[ISN] OMB emphasizes data security guidance

InfoSec News isn at c4i.org
Tue Jun 27 01:27:45 EDT 2006


By Mary Mosquera
GCN Staff

The Office of Management and Budget today provided a checklist of best 
practices that agencies must have in place in 45 days to compensate 
for the absence of physical security controls when employees remove 
information or access it from outside of agency premises. 

Most departments should already have the measures recommended by the 
National Institute of Standards and Technology in place, according to 
Clay Johnson, OMB deputy director for management. 

"We intend to work with the inspectors general community to review 
these items, as well as the checklist, to ensure we are properly 
safeguarding the information the American taxpayer has entrusted to 
us," he said in the memo dated June 23 [1]. 

Besides the checklist, agencies also by early August must encrypt all 
data on mobile devices that carry sensitive data and allow remote 
access only with two-factor authentication. One of those factors 
should be provided by a device separate from the computer gaining 
access. Agencies will implement a "time-out" function for remote 
access and mobile devices users, who will need to re-authenticate 
after 30 minutes of inactivity. Agencies will log all 
computer-readable data extracts from databases holding sensitive 
information. They must verify that each extract of sensitive data has 
been erased within 90 days or its use is still required. 

OMB provided sample privacy documents for system of records notices 
for personnel security files, identity management systems, identity 
card proofing and Privacy Act statement and a Privacy Act statement 
for users of personal identity verification cards. 

Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee, 
applauded OMB's memo. 

"Today's action by the Office of Management and Budget to reinforce 
security standards for sensitive information controlled by the federal 
government is a sensible step, given the various data breaches we have 
seen in recent weeks," he said. "[G]iven the spotty record of 
compliance [with the Federal Information Security Management Reform 
Act] we have seen among the agencies, I sincerely hope this action 
leads to both better results and better practices-and if not, perhaps 
Congress will have to step in and mandate specific security 

[1] http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf

More information about the ISN mailing list