10 Rules For Avoiding Identity Theft 'Mistakes' - InformationWeek

Commentary
7/18/2007
07:13 PM
John Soat

10 Rules For Avoiding Identity Theft 'Mistakes'

The federal government is trying to clean up its act when it comes to ID theft. That includes lecturing CIOs on the basics of information security.

The federal Chief Information Officers Council was established in 1996 and codified into law by Congress in the E-Government Act of 2002. The CIO Council is described on its Web site like this: "The CIO Council serves as the principal interagency forum for improving practices in the design, modernization, use, sharing, and performance of Federal Government agency information resources." Membership on the Council consists of CIOs and deputy CIOs from 28 federal agencies, including the departments of Commerce, Defense, Justice, and State.

One interesting piece of news featured on the Web site is a PDF document with this title: "Top Ten Risks Impeding the Adequate Protection of Government Information." Here's how the document begins:

MEMORANDUM FOR CHIEF INFORMATION OFFICERS

FROM: Karen Evans, Administrator, Office of E-Government and Information Technology

SUBJECT: Top 10 Risks Impeding the Adequate Protection of Government Information

In order to maintain the trust of the American public, we must operate effectively by securing government information and safeguarding personally identifiable information in our possession. To make the federal government's identity theft awareness, prevention, detection, and prosecution efforts more effective and efficient, the President's Identity Theft Task Force recently issued "Combating Identity Theft: A Strategic Plan."

The strategic plan instructed the Office of Management and Budget and the Department of Homeland Security to develop the attached paper identifying common risks (or "mistakes") and best practices to help improve your agency's security and privacy programs. Each risk is associated with selected best practices and important resources to help your agency mitigate and avoid these risks. All of the best practices and important resources are inter-related and complementary, and they can be broadly applied when administering your information security and privacy programs.

I love those quote marks around "mistakes" -- they're so ... lawyerly. Here's the list, minus the accompanying best practices and important resources. See how these "guidelines" match up with your own security initiatives.

    1. Security and privacy training is inadequate and poorly aligned with the different roles and responsibilities of various personnel. [[Beware the insider.]]

    2. Contracts and data sharing agreements between agencies and entities operating on behalf of the agency do not describe the procedures for appropriately processing and adequately safeguarding information. [[Beware the outsider.]]

    3. Information inventories inaccurately describe the types and uses of government information, and the location where it is stored, processed, or transmitted, including personally identifiable information. [[Like the front seat of an intern's car?]]

    4. Information is not appropriately scheduled, archived, or destroyed. [[The federal government destroys information? Since when?]]

    5. Suspicious activities and incidents are not identified and reported in a timely manner. [[Unless you count The New York Times.]]

    6. Audit trails documenting how information is processed are not appropriately created or reviewed. [[What's an audit trail?]]

    7. Inadequate physical security controls where information is collected, created, processed or maintained. [[I've got the number for Blackwater around here somewhere.]]

    8. Information security controls are not adequate. [[The plain, simple truth.]]

    9. Inadequate protection of information accessed or processed remotely. [[Remember: Lock up that laptop.]]

    10. Agencies acquire information technology and information security products without incorporating appropriate security and privacy standards and guidelines. [[So what's wrong with point solutions?]]

These seem like conventional wisdom to me -- if government agencies aren't implementing these simple security measures by now, we're all in trouble. What do you think? What should federal government agencies concentrate on to stop identity theft -- and cybersecurity problems in general?
