Cybereye | Could FISMA stem the flow of personal data?
- By William Jackson
- Jul 20, 2006
Abe Kleinfield thinks the Federal Information Security Management Act could be a solution to the rash of security breaches that have exposed the personal data of millions of individuals in recent weeks.
'FISMA is probably the best legislation passed around security,' said the CEO of nCircle Network Security Inc. of San Francisco.
The law mandates a risk-based approach to managing IT security
in government agencies, and FISMA performance is a major component of the annual Computer Security Report Card issued by the House Government Reform Committee. Agencies that do well on the report card don't show up in the drumbeat of headlines announcing personal data breaches, Kleinfield said. They have meaningful security policies that are backed up by education, enforcement and monitoring. He pointed to the recent Veterans Affairs Department snafu as an example.
'Under no circumstances would any sensible person allow anyone to put 26 million records onto a laptop,' he said. 'If they had gotten an A, this would not have happened.'
I'm not very enthusiastic about the A-through-F grading scheme used by the committee, but Kleinfield might be on to something here. If you look at agencies that have announced data breaches recently, there is a pattern. VA has gotten an F for the past two years, as has Agriculture. The Navy suffered a loss, and DOD dropped from a D in 2004 to an F in 2005. IRS also lost data, and Treasury dropped from a D in 2004 to a D- in 2005.
The one anomaly is the Social Security Administration, which had a data loss but rated an A+ in the most recent report card.
There is growing pressure on Congress to do something — anything — about personal data theft. Kleinfield said the best thing Congress could do might be nothing.
'More legislation is not necessarily as important as enforcing the legislation we have,' he said.
Where FISMA falls apart is when it comes to accountability, Kleinfield said. Agencies are measuring their progress under FISMA, but no one is being held accountable for shortfalls.
But accountability will be difficult to enforce unless adequate resources are allotted to agencies. IT security often gets short shrift in budgets, and one of the reasons workers are allowed to take sensitive data home is that they do not have time to complete their work at the office during the day.
In the private sector, state laws have done a good job of highlighting the problem of the lax ways personal data is being handled. The laws are not universal or uniform, but the interstate nature of most business today makes the legislative patchwork a de facto standard under which any company must report its breaches.
Unfortunately, while this has put a spotlight on the problem, the continuing stream of reports shows that it has not solved it.
Existing federal regulations, such as HIPAA, are too industry-specific or, such as Sarbanes-Oxley, do not adequately address IT security, Kleinfield said.
'We need more broad-based thinking,' he said. 'What I would like to see is a FISMA-style methodology applied to the private sector, and accountability applied to it.'
Some help in this area might come from the newly established Center for Identity Management and Information Protection, a research partnership between government, academia and industry housed at Utica College. The center promises to pool resources to develop best practices for detecting and preventing identity theft and data breaches. Let's hope the best practices are good enough.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.