OMB sets one-hour data breach rule

Agencies must report incidents to U.S. CERT, detail security spending

By Mary Mosquera, GCN Staff

With the deluge of recent data breaches, the Office of Management and Budget is pushing agencies toward stricter IT security accountability.

Agencies now have a clear standard for reporting all incidents and a comprehensive definition of personally identifiable information.

Some chief information security officers said OMB’s effort clarifies the steps agencies must take when an incident occurs—report it to the U.S. Computer Emergency Readiness Team within one hour of discovery—and simplifies the explanation of which incidents need to be recorded immediately.

The new standards will help CISOs obtain executive buy-in for the IT security programs they are implementing, CISOs said.

“People generally know what you mean when you say personal information. But it helps us develop our policies and procedures to make sure we’re on the same level as to what we mean when we say sensitive information,” said Patrick Howard, the Housing and Urban Development Department’s CISO.

Standard time

Previously, agencies worked on different reporting timetables, depending on the incident. But in a recent memo, OMB strengthened notification procedures by making the one-hour requirement standard for any compromise of sensitive personal data.

“You should report all incidents involving personally identifiable information in electronic or physical form and should not distinguish between suspected and confirmed breaches,” Karen Evans, OMB administrator for e-government and IT, wrote in the memo.

“That’s clear-cut. It’s stringent but certainly doable,” Howard said.

OMB issued the memo despite the fact that the Federal Information Security Management Act of 2002 already requires agencies to report security incidents within one hour to the U.S. CERT, which operates under the Homeland Security Department.

“Under prior reporting requirements, agency performance was mixed,” said an OMB official, who requested anonymity.

CISOs also have wanted OMB to clearly define personally identifiable information. That definition includes such information as someone’s name, Social Security number, date and place of birth, mother’s maiden name and biometric records, as well as their educational, financial, medical, employment or criminal histories. The comprehensive definition makes it easier for CISOs to spell out in their glossaries which information they are identifying as sensitive.

OMB has increased its guidance to push agencies toward stronger information security accountability following recent reports of data breaches at several agencies, including the Energy and Agriculture departments, the IRS and Navy.

But it was the delayed report of the theft of sensitive information belonging to up to 26 million veterans, reservists and active-duty military—three weeks after the incident—that cast the spotlight not only on gaps in agencies’ security controls but also on notification procedures.
