The members of 18F are young, brilliant and changing government from the inside out.
Casey Coleman is nothing if not a pragmatist. Coleman, CIO for the General Services Administration, is charged with protecting the agency’s data — not an easy task with up to 18 percent of the agency’s 12,000 employees telecommuting. Although Coleman remains confident that GSA has stringent security measures in place, the threat of a data breach is never far from her mind.
Security “is always a moving target,” she says, so her group strives to stay ahead of the curve and be vigilant. “The bad guys are always trying to figure out ways to compromise the federal infrastructure.”
Telework has come a long way since the days when an employee would dial in to the office network, enter a user ID and password, and access e-mail and other pertinent information. The explosive growth of mobile devices has given people the ability to access data anywhere, anytime.
At the same time, work-life factors are contributing to the rise in the number of federal teleworkers. With gas prices skyrocketing, telework is no longer seen as a luxury or job perk. “We have the perfect storm — ever-escalating fuel costs and worsening traffic congestion and an increasing emphasis on green initiatives — and this lends itself to telework,” notes Kathryn Kadilak, president of Strategic WorkLife Solutions, a consulting firm in Warrenton, Va., and a veteran of 30 years of federal service.
Increased productivity and the need for continuity of operations are other reasons the number of teleworkers will continue to rise, according to research by the Telework Exchange. But with growth come risks and potential for system breaches. Mindful of how vulnerable data can be when it leaves the network, security officials share proactive measures — beyond firewalls, virtual private networks and passwords — to keep government teleworkers, their systems and federal data safe.
Encrypt each notebook system’s hard drive, not just the software. GSA has kicked off a new initiative to encrypt notebook hard drives as an extra layer of protection. Even if a machine is lost, the data cannot be cracked. “It’s a different approach and an extra measure of security,’’ says Coleman. “So besides a password, you need to type in an encryption key so the data is unscrambled.”
Use two-factor authentication for double the protection. Often, authentication consists of entering a password that says you are who you are. Two-factor authentication requires two out of three proofs: something known, like a password; something possessed, such as a token badge or card that people carry with them and insert into the computer; and something unique about a person’s appearance, such as a fingerprint or an iris scan — some type of biometric, says Coleman.
Agencies should also implement controls that allow for a time-out function for remote devices requiring user authentication (a re-login with two-factor authentication) after 30 minutes of inactivity, suggests Gregory Wilshusen, director of security issues at the Government Accountability Office. He leads audits on information security controls within agencies.
Track your assets. GSA uses an asset-tracking tool from Computrace, which lets it keep tabs on the location of all remote notebooks. “We know where they are at all times, so if one should be reported missing or stolen, we can erase all the contents of the device when the person tries to plug it into the Internet,” Coleman says.
Document sensitive information that users copy off the network. Wilshusen says agencies are required to log all computer-readable data extracts from databases containing sensitive information and verify that each extract has been erased within 90 days or its use is still required. For example, if an Internal Revenue Service tax examiner copies three or four years of tax records onto a notebook computer for use during a field audit, then the IRS, Wilshusen says, “is supposed to log that and verify that copies of the tax records on the notebook are either erased within 90 days or still needed.”
Determine whose equipment is being used. Agencies should have policies on whether teleworkers can use their own PCs and mobile devices to conduct agency business, says Wilshusen.
He advises that, regardless of whether a teleworker uses his or her own computer or the agency’s, “that equipment should be configured in a manner consistent with the agency’s information security policies, including those on currency of antivirus
software, firewalls and software patches.”
Others, however, say it’s best to institute a blanket policy requiring use of government equipment when working remotely. “Separate business computers from personal, so data and security issues don’t overlap,” says Karen Scarfone, a computer scientist with the National Institute of Standards and Technology. She makes recommendations for civilian agencies about securing remote workers’ data.
Keep computers updated at all times with security patches provided by the manufacturer. Scarfone, who has also authored two reports on Microsoft Windows XP, notes that the operating system has an automatic update feature, which is something users can enable and configure to keep computers current. “You have vulnerabilities in software that attackers can take advantage of,” she says, “and by getting these updates, it gets rid of these vulnerabilities and makes it harder for attackers to succeed.”
Create separate XP user accounts. “We recommend having separate user accounts for your daily use of the computer and for your administrative tasks, like installing software,” says Scarfone.
Employees at GSA who telework at least once a week
Target for January; to keep agency on track to meet 50% goal by September 2010
A standard user account should be used for tasks such as e-mail and web browsing. Besides installing software and patches, a separate administrator account should also be used to give someone the right to remove a program. The reason? “If a person encounters malware, and that malware gets run on the admin account, then the attacker ends up having all the privileges the admin has — which is everything,” she says.
(For information about secure configurations for Windows XP and Vista, go to the Federal Desktop Core Configuration site at fdcc.nist.gov.)
Develop, document and deploy procedures. One of the root causes of security vulnerabilities that Wilshusen discovers during his audits arises when agencies fail to fully or consistently implement their information security and assurance programs. “Our recent reports illustrate that agencies often did not adequately design or effectively implement key information security policies and procedures, thereby diminishing assurance that controls are implemented correctly, operating as intended or producing the desired outcomes.” He says GAO finds inconsistencies on almost every audit that it conducts.
Train employees, then train them again. Although it may seem apparent, federal security officials and experts strongly emphasize the need to train employees who are eligible to telework so they understand their agency’s security policies. They also advise differentiating between workers who don’t require access to sensitive information and those who do.
“We tend to treat everyone the same way, which means we’re spending a lot of money and putting a lot of time into protecting data when employees are in jobs that don’t require access to or processing of sensitive information,” says Kadilak, who previously oversaw the telework program for the Justice Department.
Once a determination is made about who needs access to what, security officials can make better, informed decisions on the types of security they want to provide and to what degree.
“What I hear now is it’s a one-size-fits-all approach,” she says. “To me, that doesn’t make good financial sense from a management standpoint. Be realistic about your budgets and make some distinctions between different types of teleworkers and different levels of IT security for those teleworkers.”