To avoid more WikiLeaks-style breaches of secret documents, the OMB asked federal agencies to review security policies to assess how they measure employee trustworthiness and monitor activities.
In an attempt to tighten control of classified information, the Obama administration issued a memo outlining requirements and questions agencies have to address as part of their information security evaluation.
Issued by Jacob Lew, director of the Office of Management and Budget, the memo said federal departments and agencies that handle classified information have to complete their initial security review by Jan. 28. This memo sets the completion deadline for the security assessments the agencies were ordered to undertake in a November memo to review the protocols and processes for safeguarding classified and sensitive information.
The latest memo emphasizes agency safeguards for automated systems, but also asks for information about management and oversight, counterintelligence, information assurance measures, education and training, as well as personnel security.
Going through the OMB questions, it is clear the administration is focused on making sure information doesn't leave federal agencies' systems and not on the bigger problem of how information is classified. A number of security professionals have said recently the government should be considering who has access to information and applying appropriate access rights relevant to the job instead of the current system of classifying broad swathes of data.
"There's a fine line between trusted insider and malicious insider," Jack Hembrough, CEO of VaporStream, told eWEEK recently. "Rather than trying to identify who might 'go bad,'" it would be "more productive" to manage what the person can do, he said.
Agencies should be asking, "Are you trying to get what you are supposed to be accessing?" when defining user privileges, Ken Ammon, chief strategy officer at Xceedium, told eWEEK. Extra privileges should be granted only upon request, but the system needs to revoke the extra privileges immediately after the task is complete, he said.
Data leaks from agencies where security is comparatively poor, such as the Army, are more likely than from agencies with more rigorous security practices, such as the CIA, wrote Steven Aftergood, an analyst for Washington, D.C.-based think tank Federation of American Scientists, on the group's Secrecy News. The resulting furor from the WikiLeaks disclosures has the administration thinking that "if the Army becomes more like the CIA" in how it handles security, "it should become less vulnerable" to breaches, which is a "predictable" reaction, but "troubling," Aftergood wrote.