[ISN] Lawmakers ask agencies for data security update

From: InfoSec News (alerts@private)
Date: Tue Feb 26 2008 - 00:12:47 PST


http://www.fcw.com/online/news/151741-1.html

By Jason Miller
FCW.com
February 25, 2008

Two high-ranking senators want to know when agencies will fully 
implement the Bush administration's requirements to protect personally 
identifiable data.

Sens. Susan Collins (R-Maine), ranking member of the Homeland Security 
and Governmental Affairs Committee, and Norm Coleman (R-Minn.), ranking 
member of the Homeland Security and Governmental Affairs Committee's 
Permanent Subcommittee on Investigations, sent letters to 24 Cabinet 
agencies Feb. 22 requesting a written timeline for when they will meet 
all four requirements laid out by the Office of Management and Budget in 
a June 2006 memo.

In the letter, the senators told the agency secretary which of the five 
requirements the department needs to implement. The lawmakers also asked 
for status updates or compliance timelines for five other OMB memos 
dating as far back as 2005 that deal with data security, including 
designating senior officials in charge of privacy.

"As the federal government obtains and processes information about 
individuals in increasingly diverse ways, it is critically important 
that it ensure the privacy rights of individuals are respected and that 
personal information is properly secured and protected," the senators 
wrote.

The letter comes on the same day the Government Accountability Office 
found agency progress in meeting these June 2006 security requirements 
inconsistent.

Auditors said most agencies -- 22 of them -- have developed policies 
requiring personally identifiable information to be encrypted on mobile 
computers and devices, and 15 agencies have policies that require the 
hardware to time out after more than 30 minutes of inactivity.

But GAO also found that only 11 agencies have established policies to 
log computer-readable data extracts and erase data after 90 days, while 
14 implemented two-factor authentication where one of the factors is 
provided by a device separate from the computer gaining access.

Auditors said many agencies are still researching the technology to use 
to log computer-readable data extracts and erase data.

GAO also found that only four agencies had policies requiring the use of 
the National Institute of Standards and Technology's security checklist 
in Special Publication 800-53. In addition, 20 agencies had written 
policies that require encryption software to comply with NIST Federal 
Information Processing Standard 140-2.

"Gaps in their policies and procedures reduce agencies' ability to protect 
personally identifiable information from improper disclosure," auditors 
wrote. "We reiterate, however, as we have in the past, that although 
having specific policies and procedures in place is an important factor 
in helping agencies to secure their information systems and to protect 
personally identifiable information, proper implementation of these 
policies and procedures remains crucial."

Coleman and Collins expressed dismay about the report's findings.

"The findings released in this report are very troubling, indicating that 
agency after agency has failed to make securing citizens' personal 
information a high priority," Coleman said in a statement. "The clock is 
ticking and we need to know when the agencies are going to have the 
protections in place to stop the numerous data breaches we have seen 
over the past few years. The bottom line is the federal government has a 
responsibility to ensure the personal information it collects from its 
citizens is properly secured and protected."

Collins added that agencies need to act more quickly to protect 
sensitive data.

OMB officials agreed with the report and said they added these 
requirements as part of the agency scores under the e-government portion 
of the President's Management Agenda score card, GAO said.

"OMB is working with the agencies and monitoring their progress in 
addressing the recommendations of the President's Identity Theft Task 
Force," said Karen Evans, OMB's administrator for e-government and 
information technology, in a statement. "It's important to ensure that 
agencies have the proper security controls in place to minimize and 
prevent risks to the public's information."

"The GAO report has shown improvements have been made, but we are 
woefully short of where we should be 18 months after the OMB directives," 
said Rep. Tom Davis (R-Va.), ranking member of the Oversight and 
Government Reform Committee. "I'm particularly concerned about the pace of 
efforts to encrypt personal data kept on laptops and other mobile 
devices. Citizens' most sensitive information should not be walking 
around waiting to be lost or stolen. Too many laptops and hard drives 
still go missing, and too many people's critical digital identities are 
put at risk when that happens."

