Blog – MFT Nation

When More Cybersecurity Regulation Works

The Consumer Financial Protection Bureau (CFPB) has fired a shot across the bow of the cybersecurity world and the ever-expanding online payment industry, taking a cybersecurity enforcement action that marked the agency’s first foray into regulating data security.

Dwolla Inc., a Des Moines-based digital payment startup, agreed to pay a $100,000 penalty and improve its data security practices as part of a consent order that the CFPB issued last month.  Without alleging that the company was breached, the CFPB accused Dwolla of overstating the measures it took to protect consumers’ personal information between December 2010 and 2014.

According to the consent order, Dwolla claimed on its website that it met or surpassed industry cybersecurity standards, even though its transactions, servers and data centers did not comply with those standards.  The company also failed to live up to claims that it encrypted all sensitive personal information, according to the CFPB.

The consent order, which requires the company to fix its security practices and conduct biannual risk assessments, represented the five-year-old agency’s first step into territory traditionally policed by the Federal Trade Commission (FTC).  In August, a federal court affirmed the FTC’s authority to regulate data security in FTC v. Wyndham Worldwide, — F.3d —, No. 14-3514 (3d Cir. 2015).  Some industry observers say the CFPB appears to be stretching its authority over “unfair, deceptive or abusive acts or practices” as the basis for regulating data security.  The Dodd-Frank Act gave the CFPB jurisdiction over privacy, but left data security with the FTC.

“Consumers entrust digital payment companies with significant amounts of sensitive personal information,” CFPB Director Richard Cordray said in a prepared statement.  With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing.  It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.

Cybersecurity Tip: Securing Data At-Rest Is Easier Than You Think

Data In-Transit

By now, everyone involved in the world of cybersecurity understands the importance of sending and receiving data in a secure manner.  Cybersecurity professionals will tell you that whenever you release files and they travel across systems over which you have no control, you must take certain steps to ensure the data is secure.  For example, the file can be encrypted and digitally signed using advanced algorithms before being sent.  Additionally, you can transmit the files across a secure channel using communication protocols such as AS2, SFTP, FTPS, etc.  This ensures that in the very rare situation that files would be intercepted, they are unreadable and therefore useless to the intercepting party.  This process is often referred to as securing data “in-transit.”

Data At-Rest

Data “at-rest,” as the term implies, is data which is stored on a drive not currently in use or being transmitted.  Due to its very nature, this is generally a relatively secure state.  The storage device is buried in a machine housed internally behind multiple layers of security, network devices, etc.  However, the data itself is still in a legible and accessible state from the other machines also behind these layers of cybersecurity.  Additionally, these machines are still connected to the internet in some method and thereby potentially accessible by cyber thieves.

Today, the majority of data breaches are initiated by internal machines once thought to be highly secured.  For example, a user unknowingly obtains a piece of malware from a website, opens an infected email attachment, or even knowingly accesses the data with malicious intent.  These types of events happen many times a day, across organizations of all sizes, and located all around the world.  Securing your data while at rest can make it useless to such a would-be threat.

Securing data at-rest (at least from a high level) seems like it can be done easily enough.  You can encrypt the data using strong algorithms such as AES or RSA using various methods.  The data can be encrypted through software or applications, and even via hardware itself.  However, what happens when you need to access the data?  How do you integrate these encryption methods with your third party applications and communication tools?  This is where the idea of securing your data which has been or will be transmitted externally can become a daunting task… or does it?
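The two ideas above, encrypting and signing a file before it leaves your control and keeping it encrypted while it sits on disk, come down to the same small set of operations.  The following is an added example written for this post; it is not bTrade code and does not describe how TDXchange works internally.  It uses only Go’s standard library: AES-256-GCM for encryption (which also produces an integrity tag) and Ed25519 for a detached signature, so a receiver or a storage layer can reject a file that was altered or did not come from the expected sender before it ever decrypts anything.  The `SealedFile` container layout, the function names and the sample payload are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// samplePayload is a constructed stand-in for a file that will be stored or sent.
var samplePayload = []byte("ACCT=12345678;NAME=Jane Doe;AMOUNT=100.00")

// SealedFile is a hypothetical container: the ciphertext, the nonce used for it,
// and a detached Ed25519 signature over nonce||ciphertext. The signature lets the
// receiver (or the at-rest store) reject files that were not produced by the
// holder of the signing key, before any decryption is attempted.
type SealedFile struct {
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte
}

// signedBytes is the exact byte string the signature covers.
func signedBytes(f *SealedFile) []byte {
	return append(append([]byte{}, f.Nonce...), f.Ciphertext...)
}

// NewDataKey returns a fresh random 256-bit key for AES-256-GCM.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Seal encrypts plaintext with AES-256-GCM (confidentiality plus an integrity tag)
// and signs the result so that origin can be verified independently of the key.
func Seal(key []byte, signer ed25519.PrivateKey, plaintext []byte) (*SealedFile, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce; never reuse one under the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	f := &SealedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	f.Signature = ed25519.Sign(signer, signedBytes(f))
	return f, nil
}

// Open checks the signature first, then decrypts; a bad GCM tag is also an error.
func Open(key []byte, verifier ed25519.PublicKey, f *SealedFile) ([]byte, error) {
	if !ed25519.Verify(verifier, signedBytes(f), f.Signature) {
		return nil, errors.New("signature verification failed: wrong signer or modified file")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: ciphertext or tag modified")
	}
	return pt, nil
}

// RoundTrip seals the sample payload, confirms it opens correctly, then flips one
// ciphertext byte and confirms the modified file is rejected.
// It returns (recoveredIntact, tamperRejected, err).
func RoundTrip() (bool, bool, error) {
	key, err := NewDataKey()
	if err != nil {
		return false, false, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	sealed, err := Seal(key, priv, samplePayload)
	if err != nil {
		return false, false, err
	}
	pt, err := Open(key, pub, sealed)
	if err != nil {
		return false, false, err
	}
	intact := bytes.Equal(pt, samplePayload)

	// Simulate modification of the stored or in-flight file (copy the slice first
	// so the original SealedFile is left untouched).
	tampered := *sealed
	tampered.Ciphertext = append([]byte{}, sealed.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, err = Open(key, pub, &tampered)
	return intact, err != nil, nil
}

func main() {
	intact, rejected, err := RoundTrip()
	fmt.Printf("recovered intact: %v, tampered copy rejected: %v, err: %v\n", intact, rejected, err)
}
```

The design point is the order of checks in `Open`: the signature is verified over the nonce and ciphertext before the decryption key is touched, so an unauthenticated or altered file never reaches the decryption step.  In practice the per-file data key would itself be protected (wrapped by a key-management system or hardware module) rather than held alongside the file, which is the integration question the paragraph above raises.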

Luckily, a solution does exist.  You could deploy a managed file transfer solution which has a secure and encrypted datastore, such as bTrade’s TDXchange software.  In fact, for many years bTrade’s cybersecurity experts have offered the ability to secure the data at-rest with the simple click of a box in the user interface.  We can automatically encrypt all files sent and received over all aspects and areas of processing with virtually no impact to the user.

bTrade Can Help

It’s no longer enough to only secure your data while only in use or transit.  To learn how bTrade can help you secure ALL aspects of your critical data, please contact us at info@btrade.com.

Also, you can stay current on developments in the world of cybersecurity by following bTrade on Twitter, Facebook, LinkedIn and Google+.

Feel-Good Story of the Year: The IRS Gets Audited (and Fails!)

More Government Dysfunction When it Comes to Cybersecurity

In connection with the US federal government’s National Critical Infrastructure Security and Resilience Month (CISR Month), MFT Nation offered a “case study in what-not-to-do” concerning the cybersecurity misadventures of a key department of the White House.  While writing this case study, we discovered that an additional US government agency—the Internal Revenue Service (IRS)—had some pretty bad cybersecurity practices as well.  We want to share what we learned from a report recently released by the IRS auditor showing how lax the IRS is when it comes to protecting taxpayers’ personally identifiable information (PII).

Unencrypted Email Use Puts Taxpayer Information at Risk

The auditor’s report, entitled “Employees Sometimes Did Not Adhere to E-mail Policies Which Increased the Risk of Improper Disclosure of Taxpayer Information,” is based on a random sample of e-mails sent by 80 IRS employees in one division during a four week period in 2015.  The IRS auditor found the following significant cybersecurity violations:

  • Even though IRS policy requires employees to encrypt emails containing PII, about half of the 80 employees sent a total of 326 unencrypted e-mails that contained information about 8,031 different taxpayers internally to other IRS employees or externally to non-IRS email accounts.
  • 14 of the offending e-mails were sent with taxpayer PII in the e-mail subject line (probably a taxpayer name and social security number), which cannot be encrypted and is expressly prohibited by IRS cybersecurity policies.
  • Six employees sent 20 e-mails that “involved official IRS business” to personal e-mail accounts.
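Each of the three findings above is a condition a mail gateway can test for before a message leaves, which is the kind of “systemic solution” the auditor asked for.  The following is an added example, not taken from the auditor’s report and not a description of any IRS tooling: a small policy check in Go run over constructed messages.  The `Message` structure, the `Encrypted` flag (standing in for whatever end-to-end protection the gateway can detect), the dashed-SSN pattern and the `agency.example` domain are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Message is a hypothetical, already-parsed view of an outbound e-mail as a mail
// gateway would see it. Encrypted means the body was protected end to end
// (for example S/MIME); the subject line is never covered by that protection.
type Message struct {
	From      string
	To        []string
	Subject   string
	Body      string
	Encrypted bool
}

// ssnPattern matches the dashed US Social Security Number form. A production
// DLP rule set would use broader matchers (undashed forms, other PII types);
// this one is deliberately narrow to keep the example readable.
var ssnPattern = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)

func containsPII(text string) bool { return ssnPattern.MatchString(text) }

func isInternal(addr, domain string) bool {
	return strings.HasSuffix(strings.ToLower(addr), "@"+strings.ToLower(domain))
}

// CheckMessage returns the policy findings for one message, mirroring the three
// audit findings: PII in the (unencryptable) subject line, PII in an unencrypted
// body, and PII addressed to a recipient outside the organisation's domain.
func CheckMessage(m Message, internalDomain string) []string {
	var findings []string
	subjectPII := containsPII(m.Subject)
	bodyPII := containsPII(m.Body)
	if subjectPII {
		findings = append(findings, "pii-in-subject")
	}
	if bodyPII && !m.Encrypted {
		findings = append(findings, "unencrypted-pii-body")
	}
	if subjectPII || bodyPII {
		for _, rcpt := range m.To {
			if !isInternal(rcpt, internalDomain) {
				findings = append(findings, "pii-to-external-recipient")
				break
			}
		}
	}
	return findings
}

// SampleMessages are constructed test inputs; the SSN value is made up.
func SampleMessages() []Message {
	return []Message{
		{From: "agent@agency.example", To: []string{"lead@agency.example"},
			Subject: "Case update for SSN 123-45-6789", Body: "Details attached.", Encrypted: true},
		{From: "agent@agency.example", To: []string{"lead@agency.example"},
			Subject: "Case update", Body: "Taxpayer SSN 123-45-6789, see notes.", Encrypted: false},
		{From: "agent@agency.example", To: []string{"me@webmail.example"},
			Subject: "Work files", Body: "Taxpayer SSN 123-45-6789 for tomorrow.", Encrypted: false},
		{From: "agent@agency.example", To: []string{"lead@agency.example"},
			Subject: "Lunch", Body: "Noon?", Encrypted: false},
	}
}

func main() {
	for i, m := range SampleMessages() {
		fmt.Printf("message %d: %v\n", i+1, CheckMessage(m, "agency.example"))
	}
}
```

Note that the first sample message is flagged even though its body is encrypted: the subject line travels in the clear regardless, which is exactly why the policy forbids PII there.  The external-recipient rule fires only when PII is present, because the check cannot tell from content alone whether a message “involved official business.”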


IRS Management Promises to Take Corrective Steps. But Will Management Stand By Its Promises?

IRS management promised to take corrective steps recommended by the auditor to establish a “systemic solution.”  But soon after making such promises, IRS management also issued statements which attempted to downplay the significance of the cybersecurity violations.  For example, one IRS manager claimed that most of the offending emails posed “minimal risk” because they were sent internally and therefore protected by the agency’s firewall.  This type of response demonstrates an utter lack of understanding of cybersecurity best practices.

Most, if not all cybersecurity professionals/experts would tell the IRS that the best data security strategy involves several different security methods deployed in a layered manner.  A layered approach reduces the likelihood that an attack will succeed by forcing the attacker to penetrate multiple security measures deployed at different layers of the network.  In fact, government regulators have sanctioned private sector companies for failing to deploy and/or properly use a layered approach, reasoning that such tools could have eliminated or reduced the risk of a data compromise.

In addition, the attitude of the IRS manager is downright disturbing.  When data is transmitted unencrypted, the risk is never “minimal.”  Remember, all the unencrypted emails were sent behind the firewall.  Also remember that six IRS employees sent 20 e-mails that “involved official IRS business” to personal e-mail accounts.  Remember as well that widespread violations were discovered based on a spot check of a very small sample size—only 80 employees in one division during a four week period in 2015.  One can only imagine how many similar incidents the auditor would have discovered had he reviewed emails sent/received over the last couple years by all 80,000 IRS employees.

As for the unencrypted emails sent behind the firewall, government regulators have sanctioned private sector companies under similar circumstances reasoning that the “potential” for harm still exists.  For example, take a look at all the documents filed in an administrative proceeding brought by the US Federal Trade Commission (FTC) against a company named LabMD.  According to this document filed by LabMD, the FTC spent “millions of taxpayer dollars to destroy a small, innovative cancer detection laboratory” even though no evidence existed that any consumer was harmed by the alleged cybersecurity violations.  One blog described the LabMD saga as “the story of how one simple breach of a single rule by a single employee sank a $4 million per year company.”

The same should apply for government agencies like the IRS and its employees; there must be consequences for bad cybersecurity practices.  While the IRS has penalties—ranging from a warning to removal—for employees that put taxpayer information in unencrypted e-mails, there “was no evidence provided” to the auditor that any penalties were enforced.  In other words, no employee will be disciplined for violating crucial cybersecurity policies.  Nor was any IRS manager disciplined; although IRS management did promise to send a meaningless e-mail to all managers stressing the “importance of managerial awareness.”  Yeah, like that’s really going to trigger any real change in behavior.  To effect real change in the IRS cybersecurity culture, there must be consequences for such blatant disregard for vital cybersecurity policies.

The Awkward Truth About US Federal Government Cybersecurity Practices

“Unprotected e-mails put taxpayers at risk of identity theft, or inappropriate disclosure of information about their identity and tax returns,” according to the auditor’s report.  This incident reveals an awkward truth for an agency that is required to protect taxpayer information.  Yet to our surprise and dismay, very few people or media sources are reporting about this very serious problem.  Why is that?  I think we all know the answer.

Stay tuned for further developments regarding the IRS cybersecurity audit (we understand other cybersecurity audit reports exist).  In between MFT Nation posts, you can stay current on developments in the world of cybersecurity by following bTrade on Twitter, Facebook, LinkedIn and Google+.

The Fix is in—Wait, No It’s Not

The US federal government has designated November as National Critical Infrastructure Security and Resilience Month (CISR Month).  Effective cybersecurity measures are one crucial component of our country’s critical infrastructure. So as part of CISR Month, bTrade would like to offer what MFT Nation likes to call a “case study in what-not-to-do” in the world of cybersecurity.

Here’s the Situation 

You are the IT person responsible for maintaining a vast collection of highly sensitive data for your organization.  More than a year ago, your system was hacked and the cyber thieves absconded with a major part of your organization’s sensitive data.  The incident was widely reported by all forms of media, even the fact that the organization’s auditors had been issuing reports which rated your cybersecurity measures as “deficient,” or words to that effect.

So what do you do?  You listen to your auditors and become more vigilant about your cybersecurity efforts, right?  Most would think that, especially if you’re in the private sector.  But this particular situation doesn’t involve a private sector business.  It concerns a prominent government agency within the White House called the Office of Personnel Management (OPM), and the most sad/maddening part of this case study is that the latest audit report finds that OPM’s cybersecurity measures are actually regressing.

I kid you not, and here are the pertinent details of this sad/maddening case study in what-not-to-do.

History of Cybersecurity Warnings from OPM’s Auditors

In a previous post, bTrade’s MFT Nation described the importance of OPM’s activities within our country’s critical infrastructure.  We also explained that OPM’s inspector general had issued a series of warnings beginning in 2007 about glaring problems with OPM’s cybersecurity measures.  In fact, the IG issued a “flash audit alert” stating that OPM’s “severely outdated” security procedures put its data at risk.

OPM Breach – Most Damaging Cybersecurity Intelligence Breach in US History

The risk was realized last year when hackers gained access to OPM servers for an extended period of time and made off with highly sensitive data collected during security clearance investigations on some 22 million federal employees.  A major print publication reported that U.S. officials considered the breach to be “among the most potentially damaging cyber heists in U.S. government history.”

OPM’s Deplorable Conduct hasn’t Changed since the Breach

The OPM auditor recently released a new report which finds that OPM’s cybersecurity defenses have gotten worse since the devastating breach. The report points to a “significant regression” in the agency’s compliance with a 2014 cybersecurity law, and notes that the agency “failed to meet requirements that [it] had successfully met in prior years.”

The report also found the agency still suffers a “significant deficiency” in its information security management, doesn’t have a full inventory of its servers, only two of its applications met government user verification, and it doesn’t track fixes of routine security weaknesses.  In fact, of the 26 recommendations issued by the auditor, 17 of them had been issued before, with some dating back to 2008.

The auditor offered these striking facts to support its deficiency findings:

  • “OPM has a history of troubled system development projects. Despite multiple attempts and hundreds of millions of dollars invested, OPM has encountered well publicized failures to modernize its retirement claims processing, financial, and background investigation systems. In FY 2016, the agency’s enormous IT infrastructure overhaul initiative was significantly behind schedule.”
  • “We believe that OPM’s IT security management structure – as currently defined on paper – can be effective with some minor improvements (see the next section of this report). However, this structure was not operational for the majority of FY 2016, and therefore we believe that this issue again rises to the level of a significant deficiency.”
  • “At the end of fiscal year (FY) 2016, the agency still had at least 18 major systems without a valid Authorization”—i.e., an assessment/evaluation of whether a system’s security controls are meeting the security requirements of that system.
  • “OPM has not established an agency-wide risk management strategy. In addition, the 12 primary elements of the Risk Executive Function as described in NIST SP 800-39 are not all fully implemented.”
  • “OPM does not have configuration baselines for all operating platforms. This deficiency impacts the agency’s ability to effectively audit and monitor systems for compliance.”
  • “The majority of OPM systems contain Plan of Action and Milestones that are over 120 days overdue,” and “contingency plans for most of OPM’s systems have not been reviewed or tested in FY 2016.”
  • “Many individuals with significant information security responsibility have not taken specialized security training in accordance with OPM policy.”

Basically, all aspects of OPM’s IT infrastructure have problems.  The equipment is outdated despite “well publicized failures to modernize.”  The infrastructure is not well managed as there is “a history of troubled system development projects,” including the “IT infrastructure overhaul initiative” which is “significantly behind schedule.”  OPM’s policies and procedures are either lacking or not followed (the “12 primary elements” of OPM’s “agency-wide risk management strategy” are “not all fully implemented”).  The human resources are not properly trained, including those individuals with “significant information security responsibility” that have not taken “specialized security training” required by “OPM policy.”  Not a pretty picture.

But the most galling aspect of OPM’s IT infrastructure is that all these deficiencies are still present after a historically bad data breach and “[de]spite multiple attempts and hundreds of millions of [taxpayer] dollars invested.”  Pitiful.  Just pitiful.

If a private sector business had such a poor cybersecurity track record, all hell would break loose.  Congress would call for hearings, the media would be outraged, lawyers would sue, and government agencies would levy heavy fines.  But we see no similar steps taken with respect to OPM.  Why?  Where is the outrage?  Have we come to accept government waste as a fact of life?  Are we willing to look the other way when we get shoddy work despite spending “hundreds of millions of [taxpayer] dollars”?

We certainly hope not.  It’s time to treat all critical infrastructure the same, whether it be in the public or private sector.  So join us in saying to OPM:  You need to get your house in order, and time is of the essence because you are responsible for highly sensitive data affecting tens of millions of Americans.

Stay tuned to MFT Nation for developments in the OPM case study, and to stay current on developments in the world of cybersecurity by following bTrade on Twitter, Facebook, LinkedIn and Google+.

Authentication, Authentication, Authentication

Good Time to Take Stock of Your Authentication Methods

I’m sure almost everyone has heard that when buying real estate the three most important factors to consider are “location, location, location.”  When it comes to data security, one could say the three most important factors to consider are “authentication, authentication, authentication.”

In its November 2016 cyber newsletter, the Office for Civil Rights (OCR) disclosed that some of the many data breaches that have occurred in the healthcare sector were due to “weak authentication.”  As the healthcare sector continues to be a top target for cyber-attacks, OCR advises that all healthcare organizations should perform a risk analysis to determine whether proper methods of authentication have been implemented.

Deploy “Reasonable and Appropriate” Authentication Methods

Remember, HIPAA requires that covered entities must select healthcare authentication measures that are “reasonable and appropriate” for their normal operations and security requirements.  The OCR newsletter lists certain types of authentication methods, like single-factor and multi-factor.  According to OCR, healthcare organizations tend to use single-factor methods such as “login passwords or passphrases to access information.”

bTrade Can Help Address Authentication Needs

If you are a healthcare organization and want to determine whether you have implemented proper authentication measures, contact us at info@btrade.com to schedule a free consultation with a bTrade authentication expert.  He or she will assist in finding an authentication method that is “reasonable and appropriate” considering your organization’s size, complexity, technical infrastructure, hardware, and software security capabilities.

In addition, you may want to consider bTrade’s TDMedXchange software solution because authentication is just one of many features that a healthcare organization could use to help prevent a data breach and ensure compliance with HIPAA requirements.  The authentication requirements in TDMedXchange are fully customizable and include features such as:

  1. Virtual Keyboard to thwart keystroke loggers
  2. Strict password settings
  3. One Time Passwords
  4. Customizable password length, lockout, history, age, include/exclude characters, etc.


To stay current on developments in the world of data security, follow bTrade on Twitter, Facebook, LinkedIn and Google+.

bTrade’s MFT Solutions Receive Near-Perfect Score On Another Data Security Evaluation by Banking/Financial Services Company

Managed File Transfer Vendor Earns “Excellent Supplier” Rating on ISO 9001 Supplier Evaluation for a Long-Time Customer

bTrade, the industry leading compression and managed file transfer (MFT) provider, announced today that it once again scored well in connection with an ISO 9001:2008 supplier evaluation, this time from its customer, Telered, S.A.

Telered is a Panamanian company that provides Panama’s electronic payments network. The shareholders of Telered are all the major Panamanian banks who demand infrastructure supported by state-of-the-art technology, including bTrade software solutions.  Telered maintains connections with many entities, both private (local and international) and public, through a communications infrastructure that transmits the information between the entities and the affiliated financial institutions in a secure and reliable manner.  Telered has been a bTrade customer for more than a decade.

Because the Panamanian payments network is certified under ISO 9001:2008, Telered conducted a supplier audit of bTrade earlier this year.  bTrade was rated on key metrics such as experience, performance against competition, product quality, price, and delivery and response to problems.

bTrade is pleased to report that it received from Telered a compliance rating of 98.2%.  According to Maria Barrera, a Process Analyst at Telered, the 98.2% score puts bTrade in the category of “Excellent Supplier.”

“It is extremely gratifying to receive this recognition from our customer, Telered, S.A.,” said Steve Zapata, President and CEO of bTrade.  “bTrade has always focused on continued quality, and this supplier rating reconfirms our mission to provide our customers with the highest quality products and services possible,” added Zapata.

For more information on bTrade’s solutions and services, please visit bTrade.com.

About bTrade

bTrade develops managed file transfer technology solutions for enterprises that share sensitive data across applications and organizations, and face complex security and compliance mandates.  Thousands of customers depend on bTrade solutions to gain control and oversight of the movement of critical corporate data to facilitate data growth, reduce security risk, and improve IT and business efficiency.  bTrade was founded in 1990 and is led by eBusiness visionaries who have delivered industry-leading business integration solutions to thousands of enterprise customers worldwide.  bTrade is privately held and profitable with its global headquarters located in Glendale, California USA.

Good Ideas From the Fed—No, really!

In an earlier post, MFT Nation critiqued the U.S. Federal Government’s (the “Feds”) recently revised data security policies entitled Circular No. A-130, Managing Information as a Strategic Resource (the “Circular”).  In that earlier post, we focused on the not-so-good aspects of the Circular.  We also promised to discuss the positive aspects in the future, which is the purpose of this post.

The Feds claim the Circular will “drive the transformation of the Federal Government and the way it builds, buys, and delivers technology by institutionalizing more agile approaches intended to facilitate the rapid adoption of changing technologies, in a way that enhances information security, privacy, and management of information resources across all Federal programs and services.”  (This sentence is what an English teacher would call a “run on” sentence).  To achieve such laudable goals, the Feds say they focused on the following three elements when drafting the Circular:

  • Real Time Knowledge of the Environment.  In today’s rapidly changing environment, threats and technology are evolving at previously unimagined speeds.  In such a setting, the Government cannot afford to authorize a system and not look at it again for years at a time.  In order to keep pace, we must move away from periodic, compliance-driven assessment exercises and, instead, continuously assess our systems and build-in security and privacy with every update and re-design.  Throughout the Circular, we make clear the shift away from check-list exercises and toward the ongoing monitoring, assessment, and evaluation of Federal information resources.
  • Proactive Risk Management.  To keep pace with the needs of citizens, we must constantly innovate.  As part of such efforts, however, the Federal Government must modernize the way it identifies, categorizes, and handles risk to ensure both privacy and security.  Significant increases in the volume of data processed and utilized by Federal resources require new ways of storing, transferring, and managing it.  Circular A-130 emphasizes the need for strong data governance that encourages agencies to proactively identify risks, determine practical and implementable solutions to address said risks, and implement and continually test the solutions.  This repeated testing of agency solutions will help to proactively identify additional risks, starting the process anew.
  • Shared Responsibility.  Citizens are connecting with each other in ways never before imagined.  From social media to email, the connectivity we have with one another can lead to tremendous advances.  The updated A-130 helps to ensure everyone remains responsible and accountable for assuring privacy and security of information – from managers to employees to citizens interacting with government services.

This is all good stuff.  Data security policies should focus on real-time knowledge of the environment, proactive risk management and shared responsibility.  In fact, bTrade focused on these and other concepts when developing its TDXchange software solution.  But again, it’s just amazing the Feds waited until 2016 to come to this realization and finally draft data security policies around these concepts.  But I digress.  Back to the topic—positive aspects of the Circular.

Appendix I establishes minimum requirements for information security programs and assigns responsibilities for the security of information and information systems.  Appendix I requires agencies to do such things as:

  • Perform ongoing reauthorization of systems (replacing the triennial reauthorization process) to better protect agency information systems;
  • Continuously monitor, log, and audit user activity to protect against insider threats;
  • Periodically test response procedures and document lessons learned to improve incident response;
  • Encrypt moderate and high impact information at rest and in transit;
  • Ensure terms in contracts are sufficient to protect Federal information;
  • Implement measures to protect against supply chain threats;
  • Provide identity assurance for secure government services; and,
  • Ensure agency personnel are accountable for following security and privacy policies and procedures.

Again, this is all good stuff.  For many years now, the Feds have required the private sector to incorporate such data security practices into their businesses.

Appendix II outlines some of the general responsibilities for managing personally identifiable information (PII).  Appendix II summarizes requirements in the following areas:

  • Establishing and maintaining a comprehensive, strategic, agency-wide privacy program;
  • Designating senior agency officials for privacy;
  • Managing and training an effective privacy workforce;
  • Conducting Privacy Impact Assessments (PIA);
  • Applying NIST’s Risk Management Framework to manage privacy risks in the information system development life cycle;
  • Using the fair information practice principles when evaluating information systems, processes, programs, and activities that affect privacy;
  • Maintaining an inventory of PII and reducing PII usage to the minimum necessary for the proper performance of authorized agency functions; and,
  • Limiting the creation, collection, use, processing, storage, maintenance, dissemination, and disclosure of PII to that which is legally authorized, relevant, and reasonably deemed necessary for the proper performance of agency functions.

Such data security policies can already be found throughout the private sector.  It is the type of ecosystem for data security and privacy which businesses have been recognizing and adopting for many years now. Governmental agencies are being told that they have to develop a culture of privacy and security protection within their organizations and are being given the framework to follow.

The Circular is definitely needed given recent cyberattacks affecting the Fed.  In addition, it is hard for the U.S. government to expect businesses in the private sector to do something the government does not do itself.

Let’s hope the Feds don’t go another 16 years until the next update.

Fed up with Data Security Hypocrisy

The year 2000 was also a memorable time for the IT world.  We survived the feared Y2K problem, but the dot-com bubble was about to burst.  Google was just a baby and desktop computers dominated the IT landscape.

But the year 2000 is significant in another respect—it was the last time the U.S. federal government (the “Feds”) reviewed and updated its data security policies.  We kid you not.  Until recently, the Feds were relying on 16 year-old data security policies.  As you might expect, the policies contained antiquated notions of data security, including one that listed “password protection” as the only “effective security technique.”

The good news is that the Feds recently reviewed the outdated policies and have released a revised version entitled Circular No. A-130, Managing Information as a Strategic Resource (the “Circular”).  The impetus for the Circular, according to the Feds, is the “rapidly evolving digital economy.”  If that is true, logic suggests the Feds would have reviewed/updated their data security policies much earlier than they did.  The truth is that the Feds were forced to take a more proactive approach to data security after a hack occurred last year at the Office of Personnel Management that was described as the “most devastating cyber attack in our nation’s history.”

Certain statements in the Circular demonstrate an understanding by the Feds of the gravity of the situation.  For example, the Feds state an awareness that IT is “at the core of nearly everything the Federal Government does.”  And to their credit, the Feds acknowledge they “cannot afford to authorize a system and not look at it again for years at a time.”  Time will tell whether the Feds practice what they preach.

The release of the Circular generated a great deal of attention, but it is really nothing extraordinary.  It’s the type of document the Feds have required of private sector organizations for quite some time.  For example, the Federal Trade Commission has a document containing a 10-step data security policy guide for businesses, and the Federal Communications Commission created a similar document for private sector businesses entitled Cyber Security Planning Guide.  The Circular incorporates the policies from these two documents (as well as a whole lot more, because it’s tough to stop the Feds once they start writing policies).

The Feds have consistently fined businesses for failing to “implement and maintain” data security policies.  Similarly, companies have avoided the wrath of the FTC by showing they had established and implemented “comprehensive” data security policies.  Talk about hypocrisy: judging private sector businesses by standards with which the Feds had never complied.  I guess it’s good to be the king, so to speak.

They claim the Circular will “drive the transformation of the Federal Government and the way it builds, buys, and delivers technology by institutionalizing more agile approaches intended to facilitate the rapid adoption of changing technologies, in a way that enhances information security, privacy, and management of information resources across all Federal programs and services.”  Let’s just say that we are skeptical.

Why?  To be effective, policies should be written clearly and concisely, targeted to the end user. Too many policy manuals are ignored or never read because they are too wordy, boring, or confusing.  The Circular is all of that.  It’s an 85-page monstrosity with a host of problems.

To start with, there are a total of 90 definitions that consume the better part of 12 pages of single-spaced text.  To make matters worse, the Circular is replete with general statements of policy, but lacking in understandable specifics.  The Circular also points readers to a plethora of other regulations, such as a requirement to “[i]mplement security policies issued by OMB, as well as requirements issued by the Department of Commerce, the Department of Homeland Security (DHS), the General Services Administration (GSA), and the Office of Personnel Management (OPM).”  If that weren’t enough, the Circular directs users “to apply the standards and guidelines contained in the NIST FIPS, NIST SPs (e.g., 800 series guidelines), and where appropriate and directed by OMB, NIST Interagency or Internal Reports (NISTIRs).”  Good luck with that one!

That said, the Circular has certain favorable aspects that are worth noting.  We will discuss this in an upcoming post.

If you have questions about the above content, contact our data security experts at info@btrade.com.

Also, to stay current on developments in the world of data security, follow bTrade on Twitter, Facebook, LinkedIn and Google+.
