CIPP Guide » FISMA

Continuous Monitoring & Security Controls

hannah — Tue, 09 Nov 2010 16:00:48 +0000

Cybersecurity is one of the highest national priorities in the US. In order to preserve cybersecurity, legislation such as the FISMA (Federal Information Security Management Act) has been substantially updated to improve capacity for preventing, detecting and responding to threats. Ongoing updates to legislation seem to suggest a shift from simply demanding compliance to adoption of a continuous monitoring model.

What is Continuous Monitoring?

In contrast to traditional monitoring processes, which use only a small sample of events, continuous monitoring audits the system during or immediately after they occur.

What is being monitored?

1. Primary Monitoring – this involves security controls. The primary focus looks at hardware, software and firmware.

2. Secondary Monitoring – this type of monitoring is concerned with the operational environment. Secondary foci would include the environment, mission and policy/regulations.

3. Changes to the systems

Key stages in the continuous monitoring process include the following:

Identify the control rule for each control point.
Establish a test that validates each control rule.
Establish tests to identify problematic transactions.
Test transactions regularly.
Identify transactions that fail the tests. Notify the appropriate individuals within the organization of failures.
Investigate failed transactions and act to correct the transactions or control problem.

Continuous Auditing vs. Continuous Monitoring

Both continuous auditing and continuous monitoring aim to provide organizations with more transparency through accurate, timely reporting practices. Continuous auditing is the automated collection of audit indicators from the IT systems, transactions, processes and controls on a continuous basis. This may be carried out by an internal or external auditor. Continuous auditing can serve as a means to detect control failures earlier than other reporting approaches.

By contrast, continuous monitoring is an automated feedback system that reports on the operation of systems and controls. This is analyzed by management to identify gaps or irregularities which may indicate control failures.

SANS Security Controls

Twenty critical security controls were developed by SANS (the SysAdmin, Audit, Network, Security Institute), in collaboration with hundreds of other groups, including the Department of Defense, civilian federal agencies and cybersecurity experts. The SANS controls have been developed in order to reinforce concerns of US cybersecurity legislation, such as the FISMA, in addition to other government documentation, including NIST SP 800-53, SCAP (Security Content Automation Protocol) and FDCC (Federal Desktop Core Configuration). These controls are generally the highest priority concerns of most security professionals.

Each critical control is associated with a series of tests that should be conducted either on a periodic or a continual basis. The following are the security control categories, along with a brief explanation of the potential risk it addresses, as well as how the control can be implemented and measured. The first fifteen categories are critical controls subject to automated collection, measurement and validation.

1. Inventory of authorized and unauthorized devices

Risk: New and unprotected systems are vulnerable to exploitation. They may enable attackers to access the information deeper within the organization.
Implementation: Maintenance of accurate and up-to-date inventories, utilizing inventory monitoring tools. Inventories should include removable media devices, USB tokens, external hard drives and other information storage devices.
Measurement: Connect hardened test systems to the network, to ensure that they are automatically isolated.

2. Inventory of authorized and unauthorized software

Risk: Certain versions of software are vulnerable to exploitation, such as backdoor programs, bots and zero-day exploits.
Implementation: Develop a list of authorized software. Use software inventory tools to track the type, version and patch level of software installed on each system in the organization.
Measurement: Introduce a benign software test program.

3. Secure configurations for hardware and software on laptops, workstations and servers

Risk: Default configurations often do not provide an adequate level of security.
Implementation: Document security settings of system images.
Measurement: Detect unauthorized changes. Use file integrity checking tools and system scanning tools.

4. Secure configurations for network devices (e.g. firewalls, routers, switches)

Risk: Overtime, network devices may be less securely configured.
Implementation: Compare network device configuration against standard secure configurations.
Measurement: Use changes to network devices to test for alert and isolation. Test that protocols (e.g. IPv6) are being filtered correctly.

5. Boundary defense

Risk: Weaknesses in configuration or architecture on perimeter systems or network devices can give attackers access into the system.
Implementation: Communications should be limited to trusted sites and pass through at least one proxy.
Measurement: Test boundary devices by sending and accepting packets through the boundary.

6. Maintenance, monitoring and analysis of security audit logs

Risk: Flaws in security logging and analysis may help attackers disguise location, activities and malicious software on machines.
Implementation: Validate audit logs for hardware and software installed on it.
Measurement: Review security logs from network devices, servers and hosts.

7. Application software security

Risk: Application software that has security flaws could allow attackers to introduce buffer overflows, SQL injection attacks, cross-site scripting, etc.
Implementation: Test internally developed and third-party web and application software. Use web application firewalls to inspect traffic.
Measurement: Test with a web application vulnerability scanner. Use static code analysis tools and database configuration review tools.

8. Controlled use of administrative privileges

Risk: Uncontrolled administrative privileges can allow attackers to take over a machine or elevate administrative privileges.
Implementation: Keep an inventory for all administrative passwords. Ensure that all those with administrative privileges have the appropriate authorization.
Measurement: Verify enforcement of password policy.

9. Controlled access based on need to know

Risk: Sensitive data that is mixed with less sensitive data may be easily compromised, since the level of access is the same.
Implementation: Develop a multi-level data separation scheme.
Measurement: Test that accounts with limited privileges are unable to access the same files as those with more privileges.

10. Continuous vulnerability assessment and remediation

Risk: Delays in finding or repairing software with vulnerabilities can allow attackers to gain control and/or access sensitive information.
Implementation: Vulnerability scanning tools should be used on all systems. Results should be compared to determine if vulnerabilities have been addressed.
Measurement: Verification of application vulnerability scanning.

11. Account monitoring and control

Risk: Inactive user accounts may be vulnerable to impersonation and unauthorized access.
Implementation: System accounts should be reviewed regularly. Accounts that are dormant should be disabled.
Measurement: Evaluation should be conducted on accounts that have been locked out or disabled, as well as those with expired passwords.

12. Malware defenses

Risk: Malware can tamper with data stored on a system, capture sensitive information and transmit it to other systems.
Implementation: Workstations, servers and mobile devices should have anti-virus, anti-spyware and host-based intrusion prevention systems.
Measurement: Test with benign malware to ensure systems are able to promptly identify, block and quarantine it.

13. Limitation and control of network ports, protocols and services

Risk: Poorly configured web servers, mail servers, DNS servers and file and print services may give attackers remote access.
Implementation: Apply host-based firewalls or port filtering tools on end systems.
Measurement: Install test services with network listeners randomly on the network.

14. Wireless device control

Risk: Wireless devices are often remotely exploited when used outside the organization.
Implementation: Each wireless device on the network must have an authorized configuration and security profile.
Measurement: Wireless clients and access points should be tested for vulnerabilities in various scenarios.

