In a report by the Government Accountability Office (GAO), the Department of Housing and Urban Development (HUD) was found to not be taking enough action to protect information exchanged with affiliated agencies, contractors, and state, local, and tribal groups.
HUD is responsible for collecting sensitive personal information for its housing, community investment, and mortgage loan programs. While HUD “expects external entities to have security and privacy controls for processing, storing, or sharing information outside of HUD systems,” it hasn’t established policies to ensure they protect data.
Of the four leading practices for overseeing the protection of sensitive information, HUD only minimally addressed three and did not address one at all. Those practices include:
- Requiring risk-based security and privacy controls;
- Independently assessing implementation of controls;
- Identifying and tracking corrective actions needed; and
- Monitoring progress implementing controls.
“HUD was further limited in its ability to protect sensitive information because it did not track the types of personally identifiable information or other sensitive information shared with external entities that required protection,” the report said. “This occurred, in part, because the department did not have a comprehensive inventory of systems, to include information on external entities.”
The report goes on to state that HUD has focused its security and privacy efforts on internal systems and that until HUD develops reliable information about external entities’ security and privacy controls, HUD will be “limited in its ability to safeguard information about its housing, community investment, and mortgage loan programs.”