The Department of Housing and Urban Development (HUD) is not effectively protecting sensitive information exchanged with external entities, the Government Accountability Office found.
Of four leading practices for such oversight, HUD did not address one practice and only minimally addressed the other three in its security and privacy policies and procedures (see table). For example, HUD minimally addressed the first leading practice because its policy required federal agencies and contractors with which it exchanges information to implement risk-based security controls; however, the department did not, among other things, establish a process or mechanism to ensure all external entities complied with security and privacy requirements when processing, storing, or sharing information outside of HUD systems. HUD’s weaknesses in the four practices were due largely to a lack of priority given to updating its policies. Until HUD implements the leading practices, it is unlikely that the department will be able to mitigate risks to its programs and program participants.
HUD was not fully able to identify external entities that process, store, or share sensitive information with its systems used to support housing, community investment, or mortgage loan programs. HUD’s data were incomplete and did not provide reliable information about external entities with access to sensitive information from these systems. For example, GAO identified additional external entities in system documentation beyond what HUD reported for 23 of 32 systems. HUD was further limited in its ability to protect sensitive information because it did not track the types of personally identifiable information or other sensitive information shared with external entities that required protection. This occurred, in part, because the department did not have a comprehensive inventory of systems, including information on the external entities associated with each system. Its policies and procedures also focused primarily on security and privacy for internal systems and lacked specificity about how to ensure that all types of external entities protected information collected, processed, or shared with the department. Until HUD develops sufficient, reliable information about the external entities with which program information is shared, and about the extent to which each entity has access to personally identifiable information and other sensitive information, the department will be limited in its ability to safeguard information about its housing, community investment, and mortgage loan programs.
GAO is making five recommendations to HUD to fully implement the four leading practices and fully identify the extent to which sensitive information is shared with external entities.
HUD did not agree or disagree with the recommendations, but described actions intended to address them.