15. Data loss prevention

Risk: Data leakage may be a result of a variety of attacks (e.g. physical theft, data transfers across the network).
Implementation: Network monitoring should examine outbound traffic. Laptops with sensitive data should have encrypted hard drives.
Measurement: Test data should be moved across network boundaries in a variety of scenarios.

The last five control categories are indirectly supported by automated measurement and validation. They include:

16. Secure network engineering

17. Penetration tests and red team exercises

18. Incident response capability

19. Data recovery capability

20. Security skills assessment and appropriate training

Example of Continuous Monitoring

An example of a continuous monitoring system in action is the recently-introduced CyberScope tool, which is currently being used by US federal agencies. With CyberScope, agency personnel send in real-time reports and questionnaires on their agency’s IT security status. This replaces the previous practice of sending in annual paperwork and reports, which were costly, time-consuming and provided limited or outdated data. CyberScope was developed in order to move IT security management from simply achieving compliance, to a model of continuous monitoring and situational awareness.

Summary

This article explores the concept of continuous monitoring, a current approach to IT security management. Continuous monitoring can improve the quality of information security by providing up-to-date and meaningful information to decision makers. Unlike traditional monitoring, which can only provide a limited snapshot of the security situation within an agency or organization, continuous monitoring strategies are more dynamic. The article also looks at the SANS security controls, which represent the priority concerns of security professionals today.

CIPP/G Preparation

In preparation for the Certified Information Privacy Professional/US Government exam, a privacy professional should be comfortable with topics related to this post, including:

Federal Information Security Management Act of 2002 – FISMA (I.C.f.)
Federal agency performance (I.C.f.i.3.)
US government privacy program development (II.A.a.)
Auditing and compliance monitoring (II.B.c.)

Cyberscope

hannah — Tue, 02 Nov 2010 16:00:57 +0000

In October 2009, the US federal Office of Management and Budget (OMB) released CyberScope, a reporting tool for federal agencies. Under the FISMA (the Federal Information Security Management Act of 2002), agencies are obliged to report on their information security statuses. The introduction of CyberScope aimed to correct any weaknesses and streamline the IT security reporting process. This article takes a look at how CyberScope has improved upon the FISMA reporting approach.

Background

The FISMA, enacted in 2002 under the E-Government Act of 2002, required regular reporting from federal agencies regarding their information security practices. These reports were to be submitted on an annual basis to the Office of Management and Budget. It quickly became clear that the reports being generated were not useful for agencies or oversight groups, as they could only represent a very limited snapshot of the agency’s IT security posture.

Additionally, the costs of enforcing FISMA mandates were high. For instance, the certification and accreditation required by FISMA cost $1.3 billion per year, while compliance auditing required another $1 billion. Since the enactment of FISMA in 2002, it is estimated that the federal government has spent over $40 billion. The annual security reports mandated by the FISMA would cost $1,400 per page to produce. This added up to over $500 million each year.

Clearly, the security reporting processes were costly, time-consuming and unsecure, without seeming to have positive effects on federal cybersecurity. The reporting methods depended on large, static spreadsheets that were often outdated by the time they were published. An automated method that could reduce costs and streamline the reporting process was required.

During October 2009, FISMA was revamped to mandate real-time reporting, rather than the previously-required annual reports. This new type of reporting would be facilitated by CyberScope, an online reporting tool based on a Justice Department tool. Use of CyberScope was mandated for civilian agencies only; the Department of Defense has its own set of reporting tools and mechanisms.

What is CyberScope?

CyberScope is a web-based application that collects data from each federal agency, to assess IT security. This represents a major shift, as IT reporting was previously done through paperwork reports. CyberScope relies on live data feeds and data entry by agency staff. It is designed as a central repository, accessible by agencies through a standard interface and format. Through this interface, agencies provide data to the OMB, which then compiles and generates reports to other agencies, as required by the FISMA.

CyberScope is based on automation; users login by using a secure PIV (personal identity verification) car and PIN (personal identification number). It supports its 600 agency users in various information collection processes. This more automated and frequent method improves the monitoring and evaluation of IT security performance over time.

CyberScope in Use

While federal agencies such as NASA, the Department of the Treasury, the Department of Veterans Affairs, the Department of Agriculture and the Department of State were able to submit real time data feeds by July 2010, many agencies required systems upgrades to support the CyberScope reporting program. In order to accommodate the agencies unable to submit through CyberScope, the OMB has allowed for reporting through Excel templates, with the information being uploaded using XML.

FISMA reporting through CyberScope for the fiscal year of 2010 involves a three-tiered approach, which is made up of:

a) Direct data feeds from security management tools

Direct reporting from continuous monitoring programs and security management tools is required by the OMB. The OMB has defined a set of elements that monitoring systems are obliged to report on. This includes: inventory; systems and services; hardware; software; external connections; security training; and identity management and access. During the fiscal year of 2010, agencies are required to report on a quarterly basis. Beginning in 2011, they will need to report on a monthly basis.

b) Government-wide benchmarking regarding IT security

CyberScope presents agencies with a number of questions regarding the security poster. The agency head is also required to submit a comprehensive overview of the information security policies, procedures and practices of the agency. This overview can be completed through CyberScope. From 2010 onwards, the OMB only accepts submissions through CyberScope.

c) Agency-specific interviews

A team of specialists will interview agencies on specific threats. This information will be presented in the 2010 Report on FISMA to Congress.

The combination of electronic interviewing, in-person interviewing and the continuous collection of data aims to develop a cybersecurity profile for each federal agency. These profiles are crucial for identifying strengths and weaknesses in the federal government’s IT systems and ensure compliance.

As mandated by the OMB, the Department of Homeland Security (DHS) is responsible for providing support to agencies in securing their systems. It is responsible for oversight of the CyberScope tool. The DHS must also track and report progress to ensure implementation is effective.

Beyond CyberScope

CyberScope is one of a number of other digital tools that can help support FISMA objectives and facilitate compliance. For instance, the Department of State has introduced a digital security dashboard which monitors its extensive system of 5,000 routers and 40,000 host computers supporting 285 posts worldwide. The automated dashboard is linked to the Risk Scoring Program.

The Risk Scoring Program routinely monitors and assesses ten categories of vulnerabilities. Each category is then scored between one and ten, with ten points representing the most severe vulnerability. Using the risk scores, letter grades between A to F- are assigned to the IT professionals responsible for the systems. This is done at least once every two days.

The continuous monitoring model introduced by the Program allows IT professionals to identify their degree of risk against the defined criteria. It also allows them to rank themselves against their peers, which can be motivational and foster competition.

