White House Memo Sets Goals for Security Review to Forestall Future WikiLeaks

To avoid more WikiLeaks-style breaches of secret documents, the OMB asked federal agencies to review security policies to assess how they measure employee trustworthiness and monitor activities.

In an attempt to tighten control of classified information, the Obama administration issued a memo outlining requirements and questions agencies have to address as part of their information security evaluation.

Issued by Jacob Lew, director of the Office of Management and Budget, the memo said federal departments and agencies that handle classified information have to complete their initial security review by Jan. 28. This memo sets the completion deadline for the security assessments the agencies were ordered to undertake in a November memo to review the protocols and processes for safeguarding classified and sensitive information.

The latest memo emphasizes agency safeguards for automated systems, but asked for information about management and oversight, counterintelligence, information assurance measures, education and training, as well as personnel security.

Going through the OMB questions, it is clear the administration is focused on making sure information doesn't leave federal agencies' systems and not on the bigger problem of how information is classified. A number of security professionals have said recently the government should be considering who has access to information and apply appropriate access rights relevant to the job instead of the current system of classifying broad swathes of data.

"There's a fine line between trusted insider and malicious insider," Jack Hembrough, CEO of VaporStream, told eWEEK recently. "Rather than trying to identify who might 'go bad,'" it would be "more productive" to manage what the person can do, he said.

Agencies should be asking, "Are you trying to get what you are supposed to be accessing?" when defining user privileges, Ken Ammon, chief strategy officer at Xceedium, told eWEEK. Extra privileges should be granted only upon request, but the system needs to revoke the extra privileges immediately after the task is complete, he said.

Data leaks from agencies where security is comparatively poor, such as the Army, is more likely than from agencies with more rigorous security practices, such as the CIA, wrote Steven Aftergood, an analyst for Washington, D.C.-based think tank Federation of American Scientists, on the group's Secrecy News. The resulting furor from the WikiLeaks disclosures has the administration thinking that "if the Army becomes more like the CIA" in how it handles security, "it should become less vulnerable" to breaches, which is a "predictable" reaction, but "troubling," Aftergood wrote.