
OMB Issues Recommendations for Laptop and "Sensitive Agency Information" Security

I'm just getting around to reading the memo issued largely in response to the VA laptop and hard drive incident by the Office of Management and Budget (OMB) on June 23, 2006, "Protection of Sensitive Agency Information."  This is a good document to serve as a model for other agencies and organizations for protecting personally identifiable information (PII) and other sensitive information.  The key to making this document effective will be good communication of the policies, procedures and requirements through ongoing awareness and training.

Let's look at a few of the items within this memo, issued by Clay Johnson III, Deputy Director for Management:

"I am recommending all departments and agencies take the following actions:

  1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing;
  2. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;
  3. Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity; and
  4. Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required."

Why just make these recommendations?  Why not make them requirements?  This is weak wording and seems to allow agencies to skip these security requirements at their own discretion.

Hopefully the OMB has documented what constitutes sensitive and non-sensitive information.  Otherwise recommendation #1 is also subjective and a weak statement to make, open again to interpretation.  They should provide a documented definition of what is considered sensitive and non-sensitive information; perhaps this is in their documented data classification policy, if they have one.

Requiring two-factor authentication from remote locations is a good security measure.  All organizations would be wise to implement this if they allow remote users access to network information that is confidential or is PII, or if those users have PII and/or confidential information on their remote computers.

Requiring reauthentication after a short period of inactivity is a good idea for any computer with access to or containing your organization's data.  Less time than 30 minutes of inactivity would be better.

Logging data access is always a good idea also.
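Recommendation #4 is the one most easily turned into a routine check: keep a log of every computer-readable extract of sensitive data, then periodically flag any extract that has neither been erased nor had its continued use re-justified within 90 days.  The script below is an added illustration of that review, not part of the memo or this post; the log records, field names and dates are constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample extract log (not real agency data): one record per
# computer-readable extract of sensitive data.  "rejustified" holds the date
# of the most recent written confirmation that the extract is still required,
# or None if no such confirmation has been recorded.
EXTRACT_LOG = [
    {"id": "X-001", "taken": date(2006, 3, 1),  "erased": True,  "rejustified": None},
    {"id": "X-002", "taken": date(2006, 3, 15), "erased": False, "rejustified": None},
    {"id": "X-003", "taken": date(2006, 5, 20), "erased": False, "rejustified": None},
    {"id": "X-004", "taken": date(2006, 2, 1),  "erased": False, "rejustified": date(2006, 6, 1)},
]

# The memo's verification window: erased, or still required, within 90 days.
RETENTION = timedelta(days=90)


def extract_status(record, today):
    """Classify one extract against the 90-day rule.

    Returns "erased", "within_window" (the 90-day clock has not run out since
    the extract was taken or last re-justified) or "overdue" (no erasure and
    no re-justification recorded inside the window: someone must act).
    """
    if record["erased"]:
        return "erased"
    clock_start = record["rejustified"] or record["taken"]
    if today - clock_start <= RETENTION:
        return "within_window"
    return "overdue"


def review(log, today):
    """Map every extract id to its status as of `today`."""
    return {r["id"]: extract_status(r, today) for r in log}


def overdue_extracts(log, today):
    """Ids that need either erasure or a fresh written justification."""
    return [r["id"] for r in log if extract_status(r, today) == "overdue"]


if __name__ == "__main__":
    as_of = date(2006, 6, 23)  # the memo's issue date, used as the review date
    for extract_id, status in review(EXTRACT_LOG, as_of).items():
        print(f"{extract_id}: {status}")
    print("overdue:", overdue_extracts(EXTRACT_LOG, as_of))
```

Run against the review date above, X-002 (taken 100 days earlier, never erased or re-justified) is the only overdue extract; X-004 is older still but its June 1 re-justification restarted its clock.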

It will be good to see the agencies issue these recommendations, with stronger statements, as requirements within each of their agencies and offices.

"Please ensure these safeguards have been reviewed and are in place within the next 45 days."

Well, this is a stronger statement; it sounds more like a requirement.  However, it's likely the actual solutions (such as 2-factor authentication and encryption solutions) cannot be realistically implemented within 45 days, unless these initiatives are already in progress.  This is optimistic, although well intentioned, and is probably being stated in this way to help address the backlash from recent incidents.  All agencies should be able to have an implementation plan in place fairly quickly, though, showing an implementation timeline for each of the requirements.

The National Institute of Standards and Technology (NIST) checklist for protection of remote information is attached to the memo.  Again, this really is a great model to use for your own remote information asset protection plan.  I really like that they included the flowchart showing the process; visually laying out the flow of procedures always helps those responsible for implementing them better understand what is involved and how to do it correctly.

There are many references to NIST documents within the memo attachment.  I encourage organizations to visit the NIST special publications site to take advantage of this great repository of information security guidance.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.