News
7/19/2006 12:45 PM

White House Tightens Breach Rules For Federal Agencies

Government agencies must now alert US-CERT within an hour of any actual or suspected data breach involving personal information. But Gartner analysts say while the rule is a good PR move, it's too murky to be effective.

The White House set new rules last week that require government agencies to alert US-CERT within an hour of any data breach involving personal information. Tuesday, research firm Gartner said the directives were good PR, but too vague to be effective.

Last Wednesday, the Office of Management and Budget (OMB) sent a memorandum to the chief information officers of all federal agencies telling them that they must report any data breach to US-CERT within 60 minutes of discovery. US-CERT, which is part of the Department of Homeland Defense, is the federal information security clearinghouse and watchdog.

"You should not distinguish between suspected and confirmed breaches," the memo continued.

In turn, US-CERT is then to forward any such report to the "appropriate Identity Theft Task Force point-of-contact" within an hour of being notified.

Gartner analysts John Pescatore and Jay Heiser were unimpressed.

"[We] believe that the new OMB memorandum is primarily a public-relations response to recent high-profile security incidents," wrote Pescatore and Heiser in an online research note. "Nevertheless, we think it represents a positive change."

They noted that the notification timing shift meant events which may have gone unreported to US-CERT for up to a week must now be forwarded much faster. "An improper-usage incident — such as the detection of sensitive personal information on a home computer or other unsupported device — must now be reported within one hour," Pescatore and Heiser continued. "This will reduce the possibility that such incidents will be reported in the news media before being formally reported by the relevant government agency."

Even so, the existing definition of "improper-usage" is too murky, said the Gartner analysts, and in the long run, faster reporting won't do any good unless the government's security response is drastically improved.

Also on Tuesday, another arm of the OMB issued a memo to all departments and agencies spelling out new information they must provide to Congress under the Federal Information Security Management Act of 2002. Data collected under FISMA is used to generate scorecards on each agency's information security practices.

The most recent report card slapped the federal government as a whole with a D+ grade.
