9. Biometrics IT Redacted Report
INTERNAL AUDIT
Redacted Version of Security Sensitive Report to Remove Security Sensitive Language

Internal Audit (IA) completed an Information Technology (IT) audit of Biometric controls related to the Biometric Air Exit (BAX) project for the period January 2020 through May 2021. The audit was performed to evaluate the adequacy of internal controls related to secure data storage, privacy, and network security around the processes for creating, storing, and transmitting biometric data for the BAX project. In addition, we reviewed compliance with the 49 requirements of the Port of Seattle's (Port's) "EX-23 Biometric Air Exit Policy" and the U.S. Customs and Border Protection's "Biometric Air Exit Business Requirements (v2.0)."

"U.S. Customs and Border Protection (CBP) is congressionally mandated to implement a biometric entry/exit system. CBP's Traveler Verification Service (TVS) offers a process for compliance with the pre-departure clearance of passengers under the Intelligence Reform and Terrorism Prevention Act. TVS uses facial comparison technology in a cloud environment to match live traveler photos with photos maintained in U.S. Government holdings. Stakeholder participation in biometric exit is voluntary and is not mandated by CBP." [1]

While CBP has the authority to conduct its own BAX events for departing international flights, this review focused only on the Port's BAX processes; CBP currently has no plans to continue its own BAX screening at Seattle-Tacoma International Airport given the Port's full implementation of the program.

In reviewing the CBP requirements, Internal Audit noted that they included reasonable protections for data storage, privacy, and network security of the relevant biometric data, which consisted of images of departing international airline passengers. Our testing included reviewing the BAX processes for compliance with these requirements.

Based on the work we performed and the information gathered, Internal Audit concluded that the BAX program has achieved reasonable compliance with both CBP and Port policy requirements. There were a small number of non-compliant processes and several required processes which had not been implemented at the initial point of review in the audit. All the non-compliant items were corrected during the audit, and all the required processes were completed or were acceptably in process to be completed. Appendix B is an abbreviated list of the issues identified and corrected during the audit. Additionally, it would be of value to include the BAX hardware/software in the annual Attack and Penetration Assessment that is conducted by the Information Security department.

Internal Audit would like to thank the Port's Aviation Innovation, External Relations Communications, Government Relations, Information Security, Information and Communications Technology, and Aviation Maintenance departments for their cooperation and partnership during this audit.
Glenn Fernandes, CPA
Director, Internal Audit

Responsible Management Team
Matt Breed, Chief Information Officer
Stuart Mathews, Director, Aviation Maintenance
Nate Caminos, Director, Government Relations
Kathy Roeder, Director, Public Affairs Communications
Ron Jimerson, Director, Information Security
David Wilson, Director, Aviation Innovation

[1] U.S. Customs and Border Protection Biometric Air Exit Requirements Document, v2.0

The Port of Seattle (Port) is a public enterprise and employs approximately 2,000 employees. The Port owns and operates assets including Seattle-Tacoma International Airport (SEA), conference facilities, fishing and recreational boating marinas, industrial properties, and cruise ship terminals. This Information Technology audit included the following departments in its scope:

Information & Communication Technology (ICT) delivers and supports a wide variety of technology solutions to enable Port objectives.

The Government Relations Department is responsible for a wide variety of local, state, and federal policy advocacy, which not only includes engaging directly with elected officials and key agencies but also researching, developing, and analyzing policies and policy positions that are in line with the Port's legislative priorities.

External Relations Communications is responsible for sharing information about the Port to external audiences using mass communications channels, such as media relations, the Port of Seattle website, social media, and email newsletters.

The Information Security Department is integrated with ICT, Maritime, and Aviation Maintenance. The department provides strategies, operations, and controls for protecting the Port's information systems and sensitive data while increasing business resiliency.

Aviation Maintenance provides services to support the operations of Seattle-Tacoma International Airport, its tenants, and its guests.

Aviation Innovation incubates and promotes employee innovation with the Shark Tank and Crowdsource Innovation Challenge processes. The team also provides support for airline and passenger technology solutions.

