On November 6 there was an interesting hearing held by the U.S. Subcommittee on Federal Workforce, Postal Service, and the District of Columbia about teleworking in the federal agencies.
Considering the large numbers of privacy breaches occurring within government agencies involving mobile computing devices and storage devices, this caught my eye.
Read through the testimonies and you’ll find that overall, the number of federal teleworkers dropped in 2006 compared to 2005 because of information security concerns. This would seem to indicate security is becoming more of a concern. However, as you dig into the testimony you’ll find this is a bit misleading.
According to the testimony of Daniel A. Green, deputy associate director at the Office of Personnel Management’s (OPM) Center for Employee and Family Support Policy, there were 119,248 teleworkers in 2005 compared to 111,549 in 2006; 7,699 fewer teleworkers. To quote Green:
“Agencies have justifiably become increasingly concerned with the security of information systems overall and may perceive remote access of any kind as particularly problematic.”
Green reported the OPM is working to improve data security measures in many ways, including working with intelligence agencies to determine how the federal telework centers can be updated to create a more secure environment.
Well, that is good!
It is interesting to note that, even though Green did not name any specific agencies, the Veterans Affairs (VA) agency stopped allowing Veterans Benefits Administration employees to work from their homes in June 2006, soon after their widely publicized privacy breach with the laptop theft. This contributed to some of the dropping numbers.
However, there has not been a decline in teleworking in all agencies. In fact, Green reported a large increase within the U.S. Department of Labor (DOL):
“The U.S. Department of Labor is a good example of the positive impact of COOP/pandemic influenza planning preparedness on telework program participation. From 2005 to 2006 the agency had a 43% increase in the total number of teleworkers.”
and also within the U.S. International Trade Commission:
“The use of telework at the U.S. International Trade Commission more than quadrupled from 2005 to 2006, which Commission officials attribute to the ease of administration of their telework program.”
There have been privacy breaches reported in the state DOL offices, but I did not find, in my very quick check, any reports of breaches in the U.S. DOL.
The Federal Trade Commission had a breach reported on June 22, 2006 that involved around 110 individuals, but through a very quick check I did not find any reported breaches for the International Trade Commission.
So, it appears, perhaps, that as privacy breaches occur involving mobile computing devices and storage devices, the remote working capabilities are discontinued in the impacted agencies, but the remote working continues to expand greatly within the other agencies that have not yet had reported breaches.
Hopefully those expanding teleworking have first implemented strong and effective safeguards. The U.S. DOL site provides information about their E-Government Security and Privacy Framework.
However, as expected, no details about teleworking are found within it. They did indicate that the U.S. DOL received the “second highest overall grade and the highest of any cabinet department in a report on Federal computer security by the House Government Reform Committee’s Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations” so that is encouraging.
The executive report for the 2007 information security program audit is posted on the U.S. International Trade Commission site and shows some significant concerns; namely:
“In addition to the ten open prior-year recommendations, this report identifies five new weaknesses. These weaknesses relate to:
1. Administration of the Plans of Action and Milestones
2. Compliance with E-Authentication risk assessment requirements
3. Annual security controls testing and evaluating
4. Security awareness training for new employees and contractors
5. Implementation of required minimum security controls”
The lack of security awareness training and the lack of minimum security controls worry me that all these increased numbers of teleworkers are exposing a large amount of PII to vulnerabilities that will result in privacy breaches.
I’m a big proponent of the benefits of teleworking. However, strong and effective safeguards, and ongoing information security and privacy training and awareness, must be implemented to make teleworking a secure practice, in addition to being a time-saving and fuel-saving practice.