Commission issues guidebook on data security
Federal Trade Commission stands ready to help agencies craft security plans that meet their needs, chairwoman says.
The Federal Trade Commission on Thursday published a guidebook that may come in handy for federal agencies working to do a better job of preventing data loss or theft.
The guidebook urges organizations to take five key steps to keep sensitive information safe: Take stock of any personal information collected, eliminate data that is unneeded, properly dispose of unnecessary information, lock up whatever remains and plan a response to potential security incidents.
Deborah Platt Majoras, chair of the FTC, encouraged federal officials to use the guidebook and other commission resources on information security. The commission is an independent federal agency charged with enforcing consumer protection and antitrust laws.
Data security plans have to be tailored to the size of an organization, Majoras said at the International Association of Privacy Professionals annual summit in Washington Thursday. "There is no such thing as a one-size-fits-all data security plan."
The FTC is working hard to strengthen its own data security program, and agencies seeking advice won't "have to reinvent the wheel," Majoras said. "We're happy to share all of our materials and programs with them."
Majoras added that the amount of personal information organizations collect is only going to increase with technological advancements. With that, the risk of breaches increases as well.
Over the past 10 months, federal agencies have reported multiple incidents that jeopardize sensitive personal information such as Social Security numbers and dates of birth for thousands, sometimes millions, of people.
But the FTC chief cautioned against establishing detailed standards.
"Because technologies change over time, imposing some very specific technical standard which we then carve into stone would soon become obsolete or have unintended consequences … like stunting innovation," she said.
Scott McNealy, chairman of the board for Sun Microsystems, said at the summit that government organizations have yet to fully adopt available information security technology.
The most important action federal officials can take is establishing an identity management infrastructure that determines "who is who, and who gets access to what," McNealy said. He said Homeland Security Presidential Directive 12, which requires agencies to issue employees and contractors standard identification cards, gives officials the "end state" they should keep in mind.
By removing data from individual computers and storing it on a mainframe where it is available for downloads when needed, military and intelligence agencies are eliminating much of the risk involved in handling sensitive information, McNealy said. "If I stole that TV, I haven't stolen anything … there's no data," he said.
Military and intelligence agencies "take security and privacy very seriously," McNealy said. "Do the rest of the civilian agencies? Probably not."