DRAFT - Conducting a P/CRCL Audit
Participating in (or conducting) an audit of privacy, civil rights, and civil liberties (P/CRCL) protections is one of the key responsibilities for a fusion center P/CRCL Officer. Each fusion center's P/CRCL Policy (62pp | 1.4mb | PDF) requires an annual policy audit to ensure the policy is at least as comprehensive as the Guidelines to Ensure that the Information Privacy and Other Legal Rights of Americans are Protected in the Development and Use of the Information Sharing Environment (ISE Privacy Guidelines) (9pp | 130kb | PDF).
In addition, the DHS Fusion Center Annual Assessment of fusion center capabilities includes several questions about conducting an audit on P/CRCL issues. It is a best practice to conduct a comprehensive audit that includes questions on P/CRCL policy implementation.
Below is a representation of the fusion center P/CRCL process from the development of a P/CRCL Policy to conducting an audit and a Civil Rights and Civil Liberties Impact Assessment.
Fusion Center Guidance: Compliance Verification vs. Audit
- P/CRCL Compliance Review – The first step for any fusion center is to assess whether the center has the capability to assess implementation of protections described in documentation, to identify areas for improvement, and to correct course if necessary. A compliance review is also a requirement under the Homeland Security Grant Program Requirements.
- P/CRCL Audits – An audit is an assessment of information for an organization, person, or project. Audits provide insight on the internal structure of an organization, root out any misconduct or misapplication of policy, and determine the accuracy of information that the organization, person, or project produces. The goal of an audit is to identify challenges and propose solutions.
Audits may be conducted by external entities and/or be initiated internally. There are numerous types of audits (e.g., financial audits, desk audits, self-audits) that can focus on specific issues. Organizations may also opt to roll several audits into one.
- Conducting Fusion Center Audits (19pp | 1.3mb | PPT) - This training PowerPoint, which was modeled after a presentation at a November 2012 National Workshop for P/CRCL Officers, offers a good overview of conducting an audit with example questions and tips.
- Compliance Verification Checklist for Fusion Centers (51pp | 4.1kb | PDF). The Privacy, Civil Rights, and Civil Liberties Compliance Verification for the Intelligence Enterprise Tool, created by the Global Justice Information Sharing Initiative, provides a detailed and helpful survey with a section on privacy, civil rights, and civil liberties protections. It has served as the basis for the peer-to-peer audit process now underway among many fusion centers (p. 29) (40pp | 2.4mb | PDF).
- Sample Federal Privacy Compliance Review reports — The DHS Privacy Office conducts privacy compliance reviews for the Department of Homeland Security (DHS), which may prove helpful as samples for fusion center P/CRCL Officers and their audit teams.
For additional guidance on how to get started, review our audit guidance page.