Monday, July 03, 2006

US Government sets new standards on security for personal information

According to the Washington Post ("OMB Sets Guidelines for Federal Employee Laptop Security"), the White House Office of Management and Budget has sent a memorandum to all heads of civilian agencies setting additional requirements for the safeguarding of personally identifiable information. The memo requires, among other things, that government departments:

1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing;

2. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;

3. Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity; and

4. Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required.

