On November 6, 2010, The NY Times ran an article about a security breach at the General Services Agency (GSA). It was not a small breach. One of the GSA’s employees had sent the names and Social Security numbers of the agency’s entire staff to a private email address.
GSA technicians discovered the e-mail with names and Social Security numbers while reviewing logs on Sept. 22 – a week after the message was sent – and deleted it from the recipient’s e-mail account and laptop.
On October 25th, almost six weeks after the breach occurred, the agency told employees about the worker who had apparently transmitted the file containing the personal data by accident while seeking “work-related assistance,” and said that the e-mail had not been forwarded. The agency said those involved had cooperated, and the computer that received the data was scrubbed clean by agency technicians.
The GSA, which manages federal property and employs more than 12,000 people, paid for employees to enroll in a one-year program through which they could monitor their credit reports, as well as have up to $25,000 in identity theft insurance coverage.
However, Jack Hanley, who represents approximately 4,000 General Services employees (who are members of the National Federation of Federal Employees union), said the agency’s delay in notifying employees had put them at greater risk, and that employees could remain vulnerable after the one-year program period.
“Some of them,” said Hanley, “have come to our office who have worked years to clean up their credit and have just got mortgages approved. And now if someone messes with their credit, they’re going to lose.”
The agency inspector general, Brian Miller, is investigating the incident.
Risk management and data loss prevention are critical to every enterprise.
Breaches often occur when no harm is intended. For example, an employee wants to be able to use their laptop at the office, so they bring in a wireless access point (WAP), install it and carry on … without realizing that they have opened a huge back door into a protected network.
Only continuous monitoring can assure that there are no breaches in your security wall.
On November 4, 2010, President Obama signed an Executive Order on Controlled Unclassified Information giving federal agencies 180 days to comply.
The EO was signed to address the inconsistent marking and safeguarding of documents, which has led to unclear or unnecessarily restrictive dissemination policies and created impediments to authorized information sharing. Secure information sharing with proper markings is now mandated in all U.S. departments and agencies.
The CUI Executive Order standardizes practices around the sharing of controlled unclassified information with a goal of improving the sharing of information within the executive departments of the federal government. The Executive Order specifically adopts, defines, and institutes CUI as the single designation for all information formerly referred to as Sensitive But Unclassified (SBU).
TalaTek provides a unique combination of compliance and security.
TalaTek provides solutions in e-mail, document, and SharePoint classification software. Now we are among the first CUI classification providers to meet the requirements of the Controlled Unclassified Information (CUI) Executive Order for Microsoft Outlook e-mail messages and Microsoft Office documents.
It has never been more important to have the right set of tools in place to both comply with federal regulations and to safeguard data. With our suite of solutions for CUI compliance, TalaTek offers the following key features:
- Users are forced to select the pre-programmed CUI markings from a drop-down list in Microsoft Office and Outlook before they can save, send or print information.
- Headers, footers and watermarks can be automatically applied to documents and email in order to reinforce the sensitive nature of CUI information.
- Properly formatted CUI portion markings can be applied via an easy-to-use graphical interface. As a result, users no longer have to manually add portion markings to documents or emails, which were often in the wrong format.
- Visual labels can be inserted before and/or after the subject line and message body of an email, and can be customized to meet specific marking standards required by the CUI memorandum.
In addition to automatically marking e-mails and documents with the appropriate labels, TalaTek’s marking solution also safeguards information: marked information is only accessible to people who have clearance to see it.
For more information on our comprehensive suite of risk management, security and compliance services, click here.


