10 Rules For Avoiding Identity Theft ‘Mistakes’

Posted by John Soat,
7/18/2007 – The federal government is trying to clean up its act when it comes to ID theft. That includes lecturing CIOs on the basics of information security.

The federal Chief Information Officers Council was established in 1996, and codified into law by Congress in the E-Government Act of 2002. The CIO Council is described on its Web site like this: “The CIO Council serves as the principal interagency forum for improving practices in the design, modernization, use, sharing, and performance of Federal Government agency information resources.” Membership on the Council is comprised of CIOs and deputy CIOs from 28 federal agencies, including the departments of Commerce, Defense, Justice, and State.

One interesting piece of news featured on the Web site is a PDF document with this title: “Top Ten Risks Impeding the Adequate Protection of Government Information.” Here’s how the document begins:

MEMORANDUM FOR CHIEF INFORMATION OFFICERS

FROM: Karen Evans
Administrator, Office of E-Government and Information Technology

SUBJECT: Top 10 Risks Impeding the Adequate Protection of Government Information

In order to maintain the trust of the American public, we must operate effectively by securing government information and safeguarding personally identifiable information in our possession. To make the federal government’s identity theft awareness, prevention, detection, and prosecution efforts more effective and efficient, the President’s Identity Theft Task Force recently issued “Combating Identity Theft: A Strategic Plan.”

The strategic plan instructed the Office of Management and Budget and the Department of Homeland Security to develop the attached paper identifying common risks (or “mistakes”) and best practices to help improve your agency’s security and privacy programs. Each risk is associated with selected best practices and important resources to help your agency mitigate and avoid these risks. All of the best practices and important resources are inter-related and complementary, and they can be broadly applied when administering your information security and privacy programs.

I love those quote marks around “mistakes” — they’re so … lawyerly. Here’s the list, minus the accompanying best practices and important resources. See how these “guidelines” match up with your own security initiatives.

1. Security and privacy training is inadequate and poorly aligned with the different roles and responsibilities of various personnel. [[Beware the insider.]]
2. Contracts and data sharing agreements between agencies and entities operating on behalf of the agency do not describe the procedures for appropriately processing and adequately safeguarding information. [[Beware the outsider.]]

3. Information inventories inaccurately describe the types and uses of government information, and the location where it is stored, processed, or transmitted, including personally identifiable information. [[Like the front seat of an intern’s car?]]

4. Information is not appropriately scheduled, archived, or destroyed. [[The federal government destroys information? Since when?]]

5. Suspicious activities and incidents are not identified and reported in a timely manner. [[Unless you count The New York Times.]]

6. Audit trails documenting how information is processed are not appropriately created or reviewed. [[What’s an audit trail?]]

7. Inadequate physical security controls where information is collected, created, processed or maintained. [[I’ve got the number for Blackwater around here somewhere.]]

8. Information security controls are not adequate. [[The plain, simple truth.]]

9. Inadequate protection of information accessed or processed remotely. [[Remember: Lock up that laptop.]]

10. Agencies acquire information technology and information security products without incorporating appropriate security and privacy standards and guidelines. [[So what’s wrong with point solutions?]]

These seem like conventional wisdom to me — if government agencies aren’t implementing these simple security measures by now, we’re all in trouble. What do you think? What should federal government agencies concentrate on to stop identity theft — and cybersecurity problems in general?

florida shredding