As a result of the Department of State’s Risk Scoring Program, the Department of State has been able to reduce risk at its domestic offices by 83% since 2008. It has also been able to reduce risk at its foreign locations by 84%.

To complement the automated reporting introduced by CyberScope, the OMB implemented a cybersecurity dashboard. This dashboard was created to facilitate FISMA submissions in a timely and secure manner.

Summary

This article explores the need for CyberScope, an automated, real-time reporting tool, which allows US federal agencies to comply with the FISMA (Federal Information Security Management Act). Prior to the introduction of CyberScope, agencies relied on a costly and time-consuming reporting method, which could only provide a very limited snapshot of their IT security status. CyberScope is also part of a new three-tier approach to FISMA monitoring, which is made up of direct data feeds, government-wide benchmarking and agency-specific interviews. In addition to CyberScope, the article also explores other digital tools based on the continuous monitoring model, which can be used to facilitate FISMA compliance.

CIPP/G Preparation

In preparation for the Certified Information Privacy Professional/US Government exam, a privacy professional should be comfortable with topics related to this post, including:

Office of Management & Budget – OMB (II.A.c.i.)
OMB reporting requirements (II.A.c.i.1.b.)
OMB reporting obligations (II.B.f.i.)
FISMA reporting (I.C.f.i.2.)

Recommended Security Controls for Federal Information Systems

hannah — Tue, 26 Oct 2010 16:00:38 +0000

The National Institute of Standards and Technology (NIST) is responsible for developing standards and guidelines for information security for all civilian federal agencies. It produces security controls for information systems, which are the safeguards necessary to protect the confidentiality, integrity and availability of the data. The NIST SP (Special Publication) 800-53: Recommended Security Controls for Federal Information Systems defines security controls for executive agencies of the US federal government. This article introduces the publication and some of its key concepts.

Purpose of NIST SP 800-53

The FISMA (Federal Information Security Management Act) mandates that information system must adequately protect government data. Under the FISMA, the responsibility for developing security standards falls under the jurisdiction of the NIST. The NIST SP 800-53 provides guidelines for federal agencies to select and define security controls for their information systems. It is also used in non-federal government and private sector organizations as well.

Within the context of federal agencies, the publication was created to achieve the following:

Facilitate a consistent approach to select and specify information security controls.
Offer minimum information security controls.
Offer a catalog of information security controls to meet the current and future security needs of organizations.
Form a basis to develop security control assessment methods and procedures.

The NIST SP 800-53 is directed towards information system and security professionals, which may include:

Chief information officers
Senior agency information security officers
Authorizing officials
Program/project managers
Mission/application owners
System designers
System/application programmers
Information system owners
Information owners
Information system administrators
Information system security officers
Auditors
Inspectors general
Evaluators
Certification agents

Organization & Structure

There are three general classes of security controls and seventeen security control families, as listed below:

Management

Certification, Accreditation and Security Assessments
Planning
Risk Assessment
System and Services Acquisition

Operational

Awareness and Training
Configuration Management
Contingency Planning
Incident Response
Maintenance
Media Protection
Physical and Environmental Protection
Personnel Security
System and Information Integrity

Technical

Access Control
Audit and Accountability
Identification and Authentication
System and Communications Protection

Baselines

The concept of baseline controls refer to the minimum security controls that are recommended for a system, based on its security categorization. The baseline enables agencies and organizations to determine the safeguards needed to protect the systems.

However, baselines alone are not enough to properly manage risk. The following considerations must be made when selecting baseline controls:

Security Controls – Which security controls are “common” controls? How does this relate to the responsibilities of the owners of the information systems?
Operational Environment – How can the operational environment of the system affect physical security controls?
Physical Infrastructure – Do the security controls of the facility provide adequate protection to the information system and its assets?
Public Access – What special security controls are necessary if users access the system through public interfaces? How are the issues of identification and authentication handled?
Technology – What types of technologies are being used within the system (e.g. cryptography, public key infrastructure, wireless technologies)? Which risks can be mitigated through automated mechanisms?
Policy and Regulation – Which laws, Executive Orders, directives, policies, standards or regulations apply to the types of data or systems used by the agency?
Security Objectives – Can any security controls be downgraded to the corresponding controls of a lower baseline?

There are three sets of baseline controls: low-impact, moderate-impact and high-impact levels. This is based on FIPS 199 (Federal Information Processing Standards Publication), which is the mandatory federal security categorization standard. Each impact level is associated with a different security category. Security categories facilitate the proper selection of security controls, as well as how to supplement the baseline to appropriately manage risk.

Security categories (low, moderate or high) are based on the security objectives of confidentiality, integrity and availability. The format for representing the security category (SC) of a system is as follows:

SC_{information system} = {(confidentiality, impact), (integrity, impact), (availability, impact)}

Potential impact values for each objective can be low, moderate or high. Low-impact systems are information systems that have all three security objectives set at “low.” Moderate-impact systems have at least one “moderate” security objective and no objectives greater than moderate. High-impact systems have at least one “high” security objective.

Overall impact levels of information systems take into consideration three elements:

1. Different types of information processed, stored or transmitted by the system.

2. Impact levels of each type of information.

3. Security categorization for each security objective.

The overall impact level is determined from the highest impact level of the three security objectives.

Risk Management

Proper risk management is crucial for any information security program. The risk approach balances security controls with efficacy, legislation, directives, regulations and policies. According to the NIST Risk Management Framework, managing risk involves the following steps:

The information system is categorized.
A set of baseline security controls are selected and used as a starting point for a risk assessment.
The baseline set of controls are supplemented with additional information, including agency security requirements, threat information and other circumstantial information.
The adjusted set of security controls is documented in the system security plan.
Security controls are implemented into the system.
Security controls are assessed using the appropriate methods and procedures.
Information system operation is based on risk determination. This may involve risk to operations, assets or individuals.
The selected security controls are monitored and assessed continuously. Any changes to the system are considered and reported as well.

Updating Controls

The security controls may need to be reassessed and updated. There are a number of events that may trigger this, including:

Data breach
Identification of a new and credible threat
Major changes to the system configuration

According to the NIST SP 800-53, it is recommended to take the following precautions:

Assess the sensitivity of the system and data processed, stored or transmitted by that system.
Assess the current situation of the system, taking into consideration vulnerabilities, threats and risks.
Determine any necessary corrections that may need to be initiated.
Determine if reaccreditation of the system is necessary.

Summary

This article introduces the NIST SP 800-53, which outlines recommended security standards and controls for information systems in federal agencies. The framework was developed as a mandate of the FISMA (Federal Information Security Management Act of 2002), and is recommended for use in the private sector as well. The article outlines the purpose of the NIST publication and lists the organizational structure for the security controls. It also looks at the process by which the controls are selected and how baseline controls can be updated to better reflect an organization’s security situation. Finally, the article outlines the reasons for which controls may be updated and how agencies or organizations can respond to events.

