Data security — a bureaucracy's solution
Reacting to the recent problems (see here and here) with federal data getting lost, the US Office of Management and Budget (OMB) has now issued guidelines about how to protect sensitive agency information in the future. As the Washington Post reports, civilian agencies will have 45 days to implement the new measures, which essentially are encryption of all movable data (on laptops and handheld computers) and keeping detailed records of all information downloaded from databases containing sensitive information.
The guidelines are available as a PDF document here, and they are instructive less for their substance (see above) than for the insight they provide into the workings of a bureaucracy's mindset: One page of instructions is followed by nine (!) pages of a security checklist that includes a flowchart, a checklist and excessively detailed prescriptions about procedures that I can only describe as mind-boggling...
Care for a snippet? Here is one chosen at random:
"Action item 2.3: Revise/develop organizational policy as needed, including steps 3 and 4.
Guidance: Based upon the results from the previous action items, the organizational policy is revised or developed to fully address the questions posed in the previous action items.
Related SP 800-53 controls and associated SP 800-53A assessment procedures:
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
SP 800-53A: AC-1.1, AC-1.2, AC-1.3, AC-1.4 (for high impact add: AC-1.5, AC-1.6, AC-1.7)"
And this goes on page after page after page…
Update: Fittingly, today it was announced that the stolen laptop with the soldiers' and veterans' data that triggered all this has been recovered (see CNN report here). Apparently there have been no reports of identity thefts from the data concerned so far. And since much of the blame was initially put on the analyst from whose house the laptop was stolen, it is interesting to note that this employee apparently had approval dating back to 2002 to use the data with specially written software in his home. He is now challenging his dismissal from the Dept. of Veteran Affairs.