Logging data extracts puts some agencies in a bind
<b>SPECIAL REPORT: Case study no. 3</b> | Mandate forces changes in who accesses information.
- By Jason Miller
- Jan 20, 2007
A third requirement in the Office of Management and Budget's June 23 data security memo goes beyond basic policy and technology adjustments. It can fundamentally change an agency's approach to collecting, disseminating and securing data'which is perhaps why agencies have had so much trouble with it.
OMB gave agencies 45 days to begin logging all computer-readable data extracts, and after 90 days, verify if the data has been erased or still is needed. Very few agencies'if any'have met this most challenging mandate of the four, industry and federal experts said.
'This is more complex than it sounds if you decompose the actions into components,' said Bob Post, vice president in Booz Allen Hamilton of McLean, Va.'s assurance and resilience capability team. 'For you to log all computer-readable data extracts, first you have to know what sensitive data is in the database, including individual data fields and elements. Then you have to decide how you will log it.'
Logging isn't that difficult, experts said, because every device creates a log. But the question is how to analyze the thousands of daily logs from a security perspective, said Carlos Blazquez, a senior information assurance analyst with SRA International Inc. of Fairfax, Va.
Logging all data extracts and then deciding if they are needed after three months isn't as simple as buying a commercial software package or installing biometrics on notebook PCs. Chief information security officers must begin with policy changes, then move to technology'and educate employees throughout the entire process.
One agency CISO, who requested anonymity, said the agency asked program officers and data owners to decide what data needed to be protected, based on OMB's definition of personal information.
'Our requirement was to document the data flows,' the CISO said. 'We also asked how they protect the data flows, through encryption or by printing only hard copies.'
The CISO said the agency is evaluating a number of vendor products and likely will end up spending about $1 million to implement multiple software packages.
'We have to make the call on what users can do with the data and have to take our culture into account,' said the CISO, who added the agency should begin meeting the requirement in the next 60 to 90 days.
Carl Beaudry, SRA's senior information assurance engineer, said agencies should consider different data models, such as the least privileged, in which only those who need access to data can have it.
Another model is to keep the data 'under glass,' which means using a thin client or remote desktop approach to access data kept on a server. Beaudry said users can manipulate and save the data, but can't extract it.