Last month, the Office of Personnel Management (OPM) admitted to a massive data breach affecting the personal data of 4.2 million past and present federal employees.
Now, a day after the agency acknowledged a second leak affecting the background investigation records of 21.5 million individuals, OPM director Katherine Archuleta has tendered her resignation to help the department “move beyond the current challenges” – the only mention she makes of the security debacle in her brief statement.
According to the OPM news release, the second breach affected “19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.” Of the compromised records, 1.1 million included fingerprints.
Of the 21.5 million individuals affected by this second breach, 3.6 million were affected by the previous breach, bringing the grand total of individuals affected by the OPM’s poor data security to 22.1 million.
The OPM is not alone: 19 of 24 federal agencies have deficient cybersecurity
While the data breaches to hit the OPM are unprecedented in scale, the OPM is by no means the only federal agency with poor security practices.
According to a recent report by the Government Accountability Office (Cyber Threats and Data Breaches Illustrate Need for Stronger Controls across Federal Agencies), 19 of 24 federal agencies declared cybersecurity “a significant deficiency or material weakness”. The number of incidents reported to the US-CERT by federal agencies in the fiscal years 2006 through 2014 increased from 5,503 to 67,168.
Furthermore, the report reveals that the number of reported security incidents involving personal information at federal agencies “has more than doubled in recent years—from 10,481 incidents in fiscal year 2009 to 27,624 incidents in fiscal year 2014.”
As the Washington Post observes, the OPM “incident serves as a reminder that government isn’t just a threat because of the powers it exercises or abuses … Americans now find their own government to be the greatest threat to their privacy — not in the narrow sense that government knows too much about everyone (which is also true), but in the broader sense that it is the weakest link for keeping their private data out of the hands of criminals.”
Now OPM strengthens its security
Last month, the OPM announced a series of measures to strengthen its cybersecurity, including implementing two-factor authentication for privileged users, restricting remote access for network administrators, deploying anti-malware software, implementing continuous monitoring, installing more firewalls, developing a risk executive function to ensure risk mitigation, and introducing mandatory cybersecurity awareness training for all staff.
All of these measures could be supported by an information security management system (ISMS), the responsible approach to information security as set out in the international standard ISO 27001.
An ISO 27001 information security regime takes an evidence-based approach to securing your information assets, ensuring that decisions are made according to the scale of the risk and in recognition of the business environment.
ISO 27001 presents a comprehensive and logical approach to developing, implementing, and managing an ISMS, and provides associated guidance for conducting risk assessments and applying the necessary risk treatments.
The additional external validation demonstrated by accredited registration to ISO 27001 will improve an organization’s cybersecurity posture while providing a higher level of confidence in customers and stakeholders, which is essential for securing certain global and government contracts.
IT Governance has created four ISO 27001 implementation solutions to give US organizations online access to world-class expertise. Each fixed-priced solution is a combination of products and services that will enable you to implement ISO 27001 at a speed and budget appropriate to your individual needs.