CIPP/G Preparation

In preparation for the Certified Information Privacy Professional/US Government exam, a privacy professional should be comfortable with topics related to this post, including:

FISMA performance (I.C.f.i.3.)
System compliance (I.C.f.i.ii.)

SCAP

hannah — Tue, 19 Oct 2010 16:00:38 +0000

SCAP is a means of applying standards to ensure management and measurement of vulnerabilities. The objective of SCAP is to facilitate evaluation and policy compliance by integrating the goals of IT with those of IT security.

What is SCAP?

SCAP (Security Content Automation Protocol) enables maintenance and assessment of enterprise systems security to be conducted in a standardized manner. SCAP is made up of several open standards that are used to identify and describe flaws and other security issues. SCAP standards may be able to carry out any of the following tasks:

- Automatically verify patches

- Check system security configuration settings

- Search systems for vulnerabilities and risks

As the standards are transparent, interoperable, repeatable and automated, organizations can evaluate their policy compliance. For instance, an organization can evaluate for FISMA compliance with SCAP standards. With SCAP, compliance is an automatic result of good enterprise security, since compliance reporting is linked to the system configuration.

NIST (US National Institute of Standards and Technology) defines SCAP standards, defines the mappings and manages the protocol. However, NIST is not responsible for controlling the underlying SCAP standards, which are discussed later in this article.

Components of SCAP

SCAP is made up of security checklist data, vulnerability enumerations and the mappings between these enumerations. SCAP content is described below:

Security Checklist Data

Checklists are overseen by the NIST National Checklist program. This is written in machine-readable language.

Vulnerability Enumerations

This is a list of all security related flaws or issues as well as a list of vendor/product names.

Mappings

These mappings are provided by the National Vulnerability Database (NVD). The mappings describe the affected product names and help identify the standard impact score for flaws or issues.

In addition to the main SCAP standard, there are also six underlying SCAP standards. The underlying standards are listed and described below:

1. CVE

o Common Vulnerability Enumeration

o This describes publicly known IT vulnerabilities and issues.

o CVE provides common names to identify publicly-known problems. These names are also referred to as “CVE names,” “CVE numbers,” “CVE-IDs” and “CVEs.”

o CVE supports an organization’s vulnerability management functions.

o CVE names contain the following information:

§ CVE identification number

§ Either “entry” or “candidate” status

§ Description of security vulnerability

§ Important references, such as vulnerability reports or OVAL-ID

2. CCE

o Common Configuration Enumeration

o This describes system configuration issues.

o CCE also enables the correlation of configuration data from multiple sources in an efficient, accurate manner.

o CCE assigns enumerations (referred to as “CCEs”) to configuration statements and controls. It is similar to the CVE list.

o CCE supports an organization’s configuration management functions.

o CCEs contain the following information:

§ CCE identifier number

§ Human-readable description of the issue

§ Parameters specifying CCE implementation

§ Related technical mechanisms regarding the configuration issue

§ References to the documents or tools that describe the configuration issue in detail

3. CPE

o Common Platform Enumeration

o This is a naming scheme for a number of IT platforms (i.e. operating systems, applications and hardware).

o CPE enables the identification of specific platforms, based on URI (Uniform Resource Identifiers) syntax.

o CPE supports an organization’s asset management functions.

o CPE includes the following:

§ Formal name format

§ Description of complex platforms

§ System to check names

§ Description format

§ Tests to a name

4. CVSS

o Common Vulnerability Scoring System

o This helps to determine the impact of IT vulnerabilities. Other vulnerability scoring systems, such as the CERT/CC or the SANS vulnerability analysis scale may also be used by commercial as well as non-commercial organizations.

o CVSS also serves as a means to communicate vulnerability characteristics.

o CVSS supports an organization’s configuration management and vulnerability management functions.

o CVSS is made of the following metric groups, as described below:

a) Base Metric Group

- This measures the intrinsic, fundamental characteristics of certain vulnerabilities. Base metrics are constant, regardless of time and user environments.
- Base metrics include:
  - Access Vector
  - Access Complexity
  - Authentication
  - Confidentiality Impact
  - Integrity Impact
  - Availability Impact

b) Temporal Metric Group

This measures characteristics that change over the course of time, but are unrelated to user environments.
Temporal metrics include:
- Exploitability
- Remediation Level
- Report Confidence

c) Environmental Metric Group

This measures the characteristics that are dependent upon a specific user environment.
Environmental metrics include:

- - Collateral Damage Potential
  - Target Distribution
  - Confidentiality Requirement
  - Integrity Requirement
  - Availability Requirement

5. XCCDF

o eXtensible Checklist Configuration Description Format

o This is an XML-based language.

o XCCDF is used to represent checklists, benchmarks and other pertinent documents in machine-readable format.

o XCCDF supports an organization’s compliance management and configuration management functions.

6. OVAL

o Open Vulnerability and Assessment Language

o This is an XML-based language.

o OVAL represents configuration information; analyzes the system for patches, vulnerabilities, security configuration standards or other machine states; and reports assessment results.

o OVAL supports an organization’s configuration management and vulnerability management functions.

SCAP Validation & Emerging Specifications

SCAP protocols facilitate the exchange of system configuration controls and vulnerability information in a standardized format. The Validation Program assesses the ability of the products to use the SCAP components. SCAP validation is carried out by independent laboratories, accredited by the NIST. Based on lab results, the product is SCAP-validated. The information is announced on the NIST web page.

There are a number of different SCAP Validated Products, distributed by the following five vendors:

1. Gideon Technologies – SecureFusion

2. netIQ – Secure Configuration Manager

3. secure elements – CS Compliance Platform

4. ThreatGuard – Secutor Prime and S-CAT

5. Tenable Network Security – Security Center

A number of other SCAP products are in the testing process. Other products are on the potential validation list. There are a number of emerging specifications, which are listed below:

ARF (Asset Reporting Format)
OCIL (Open Checklist Interactive Language)
OCRL (Open Checklist Reporting Language)
CCSS (Common Configuration Scoring System)
CMSS (Common Misuse Scoring System)

SCAP Release Cycle

SCAP specifications are under ongoing change in order to meet the needs of its users. SCAP change management is outlined in its Release Cycle:

NIST review, community feedback and candidate process – consideration of new or updated specifications that may become part of SCAP.
Review of potential SCAP candidates – this allows the community to offer comments or feedback before finalization of the specification.
Publication of draft SCAP – gives notices regarding new/updated specifications.
SCAP beta content – provided for testing and use by the community.
Publication of final NIST specification – after this step, the specification becomes effective.
SCAP content finalization – any previously released beta content becomes final.
Laboratory product validation period – product testing by accredited laboratories. This extends for a period of twelve months.
Expiration of product validations – product validations expire after one year.

