Security relies on policy, HUD CIO says

The answer to securing personally identifiable information (PII) is the development of sound policy, the Department of Housing and Urban Development’s chief information officer said.

At the Potomac Forum's conference on Privacy Issues and Microsoft Solutions held Dec. 13, HUD CIO Lisa Schlosser said the biggest problem she found with securing PII is knowing where the information is going and who's accountable for it.

“This is not a technical problem,” Schlosser said. “Eighty percent of this is setting PII policy and senior executive attention.”

Public, private and academic institutions have experienced a rash of information losses this year. The most recent breach was discovered this week: the University of California at Los Angeles lost 800,000 students’ Social Security numbers. Missing laptop computers and mobile devices have become a big issue among feds this year, starting with the Department of Veterans Affairs’ loss of a laptop containing 26.5 million veterans’ personal information in May.

Most PII data loss is the result of lost mobile devices or network attacks, said Mark Forman, a partner at KPMG. But a new trend is emerging: mistakes such as the accidental dissemination of e-mail messages to the wrong people.

HUD was not immune to bad policy decisions regarding PII. At one point, most low-level lenders could access personal HUD records, Schlosser said. The department has since added access control policies to prevent this, such as assigning levels of access to data and preventing the attachment of nonapproved USB devices to computers.

Getting her superiors’ attention was easy; the highly publicized data losses did the work for her. That not only helped her put policies into place but also aided her with enforcement.

Schlosser also said the increased number of contractors in the government means more people will need to follow — and be accountable for — the same rules as federal workers.

“We all outsource a lot of things,” she said. She called for service-level agreements in contracts to ensure that contracted companies share responsibility in the case of a PII breach.
