New security guidelines straight from the feds:
A rash of theft and irresponsibility regarding the personal data of government employees has spurred changes in security measures; in general, the government is notorious for being slow adopters of technology, but this time, it seems to be leading the charge.
The new guidelines—set forth by the White House Office of Management and Budget—were put out in June and are geared toward federal agencies that maintain and house personal information of both government employees and citizens. To comply, there are several key components to the new mandates.
According to Dr. Eric Cole—a cofounder and senior security analyst with Intelguardians, a Washington, D.C.-based information security consulting firm—the most common measures one could take are those relating to authentication. Smart cards are important because full-volume encryption does not do any good if the password can easily be compromised. The combination of using smart cards (or key cards) in conjunction with passwords adds an extra layer of security. It is also recommended that when network access is achieved in this manner, that it terminate after 30 minutes of inactivity, further securing the data.
Another section involves keeping detailed records of what information was downloaded and when. Sensitive personal information should not reside on a laptop longer than three months unless the user can prove that ready access to that information is required.
This could have a trickle-down effects through other industries, but many private entities are already prepared for this type of security.
“There will also be a trickle-up effect. I think this is a situation where key organizations have understood the importance of laptop encryption and have been implementing it across organizations to protect critical data. Based on the issues that have occurred, the requirements are serving more as a reactive measure [than] as a proactive stance to security,” Cole said.
These new guidelines have made other industries much more cognizant of their own security requirements, and contractors are also not immune. Most contractors have advanced to the point where they have sales, estimators, technicians and other company representatives working out of the office and on job sites. Many rely on their laptops for information. It could be potentially devastating for a contractor to have his own laptop lost or stolen.
These new guidelines will change the data protection industry in a way that helps make security more readily available and understood by mass markets. More often than not, when the government leads, even those that have been resistant to technology seem to follow.
“Every year or so there is a hot new area of security, and data protection is one of those areas. If you looked at data protection 12 months ago, you had to look long and hard to find players in the space. Now there are over nine companies active in this space with venture capital firms continuing to pump money into these companies,” Cole said.
Contractors who specialize in network security can use this as a steppingstone to obtain new business in the federal marketplace and possibly to secure new customers. For those not interested in entering this realm, they can use the government requirements for their own business processes. Laptop theft and loss can and does happen to everyone. If one of your own employees lost his or her laptop that contained detailed contract information, project pricing data or even employee data, such as payroll information, how would you feel? Perhaps the government is on the right track with these guidelines, and the private sector can learn a thing or two. EC