Summary

This article introduces SCAP open standards by exploring the reasons for which they may be implemented within an organization. The article describes the functions of the six components (or underlying standards) of SCAP, which include: the Common Vulnerabilities and Exposures (CVE); Common Configuration Enumeration (CCE); Common Platform Enumeration (CPE); Common Vulnerability Scoring System (CVSS); eXtensible Configuration Checklist Description Format (XCCDF); and Open Vulnerability and Assessment Language (OVAL). The process by which emerging standards are validated and updated is also described.

CIPP/G Preparation

In preparation for the Certified Information Privacy Professional/US Government exam, a privacy professional should be comfortable with topics related to this post, including:

Federal Information Security Management Act of 2002 – FISMA (I.C.f.)
System compliance (I.C.f.ii.)
Program management – FISMA model (II.A.b.i.)

OMB Memorandum 07-16 Safeguarding Against and Responding to the Breach of Personally Identifiable Information

jbrook — Tue, 04 May 2010 12:00:07 +0000

Executive Order 13402 commanded the creation of a Presidential Identity Theft Task Force to examine how the Federal Government could better respond to and protect against data breaches resulting in identity theft. Under Federal regulations, such as the Privacy Act of 1974 and the Federal Information Security Management Act, individuals are guaranteed the security of their data, making adequate protection of data a matter of compliance.

On May 22, 2007 the Presidential Identity Theft Task Force issued Memorandum 07-16. It required all agencies to develop and implement data breach notification policies within 120 days, as outlined by the memorandum. M-07-16 included a number of new recommendations and requirements agencies must use in creating such policies.

What is Personally Identifiable Information (PII)?

M-07-16 expanded the definition of personally identifiable information to the following: “personally identifiable information refers to information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as data and place of birth, mother’s maiden name, etc.”

The following are a number of requirements outlined by various attachments to M-07-16 in order to protect personally identifiable information:

Safeguarding Against the Breach of Personally Identifiable Information

Part A of Attachment I reiterated the privacy and security requirements for Federal agencies enforced under the Privacy Act, such as establishing safeguards, ensuring the integrity of data and establishing “rules of conduct” for individuals handling information. Furthermore, under the Privacy Act, agencies are require to assign risk levels to information systems according to NIST SP 800-37.

Attachment I also created the following new requirements:

Review and Reduce the Volume of Personally Identifiable Information

Agencies should conduct an initial review to identify records containing PII and ensure that the information is timely, accurate, relevant and complete. Only the information necessary for carrying out government activities should be maintained. After the initial review, the holdings of PII should be periodically review according to a public schedule

Reduce the Use of Social Security Numbers

All agencies were required to develop a plan within 120 days of the memorandum to eliminate any unnecessary collection of Social Security Numbers (SSN) within eighteen months. Furthermore agencies were also charged with the responsibility of working with other Federal agencies to create a Federal identifier separate from Social Security Numbers.

Security Requirements

Agencies must implement the following security features to protect all Federal information, not just data containing PII:

Encryption
Require two factor authentication using separate devices when accessing information remotely
Implement a Time-Out function requiring re-authentication after a period of inactivity on remote access and mobile devices
Log data extracts from data files containing sensitive information and verify each extract including the destruction of sensitive data after 90 days after it is no longer in use
Educate all individuals handling PII and have them sign a document annually stating they understand their responsibilities.

Incident Reporting and Handling

Attachment 2 of M-07-16 reviewed FISMA guidelines for the reporting of data breaches and modified several requirements.

US-CERT Reporting

All agencies must report incidents involving PII to the United States Computer Emergency Readiness Team regardless of whether a threat may be potential or confirmed. Reporting must take place with one hour of its detection for Category 1 incidents. Examples of Category 1 incidents include:

An individual gaining physical or logical access to a Federal agency’s network, information system, applications, or data without authorization
Any confirmed or potential breach of personally identifiable information regardless of how the breach occurred

Develop and Publish a Routine Use

Routine use includes all uses of data which are in line with the purposes for which data was originally collected. Effectively taking countermeasures to reduce the threat to information due to a security breach may require Federal agencies to share PII with other agencies and law enforcement officials with whom no data sharing agreement exists. To respond adequately, agencies should establish routine use policies to allow the disclosure of information without the prior consent of the individual in situations involving data breach investigations.

External Breach Notification

Attachment 3 of M-07-16 addresses how and when data breaches should be reported to affected individuals and/or the public. All agencies must develop data breach notification policies to guide officials and deciding when notification is necessary and how it should be undertaken.

Whether Breach Notification is Required

Agencies should assess the level of risk and the likelihood of the breach causing harm using the following five factors:

Type of information compromised
Number of affected individuals
Accessibility and usability of the information
Likelihood of harm occurring
Ability of the agency to mitigate harm

Timelines of the Notification

If notification is to be undertaken, it should be carried out promptly upon discovery. Notification may be delayed, as authorized but a senior official, if notification may seriously affect law enforcement proceedings.

Source of the Notification

Notification to affected individuals should come from the head of the agency where the breach occurred. Notification for breaches affecting less than fifty people may also come from the Chief Information or Privacy Officer.

Contents of the Notification

Notice should be provide in writing and contain the following information

Type of information compromised
Whether the information was encrypted or similarly protected
Steps the individual can take to mitigate harm
Steps the agency is taking to investigate the breach, mitigate harm and protect against future incidents
Contact information for the agency

Means of Providing Notification

Method of notification depends on the number of affected individuals and the urgency of the notification. Methods include:

Telephone
First-Class mail
Email
Existing Government wide services
Newspapers and other media
Any accommodations necessary for individuals with disabilities

Who Receives Notification

For every data breach, agencies must consider whether to provide notification to the affected individuals and/or the public. Notification to individuals should occur promptly after the need for notification has been determined. Notification to the public including the media should be carefully planned to avoid alarm or confusion. Notice should also be posted on the agencies web page when public notification occurs.

Rules and Consequences Policy:

Attachment 4 of M-07-16 set forth a new requirement. All agencies must develop and implement a Rules and Consequences policy for employees handling personally identifiable information.

