45 CFR 310.15 - What are the safeguards and processes that comprehensive Tribal IV-D agencies must have in place to ensure the security and privacy of Computerized Tribal IV-D Systems and Office Automation?
(a) Information integrity and security. The comprehensive Tribal IV-D agency must have safeguards on the integrity, accuracy, completeness, access to, and use of data in the Computerized Tribal IV-D System and Office Automation. Computerized Tribal IV-D Systems and Office Automation should be compliant with the Federal Information Security Management Act, and the Privacy Act. The required safeguards must include written policies and procedures concerning the following:
(1) Periodic evaluations of the system for risk of security and privacy breaches;
(2) Procedures to allow Tribal IV-D personnel controlled access and use of IV-D data, including:
(i) Specifying the data which may be used for particular IV-D program purposes, and the personnel permitted access to such data;
(ii) Permitting access to and use of data for the purpose of exchanging information with State and Tribal agencies administering programs under titles IV-A, IV-E and XIX of the Act to the extent necessary to carry out the comprehensive Tribal IV-D agency's responsibilities with respect to such programs;
(3) Maintenance and control of application software program data;
(4) Mechanisms to back-up and otherwise protect hardware, software, documents, and other communications; and,
(5) Mechanisms to report breaches or suspected breaches of personally identifiable information to the Department of Homeland Security, and to respond to those breaches.
(b) Monitoring of access. The comprehensive Tribal IV-D agency must monitor routine access to and use of the Computerized Tribal IV-D System and Office Automation through methods such as audit trails and feedback mechanisms to guard against, and promptly identify, unauthorized access or use;
(c) Training and information. The comprehensive Tribal IV-D agency must have procedures to ensure that all personnel, including Tribal IV-D staff and contractors, who may have access to or be required to use confidential program data in the Computerized Tribal IV-D System and Office Automation are adequately trained in security procedures.
(d) Penalties. The comprehensive Tribal IV-D agency must have administrative penalties, including dismissal from employment, for unauthorized access to, disclosure or use of confidential information.