OMB sets one-hour data breach rule

 

Connecting state and local government leaders

With the deluge of recent data breaches, the Office of Management and Budget is pushing agencies toward stricter IT security accountability. Agencies now have a clear standard for reporting all incidents and a comprehensive definition of personally identifiable information.

With the deluge of recent data breaches, the Office of Management and Budget is pushing agencies toward stricter IT security accountability.Agencies now have a clear standard for reporting all incidents and a comprehensive definition of personally identifiable information.Some chief information security officers said OMB's effort clarifies the steps agencies must take when an incident occurs'report it to the U.S. Computer Emergency Readiness Team within one hour of discovery'and simplifies the explanation of which incidents need to be recorded immediately.The new standards will help obtain executive buy-in for IT security programs they are implementing, CISOs said.'People generally know what you mean when you say personal information. But it helps us develop our policies and procedures to make sure we're on the same level as to what we mean when we say sensitive information,' said Patrick Howard, the Housing and Urban Development Department's CISO.Previously, agencies worked on different reporting timetables, depending on the incident. But in a recent memo, OMB strengthened notification procedures by making the one-hour requirement standard for any compromise of sensitive personal data.'You should report all incidents involving personally identifiable information in electronic or physical form and should not distinguish between suspected and confirmed breaches,' Karen Evans, OMB administrator for e-government and IT, wrote in the memo.'That's clear-cut. It's stringent but certainly doable,' Howard said.OMB issued the memo despite the fact that the Federal Information Security Management Act of 2002 already requires agencies to report security incidents within one hour to the U.S. CERT, which operates under the Homeland Security Department.'Under prior reporting requirements, agency performance was mixed,' said an OMB official, who requested anonymity.CISOs also have wanted OMB to clearly define personally identifiable information. That definition includes such information as someone's name, Social Seciurity number, date and place of birth, mother's maiden name and biometric records, as well as their educational, financial, medical, employment or criminal histories. The comprehensive definition makes it easier to include in glossaries of what CISOs are identifying.OMB has increased its guidance to push agencies toward stronger information security accountability following recent reports of data breaches at several agencies, including the Energy and Agriculture departments, the IRS and Navy.But it was the delayed report of the theft of sensitive information belonging to up to 26 million veterans, reservists and active-duty military'three weeks after the incident'that cast the spotlight not only on gaps in agencies' security controls but also on notification procedures.And agencies are making gains with the addition of U.S. CERT's operating and reporting procedures for agencies, OMB said.'Reporting performance is improving, but our goal has always been to prevent incidents before they occur. Agency managers and IGs have the primary role to ensure the agencies properly secure their operations and assets,' the OMB official said.The Government Accountability Office also found incident reporting varied in its analysis of the incident response plans and procedures of 20 agencies.'We reported that agencies were not consistently reporting cybersecurity incidents to U.S. CERT,' said Gregory Wilshusen, director of GAO's information security issues.Some agencies reported incidents to U.S. CERT, others to law enforcement, while others did not report incident information outside their agency, he said.U.S. CERT officials also cited agencies' inadequate details of incidents in the GAO report.'The level of detail that accompanied incident reports may not provide any information about the actual incident or method of attack,' Wilshusen said.OMB, however, is working against the self-protection of agency officials, said security expert Alan Paller, research director of the SANS Institute in Bethesda, Md.'Traditionally, agencies believed the risk [of] someone finding out they were a source of a data breach is lower than the risk of the pain they would take immediately if they reported it,' he said, adding there was only a small chance that the data would show up later.Heightened attentionThe attention from the flood of reported data breaches will help CISOs focus attention on the issue, Howard said.'This helps us do our job and elevate the importance that needs to be placed on it,' he said.HUD, like other agencies, implements its IT security program in cooperation with program offices.Howard sets the guidance, provides instructions and monitors compliance.'But we really have to rely on program offices and system owners to implement controls,' he said.To report a data breach, an individual would report it to the department's national help desk. The help desk pushes it up to Howard, who reports the incident to U.S. CERT on its secure Web site to provide notification.The agency later provides a detailed report.U.S. CERT forwards the information with the appropriate Identity Theft Task Force contact, within one hour of notification by an agency, OMB said.OMB also has directed agencies to provide additional data about IT security for fiscal 2006 FISMA reports and 2008 budget submissions.










Standard time



















































NEXT STORY: USPS gets a lift

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.