OMB Issues Recommendations for Laptop and “Sensitive Agency Information” Security

I’m just getting around to reading the memo issued largely in response to the VA laptop and hard drive incident by the Office of Management and Budget (OMB) on June 23, 2006, "Protection of Sensitive Agency Information."  This is a good document to serve as a model for other agencies and organizations for protecting personally identifiable information (PII) and other sensitive information.  The key to making this document effective will be good communication of the policies, procedures and requirements through ongoing awareness and training.

Let’s look at a few of the items within this memo, issued by Clay Johnson III, Deputy Director for Management:

"I am recommending all departments and agencies take the following actions:

  1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing;
  2. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;
  3. Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity; and
  4. Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required."

Why just make these recommendations?  Why not make them requirements?  This is weak wording and seems to allow agencies to skip these security requirements at their discretion.

Hopefully the OMB has documented what constitutes sensitive and non-sensitive information.  Otherwise recommendation #1 is also subjective and a weak statement to make…open again to interpretation.  They should provide a documented definition of what is considered sensitive and non-sensitive information…perhaps this is in their data classification policy, if they have one.

Requiring two-factor authentication from remote locations is a good security measure.  All organizations would be wise to implement this if they allow remote users access to network information that is confidential or is PII, or if remote computers hold PII and/or confidential information.

Requiring reauthentication after a short period of inactivity is a good idea for any computer with access to or containing your organization’s data.  Less time than 30 minutes of inactivity would be better.

Logging data access is always a good idea also.
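As an added example (not part of the memo or this post), here is how recommendation #4 can be turned into a checkable control rather than a paper policy: every computer-readable extract of sensitive data is logged when it leaves the database, and each entry must then be either erased or re-justified within the memo's 90-day window. Anything that is neither shows up as overdue for follow-up. The ledger class, the extract ids, the requester names, the database names and the dates are all constructed for illustration.

```python
# Added example, not from the OMB memo or the post: a minimal ledger that
# implements recommendation #4 (log every extract of sensitive data and
# verify within 90 days that it has been erased or is still required).
# All ids, names and dates below are constructed sample values.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

RETENTION_DAYS = 90  # verification window stated in the memo


@dataclass
class Extract:
    extract_id: str
    requester: str
    source: str                               # database the data came from
    extracted_at: datetime
    erased_at: Optional[datetime] = None      # set when erasure is confirmed
    justified_at: Optional[datetime] = None   # last "use still required" review


class ExtractLedger:
    """Record of sensitive-data extracts and their disposition."""

    def __init__(self) -> None:
        self._extracts: Dict[str, Extract] = {}

    def log_extract(self, extract_id: str, requester: str, source: str,
                    when: datetime) -> Extract:
        # Each extract gets exactly one ledger entry; duplicates are an error.
        if extract_id in self._extracts:
            raise ValueError(f"duplicate extract id {extract_id}")
        rec = Extract(extract_id, requester, source, when)
        self._extracts[extract_id] = rec
        return rec

    def record_erasure(self, extract_id: str, when: datetime) -> None:
        self._extracts[extract_id].erased_at = when

    def renew_justification(self, extract_id: str, when: datetime) -> None:
        # A reviewer confirms the extract is still needed; this restarts the clock.
        self._extracts[extract_id].justified_at = when

    def overdue(self, now: datetime) -> List[str]:
        """Ids of extracts that are neither erased nor reviewed within
        RETENTION_DAYS of their last review (or of the extraction itself)."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        result = []
        for rec in self._extracts.values():
            if rec.erased_at is not None:
                continue
            last_review = rec.justified_at or rec.extracted_at
            if last_review < cutoff:
                result.append(rec.extract_id)
        return sorted(result)


def build_sample_ledger() -> ExtractLedger:
    """Constructed sample data: four extracts with different outcomes."""
    ledger = ExtractLedger()
    t0 = datetime(2006, 6, 25)
    ledger.log_extract("EXT-0001", "analyst-a", "benefits_db", t0)
    ledger.log_extract("EXT-0002", "analyst-b", "benefits_db", t0)
    ledger.log_extract("EXT-0003", "analyst-c", "claims_db", t0)
    ledger.log_extract("EXT-0004", "analyst-d", "claims_db", datetime(2006, 9, 1))
    ledger.record_erasure("EXT-0001", datetime(2006, 7, 10))       # erased in time
    ledger.renew_justification("EXT-0002", datetime(2006, 9, 15))  # still required
    # EXT-0003: no erasure and no review, so it is overdue once 90 days pass
    # EXT-0004: recent extract, still inside the window
    return ledger


def sample_report(now_iso: str) -> List[str]:
    """Overdue extracts in the sample ledger as of the given ISO date."""
    return build_sample_ledger().overdue(datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    print("overdue as of 2006-10-01:", sample_report("2006-10-01"))
```

The useful property is that the check is mechanical: a scheduled job can run `overdue()` daily and route the result to the data owner, which is the kind of verification step the memo asks for but does not spell out.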

It will be good to see the agencies issue these recommendations, with stronger statements, as requirements within each of their agencies and offices.

"Please ensure these safeguards have been reviewed and are in place within the next 45 days."

Well, this is a stronger statement…it sounds more like a requirement.  However, it’s likely the actual solutions (such as two-factor authentication and encryption) cannot realistically be implemented within 45 days…unless these initiatives are already in progress.  This is optimistic, although well intentioned, and is probably being stated this way to help address the backlash from recent incidents.  All agencies should be able to have an implementation plan in place fairly quickly, though, showing an implementation timeline for each of the requirements.

The National Institute of Standards and Technology (NIST) checklist for protection of remote information is attached to the memo.  Again, this really is a great model to use for your own remote information asset protection plan.  I really like that they included the flowchart showing the process; visually providing the flow of procedures always helps those responsible for implementing them better understand what is involved and how to do it correctly.

There are many references to NIST documents within the memo attachment.  I encourage organizations to visit the NIST special publications site to take advantage of this repository of information security guidance.