The policy must outline the requirements of employees according to their level of responsibility and the type of information they handle. Employees must be aware of their responsibilities under Federal law as well as the consequences for any violations. Supervisors that fail to take disciplinary action when violations occur are also subject to penalties. The policy should address:

The types of individuals that must comply, including employees, contractors and other individuals handling PII maintained by the Federal government
The types of actions that constitute violations including
- Failing to maintain or implement security controls
- Accessing PII or disclosing PII to other individuals without authorization
- Failing to report suspected data breaches or unauthorized disclosures
- Failing to adequately instruct, train or supervise employees handling PII (for managers)

Summary

The Federal Government has a legal responsibility to protect the personally identifiable information is has collected from individuals. Memoranda such as M-07-16 ensure that the security of personally identifiable information remains an ongoing discussion and concern within the Federal Government.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

OMB Memorandum 07-16 (II.A.c.2.j)

OMB Memorandums 06-19 and 04-26: Small Changes with Big Impacts

jbrook — Tue, 27 Apr 2010 12:00:43 +0000

Memorandum 06-19

Memorandum 06-19 was issued by the Office of Management and Budget in July 2006 to update the reporting requirements for data breaches involving personally identifiable information. It also addressed the need to budget in anticipation of providing adequate data security.

Reporting Security Incidents

Under the Federal Information Security Management Act, all government agencies must alert the U.S. Computer Emergency Readiness Team (US-CERT) of any potential or confirmed security violations. Response times and procedures vary according to the type of violation. OMB 06-19 decreased the reporting time for incidents involving personally identifiable information to within one hours of its detection or discovery. This helps to facilitate prompt, efficient response to security and privacy threats. Security violations involving PII must be reported regardless of whether the information is stored physically or electronically.

Incorporating Security Funding Into Information Technology Investments

The second part of M-06-19 reiterated past memoranda which addressed budgeting for security funding with regard to information technology. When developing fiscal year budgets, agencies should:

Use M-00-07 as a guidelines for preparing budget policy
Ensure that security and funding is integrated into information technology at all stages of development and use
Ensure current standards meet existing requirements so that new funds may be spent on developing new or improved systems
Address how funds and resources are allocated between correcting current weaknesses in security and developing new IT
Consider M-06-15 “Safeguarding Personally Identifiable Information” and M-06-16 “Protection of Sensitive Agency Information” when considering any improvements or changes to IT investments.

Memorandum 04-26

Memorandum 04-26 was issued in September 2004 regarding personal use policies for employees accessing government computers and the use of file sharing technology.

What is file sharing technology?

File sharing technology, also known as P2P (peer-to-peer) networking allows users to upload music, photos, videos, and other files to allow mass distribution. P2P networks do not depend on a single network or server to support all of the requests, but rather draws resources and bandwidth from users’ computers to support the transfer of files. While file sharing technology in itself is not illegal, there are many problems associated with it. Most e-piracy takes place through P2P networks, allowing individuals to download movies, music, books, pornography and other media content without paying. Furthermore, P2P networks facilitate the transmission of computer viruses.

The use of file sharing technology on government computers or networks is prohibited to prevent employees from engaging in illicit activities and/or compromising the security of privacy of the information maintained by the U.S. Government.

Directions to Agencies to Prevent File Sharing

M-04-26 directed agencies to take the following steps to protect Government information systems from problems associated with P2P technology:

1. Establish or Update Agency Personal Use Policies to be Consistent with CIO Council Recommended Guidance

All agencies must develop personal use policies outline the proper use of government information technology for the government employees that use them. Personal use policies should address the user’s responsibilities, possible consequences and include provisions against use of P2P technology

2. Train All Employees on Personal Use Policies and Improper Uses of File Sharing

In addition to receiving personal use policies, all employees should receive training on how personal use policies relate to their specific responsibilities towards maintaing the security and privacy of data.

3. Implement Security Controls to Prevent and Detect Improper File Sharing

Agencies should use NIST standards to implement internal security controls that prevent the access and use of P2P technology on government computers.

Summary

Memoranda from the Office of Management and Budget usually do not create all new privacy and security legislation. Rather, they amend or add to existing regulations. Often the changes may be small, such as in M-06-19 and M-04-26, however it does not make them less important. OMB memoranda allow privacy and security practices to be an ongoing process within the Federal government and strengthen the protections guaranteed to us under U.S. law.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

OMB Memorandum 04-26 (II.A.c.i.2.c)
OMB Memorandum 06-15 (II.A.c.i.2.e)

OMB Memoranda 06-15 and 06-16: Safeguarding Information Maintained by the U.S. Government

jbrook — Wed, 10 Mar 2010 12:00:22 +0000

OMB Memoranda 06-15 and 06-16: Safeguarding Information Maintained by the U.S. Government

In 2006, the Office of Management and Budget published two memoranda back to back dealing specifically with protecting certain types of information maintained by the Federal Government. M-06-15 addresses safeguarding personally identifiable information. M-06-16 deals with the protection of sensitive agency information. Both memoranda reiterate the security requirements of previous regulations, and expand upon them to make them more effective.

OMB M-06-15: Safeguarding Personally Identifiable Information

M-06-15 served as a reminder to government agencies of their responsibilities towards protecting personally identifiable information.

Under the Privacy Act of 1974 agencies must:

Establish rules of conduct for individuals working accessing, using or maintaining personally identifiable information. Employees should receive adequate training in their privacy and security responsibilities and be made aware of the consequences of noncompliance with the Privacy Act.
Implement adequate administrative, technical and physical safeguards to protect personally identifiable information.

M-06-15 asked all Senior Agency Official for Privacy appointed pursuant to M-05-08 to review agency policies to ensure compliance with the Privacy Act. The review was to be included in a report reviewing implementation of an compliance with the Federal Information Security Management Act (FISMA).

OMB M-06-16: Protection of Sensitive Agency Information

M-06-16 described important security controls agencies should use to protect sensitive agency information:

1. All mobile devices that store or access agency data should be encrypted

2. Remote access to agency data must require a two factor authentication process which includes a device separate from the device gaining access

3. Agencies should implement time-out functions on remote access mobile devices that log out a user after 30 minutes of inactivity

4. Agencies must maintain adequate logs of all computer readable data extracts from information systems containing sensitive data. Data that is no longer in use should be erased after 90 days.

M-06-16 also included the National Institute of Standards and Technology (NIST) checklist for remote access:

1. Confirm identification of personally identifiable information protection needs– Any PII that may be at increased risk from remote access must be identified and a risk assessment performed.

2. Verify adequacy of organizational policy– Existing policy should be reviewed to ensure that the procedures and security controls adequately protect PII. Policy should be improved upon if necessary.

3. Implement protections for personally identifiable information being transported and/or stored offsite– This step involves ensuring the proper security controls including encryption are applied to sensitive agency data before it is transported or store away from the main agency network.

