Security relies on policy, HUD CIO says

The answer to securing personally identifiable information (PII) is the development of sound policy, the Department of Housing and Urban Development’s chief information officer said.At the Potomac Forum's conference on Privacy Issues and Microsoft Solutions held Dec. 13, HUD CIO Lisa Schlosser said the biggest problem she found with securing PII is knowing where the information is going and who's accountable for it.“This is not a technical problem,” Schlosser said. “Eighty percent of this is setting PII policy and senior executive attention.”Public, private and academic institutions have experienced a rash of information losses this year. The most recent breach was discovered this week: the University of California at Los Angeles lost 800,000 students’ Social Security numbers. Missing laptop computers and mobile devices have become a big issue among feds this year, starting with the Department of Veterans Affairs’ loss of a laptop containing 26.5 million veterans’ personal information in May.Most PII data loss is the result of lost mobile devices or network attacks, said Mark Forman, a partner at KPMG. But a new trend is emerging: mistakes such as the accidental dissemination of e-mail messages to the wrong people.HUD was not immune to bad policy decisions regarding PII. At one point, most low-level lenders could access personal HUD records, Schlosser said. The department has since added access control policies to prevent this, such as assigning levels of access to data and preventing the attachment of nonapproved USB devices to computers.Getting her superiors’ attention was easy; the highly publicized data losses did the work for her. That not only helped her put policies into place but also aided her with enforcement.Schlosser also said the increased number of contractors in the government means more people will need to follow — and be accountable for — the same rules as federal workers.“We all outsource a lot of things,” she said. She called for service-level agreements in contracts to ensure that contracted companies share responsibility in the case of a PII breach.