Government Computer News
Secure Measures
SPECIAL REPORT: The Next Steps for Security | Agencies work to catch up to OMB mandates for protecting mobile data.
Digg
De.licio.us
Slashdot
Technorati
OMB's Four Ways to Improve Data Security
In June, just weeks after the Veterans Affairs Department revealed an employee lost a notebook PC containing the personal information of 26 million veterans, the Office of Management and Budget directed agencies to meet four requirements.
- Encrypt all data on mobile computers/devices which carry agency data unless the data is determined, in writing, to be nonsensitive by your deputy secretary or an individual he or she may designate
- Allow remote access only with two-factor authentication, where one of the factors is provided by a device separate from the computer gaining access
- Log all computer-readable data extracts from databases holding sensitive information and verify whether each extract, including sensitive data, either has been erased within 90 days or its use is still required.
- Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes of inactivity. Most agencies have implemented this process.
Also in this report
IGs Depict Laggard Security Upgrade Progress
Karen Evans, Office of Management and Budget administrator for e-government and IT, last year commissioned a study of how well agencies are protecting sensitive personal information.
The results confirm the impressions of IT leaders contacted for this report, in that they reflect halting and uneven security upgrades.
John P. Higgins, Education Department inspector general, and his staff compiled results of the study from 49 unclassified inspector general office reports and sent them to Evans in October.
“For the 49 responses consolidated here, only 11 OIGs report that their agency has confirmed identification of [personal identifying information] protection needs, including verification of information categorization and existing risk assessments,” the study said.
The analysis, titled Federal Agencies’ Efforts to Protect Sensitive Information, is posted at the Web site of the President’s Council on Integrity and Efficiency (GCN.com, Quickfind 728).
The survey found, among other results, that:
- Three-quarters of agencies still were confirming their needs for protecting personal identifying information.
- Agencies had trouble developing detailed, enforceable and firm policies to limit physical removal, remote access, remote download and storage of sensitive personal information.
- Shielding personal information presents agencies with difficult technical, organizational and enforcement problems; some agencies planned to completely overhaul their encryption systems, while other used risk-based methods to rank their security priorities.
- Many agencies have implemented “time-out” functions, but most are behind in adopting encryption, two-factor authentication and erasure of database extracts after 90 days.
“Most federal agencies are still at risk for improper access and disclosure of personally identifiable information and other sensitive data, despite continued progress toward the establishment of appropriate safeguards,” the report concluded.
The authors of the aggregated statistical report judged that its detailed results were too sensitive for public disclosure, likely because they could pinpoint specific agencies’ security shortcomings.
Wilson P. Dizard III
Agencies’ widespread security shortcomings have been highlighted by their stumbling compliance with last summer’s Office of Management and Budget mandate to upgrade data protection on mobile systems.
OMB’s four required steps (see box) are built on long-standing federal law and policy, including the Federal Information Security Management Act and OMB Circular A-123, that most agencies have fallen short in meeting. That’s despite OMB’s claim in the June 23 memo that, “Most departments and agencies have these measures already in place.”
Survey data from inspectors general confirm the finding of a GCN survey of federal IT specialists that the security improvements are confused and halting.
IT leaders cite a matrix of policy, technical and cultural barriers that hobble security improvements:
- Funding shortfalls, which can amount to millions per agency to pay for mandated upgrades
- Technical barriers to adopting three of the four security measures
- Organizational obstacles to adopting tighter security procedures, such as the need to train data users on requirements embedded in the National Institute of Standards and Technology’s Special Publication 800-53 regarding the use of virtual private networks for remote access
- Difficulties in retrofitting upgraded IT security controls on legacy systems, many of which use custom code that can respond unpredictably to software upgrades
- User—and even management—resistance to taking the additional steps and time to carry out new security requirements.
Adoption of the new measures varies by agency and by the specific steps involved, officials said.
“Time-out was the easiest of the four. The other three require strong coordination and planning, along with, in some cases, money,” said Barry West, Commerce Department CIO. “We were fortunate to get the encryption software before the new fiscal year, so we weren’t affected by the continuing resolution because I had budgeted money for security.” Commerce officials allocated the cost of the new systems across bureaus based on the number of users in each office, West said.
 | |||
| Latest News |  WashingtonTechnology.com |
FCW.com |
|
GCN.com
The latest technology news from GCN.com
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
 |
![1105 Government Information Group [happiness]](/images/1105logo_website.gif "Government Computer News [happiness]")
© 1996-2008 1105 Media, Inc. All Rights Reserved.
