Appendix C: Information and Information Technology
Pages 120-132



From page 120...
... The government mandates or requests information from many industries: Customs and Border Protection obtains manifests for trucks entering the United States from trucking firms; the Department of Homeland Security (DHS), including the Transportation Security Administration, and
From page 121...
... In addition, employers, retailers, banks, and travel and telecommunications companies collect data directly from customers as well as from many other government and private sources. The largest databases in the world are click-streams collected from Web interactions, second only to retail and scientific databases.
From page 122...
... In addition, since information systems have vulnerabilities and are subject to threats, appropriate data stewardship must be enforced. Whereas banks and telecommunications companies rate highest in information protection, many industries and the government in particular rate considerably lower.
From page 123...
... Hence, the committee's framework lists the criteria and best practices that are required to protect civil liberties, including appropriateness, agency and external authorization, defined purpose, and assessment, as discussed below.
C.1.6 Information Monitoring
An information program must be continuously monitored and assessed to ensure that it is effective in achieving its purpose and that
1 See, for example, National Security Council, National Strategy for Combating Terrorism, National Security Council, Washington, D.C., September 2006, available at http://www.
From page 124...
... C.1.7 Information Retention
The final step of the information life cycle involves the retention or deletion of information based on a defined retention period, data quality, data minimization, or other criteria.3 Data retention refers to the period of time during which an organization can or must retain data in its automated and manual records. A data retention requirement may be that data
2 In 2005, the information technology products sector accounted for $640 billion or 2.8 percent of the U.S.
From page 125...
... At the same time organizations may want to delete data to reduce their exposure to compliance irregularities or potential legal discovery by data forensic techniques, data such as e-mail trails in the Enron case and voice mails in a case involving Hewlett Packard. Businesses must meet the requirements of relevant regulations; Sarbanes-Oxley is one of hundreds that are applicable to specific data types in specific business contexts.
From page 126...
... C.1.9 Connecting the Information Life Cycle to the Framework
The framework defined in Chapter 2 of this report provides guidance on information practices to achieve efficacy of counterterrorism programs while ensuring adequate civil liberties protections. All information practices related to information-based programs can be considered in the context of the typical information life cycle.
From page 127...
... For example, most commercial enterprises publish a privacy policy that defines how they treat customer information in each step of the information life cycle. Privacy policies generally define what information is collected, indicate customer rights to correct the information, state that the information is stored and used by the enterprise (typically at their discretion)
From page 128...
... Today, there are more than 5,600 telecommunications providers in the United States. Whereas in the past providers were distinguished by the technology of the communications medium involved, more recently deregulation and advances in technology have led to a convergence of technologies and companies, and today any company can become a telecommunications provider, thus expanding both the number of service providers and the types of communications services.
From page 129...
... Access to CPNI is strictly governed by federal and other legislation and by telecommunications regulations with severe penalties for each violation. Due to the significant growth in the types of communications services and a continuing large growth in communications volumes, as well as significant advances in technology, the nature, management, and governance of CPNI must be constantly updated, and laws, regulations, and practices must be revised to reflect new and emerging opportunities and threats, including those related to counterterrorism and civil liberties.
From page 130...
... for transactional databases and more than 100 TB with 3 trillion entries for data warehouses, which is equivalent in data volume to 10 times the contents of the Library of Congress. Growth rates over 2 years for these databases were between a factor of 2 for transactional databases and a factor of 3 for the largest data warehouse.
From page 131...
... 13 U.S. Department of Health, Education, and Welfare, Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens, Code of Fair Information Practices, July 1973, available at http://aspe.hhs.gov/datacncl/1973privacy/tocprefacemembers.htm.
From page 132...
... While many have developed their own, there is increasing adoption of formal frameworks based on reports of their efficacy, such as a 30 percent increase in productivity over 2 years through a consistent application of formal frameworks.18 Failures with framework implementation are often related to inappropriate selection of criteria, as well as to formulaic implementations that emphasize process and checklists by those who do not understand the objectives or how to evaluate whether they have been achieved.
14 The IT Governance Institute (ITGI)


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.