Breach Response and Management
FRTIB has an obligation to protect the information TSP participants, beneficiaries, and others entrust to the Agency. The Privacy Division takes this obligation very seriously and has developed a policy and procedures to inform FRTIB employees and contractors of their obligation to protect PII and to instruct them in the specific steps they must take in the event of an actual or potential compromise of PII. FRTIB’s process for responding to a breach of PII is detailed in the Agency’s Breach Response Policy and Procedures, which is based on OMB Memorandum 17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and requires:1
- All FRTIB employees and contractors to immediately report any potential or actual incidents to FRTIB’s Incident Response Team (IRT) as soon as they become aware that an incident may have occurred;
- The Privacy Division or BRT to investigate the facts and circumstances surrounding the potential breach and to determine whether PII was actually compromised;
- The CPO or SAOP to assess the risk of the breach and determine which remediation methods should be used in the event of an actual compromise of PII based on the type of harm caused to the individual(s);
- The BRT to prepare after-action reports for high- and moderate-risk breaches that document the details of the breach and the steps taken to remediate the gaps that allowed it to occur; and
- The Agency to conduct an annual tabletop exercise: a structured, readiness-testing activity that simulates an actual incident involving PII and is designed to prepare key stakeholders and decision-makers for an emergency situation involving a data breach.
ITSMD maintains a separate Cyber Incident Response Policy and Procedures, which detail the Agency’s procedures for detecting, containing, responding to, and preventing incidents, in accordance with NIST SP 800-61, Rev. 2, Computer Security Incident Handling Guide. The Cyber Incident Response and Breach Response processes work together in the event of a cyber incident involving PII.