FCW Insider: A clever approach to managing personal data

FCW does not often cover the international arena, but I periodically visit the Web sites of the U.K., E.U. and other governments just to see what's going on. That's how I came across this little gem.


The U.K.'s National Technical Authority for Information Assurance has proposed a new approach to managing the security of sensitive data, according to the E-government Bulletin, produced by Headstar, a London-based publisher.


The U.K., like the U.S., is especially concerned about what our federal government calls personally identifiable information. A planned national ID card program (or "programme") involving biometrics has heightened those concerns.


In any case, the U.K. has developed a strategy to replace traditional security designations, such as "confidential" or "secret," with "business impact codes" ranging from 0 to 6.


The number indicates the level of "adverse impact" that would be felt by an agency if the data were compromised. The higher the number, the worse the consequences would be.


For example, I would guess that a Labor spreadsheet showing unemployment information by state, but containing no personal data, would rate a 0 or 1. On the other hand, an NIH database of personal health information for study participants would rank a 6.


That is to say, there probably would not be a lot of fuss if Labor were to lose a laptop with that spreadsheet. But GAO would come calling if NIH misplaced those health records.


But here is the clever part of this approach: Each impact code would be associated with a particular set of information assurance measures, which are fairly simple at the lower levels but increasingly complex as the number goes up.


In effect, the system provides a built-in business case for buying security solutions. If an agency (perhaps with help from GAO or the IG) determines that a particular database rates a 5 or 6, it is fairly easy to justify the more costly security measures.


This approach also focuses oversight by GAO or the IG. They would answer two questions: Did the agency apply the appropriate impact code? If so, did it apply the appropriate measures? If the answer to either question is no, the subsequent conversation with the agency is fairly straightforward.


I can't really imagine the U.S. federal government latching onto something like this, but hey, who knows? Change is in the air.

Posted by John Stein Monroe on Nov 11, 2008 at 12:18 PM
