Government Technology

What Will Your Agency do if Sensitive Citizen Information is Stolen?



October 22, 2007 By

What will happen when taxpayers' personal information gets stolen from the next government department? According to Howard Glavin, Manager of PCI Service Delivery for IBM, it may be time for the Database Administrator (DBA) to "assume the position" and wait for the cops. At the California Department of Technology Services Security Awareness Fair last week, Glavin offered advice on how to keep that situation from arising: access should be granted on a need-, right- and time-to-know basis, which makes it far easier to control.

Not everyone needs access to the same information. Managing users means understanding who needs to work with which programs, and who does not; and it is not only the programs but the information inside them that only certain people should be able to reach. Citizens use credit and debit cards to pay fees and taxes. Social Security numbers appear on practically every document submitted. Where is this information stored? In government databases. And who has access to those databases? Glavin pointed out that ninety-two percent of data theft happens from within an organization. Keeping citizens' information on a need-to-know basis is critical to user management.

Along with the need for access comes the right to access. No person should have rights to information they do not absolutely need for a given responsibility. Glavin likened holding access to hoarding pennies: "[we] get it but we never give it back!" He asked who could remember the last time they "went to someone and said, 'I have more access than I need. Please take it away?'" Limiting rights means careful discernment when access is first granted, and swift removal of that access when an employee leaves or changes responsibilities.

The third aspect of access management is time. Limiting the times when a user ID is active is not yet a universal practice, but according to Glavin it could save managers some headaches down the line. Time-to-know "means that if it's midnight, and you work an eight to five shift during the day, you have no [access to] that data." If a user ID is permitted to reach databases only during certain hours and it touches the database outside those hours, something is amiss. "Thieves don't [steal information] during the work day. They do it during lunch hours, before and after hours. Fact of life," Glavin explained.
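The three tests described above (need, right and time) can be applied mechanically to every access request, and the same rules can be replayed over an access log to surface exactly the off-hours and post-departure activity Glavin warns about. The following is an added example, not code from the article or from IBM; the agency, the user IDs (dba_lee, clerk_ortiz, ops_night, intern_pat, analyst_kim), the resource names and the log lines are all constructed for illustration.

```python
"""Need-, right- and time-to-know checks replayed over a constructed access log.

Added example, not from the original article. All accounts, resources and
log lines below are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str                 # database object holding citizen data
    reason: str                   # the duty that justifies the access (need)
    valid_from: date              # the right starts when the duty starts ...
    valid_until: Optional[date]   # ... and ends when the employee leaves or moves
    start: time                   # hours in which the ID may use the grant (time)
    end: time

    def covers_date(self, d: date) -> bool:
        return self.valid_from <= d and (self.valid_until is None or d <= self.valid_until)

    def covers_time(self, t: time) -> bool:
        if self.start <= self.end:                 # ordinary day shift
            return self.start <= t <= self.end
        return t >= self.start or t <= self.end    # window wraps past midnight


# Constructed grants for a hypothetical agency.
GRANTS = [
    Grant("dba_lee", "fees_db.cardholder", "DBA on-call rotation",
          date(2007, 1, 2), None, time(8, 0), time(17, 0)),
    Grant("clerk_ortiz", "fees_db.cardholder", "Counter payments",
          date(2007, 3, 1), date(2007, 9, 30),     # transferred out on 30 Sept
          time(8, 0), time(17, 0)),
    Grant("ops_night", "fees_db.audit_log", "Night batch monitoring",
          date(2007, 1, 2), None, time(22, 0), time(6, 0)),
    Grant("analyst_kim", "fees_db.cardholder", "One-off 2006 report",
          date(2006, 11, 1), None, time(8, 0), time(17, 0)),  # never revoked
]

# Constructed log lines: "<date> <time> <user> <resource> <action>".
LOG = """\
2007-10-15 09:14:02 dba_lee fees_db.cardholder SELECT
2007-10-15 00:12:03 dba_lee fees_db.cardholder SELECT
2007-10-15 10:05:41 clerk_ortiz fees_db.cardholder SELECT
2007-10-15 10:06:00 intern_pat fees_db.cardholder SELECT
2007-10-15 02:30:00 ops_night fees_db.audit_log SELECT
"""


def decide(user: str, resource: str, when: datetime, grants=GRANTS) -> str:
    """Apply need, right and time in order; the first failing test names the reason."""
    matching = [g for g in grants if g.user == user and g.resource == resource]
    if not matching:
        return "deny: need (no grant for this user on this resource)"
    in_date = [g for g in matching if g.covers_date(when.date())]
    if not in_date:
        return "deny: right (grant not valid on this date; employee left or changed duties)"
    if not any(g.covers_time(when.time()) for g in in_date):
        return "deny: time (access outside the ID's permitted hours)"
    return "allow"


def parse_log(text: str):
    entries = []
    for line in text.strip().splitlines():
        d, t, user, resource, action = line.split()
        entries.append((datetime.fromisoformat(f"{d}T{t}"), user, resource, action))
    return entries


def audit(text: str):
    """Return (timestamp, user, resource, verdict) for every log line."""
    return [(when, user, res, decide(user, res, when))
            for when, user, res, _ in parse_log(text)]


def suspicious(text: str):
    """Off-hours use and use after a duty ended are the insider patterns to chase first."""
    return [e for e in audit(text)
            if e[3].startswith("deny: time") or e[3].startswith("deny: right")]


def stale_grants(text: str, as_of: date, days: int = 90, grants=GRANTS):
    """Grants still live on as_of but unused for `days`: the access nobody gave back."""
    last_use = {}
    for when, user, res, _ in parse_log(text):
        key = (user, res)
        last_use[key] = max(last_use.get(key, when), when)
    cutoff = as_of - timedelta(days=days)
    stale = []
    for g in grants:
        if not g.covers_date(as_of):
            continue
        last = last_use.get((g.user, g.resource))
        if last is None or last.date() < cutoff:
            stale.append(g)
    return stale


if __name__ == "__main__":
    for when, user, res, verdict in audit(LOG):
        print(when, user, res, verdict)
    for g in stale_grants(LOG, date(2007, 10, 22)):
        print("review for revocation:", g.user, g.resource, g.reason)
```

Replayed over the constructed log, the DBA's midnight query and the transferred clerk's October access are the two events flagged, the intern with no grant is denied outright, and the night-shift monitoring account is allowed because its window wraps midnight. The stale-grant review lists the 2006 report access that was never revoked, which is the kind of entitlement an agency would ask its owner to give back.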

Implementing need-, right- and time-to-know policies for user management means better accountability, making it easier to keep track of what is going on in the department. The best way to ensure such access standards are actually followed is auditing. But auditing is best done selectively and intermittently rather than exhaustively, especially in large agencies. "If they went into state government and audited all users, all activity, we would need a computer half the size of California, and I guarantee the fault line would fail because of the weight."

Most managers know that user management policies are necessary to protect the data, and the personal information, held in these systems, but for the most part the policies are not strictly enforced. And unless database managers would enjoy explaining how taxpayers' information slipped out, it might be a good idea to take a look at the agency's access policies.


You may use or reference this story with attribution and a link to
http://www.govtech.com/security/What-Will-Your-Agency-do-if.html

