[ISN] OMB tightens IT security incident rules

From: InfoSec News (alerts@infosecnews.org)
Date: Fri Jul 14 2006 - 03:07:20 CDT


http://www.gcn.com/online/vol1_no1/41334-1.html

By Mary Mosquera
GCN Staff
07/13/06

Agencies must now report all security incidents involving personally
identifiable information within one hour of discovering the incident, the
Office of Management and Budget said in a memo tightening information
security notification procedures.

OMB also added new requirements for incorporating the cost of security in
agency IT investments for fiscal 2008 IT budget submissions.

The Federal Information Security Management Act of 2002 requires all
agencies to report security incidents to the U.S. Computer Emergency
Readiness Team (US-CERT) within the Homeland Security Department.
Procedures require agencies to report according to various time frames
based on the type of incident.

OMB has strengthened notification procedures by making the one-hour
requirement standard for both electronic and physical security, and for
suspected as well as confirmed security breaches.

"You should report all incidents involving personally identifiable
information in electronic or physical form and should not distinguish
between suspected and confirmed breaches," said Karen Evans, OMB
administrator for e-government and IT, in the memo dated yesterday.

US-CERT will forward all agency reports to the appropriate Identity Theft
Task Force point of contact, also within one hour of notification by an
agency.

The tightening of incident notification comes on the heels of House
Government Reform Chairman Rep. Tom Davis (R-Va.) directing agencies to
report to him in two weeks summaries of all data breaches that have
occurred since 2003.

One security expert believes that Davis may get information only about
data breaches that have already been made public or those that have not
had a direct impact on Americans.

"The agencies cannot answer that honestly because if they do, they will
provide evidence that they had not told US-CERT about all of the attacks,"
said Alan Paller, research director at the SANS Institute in Bethesda, Md.

In addition to existing guidance for 2008 IT budgets, the memo urged
agencies to detail how they distribute their resources between correcting
existing security weaknesses in steady-state investments and proposing
funds for system development, modernization or enhancement.

Agencies with significant weaknesses that the agency Inspector General or
the Government Accountability Office have identified should also highlight
the specific funds requested for proposed development, modernization or
enhancement efforts to correct these security weaknesses. This includes
correcting weaknesses found during privacy program reviews and for
implementing security controls.

Under existing guidance, agencies must integrate security and fund it over
the lifecycle of each system undergoing development, modernization or
enhancement. Steady-state system operations also must meet existing
security requirements before new funds are spent on system development,
modernization or enhancement.
