Continuous risk mandates continuous protections
- By Jai Dargan
- Oct 21, 2016
After more than 16 years, the Office of Management and Budget released the long-awaited revision of its Circular A-130, “Managing Information as a Strategic Resource,” the governing document for the management of all federal IT systems. This circular has been updated to better reflect the challenges associated with IT systems management as well as an evolving information security threat landscape.
Ordinarily, an update to a regulatory document like A-130 would not garner much attention around the Beltway, especially during an election season. But after the Office of Personnel Management data breach in June of 2015, the revised A-130 could not have come at a better time, especially for agency officials tasked with modernizing legacy IT systems and safeguarding information assets against persistent cyber threats.
The new document reflects contemporary challenges associated with federal IT systems management against a backdrop of ever-growing concern around cyberattacks, data breaches and sensitive data exposure -- the grim reality the OPM breach made plain. In particular, A-130 solidifies the link between information security and privacy, and it assigns executive agencies binding responsibilities to continually monitor, safeguard and dispose of personally identifiable information (PII).
Continuous privacy and vulnerability monitoring are now core responsibilities of every agency, especially as more employees and contractors access agency-owned information through a variety of mobile and enterprise content management (ECM) systems. By adhering to the guidelines below, agencies will have the fundamentals in place to secure their systems in accordance with the requirements and best practices laid out by OMB.
“Agencies’ privacy programs shall maintain an inventory of PII, regularly review all PII maintained by the agency, and comply with applicable requirements regarding the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of PII.” -- OMB, A-130 Circular, Appendix II: Considerations for Managing PII
A-130 strikes new ground with updated language surrounding the protection of PII within agency IT systems. Agency heads bear “ultimate responsibility” for ensuring compliance with the requirements of the circular, including the foundational responsibility of inventorying all PII within agency systems. Understanding what data an organization holds is a precondition for any information security strategy to succeed. Agencies cannot expect to mitigate data breach threats without being able to catalog all of the sensitive data they hold -- across databases, network drives and ECM systems. Accordingly, agencies should adopt tooling that can discover and classify content containing PII across those systems, including legacy applications and archives that are no longer actively used but still hold data subject to the circular's disposal requirements.
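The discovery-and-classification step described above is easy to state and easy to get wrong: a naive regex pass over a file share reports every nine-digit number as a Social Security number and every sixteen-digit string as a card number. The Python below is an added example (not code from the article or from Metalogix) of a minimal PII inventory pass that validates its hits before counting them, assigns each document a sensitivity label, and flags legacy stores for disposition review. The sample corpus, the path layout, the `LEGACY_PREFIXES` rule and the label thresholds are all constructed for the illustration.

```python
import re
from collections import Counter

# Constructed sample corpus: path -> text, standing in for a network-drive or ECM export.
SAMPLE_DOCS = {
    "/shares/hr/onboarding_2014.txt": (
        "Employee: J. Doe, SSN 219-09-9999, phone (202) 555-0143, jdoe@example.gov"
    ),
    "/shares/it/runbook.md": "Ticket 000-12-3456 is not an SSN; contact ops@example.gov",
    "/ecm/legacy/expense_report.csv": (
        "card,4111111111111111,amount,42.00\ncard,4111111111111112,amount,10.00"
    ),
    "/shares/public/press_release.txt": "Agency announces new policy effective Oct 21, 2016.",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b")
CARD_RE = re.compile(r"\b\d{13,19}\b")

# Assumption for the example: paths under these prefixes are legacy stores due for disposition review.
LEGACY_PREFIXES = ("/ecm/legacy/",)


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters random digit runs out of the card-number hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9 back to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> Counter:
    """Count validated PII hits by type in one document."""
    counts = Counter()
    counts["ssn"] = sum(1 for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups()))
    counts["email"] = len(EMAIL_RE.findall(text))
    counts["phone"] = len(PHONE_RE.findall(text))
    counts["card"] = sum(1 for m in CARD_RE.finditer(text) if luhn_ok(m.group(0)))
    return counts


def sensitivity_label(counts: Counter) -> str:
    """Example thresholds: identifiers that enable fraud are 'high', contact data is 'moderate'."""
    if counts["ssn"] or counts["card"]:
        return "high"
    if counts["email"] or counts["phone"]:
        return "moderate"
    return "none"


def scan_corpus(docs: dict) -> dict:
    """Build the PII inventory: per-path counts, label, and a disposition flag for legacy stores."""
    inventory = {}
    for path, text in docs.items():
        counts = classify_text(text)
        label = sensitivity_label(counts)
        inventory[path] = {
            "counts": dict(counts),
            "label": label,
            "review_for_disposal": label != "none" and path.startswith(LEGACY_PREFIXES),
        }
    return inventory


if __name__ == "__main__":
    for path, entry in scan_corpus(SAMPLE_DOCS).items():
        note = "  <- legacy store, review for disposal" if entry["review_for_disposal"] else ""
        print(f"{entry['label']:8} {path}  {entry['counts']}{note}")
```

Run against the sample corpus, the runbook's ticket number is rejected as an SSN (area 000), the second card number fails the Luhn check, and the legacy expense report is the only document flagged for disposal review. A production scan would read files from disk or an ECM API instead of a dict and would add agency-specific identifiers, but the validate-before-count structure is the part that keeps the inventory trustworthy.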
“Agencies shall… implement access control policies for information resources that ensure individuals have appropriate authorization and need, and that the appropriate level of identity proofing or background investigation is conducted prior to granting access.” -- OMB, A-130 Circular, Appendix I: Responsibilities for Protecting and Managing Federal Information Resources
End users are the weakest link in any security chain, and a large share of incidents implicating data privacy stem from inadvertent user error. A-130 requires every federal agency to designate a senior agency official for privacy (SAOP), who is responsible and accountable for defining information governance strategies consistent with these new privacy and security mandates. Successful A-130 compliance means that agencies must develop and adhere to strict information governance programs with defined guidelines for the full lifecycle of PII content -- from the moment of data creation to its dissemination and disposition. Employees and contractors, in particular, need comprehensive and continuous training and must comply with governance rules that regulate how, when, why and where PII may be created, stored and shared.
“Agencies shall… implement policies of least privilege at multiple layers -- network, system, application, and data so that users have role-based access to only the information and resources that are necessary for a legitimate purpose.” -- OMB, A-130 Circular, Appendix I: Responsibilities for Protecting and Managing Federal Information Resources
A well-defined information governance strategy is always built around the concept of ‘least privilege,’ which holds that end users should be granted only the minimal access to IT systems and applications necessary to carry out their job responsibilities. Leading studies, including the 2016 Verizon Data Breach Investigations Report and Ponemon Institute surveys, find that a majority of data breaches involve compromised user credentials. In such cases a threat actor need only determine which users hold the most privilege within a system (an agency head or an IT administrator, say) in order to reach the most sensitive data. Enforcing least privilege limits what any one stolen user name and password can reach, and so is a direct mitigation for sensitive data theft via credential compromise.
While this concept is well understood within IT security teams, end users routinely accumulate access to sensitive business documents and files that do not pertain to their job functions. This is especially true within ECM systems designed for document storage and collaboration, where permissions are granted ad hoc and rarely revoked. As SAOPs and agency heads develop their overall information governance strategies, they should also deploy tooling that can automate the management and auditing of user privileges across systems and applications. Tooling that reacts to changes in user permissions, or detects and alerts on suspicious activities (such as excessive document downloads), goes a step further by automating security functions and enabling a more refined security process.
Auditing and monitoring
“Agencies shall... continuously monitor, log, and audit the execution of information system functions by privileged users… to detect misuse and to help reduce the risk from insider threats.” -- OMB, A-130 Circular, Appendix I: Responsibilities for Protecting and Managing Federal Information Resources
Auditing gives administrators the ability to review logs of user and system activity in order to respond to past, current and future security threats. Since compromised credentials are the most frequent avenue for a breach, auditing lets administrators examine what their users are actually doing within the network -- from configuration changes to downloading or sharing sensitive documents. Such granularity gives agency security professionals the information they need to determine the context and scope of an incident, as well as a mechanism to formally report on any access issues or anomalies detected. It also enables a continuous approach to monitoring instead of a “snapshot in time” philosophy, and it can help agencies demonstrate compliance with a host of regulatory frameworks beyond A-130.
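The two passages above (automated auditing of user privileges with alerting on excessive downloads, and continuous monitoring of privileged users' actions) come down to a handful of detections run over the audit trail. The Python below is an added example, not code from the article or from Metalogix, that runs three such checks over a constructed JSON-lines audit log: actions that fall outside the actor's role entitlement (a least-privilege finding regardless of what the ECM's ACLs happened to allow), a sliding-window count of downloads per user, and a report of every privileged action with sensitive targets flagged. The role policy, the `/ecm/settings/audit` sensitivity rule, the threshold of five downloads in ten minutes, and the log lines themselves are all assumptions made for the illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical role policy: the actions each role is entitled to. Anything else is a
# least-privilege finding even if the system's ACLs currently permit it.
ROLE_POLICY = {
    "analyst": {"view", "download"},
    "hr_specialist": {"view", "download", "edit"},
    "sysadmin": {"view", "config_change", "grant_permission"},
}
PRIVILEGED_ACTIONS = {"config_change", "grant_permission"}
# Assumption: changes to objects under these prefixes (audit settings) get immediate review.
SENSITIVE_OBJECT_PREFIXES = ("/ecm/settings/audit",)
DOWNLOAD_THRESHOLD = 5
DOWNLOAD_WINDOW = timedelta(minutes=10)

# Constructed audit log in JSON-lines form, standing in for an ECM or SIEM export.
SAMPLE_LOG = """\
{"ts":"2016-10-20T09:00:00","user":"alice","role":"analyst","action":"view","object":"/hr/case-101.pdf"}
{"ts":"2016-10-20T09:01:00","user":"bob","role":"analyst","action":"download","object":"/hr/case-102.pdf"}
{"ts":"2016-10-20T09:02:00","user":"bob","role":"analyst","action":"download","object":"/hr/case-103.pdf"}
{"ts":"2016-10-20T09:02:30","user":"bob","role":"analyst","action":"download","object":"/hr/case-104.pdf"}
{"ts":"2016-10-20T09:03:00","user":"bob","role":"analyst","action":"download","object":"/hr/case-105.pdf"}
{"ts":"2016-10-20T09:04:00","user":"bob","role":"analyst","action":"download","object":"/hr/case-106.pdf"}
{"ts":"2016-10-20T09:05:00","user":"bob","role":"analyst","action":"download","object":"/hr/case-107.pdf"}
{"ts":"2016-10-20T09:07:00","user":"carol","role":"analyst","action":"grant_permission","object":"/hr/","detail":"carol:edit"}
{"ts":"2016-10-20T09:08:00","user":"dave","role":"sysadmin","action":"config_change","object":"/ecm/settings/audit_retention","detail":"90d->7d"}
{"ts":"2016-10-20T09:09:00","user":"alice","role":"analyst","action":"download","object":"/hr/case-108.pdf"}
"""


def parse_events(log_text: str) -> list:
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def policy_violations(events: list) -> list:
    """Actions outside the actor's role entitlement, i.e. privilege the user should not have had."""
    return [
        {"user": e["user"], "role": e["role"], "action": e["action"], "object": e["object"]}
        for e in events
        if e["action"] not in ROLE_POLICY.get(e["role"], set())
    ]


def excessive_downloads(events, threshold=DOWNLOAD_THRESHOLD, window=DOWNLOAD_WINDOW):
    """Sliding-window count of downloads per user; one finding per user on first crossing."""
    recent = defaultdict(deque)
    findings = {}
    for e in events:
        if e["action"] != "download":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:  # drop timestamps that have aged out of the window
            q.popleft()
        if len(q) >= threshold and e["user"] not in findings:
            findings[e["user"]] = {"user": e["user"], "count": len(q), "at": e["ts"].isoformat()}
    return list(findings.values())


def privileged_activity(events: list) -> list:
    """Every privileged action, with sensitive targets (e.g. audit settings) flagged for review."""
    return [
        {
            "user": e["user"], "action": e["action"], "object": e["object"],
            "detail": e.get("detail", ""),
            "sensitive": e["object"].startswith(SENSITIVE_OBJECT_PREFIXES),
        }
        for e in events
        if e["action"] in PRIVILEGED_ACTIONS
    ]


def audit_report(log_text: str) -> dict:
    events = parse_events(log_text)
    return {
        "policy_violations": policy_violations(events),
        "excessive_downloads": excessive_downloads(events),
        "privileged_activity": privileged_activity(events),
    }


if __name__ == "__main__":
    print(json.dumps(audit_report(SAMPLE_LOG), indent=2))
```

On the sample log the report surfaces three distinct problems: carol, an analyst, granted herself edit rights (a permission change her role should never have been able to make); bob crossed the download threshold at 09:04 and is reported once rather than on every subsequent download; and dave's cut of the audit retention period is legitimate for his role but lands on a sensitive object, which is exactly the kind of privileged-user action A-130 wants logged and reviewed rather than silently permitted. The first check is the one that catches permission drift the ECM itself will never complain about, because it compares actions to the intended role policy instead of to whatever ACLs have accumulated.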
Jai Dargan is director of the Security and Compliance Group at Metalogix Software.