.gov/usao-sdny/pr/tech-ceo-charged-artificial-intelligence-investment-fraud-scheme

(Picture from Imagen 3)

Why Do CPAs (the real ones) Manage SOC 2 Audits?

I’ve been around a ton of compliance frameworks during and after the years I worked at Motorola. 

  • The Capability Maturity Model (CMM), from the days before CMMI came into being.
  • The entire ISO 9000 family.
  • The General Data Protection Regulation (GDPR).
  • The California Consumer Privacy Act (CCPA) and the related California Privacy Rights Act (CPRA).
  • The Health Insurance Portability and Accountability Act (HIPAA).
  • The NIST Cybersecurity Framework (CSF).
  • I’d personally throw the FBI CJIS Security Requirements onto this list.

SOC it to me

There is one compliance framework that is a little different from CMM, ISO, GDPR, and all the others: the System and Organization Controls (SOC) suite of services.

The most widely known member of the suite is SOC 2® – SOC for Service Organizations: Trust Services Criteria. But you also have SOC 1, SOC 3, SOC for Cybersecurity, SOC for Supply Chain, SOC for Steak…whoops, I made that one up because I’m hungry as I write this. But the others are real.

Who runs the SOC suite

The difference with the SOC suite is that it’s not governed by engineers or scientists or academics.

It’s governed by CPAs.

And for once I’m not talking about content-proposal-analysis experts.

I’m talking about the AICPA, or the Association of International Certified Professional Accountants.

Which begs the question: why are a bunch of bean counters defining compliance frameworks for cybersecurity?

Why CPAs run the SOC suite

Ask Schneider Downs. As an accounting firm, they may have an obvious bias regarding this question. But their answers are convincing.

  • “CPAs are subject matter experts in risk management.” You see, my reference above to “bean counters” was derogatory and simplistic. Accountants need to understand financial data and the underlying risks, including vulnerabilities in cash flow, debt, and revenue. For example, if you’ve ever talked to a CxO, you know that revenue is never guaranteed.
  • “It was a natural progression to go from auditing against financial risk to auditing against cybersecurity risk.” Now this may seem odd on the surface, because you wouldn’t think mad Excel skills will help you detect deepfakes. But ignore the tools for a moment and look at a higher level. Because of their risk management expertise, CPAs can apply that knowledge to other types of risk, including non-financial ones. As Schneider Downs goes on to say…
  • “CPAs understand internal control concepts and the appropriate evidence required to support the operating effectiveness of controls.” You need financial controls at your company. You aren’t going to let the summer intern sign multi-million dollar checks. In the same way you need to identify and evaluate the internal controls related to the Trust Services Criteria (TSC) associated with SOC 2: security, availability, processing integrity, confidentiality, and privacy.

So that’s why the accountants are running your SOC 2 audit.

And don’t try to cheat when you pay them for the audit.

And one more thing

A few of you may have detected that the phrase “SOC it to me” is derived from a popular catchphrase from the old TV show Rowan & Martin’s Laugh-In.

A phrase that EVERYBODY said.

(Wildebeest accountants from Imagen 3)