

Wednesday, August 29, 2007

Information Security Policies Address Top Federal Information Risks

A July 2007 report from The Identity Theft Task Force, commissioned by the Office of Management and Budget (OMB) and Department of Homeland Security (DHS), outlined ten "Common Risks Impeding the Adequate Protection of Government Information."

While most organizations are not subject to the same data protection law as the Federal government (FISMA), many must provide the same level of protection for sensitive information to comply with regulations such as HIPAA, GLBA and Sarbanes-Oxley. This report can therefore serve as a reminder for any organization that must maintain an information security program.

Written information security policies are critical for compliance with any regulations. Even within FISMA, "Level 1" compliance for a given area of risk includes written security policies. In the next section we outline how our library of information security policies addresses each of the high-level risk areas identified in the report.

Addressing Common Risks

  1. Security and privacy training is inadequate and poorly aligned with the different roles and responsibilities of various personnel.

    ISPME contains pre-written information security policies that require formalized information security awareness and training, including policies to incorporate security requirements into job roles and department mission statements.

  2. Contracts and data sharing agreements between agencies and entities operating on behalf of the agency do not describe the procedures for appropriately processing and adequately safeguarding information.

    ISPME provides over 40 written policies that address security requirements in outsourcing contracts, including policies that require the ongoing monitoring of third-party security posture.

  3. Information inventories inaccurately describe the types and uses of government information, and the locations where it is stored, processed or transmitted, including personally identifiable information.

    ISPME contains over 20 written policies describing data classification and labeling, including three and four-category classification schemes.

  4. Information is not appropriately scheduled, archived, or destroyed.

    ISPME contains over 50 written policies covering data classification, archival, de-classification and destruction.

  5. Suspicious activities and incidents are not identified and reported in a timely manner.

    ISPME contains 20 pre-written policies describing the proper reporting and handling of security incidents, including software malfunctions.

  6. Audit trails documenting how information is processed are not appropriately created or reviewed.

    ISPME contains over 100 written policies covering the proper auditing of systems security events, including policies to protect the audit logs.

  7. Inadequate physical security controls where information is collected, created, processed or maintained.

    ISPME contains over 40 written policies covering the physical security of IT processing facilities, including equipment location, access controls, environmental controls, and personnel access.

  8. Information security controls are not adequate.

    ISPME contains over 1500 individual controls covering all aspects of ISO 17799/27001.

  9. Inadequate protection of information accessed or processed remotely.

    ISPME contains over 100 policies on remote working, including remote access to networks, systems and data.

  10. Agencies acquire information technology and information security products without incorporating appropriate security and privacy standards and guidelines.

    ISPME contains over 20 written policies covering the acquisition and approval of systems based on security and privacy requirements.

To find out more about developing an information security policy, please request a free sample from our library of information security policies and written information security job-descriptions.


Common Risks Impeding the Adequate Protection of Government Information, a July 2007 report from The Identity Theft Task Force.

OMB Memorandum M-06-15, "Safeguarding Personally Identifiable Information," instructed senior agency officials for privacy to conduct a review of policy and processes.