In 2020, the Port continued its efforts to lead the development of biometric policies and procedures that emphasize travelers' privacy and civil liberties, while ensuring a safe, respectful, and efficient customer experience for those passengers departing SEA on international flights. Following months of engagement with the aviation industry, federal officials, and civil liberties groups, the Port Commission (Commission), on March 10, 2020, directed staff to implement new policies governing the implementation of "Biometric Air Exit" (BAX) at SEA. BAX is a federally regulated program that uses facial recognition to confirm the identities of departing international passengers at the boarding gate. All departing international passengers, U.S. citizen or foreign national, have the right to opt out of biometric processing and request manual screening to confirm their identity. Because of its voluntary and one-to-one nature, BAX complies with the Port's prohibition against mass surveillance using facial recognition technology.

To assure the Port can enforce policies related to data privacy and traveler rights, the Commission also authorized a Request for Proposals (RFP) for up to 30 BAX systems for installation at SEA, so that the Port, not the federal government, could control the traveler engagement aspects of this process. The contract award for that RFP required full compliance with the Port's BAX policies, such as ensuring that data transmitted to CBP by the Port or received by the Port from CBP is not stored or used for commercial purposes and that cameras are appropriately positioned to avoid photographing other passengers.
The initial SEA launch of BAX was implemented on December 17, 2020, at gate S16 (in the South Satellite) for EVA Air and is currently being used by EVA Air, Japan Airlines, Korean Air, Asiana Airlines, and Qatar Airways. The BAX system consists of 53 cameras installed at 15 S-gates in the South Satellite and 15 A-gates in the Main Terminal. Additionally, there is a separate ongoing project to install cameras at two N-gates in the North Satellite.

By implementing BAX, the Port was able to control the training of airline personnel and require that the training include sensitivity for dealing with passengers who may be concerned with facial recognition. Additionally, the Port was able to receive approval from CBP to develop and use its own signage at the departure gates, allowing for considerably larger signs with language that more clearly explains the passengers' rights to accept or decline the use of facial recognition.

We conducted this Information Technology audit in accordance with Generally Accepted Government Auditing Standards and the International Standards for the Professional Practice of Internal Auditing. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

The period audited was January 2020 through May 2021 and included the following procedures:

Policies and Requirements
- Obtained copies of the Port's EX-23 Biometric Air Exit Policy and CBP's Biometric Air Exit Business Requirements (v2.0) and assessed compliance.

Privacy and Security
- Evaluated CBP's Biometric Air Exit Business Requirements (v2.0) to determine whether they adequately addressed sensitive data protection.
- Evaluated relevant encryption settings.
- Performed testing to determine whether encryption settings were operating effectively.
- Evaluated logon accounts for appropriate security configurations.

Internal Audit also gained an understanding of the related internal controls by inquiring with the following Port management:
1) Director, ICT Technology Delivery
2) Director, ICT Infrastructure Services
3) Director, Public Affairs Communications
4) Senior Manager, Federal & International Government Relations
5) Director, Aviation Innovation
6) Manager, Information Security
7) Manager, Aviation Maintenance

Findings identified during the audit are assigned a risk rating, as outlined in the table below. Only one of the criteria needs to be met for a finding to be rated High, Medium, or Low. Findings rated Low will be evaluated and may or may not be reflected in the final report.
Rating | Financial Stewardship | Internal Controls | Compliance | Public | Commission/Management
High | Significant | Missing or not followed | Non-compliance with Laws, Port Policies, Contracts | High probability for external audit issues and/or negative public perception | Requires immediate attention
Medium | Moderate | Partial controls; not functioning effectively | Partial compliance with Laws, Port Policies, Contracts | Potential for external audit issues and/or negative public perception | Requires attention
Low | Minimal | Functioning as intended but could be enhanced to improve efficiency | Mostly complies with Laws, Port Policies, Contracts | Low probability for external audit issues and/or negative public perception | Does not require immediate attention

The contents of this appendix were redacted in order to create a non-security sensitive version of this report.