Group gives government low marks on data protection

By Robert Westervelt, News Editor
31 Jan 2007 | SearchSecurity.com

The federal government is not doing enough to secure sensitive information, according to a report issued by the Cyber Security Industry Alliance (CSIA), a lobbying group of security vendors based in Arlington, Va.

In its annual report, the organization is also criticizing Congress for failing to pass a comprehensive data security law in 2006 requiring companies with data breaches to notify victims.

"All organizations that hold sensitive and personal information need to have policies in place that are focused on securing that data and the processes to implement those policies," said Liz Gasster, acting executive director and general counsel of the CSIA.

Gasster said she is optimistic that Congress will pass a data security law this year addressing data security and breach notification. The bill failed in the past over jurisdictional issues between congressional committees, she said. The law should apply equally to the government and the private sector.

Congress also must still choose a standard to enhance data encryption, an area that two congressional committees have failed to come to an agreement on, she said.

Lawmakers are also finding it difficult to determine whether to give state attorneys general the authority to enforce an act.

"We want to have strong enforcement and as many enforcers out there as possible, but on the flip side, it can lead to inconsistent enforcement," Gasster said.

Specifically, the CSIA rated the federal government in three areas:

  • Security of Sensitive Information: The CSIA said that Congress ratified the Council of Europe Convention on Cyber Crime but failed to pass a comprehensive law to protect sensitive personal information. Grade: D
  • Security & Resiliency of Critical Information Infrastructure: The Department of Homeland Security (DHS) appointed an assistant secretary for cyber security and telecommunications and implemented programs such as LOGIIC and Cyber Storm, but hasn't offered a clear agenda on the Department's top cyber security R&D priorities or established a survivable emergency coordination network to handle a large-scale cyber security disaster, according to the CSIA. Grade: D
  • Federal Information Assurance: Government continues to offer a mixed bag of successes and failures, with progress within the Office of Management and Budget and implementation of HSPD-12, a presidential directive on data security, but much improvement is needed in the areas of using the power of procurement, resolving systemic telework issues, and releasing information on the cost of cyber attacks. Grade: D

The federal government was coming off a year in which a laptop containing the names, Social Security numbers and dates of birth of up to 26.5 million military veterans and some spouses was stolen. Several other agencies reported similar incidents of stolen laptops containing sensitive data.

The top cybersecurity job at the Department of Homeland Security (DHS) also sat vacant for more than a year until Gregory Garcia took the post in the fall.

The CSIA is also calling on the DHS to quickly establish cyber security and telecommunications priorities and address emergency communications in the event of a major information infrastructure attack or disruption. The organization says a system should be implemented to monitor the entire information infrastructure.

"What's key is that it needs to be risk based and based on kind of information that is at issue," Gasster said. "The government has an obligation to implement security practices to secure that information."

Finally, the group said the Federal Information Security Management Act (FISMA) should be strengthened to give governmental CIOs better enforcement authority over budgets and personnel resources. The law should also give federal agencies better tools to scrutinize federal contractors to ensure that they comply with FISMA requirements.
