Fed Reacts To Laptop Thefts With New Security Guidelines--But Are They Enough? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Hardware & Infrastructure

Fed Reacts To Laptop Thefts With New Security Guidelines--But Are They Enough?

Federal agencies have until Aug. 7 to follow "recommendations" for security set by the White House.

After a stolen laptop containing personal data on 26.5 million veterans was returned to an FBI office this week, the bureau declared that the laptop's database appeared intact and unaccessed. It's a lucky break for the Veterans Affairs Department. It and other federal agencies have been front and center in several embarrassing data breaches in recent months.

The federal government is taking steps to improve data security in agencies with new recommendations—no mention of requirements—and an Aug. 7 deadline with no obvious repercussions for not meeting it. In a June 23 memo to department heads, Clay Johnson, deputy director for management at the White House Office of Management and Budget, recommended that agencies encrypt data on laptop or handheld computers unless it's classified as nonsensitive; implement two-factor authentication—a password plus a physical device such as a key card—for remote data access; require users accessing systems remotely or wirelessly to reauthenticate after 30 minutes of inactivity; and track data extraction from federal databases.

Most departments already have such measures in place, Johnson said in his memo, and the OMB will work on getting laggards in compliance "to ensure we are properly safeguarding the information the American taxpayer has entrusted to us." He set a deadline of 45 days, yet the memo doesn't mention what would happen if the recommendations aren't followed.

"That's the embarrassing part, they're phrased as recommendations not requirements," says Alan Paller, director of research for the SANS Institute, a provider of information security and training.

Attached to the memo was a checklist for protecting personal data accessed remotely or taken off-site, provided by the National Institutes of Standard and Technology, or NIST, an agency within the U.S. Commerce Department's Technology Administration that establishes government technology standards. The problem with placing NIST in charge of security standards implementation is that NIST "likes to write reports" rather than implement concrete solutions, Paller says.

This high-level push, as well as several congressional hearings on data security, comes after a spate of laptop losses, thefts, and other break-ins. In addition to the laptop stolen from a VA employee's home, a laptop containing personal data was lost by an Internal Revenue Service employee, two more were reported stolen by the Federal Trade Commission, an Agriculture Department network break-in resulted in the theft of Social Security numbers and other personal data, and the Navy discovered Social Security numbers and personal data for 28,000 sailors and family members on a civilian Web site. All those incidents took place within the last two months.

Businesses also have struggled with data breaches in the past two years, including the February 2005 theft of 145,000 records from data provider ChoicePoint. Companies have to comply with state laws that dictate when customers must be notified that their personal identification data has been lost or stolen. The federal government now has the chance to go beyond after-the-fact requirements and take a hard line internally with its agencies. The OMB's recommendations "are in accordance with the strongest ones coming through to the private sector," says Pete Lindstrom, research director with Spire Security.

The government could lose that opportunity unless it holds firm to those requirements and the deadline to meet them. The nine-page checklist from the National Institute of Standards and Technology could prove difficult for the some agencies to meet by Aug. 7. Implementing complex technologies doesn't happen overnight, and it could take 45 days just for an agency to identify sensitive data and where it resides.

Enforcement isn't the only obstacle. While the government's recommendations for data protection make sense, it needs to choose the same approach as businesses—take a broad view of security and not reactively hone in on the specific area of data loss pertaining to stolen laptops and computing equipment. If their IT systems and data are to be truly protected from both carelessness and outright attacks, businesses and the government have to identify the next big security threat, or at least cover their bases in anticipation of what's to come.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
COVID-19: Using Data to Map Infections, Hospital Beds, and More
Jessica Davis, Senior Editor, Enterprise Apps,  3/25/2020
Enterprise Guide to Robotic Process Automation
Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
How Startup Innovation Can Help Enterprises Face COVID-19
Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
Register for InformationWeek Newsletters
Current Issue
IT Careers: Tech Drives Constant Change
Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll