Government Agencies Struggle to Implement Operational Risk Management Policies to Better Defend Data

If nothing else comes through the stories of prominent, highly publicized hacks over the last two or three years, the limitations of relying on purely technical defenses (firewalls, intrusion detection systems, etc.) should be clear.

Target, the US Federal Office of Personnel Management (OPM), Anthem, and many others had no lack of “cybersecurity” systems. But these systems failed to neutralize hacks. The end result, unfortunately, included the exposure of personal data of millions of people who had either simply decided to affiliate themselves with these businesses, or, in the case of the OPM hack, simply chose to work for the US Federal Government.

The missing piece, I would argue in each case, is any semblance of an operational risk management (ORM) policy. ORM procedures are designed to prescribe the operational controls that reduce the threat of a potentially dangerous hack, by making a damaging outcome less likely to occur.

In an article titled “Justice Department Probing Breach of Its Computer System,” Devlin Barrett and Kate O’Keeffe of the Wall Street Journal report on yet another successful compromise of personal data. This time the unfortunate victims are employees of the US Department of Homeland Security and the FBI.

Through a combination of what appear to be incorrectly managed access-control privileges and the misclassification of personal data into a “non-classified” data store, identity information for some of our first responders was maliciously publicized to “just anybody”.

Not good.