May 24, 2007
White House publishes breach response rules
The White House has issued a memo to the heads of all federal government executive departments that establishes new ground rules for responding to potential data incidents and demands that the agencies clean up their information-handling procedures.
In the notice -- issued on May 22 by Clay Johnson III, deputy director for management in the White House Office of Management and Budget -- authorities also require every federal agency to develop and implement a data breach notification policy within the next 120 days, as part of the work of the government's Identity Theft Task Force.
In formulating their respective policies, the White House ordered agencies to review their existing requirements for privacy and security, incident reporting and handling, and external breach notification. The document further requires agencies to adopt stricter rules governing which types of workers are given access to sensitive information.
Among the most basic advice offered in the memo is for agencies to:
- Reduce the volume of collected and retained information to the minimum necessary.
- Limit access to sensitive data to only those individuals who must have such access.
- Use encryption and strong authentication procedures.
In his foreword to the document, Johnson emphasizes that the requirement should "receive the widest possible distribution" within agencies and that each affected organization and individual should "understand their specific responsibilities for implementing the procedures and requirements."
Translation: Claiming a lack of understanding of the data security issue will no longer be tolerated as an excuse on any level in the federal space.
One has to wonder if it is any coincidence that the mandate was issued a year to the day after the Dept. of Veterans Affairs first reported a stolen laptop that held the personal records of over 26 million current and former members of the Armed Forces.
As an example of the requirements the document sets forth, in the area of safeguarding against breaches of personally identifiable information, the White House orders that agencies:
- Establish rules of conduct for people who work on projects or systems involving sensitive data
- Establish physical and electronic safeguards to protect sensitive information
- Maintain accurate, relevant, timely and complete information
- Assign a level of sensitivity to all collected and stored data
- Implement minimum security requirements and controls
- Certify and accredit information systems that hold sensitive data
- Re-train employees to follow data security policies
The rest of the document can be found here.
Posted by Matt Hines on May 24, 2007 02:30 PM