
Group gives government low marks on data protection

The Cyber Security Industry Alliance, a lobbying group of security vendors, gives the federal government and Congress a D grade for securing sensitive information.

The federal government is not doing enough to secure sensitive information, according to a report issued by the Cyber Security Industry Alliance (CSIA), a lobbying group of security vendors based in Arlington, Va.

In its annual report, the organization is also criticizing Congress for failing to pass a comprehensive data security law in 2006 requiring companies with data breaches to notify victims.

"All organizations that hold sensitive and personal information need to have policies in place that are focused on securing that data and the processes to implement those policies," said Liz Gasster, acting executive director and general counsel of the CSIA.

Gasster said she is optimistic that Congress will pass a data security law this year addressing data security and breach notification. The bill failed in the past over jurisdictional issues between congressional committees, she said. The law should apply equally to the government and the private sector.

Congress also must still choose a standard to enhance data encryption, an area that two congressional committees have failed to come to an agreement on, she said.

Lawmakers are also finding it difficult to decide whether to give state attorneys general more power to enforce such an act.

"We want to have strong enforcement and as many enforcers out there as possible, but on the flip side, it can lead to inconsistent enforcement," Gasster said.


Specifically, the CSIA rated the federal government in three areas:

  • Security of Sensitive Information: The CSIA said that Congress ratified the Council of Europe Convention on Cyber Crime but failed to pass a comprehensive law to protect sensitive personal information. Grade: D
  • Security & Resiliency of Critical Information Infrastructure: The Department of Homeland Security (DHS) appointed an assistant secretary for cyber security and telecommunications and implemented programs such as LOGIIC and Cyber Storm, but hasn't offered a clear agenda on the Department's top cyber security R&D priorities or established a survivable emergency coordination network to handle a large-scale cyber security disaster, according to the CSIA. Grade: D
  • Federal Information Assurance: Government continues to offer a mixed bag of successes and failures, with progress within the Office of Management and Budget and implementation of HSPD-12, a presidential directive on data security, but much improvement is needed in the areas of using the power of procurement, resolving systemic telework issues, and releasing information on the cost of cyber attacks. Grade: D
The federal government was coming off a year in which a laptop containing the names, Social Security numbers and dates of birth of up to 26.5 million military veterans and some spouses was stolen. Several other agencies reported similar incidents of stolen laptops containing sensitive data.

The top cybersecurity job at the Department of Homeland Security (DHS) also sat vacant for more than a year until Gregory Garcia took the post in the fall.

The CSIA is also calling on the DHS to quickly establish cyber security and telecommunications priorities and address emergency communications in the event of a major information infrastructure attack or disruption. The organization says a system should be implemented to monitor the entire information infrastructure.

"What's key is that it needs to be risk based and based on the kind of information that is at issue," Gasster said. "The government has an obligation to implement security practices to secure that information."

Finally, the group said the Federal Information Security Management Act (FISMA) should be strengthened to give government CIOs better enforcement authority over budgets and personnel resources. The law should also give federal agencies better tools to scrutinize federal contractors to ensure that they comply with FISMA requirements.
