While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
Do you know the location of every one of your agency’s notebook computers — right now? Do you know who has them — right now? Do you know when those computers left the building — to the second? Are you positive that they all have valid ID markings?
If you can’t answer “yes” emphatically to all of these questions, then you probably don’t have adequate control of your notebook inventory, say federal and industry security experts. In organizations the size of most agencies, this is admittedly a tough challenge, says Kathryn Maginnis, associate deputy assistant secretary for risk management and incident response at the Veterans Affairs Department.
Take her department, for instance. More than 235,000 employees and 100,000 contractors work at more than 1,300 VA facilities, and nearly 100 percent of them work with health care records in some capacity, she says.
“That’s our landscape,” says Maginnis. “Many people coming and going” at lots of locations make data breaches possible.
But dealing with the physical components of security for mobile workers must take place in tandem with securing the least tangible part of the equation: data. A first step is to disavow yourself of the notion that you can easily create a policy about what does and does not comprise “sensitive” information and then focus security efforts on that data subset.
“You can’t make judgments in advance about what someone is going to think is sensitive — everything will be sensitive to someone,” says Maya Bernstein, privacy advocate for the Health and Human Services Department. Maginnis and Bernstein spoke during a recent American Council for Technology Industry Advisory Council briefing on information assurance.
Encrypt it all and remove extraneous uses of personally identifiable information, Bernstein says. She also suggests that agencies “should be impressing upon people to take the minimum amount of things out of the office to do their work.”
Adds Maginnis, “Because the likelihood of [a data loss] happening is so high, it behooves you to be good girl scouts and boy scouts and be prepared.”
A chief rule of thumb for the U.S. Cyber Consequences Unit, a nonprofit security assessment body, is that organizations should view mobile technology as almost disposable. It says agencies should expect equipment to go missing and let that guide the mobile tools they supply to traveling employees and the security practices they demand.
Here are the US-CCU’s recommendations:
A 24x7 approach to risk is the direction that information assurance teams are increasingly taking in government, says Thomas Oscherwitz, vice president of government affairs for identity intelligence consultant ID Analytics of San Diego. Agencies are deploying tools that continuously monitor for malicious actions, and then they rank incidents based on expected network behaviors and on data value, he says.
VA has a team whose job is just as Oscherwitz describes: It reviews all reported incidents and does triage to determine the department’s response and remediation plan, according to Maginnis.
A chief benefit of VA drawing so much attention because of the now-infamous data breach of two years ago is that the department created an enterprise incident-reporting process, she says, and it encourages people to report any and all incidents.“It’s not a bad thing to report when things happen,” Maginnis says. It helps people whose data is lost and also helps identify and prevent vulnerabilities. “We need to get away from the stigma that is associated with reporting.”