OPM Breach Leads To New Systems, Procedures

The Obama Administration announced changes to the Office of Personnel Management designed to ameliorate the flawed systems and processes that led to a massive data breach in late 2014. The plans – and the steps taken to get there – hold lessons for any IT organization.
10 Best Tech Jobs For 2016
10 Best Tech Jobs For 2016
(Click image for larger view and slideshow.)

Massive security breaches like the one that occurred at the US Office of Personnel Management (OPM) naturally make headlines. Yet, the steps taken afterward to correct the processes that led to such a situation may be far more interesting to IT professionals than the breach itself.

On January 22, the Obama Administration announced changes in systems and procedures that will be made as a result of the OPM breach, which reportedly occurred in December 2014 and was disclosed last year. The changes reflect what appears to be a systemic top-to-bottom review of what went wrong.

US officials reportedly believe the OPM breach was conducted by a Chinese espionage ring, which accessed records on 21.5 million people, including government employees and job applicants. The hackers also stole the fingerprint images of 5.6 million people.

[ Never underestimate the human capacity for foolishness. Read 10 Stupid Moves That Threaten Your Company's Security. ]

The first notable change is that the Department of Defense (DoD) will assume responsibility from OPM for storing sensitive information on federal employees and others, including those working for government contractors.

Second, the government will create a new entity -- the National Background Investigations Bureau -- to oversee background investigations, a function previously handled by OPM. This bureau will handle some 600,000 investigations annually for new or renewed security clearances. The National Background Investigations Bureau will handle other types of investigations as well, such as those conducted on individuals seeking access to certain government facilities.

The new bureau will be housed within OPM, but the DoD will be responsible for keeping the data secure.

According to Agence France Presse, no timeline for the changes was announced, but officials indicated some of these steps will occur this year.

These changes -- and the steps taken along the way -- serve as an example of the way any organization can react in the wake of a breach:

  • Review the situation.
  • Analyze what did not function as it should have.
  • Leverage resources the enterprise has onboard to the best advantage.
  • Shake up how things are done functionally if necessary.
  • Above all, directly deal with the existing problems and find ways to solve them.

The US government has an overall problem with computer security personnel. Analyst Rob Enderle writes on that a brain drain from government to the private sector is underway. Cybersecurity experts are being lured by big pay packages from private companies desperately seeking those with applicable security experience.

By transferring data security to the DoD, the government is leveraging an existing, core base of cybersecurity expertise, rather than attempting to build from the ground up within OPM.