Lawmakers ask agencies for data security update

By Jason Miller
Published on February 25, 2008


Two high-ranking senators want to know when agencies will fully implement the Bush administration’s requirements to protect personally identifiable data.

Sens. Susan Collins (R-Maine), ranking member of the Homeland Security and Governmental Affairs Committee, and Norm Coleman (R-Minn.), ranking member of the Homeland Security and Governmental Affairs Committee’s Permanent Subcommittee on Investigations, sent letters to 24 Cabinet agencies Feb. 22 requesting a written timeline for when they will meet all four requirements laid out by the Office of Management and Budget in a June 2006 memo.

In the letter, the senators told the agency secretary which of the five requirements the department needs to implement. The lawmakers also asked for status updates or compliance timelines for five other OMB memos dating as far back as 2005 that deal with data security, including designating senior officials in charge of privacy.

“As the federal government obtains and processes information about individuals in increasingly diverse ways, it is critically important that it ensure the privacy rights of individuals are respected and that personal information is properly secured and protected,” the senators wrote.

The letter comes on the same day the Government Accountability Office found agency progress in meeting these June 2006 security requirements inconsistent.

Auditors said most agencies, 22 of them, have developed policies requiring personally identifiable information to be encrypted on mobile computers and devices, and 15 agencies have policies that require the hardware to time out after more than 30 minutes of inactivity.

But GAO also found that only 11 agencies have established policies to log computer-readable data extracts and erase data after 90 days, while 14 implemented two-factor authentication where one of the factors is provided by a device separate from the computer gaining access.

Auditors said many agencies are still researching the technology to use to log computer-readable data extracts and erase data.

GAO also found that only four agencies had policies requiring the use of the National Institute of Standards and Technology’s security checklist in Special Publication 800-53. In addition, 20 agencies had written policies that require encryption software to comply with NIST Federal Information Processing Standard 140-2.

“Gaps in their policies and procedures reduce agencies’ ability to protect personally identifiable information from improper disclosure,” auditors wrote. “We reiterate, however, as we have in the past, that although having specific policies and procedures in place is an important factor in helping agencies to secure their information systems and to protect personally identifiable information, proper implementation of these policies and procedures remains crucial.”

