Between July and Sept. 30, agencies reported 338 separate security incidents involving personally identifiable information to the Office of Management and Budget, Karen Evans, OMB’s administrator for e-government and information technology, said today.
Many of the incidents, however, are not attacks on government information from outsiders, Evans said in a speech at the IT Association of America’s annual Chief Information Security Officer Workshop in Falls Church, Va.
“Primarily, people are losing data,” she said.
The trend affects agencies’ internal processes, such as how information is handled and who can access it. OMB has required agencies to reassess their processes. It wants them to consider what employees and contractors have remote access to information and how the agencies secure it. OMB also wants agencies to continue to review risk associated with their offered services.
In her speech, Evans gave some preliminary statistics on information security. OMB’s analysis shows that the percentage of agencies’ systems that met accreditation and certification standards increased from 85 percent in fiscal 2005 to 88 percent in fiscal 2006. The percentage of agencies’ systems with contingency plans in 2005 was at 61 percent, and in 2006 it was boosted to 78 percent.
Last year, inspectors general gave 17 agencies’ accreditation and certification reports a satisfactory or better rating, and in 2006, 19 agencies received such ratings, Evans said.
OMB will release the final edition of its annual Federal Information Security Management Act report in March.
OMB issued a memo July 12 revising incident reporting rules to state that agencies must report losses of personally identifiable information within an hour of discovery to the Homeland Security Department. Moreover, those reports should not distinguish between suspected and confirmed incidents, according to memo.
Digg
De.licio.us
Slashdot
Technorati