4. Implement protections for remote access to personally identifiable– Users should access agency data through a Virtual Private Network (VPN) to ensure proper authentication and security. Security controls should be implemented to limit the ability to access or download PII remotely only to authorized individuals. All sensitive data stored on remote access devices should be encrypted, if policy allows remote storage. If policy does not allow storage of PII on the local hard drive of a remote device, proper security controls should be implemented to allow remote use without local storage of the data

Summary

The protection of agency data including sensitive information and personally identifiable information remains a significant concern for government agencies and the Office of Management and Budget. While memoranda 06-15 and 06-16 include no new recommendations or policies, such memoranda enforce the idea that attention to and review of security controls is an ongoing process that must occur regularly to ensure proper protection of agency information.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

OMB Memorandum 06-15 (II.A.c.2.e)
OMB Memorandum 06-16 (II.A.c.2.f)

FISMA: The Federal Information Security Management Act

jbrook — Thu, 04 Mar 2010 12:00:00 +0000

The Federal Information Security Management Act

The E-Government Acts of 2002 involved a large number of new regulations to implement and control the use of electronic technologies by the U.S. Government. Title III of this Act, called the Federal Information Security Management Act required all Government agencies to develop extensive information security programs.

What is the Importance of FISMA?

The Federal Information Security and Management Act deals with Information Security, which is one of the Fair Information Practice Principles. Proper protection of data does not only include the acceptable use and disclosure of the data by the agency, but also the measures taken to prevent abuse of information by other parties and to protect the status and availability of the data.

FISMA incorporates the three main components of information security:

Confidentiality– involves implementing the necessary restrictions and authorizations to limit access to sensitive data.
Integrity– involves ensuring information is authentic and preventing improper modification or destruction
Availability– involves the ability to readily access information and the timeliness of the information

What Does a FISMA Compliant Information Security Program Entail?

Periodic risk assessments must be conducted evaluating any potential harm caused by unauthorized access, use, disclosure or destruction of the data including an assessment of the magnitude of harm
Risk assessments are used to develop policies which are cost effective and reduce any security threats. These policies must also protect data at all stages of the life cycle
The efficacy of policies, procedures and security controls must be tested at least annually, with higher risk systems requiring more frequent evaluations.
An agency must implement a way to detect, report and respond to security violations
An agency must develop a continuity of operations plan to return function as quickly as possible in the event of a security incident of disruption.

What is Security Certification and Accreditation?

Security Certification and Accreditation is the official process taken to authorize the operation of an information system by an agency of the U.S. Government. By accrediting an information system, the agency accepts full responsibility for the system and will be held accountable for any negative impacts or problems that may arise.

The four phases of the Security Certification and Accreditation process:

Initiation Phase– ensures all parties are on the same page regarding the information system, its contents and controls before the system is evaluated. In this phase, the information security system is prepared and the security plan is analyzed and updated for review.
Security Certification Phase– evaluates security controls to make sure they are functioning correctly, that the system is operating as it should and that the information is adequately protected. In this phase, all security controls are tested documentation is created with the results.
Security Accreditation Phase– the information gathered during the previous phase is used to determine if the operation of the information system presents an acceptable security risk. In this stage, the authorizing official determines whether or not an information system may become operational, and proper documentation is filed if the system is ready to become accredited.
Continuous Monitoring Phase – ensures ongoing enforcement by requiring ongoing configuration and management control, monitoring of security controls and the filing of status reports and documents.

Reaccreditation occurs periodically and after significant changes in the system or environment. The Security Certification and Accreditation process is used to evaluate an individual information system and its security. It is similar to but distinct from Privacy Impact Assessments which are used to evaluate privacy protections with regard to changes in a records system. PIA and C&A evaluations for particular information systems may overlap in coverage. However, PIA are also used to evaluate privacy concerns involved with using matching programs, sharing information between agencies or when transferring data to electronic form. C&A evaluations are less frequent and more extensive and evaluate individual security systems and their related policies.

Enforcement of FISMA

Monitoring of FISMA compliance is built into the regulation through mandatory reports due to the Director of the Office of Management and Budget, and several House of Representative and Senate Committees. The report must include:

The information resources used by the agency
The information technologies used by the agency
The program performance
Financial management information including annual budgets, and accounting to determine cost effectiveness
Record of any significant vulnerabilities in the policies, procedures or security systems.

In 2008, OMB Memorandum 08-09, added new reporting guidelines that required each agency to report:

The number of each type of privacy review used by the agency during the previous fiscal year
Any new policies, guidance or advice provided by the agency official in charge of privacy in the past fiscal year
The number of written privacy complaints received in the past fiscal year
The number of privacy issues referred to another agency with the relevant jurisdiction in the past fiscal year

Each agency must also create a performance plan in consultation with the Director of the Office of Management and Budget regarding the time period and resources needed including budget, staffing and training to implement or continue to implement, secure FISMA compliant information security systems.

FISMA also requires annual independent evaluations of the information security programs and procedures. The evaluation is conducted by the Inspector General of the agency, if one is appointed. It one is not appointed, the head of the agency must hire an external party to evaluate the system. A report the evaluation must be submitted to the Director of the Office of Management and Budget who then summarizes the findings in the Director’s Report to Congress.

Summary:

The Federal Information Security Management Act protects privacy by requiring extensive evaluations and monitoring of Government information systems to ensure data is adequately protected and operating at an acceptable level of risk.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

Federal Information Security Management Act (I.C.f.i-iii.)
The E-Government Act of 2002 including Privacy Impact Assessments (I.C.c.i.-ii.)

Data Destruction and Privacy

jbrook — Mon, 23 Nov 2009 12:00:27 +0000

If asked to identify the point in the information lifecycle in which data is often most vulnerable, most people would not say “Destruction.” Destruction itself is a simple concept. After personal data or technology storing personal data is no longer useful it is discarded. However, completely erasing data from existence is not that easy. Computer files are particularly difficult to destroy. Furthermore, with the increasing use of cloud computing services, more and more personal data is being stored on third party servers, where the information controller has to trust their provider to remove the information when requested. Control over the deletion and destruction of data is taken out of the data controller and the data subject’s hands.

The problems associated with proper disposal, make it so that the destruction of data is one of the times personal information is most likely to be at risk for unauthorized access. Because of this, data destruction remains an important privacy issue discussed among professionals in the industry today.

Why is Data Destroyed?

Data Destruction is a necessary and important part of the information life cycle. Deleting data from a server frees space on the hard drive for other data that may be more pertinent to business operations. Destroying untimely data also helps limit the extent of a breach should unauthorized access occur.

The Fair Information Practice Principles include regulations regarding the limits and uses of collected data. Once data is collected, the data controller is restricted to using it for purposes related to the reasons for which it was originally collected. Data that is outdated or no longer useful is destroyed. Data destruction may also occur after transferring data to new technologies and discarding the old ones. Data, especially that has been hosted with a cloud computing service, may also be deleted at request of the data subject or data controller.

