Letter: Security rules are only as good as those who obey them
- By Stephanie Kanowitz
- Sep 17, 2007
"Gadgets that don’t play by the rules" is a good article on the challenges of adapting to agency responses to the rapidly changing technology landscape, but I have to ask about your comment in the sidebar that states, "Information technology managers...can buy some time by using common sense rules until they can develop a broader strategy."
With all due respect, the alarm went off at the announcement of the Veterans Affairs Department breach. With all hands on deck across the federal government, agency technology managers have been tasked with making sure that their agencies don't get embarrassed by another breach and yet many more have come to light. It's time to seriously look at the root cause: Information is easy to distribute once authorized access is granted. All of the training can be done and all of the policies in the world can be devised to state what is not allowed, but like speeding in your car, without enforcement, laws are only as good as the people obeying them.
Automated enforcement is needed that is transparent and user friendly so as to enable business productivity while enforcing security. Since unknown storage devices can be introduced, then enforcement needs to be at the information level. Industry is already working diligently to address this issue in the areas of the Secure Information Shared Architecture Alliance and enterprise rights management. The alliance would provide much tighter controls over network access offline and on, and a subset of this vetted off-the-shelf interoperability solution includes enterprise rights management to provide enforcement of agency policies and security awareness trainings at the data-level without putting additional strain on security departments. When "gadgets don't play by the rules," then agencies need to change the rules.