A Common Sense Approach to IT Security: Know Your Business

Managers mitigate risk by understanding their agencies' missions, smartly employing configuration and identity management and using common sense.
Minimizing risk requires agencies to move beyond compliance, which represents only a starting point in assuring secure data and systems. Compliance alone, as we have learned through painful experience, will not guarantee information security.
Let us not forget that a few years ago a burglar stole a Department of Veterans Affairs laptop containing the unencrypted personal information of 26.5 million veterans, their spouses and active-duty military personnel. At the time, VA managers complied with the rules; even its inspector general had reviewed the departmental process as satisfactory. Still, one laptop stolen from an employee's home proved very costly: in January the government agreed to pay $20 million to settle a class-action lawsuit brought by the victims.
VA managers thought they had protected the data when they completed a required certification and authentication process. That process validated that the individual assigned the laptop was indeed a departmental employee who was allowed to work from home and had authorized access to the data. The failure was that no one at the VA questioned whether that one worker should be granted access to so much data, and no one understood the consequences of allowing that data onto a laptop without encryption. Not one person asked the simple question, "Does it make good business sense to have one person be able to copy an entire database and take it offsite?" The answer could be yes, but more than likely, as the VA painfully learned, the answer is no.
Who should have asked that question?
The Government Accountability Office's review of the incident found that the VA lacked the strong leadership and sustained management commitment needed to tackle its persistent, long-standing control weaknesses. No one seemed accountable.
Accountability is a shared responsibility, from the head of the agency to the end user who works with the data. Everyone needs to know and understand their role and responsibilities, and it is incumbent on agencies to provide everyone with the proper training. If the agency head thinks, "Oh, it's a techie issue over there and I don't have to deal with it," then no one else will take information security seriously.
Employing the best practices incorporated in proper identity-management and configuration-management processes would have given VA managers the tools to decide whether one employee should have had so much data, and to ensure that the data was encrypted. Determining how much data an individual should have access to is a key component of information security: what is the business reason for him to have it?
The VA has many missions: healthcare, job assistance and homeless assistance, to name a few. IT security must be linked to the agency's missions; otherwise, why bother protecting the data? By understanding the mission, you can mitigate risk. In the laptop debacle, the mission likely would not have required one person to have so much information at his fingertips on a portable device.
That's just plain common sense.
Karen Evans served as administrator of e-government and information technology in the White House Office of Management and Budget and director of the Federal CIO Council from 2003 to 2009. During her 27-year government career, Evans held numerous IT managerial positions, including CIO of the Department of Energy.