How Do Data Breaches from Improper Destruction Occur?

Today, data usually takes two forms: electronic and paper. Paper files containing personal information are a frequent cause of data breaches due to carelessness. Unclaimed copies, faxes and other paper files are often thrown into recycling bins or the trash with little thought as to the personal information that may contain. This leaves personal information vulnerable to dumpster divers that sort through trash looking for information that may allow them to commit fraud.

Another common way that deleted data may be accessed is through the improper disposal of computers and other electronic equipment with the ability to store data. Sending files to the recycle bin or hitting the delete key does not actually erase a file from existence. What it does is remove the link from the file directory while a copy of the file still remains until it is written over by other files. Some operating systems support software which allows undeletion so that files have been previously deleted can be restored. Computer hard drives, USB drives, cell phones and other related products are all susceptible to data breaches if they are recovered by dumpster divers or through computer recycling programs and their hard drives have not been overwritten, encrypted or physically destroyed.

Cloud computing has improved the interactivity and productivity of businesses and individuals but it has also increased the potential for the unauthorized access of information. When a company or individual stores personal information with a cloud computing service be it a Payroll Account Servicer or Facebook, they are trusting that servicer to protect and eventually delete their information when requested. However, it may be days, weeks or even months before that information is deleted. Furthermore, placing information in the cloud allows more individuals, that are not under the control or supervision of the data subject or the data controller to have access to personal information, laying the ground for misuse of information.

Data breaches are a serious occurrence and take place on a regular basis due to carelessness and general ignorance of the danger that improperly disposed data may pose.

How Should Data Be Disposed?

While different regulations may call for various means of protecting data, there are a number of commonly accepted ways for individuals and businesses to properly dispose of in both paper and electronic forms.

Physical Destruction:

Shredding- the most commonly used form of destruction in homes and small business in which paper is cut into small pieces to make the information harder to reassemble. Cross-cut shredders are more effective than length wise only shredders which may be reassembled into usable data with a minimal amount of work.
Incineration- Paper and/or electronic equipment may be burned to make it unreadable. While the destruction is effective there is a large debate concerning its impact on the environment.
Pulverization- Uses high pressure to crush objects into unusable forms. Like incineration it is effective in protecting data, but poses environmental problems as the chemicals and products used in computers and paper degrade in landfills.

Electronic Destruction:

Overwriting- Involves writing over data files with files containing junk information. The more times a file is overwritten the more securely it is protected from possible recovery. Overwriting is not 100% effective, however it is a common tool that is available on all computers to protect data.
Encryption- Involves the use of private and public cipher keys to code data using algorithms. Only users with the correct key can decode the data to readable form. The HITECH act is considering using encryption as the exclusive method of data destruction.
Degaussing- Involves realigning the magnetic fields of devices which use magnetization to store data such as hard drives, magnetic tapes and audio cassettes.

What are the U.S. Federal Regulations Regarding Data Disposal?

There are number of different regulations in place in the United States that deal with the proper disposal of personal information. These are often incorporated into the various laws regulating privacy in different sectors and industries.

The Fair and Accurate Credit Transactions Act

In 2003, the the Fair and Accurate Credit Transaction Act was passed as an amendment to the Fair Credit Reporting Act, both which deal with the protection of personal information in consumer reports. FACTA includes a disposal rule for the protection of information contained in consumer reports by any entity which may use such information for business functions. Such entities may include landlords, employers, automobile dealers, debt collectors and financial institutions. The law requires such entities take take reasonable measures to destroy consumer reports including the physical and electronic destruction of data to make it unreadable. It also calls for independent audits to determine an entity’s compliance with the disposal rule.

The Gramm-Leach-Bliley Act

In 1999, the Gramm-Leach-Bliley Act was passed to protect personally identifiable information used by financial institutions. It includes a Safeguards Rule which requires financial institutions to designate a coordinator of their information safety program. It also requires extensive routine risk assessments of the physical, technical and administrative safeguards to determine the threat of internal or external abuse of personal information. The proper disposal of data is included in such risk assessments.

The law sets up for the proper protection of data against security risk, but like many information privacy laws in the U.S., is criticized for being largely unenforceable due to the variations in technology, methodology, and use of information from business to business. The GLBA does set up heavy penalties for businesses that do not complete risk assessments and develop security plans to handle potential threats.

The Health Insurance Portability and Accountability Act

HIPAA is a broad law dealing with issues within the health industry. It contains a Privacy rule and Security Rule for the protection of personal health information. While HIPAA does not specifically have rules regarding the destruction of data, it does require covered entities to take reasonable measures to ensure the protection of data and compliance with HIPAA standards. Historically, improper disclosure has been one of the number one methods of unauthorized access to protected health information.

The Federal Information Security Management Act

In 2003, FISMA (pdf) was passed to regulate information security within the Federal Government. Similar to the Gramm-Leach-Bliley Act, FISMA requires periodic risk assessments to determine the threat and magnitude of harm due to unauthorized access, use, modification, disclosure, or destruction of sensitive information throughout its life cycle. The act calls for detailed plans and security measures to be implemented in order to protect against potential threats.

Data destruction has been recognized as an important security risk in U.S. regulations, however many of the aforementioned regulations do not set clear or standardized guidelines for the correct disposal of information. Data destruction remains a confusing and complicated topic. Most regulations use language such as “reasonable measures” to acknowledge the fact that data is extraordinarily difficult and expensive to destroy. However, “reasonable measures” also creates a lot of room for interpretation and so data destruction through the United States and its industries remains largely self-regulated.

What About Data Destruction Services?

As awareness has grown about the dangers posed by improperly disposed data, a number of independent data destruction services have appeared to be part of the solution. Many of these companies offer certificates of destruction assuring it’s customers that their data is well protected and properly destroyed. While many of these companies may properly dispose of data, potential customers should be aware that the industry is completely self-regulatory. There is no government authority that certifies data destruction services in the United States and so the certificates they issue are only as good as the reputation and accountability of a company.

In Conclusion

Data Destruction is an often overlooked part of information security which is essential to individuals and businesses alike. Maintaining the security of personal information is one of the key elements of information privacy and not data is fully secure until it is completely and properly destroyed. Both individuals and businesses need to be aware of the potential consequences of improper disposal of data, recognize their accountability in ensuring its destruction and complete extensive research when choosing other services such as cloud computing and/or data destruction services which may be given control over the process.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

Introduction to Privacy: “Information lifecycle principles” (Foundations: I.E.vi)
Information Security: “Cryptography” (Foundations: II.C.a.iii), “Implementing information security controls – Asset management” (Foundations: II.C.b.iii) and “Physical and environmental security” (Foundations: II.C.b.v)