The InformationWeek -- Blogs
CIOs Uncensored


10 Rules For Avoiding Identity Theft 'Mistakes'


Posted by John Soat, Jul 18, 2007 07:13 PM

The federal government is trying to clean up its act when it comes to ID theft. That includes lecturing CIOs on the basics of information security.

The federal Chief Information Officers Council was established in 1996, and codified into law by Congress in the E-Government Act of 2002. The CIO Council is described on its Web site like this: "The CIO Council serves as the principal interagency forum for improving practices in the design, modernization, use, sharing, and performance of Federal Government agency information resources." Membership on the Council is comprised of CIOs and deputy CIOs from 28 federal agencies, including the departments of Commerce, Defense, Justice, and State.

One interesting piece of news featured on the Web site is a PDF document with this title: "Top Ten Risks Impeding the Adequate Protection of Government Information." Here's how the document begins:


MEMORANDUM FOR CHIEF INFORMATION OFFICERS

FROM: Karen Evans
Administrator, Office of E-Government and Information Technology

SUBJECT: Top 10 Risks Impeding the Adequate Protection of Government Information

In order to maintain the trust of the American public, we must operate effectively by securing government information and safeguarding personally identifiable information in our possession. To make the federal government's identity theft awareness, prevention, detection, and prosecution efforts more effective and efficient, the President's Identity Theft Task Force recently issued "Combating Identity Theft: A Strategic Plan."

The strategic plan instructed the Office of Management and Budget and the Department of Homeland Security to develop the attached paper identifying common risks (or "mistakes") and best practices to help improve your agency's security and privacy programs. Each risk is associated with selected best practices and important resources to help your agency mitigate and avoid these risks. All of the best practices and important resources are inter-related and complementary, and they can be broadly applied when administering your information security and privacy programs.


I love those quote marks around "mistakes" -- they're so ... lawyerly. Here's the list, minus the accompanying best practices and important resources. See how these "guidelines" match up with your own security initiatives.

    1. Security and privacy training is inadequate and poorly aligned with the different roles and responsibilities of various personnel. [[Beware the insider.]]

    2. Contracts and data sharing agreements between agencies and entities operating on behalf of the agency do not describe the procedures for appropriately processing and adequately safeguarding information. [[Beware the outsider.]]

    3. Information inventories inaccurately describe the types and uses of government information, and the location where it is stored, processed, or transmitted, including personally identifiable information. [[Like the front seat of an intern's car?]]

    4. Information is not appropriately scheduled, archived, or destroyed. [[The federal government destroys information? Since when?]]

    5. Suspicious activities and incidents are not identified and reported in a timely manner. [[Unless you count The New York Times.]]

    6. Audit trails documenting how information is processed are not appropriately created or reviewed. [[What's an audit trail?]]

    7. Inadequate physical security controls where information is collected, created, processed or maintained. [[I've got the number for Blackwater around here somewhere.]]

    8. Information security controls are not adequate. [[The plain, simple truth.]]

    9. Inadequate protection of information accessed or processed remotely. [[Remember: Lock up that laptop.]]

    10. Agencies acquire information technology and information security products without incorporating appropriate security and privacy standards and guidelines. [[So what's wrong with point solutions?]]

These seem like conventional wisdom to me -- if government agencies aren't implementing these simple security measures by now, we're all in trouble. What do you think? What should federal government agencies concentrate on to stop identity theft -- and cybersecurity problems in general?
