IoT
IoT
IT Leadership // Security & Risk Strategy
Commentary
1/28/2016
08:06 AM
Larry Loeb
Larry Loeb
Commentary
50%
50%

OPM Breach Leads To New Systems, Procedures

The Obama Administration announced changes to the Office of Personnel Management designed to ameliorate the flawed systems and processes that led to a massive data breach in late 2014. The plans -- and the steps taken to get there -- hold lessons for any IT organization.

10 Best Tech Jobs For 2016
10 Best Tech Jobs For 2016
(Click image for larger view and slideshow.)

Massive security breaches like the one that occurred at the US Office of Personnel Management (OPM) naturally make headlines. Yet, the steps taken afterward to correct the processes that led to such a situation may be far more interesting to IT professionals than the breach itself.

On January 22, the Obama Administration announced changes in systems and procedures that will be made as a result of the OPM breach, which reportedly occurred in December 2014 and was disclosed last year. The changes reflect what appears to be a systemic top-to-bottom review of what went wrong.

US officials reportedly believe the OPM breach was conducted by a Chinese espionage ring, which accessed records on 21.5 million people, including government employees and job applicants. The hackers also stole the fingerprint images of 5.6 million people.

[ Never underestimate the human capacity for foolishness. Read 10 Stupid Moves That Threaten Your Company's Security. ]

The first notable change is that the Department of Defense (DoD) will assume responsibility from OPM for storing sensitive information on federal employees and others, including those working for government contractors.

Second, the government will create a new entity -- the National Background Investigations Bureau -- to oversee background investigations, a function previously handled by OPM. This bureau will handle some 600,000 investigations annually for new or renewed security clearances. The National Background Investigations Bureau will handle other types of investigations as well, such as those conducted on individuals seeking access to certain government facilities.

(Image: Greyfebruary/iStockphoto)

(Image: Greyfebruary/iStockphoto)

The new bureau will be housed within OPM, but the DoD will be responsible for keeping the data secure.

According to Agence France Presse, no timeline for the changes was announced, but officials indicated some of these steps will occur this year.

These changes -- and the steps taken along the way -- serve as an example of the way any organization can react in the wake of a breach:

  • Review the situation.
  • Analyze what did not function as it should have.
  • Leverage resources the enterprise has onboard to the best advantage.
  • Shake up how things are done functionally if necessary.
  • Above all, directly deal with the existing problems and find ways to solve them.

The US government has an overall problem with computer security personnel. Analyst Rob Enderle writes on CIO.com that a brain drain from government to the private sector is underway. Cybersecurity experts are being lured by big pay packages from private companies desperately seeking those with applicable security experience.

By transferring data security to the DoD, the government is leveraging an existing, core base of cybersecurity expertise, rather than attempting to build from the ground up within OPM.

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
larryloeb
50%
50%
larryloeb,
User Rank: Author
2/3/2016 | 1:26:44 PM
Re: everything changing
OPM can't do it, They dont have the skillsets.

DoD does. It's that simple.
batye
50%
50%
batye,
User Rank: Ninja
2/3/2016 | 11:23:41 AM
Re: everything changing
@larryloeb, how I see it, Gov. is too slow to respond... but now with changes they have no choice as to improve/increase ability to impliment rapid change as need it... 
larryloeb
50%
50%
larryloeb,
User Rank: Author
2/3/2016 | 10:33:06 AM
Re: everything changing
Game changers in what way?
batye
50%
50%
batye,
User Rank: Ninja
2/3/2016 | 10:26:43 AM
everything changing
this days how I see it hackers acting like a game changer for some of the Co....
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of August 14, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.