We are understandably tired of hearing about the potential compromise of personal information contained on lost government laptop computers. Indeed, in the past couple of months alone, the Internal Revenue Service and the Federal Trade Commission have grappled with lost laptops that contained large amounts of private data.
Reacting to what could become a crisis, the Executive Office of the President's Office of Management and Budget (OMB) has issued new security guidelines to address and compensate for the lack of physical security controls when information is removed from or accessed from outside of federal department and agency locations.
Specifically, the OMB recommends that all departments and agencies:
Encrypt all data on mobile computers/devices that carry governmental data unless the data is determined to be nonsensitive;
Allow remote access only with "two factor" authentication where one of the factors is provided by a device separate from the computer gaining access;
Use a "time out" function for remote access and mobile devices that requires user reauthentication after 30 minutes of inactivity;
Log all computer-readable data extracts from databases holding sensitive information, and verify that each extract including sensitive data has been erased within 90 days or that its use is still required.
The purpose of the foregoing, as stated by the OMB, is "to properly safeguard our information assets while using information technology." That is correct, except that the information assets also obviously implicate the interests of the actual people whose data is housed on government laptops.
Unfortunately, the OMB has stopped short of issuing actual requirements here, and instead promulgated recommendations. The recommendations make sense as a first step, and, frankly, should be required.
The OMB has asked that the above safeguards be put in place within 45 days by federal departments and agencies. Hopefully, the expression "good enough for government work" soon will include federal action with respect to the OMB's recommendations, and we will stop hearing about misplaced government laptops that contain easily accessible sensitive data.