45 CFR 310.15 - What are the safeguards and processes that comprehensive Tribal IV-D agencies must have in place to ensure the security and privacy of Computerized Tribal IV-D Systems and Office Automation?
(a) Information integrity and security. The comprehensive Tribal IV-D agency must have safeguards on the integrity, accuracy, completeness, access to, and use of data in the Computerized Tribal IV-D System and Office Automation. Computerized Tribal IV-D Systems and Office Automation should be compliant with the Federal Information Security Management Act, and the Privacy Act. The required safeguards must include written policies and procedures concerning the following:
(1) Periodic evaluations of the system for risk of security and privacy breaches;
(2) Procedures to allow Tribal IV-D personnel controlled access and use of IV-D data, including:
(i) Specifying the data which may be used for particular IV-D program purposes, and the personnel permitted access to such data;
(ii) Permitting access to and use of data for the purpose of exchanging information with State and Tribal agencies administering programs under titles IV-A, IV-E and XIX of the Act to the extent necessary to carry out the comprehensive Tribal IV-D agency's responsibilities with respect to such programs;
(3) Maintenance and control of application software program data;
(4) Mechanisms to back-up and otherwise protect hardware, software, documents, and other communications; and,
(5) Mechanisms to report breaches or suspected breaches of personally identifiable information to the Department of Homeland Security, and to respond to those breaches.
(b) Monitoring of access. The comprehensive Tribal IV-D agency must monitor routine access to and use of the Computerized Tribal IV-D System and Office Automation through methods such as audit trails and feedback mechanisms to guard against, and promptly identify, unauthorized access or use;
(c) Training and information. The comprehensive Tribal IV-D agency must have procedures to ensure that all personnel, including Tribal IV-D staff and contractors, who may have access to or be required to use confidential program data in the Computerized Tribal IV-D System and Office Automation are adequately trained in security procedures.
(d) Penalties. The comprehensive Tribal IV-D agency must have administrative penalties, including dismissal from employment, for unauthorized access to, disclosure or use of confidential information.