Case Study 2: Data Breaches and Regulatory Requirements
CIS438 Information Security Legal Issues
November 11, 2016
The National Institute of Standards and Technology (NIST) and the Federal Information Security Management Act (FISMA) provide resources, guidance, standards, and guidelines for establishing information security within federal systems; however, there have been numerous security incidents, including data breaches, within federal systems. In this case study I will assess one of the documented data breaches within a government system.
Data Breaches and Regulatory Requirements
An article in the New York Times dated July 9, 2015, "Hacking of Government Computers Exposed 21.5 Million People," highlights that every person given a government background or security clearance investigation in the last fifteen years was probably affected, including their spouses and friends. The breach exposed sensitive information including health and financial history, addresses, social security numbers, and some fingerprints. The ongoing attack, targeting the United States Office of Personnel Management (OPM) computer systems, was identified in April of 2015. It was discovered during a deeper investigation of a previous breach of the Interior Department network, which held a personnel database containing 4.2 million records of current and former federal employees. In both cases the hacker gained access via a compromised credential belonging to a contractor.
It was noted that OPM had all but ignored warnings about vulnerabilities from Government Accountability Office (GAO) auditors and its own internal auditors (Hirschfeld Davis, 2015).
A November 2014 report from OPM's Inspector General's (IG) office stated that OPM systems were only at 75% adherence to the Federal Information Security Management Act (FISMA) 2002 regulations. It was also noted that "several information security agreements between OPM and contractor-operated information systems have expired" (Gallagher, 2015). The E-Government Act of 2002 requires the federal government to use information technologies that protect privacy, and to conduct Privacy Impact Assessments (PIAs). FISMA defines a comprehensive framework of standards, guidelines, and methodologies to protect government information. The National Institute of Standards and Technology (NIST) publishes the standards and guidelines on which FISMA bases its framework. A management control which may have prevented this breach is continuous review for expired contracts, with deactivation of security access for contractors associated with the identified contracts. A technical control which by 2015 had become relatively standard is 2-factor authentication. 2-factor authentication is an extra layer of authentication required of authorized users beyond a simple userid and password, which can be compromised with or without the user's knowledge. The second layer of authentication is typically a random alphanumeric code generated with an extremely short lifespan, say 30-60 seconds. This code is retrieved by the user at the time of login and is matched against a paired code in the internal authenticating system. A hacker would need to continually compromise either the 2-factor authentication system or the receiving device to access a system.
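The second-factor scheme described above is, in its most widely deployed form, time-based one-time passwords (TOTP, RFC 6238): the code is not drawn at random but derived from a secret shared between the user's device and the server and from the current 30-second time step, so both sides can compute it independently. The following Python is an added example written for this case study, not code from OPM or from any of the cited sources; it generates codes, verifies them on the server side with a one-step tolerance for clock skew, refuses to accept a time step twice (replay), and shows that a stolen password alone does not pass the login. The secret is the constructed 20-byte seed from the RFC 6238 test vectors, used only so the output can be checked against the published values; the function and class names are this example's own.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226/6238 test-vector seed. Never reuse a
# published value as a real shared secret; provision one per user at enrollment.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # lifespan of one code
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a short decimal code padded with leading zeros."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of whole time steps
    elapsed since the Unix epoch. The device computes exactly this."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verification of the second factor.

    Accepts a code for the current step or one step either side (window=1) to
    tolerate clock skew, and remembers the highest step already accepted so the
    same code cannot be replayed within its lifespan.
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS,
                 digits: int = DIGITS, window: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue  # already used (or older): reject replay
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


def login(password_ok: bool, code: str, verifier: TotpVerifier,
          unix_time: int) -> bool:
    """Two-factor login: a correct password AND a fresh, valid code are both
    required. A compromised password by itself (password_ok=True, no device)
    cannot produce the code; a stolen code by itself is rejected on replay."""
    return password_ok and verifier.verify(code, unix_time)


if __name__ == "__main__":
    now = 59  # constructed timestamp from the RFC 6238 test vectors
    device_code = totp(DEMO_SECRET, now)          # what the user's device shows
    server = TotpVerifier(DEMO_SECRET)
    print("first use:", login(True, device_code, server, now))    # True
    print("replayed: ", login(True, device_code, server, now))    # False
    print("bad pw:   ", login(False, device_code, server, now))   # False
```

Using the verifier as the single point that consumes codes matters: if the password check and the code check were in separate services, a replayed code could be accepted by the one that had not seen it yet. The same pattern also answers the paper's point about contractor credentials, since a leaked password is only half of what the login requires.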
It is utterly unimaginable and egregious that OPM had gained only a 75% adherence rating to FISMA regulations by 2014, 12 years after it was enacted. Given this information, FISMA should have included timeframes for adherence to the regulations and significant reassessment actions for not meeting those timeframes. From 2002 to date there have been seven directors of OPM, the longest tenure being four years, 2009 to 2013; the director at the time of the breach, Katherine Archuleta, had been in the position for only 20 months. While members of the House demanded her resignation, which she submitted one day later, she stated that removing one key person would make no improvement in progress towards adherence to the regulations (Hirschfeld Davis, 2015). While there is a hint of reality to her statement, it was noted in a subcommittee hearing on July 8th, 2015 that OPM had only achieved 3 of the 29 recommendations outlined in OPM's 2014 FISMA audit report during her tenure. OPM's assistant inspector general for audits stated "There are currently no consequences for failure to meet FISMA standards," which points to a significant deficiency in the regulatory definition of FISMA (Noble, 2015).
Gallagher, S. (2015, June 8). Why the "biggest government hack ever" got past the feds. Ars Technica. Retrieved from http://arstechnica.com/security/2015/06/why-the-biggest-government-hack-ever-got-past-opm-dhs-and-nsa/
Hirschfeld Davis, J. (2015, July 9). Hacking of Government Computers Exposed 21.5 Million People. The New York Times. Retrieved from http://www.nytimes.com/2015/07/10/us/office-of-personnel-management-hackers-got-data-of-millions.html?_r=0
Hirschfeld Davis, J. (2015, July 10). Katherine Archuleta, Director of Personnel Agency, Resigns. The New York Times. Retrieved from http://www.nytimes.com/2015/07/11/us/katherine-archuleta-director-of-office-of-personnel-management-resigns.html?action=click&contentCollection=U.S.&module=RelatedCoverage&region=Marginalia&pgtype=article
Noble, Z. (2015, July 9). Fixing FISMA, blaming someone, and another lawsuit. FCW. Retrieved from https://fcw.com/articles/2015/07/09/opm-breach-hearing.aspx