
OMB’s Incident Reporting Requirement

Several weeks ago the head of the Office of Management and Budget’s (OMB) Office of Electronic Government and Information Technology stated that the number of security-related incidents reported by US government agencies had more than doubled (from 14 to 30) in only a few months. Why the sudden increase in the number of reported incidents? A possible explanation is the impact of a fairly recent OMB edict that requires these agencies to report security incidents in which personally identifiable information is compromised to the US Computer Emergency Readiness Team (US-CERT) within one hour of the start of the incident. Evans, the OMB official in question, asserted that this increase is due to agencies taking no chances—they now report anything that appears to be an incident in which personal information may have been obtained without authorization. She added that there may now also be increased awareness of potential incidents within agencies, something that she views as a positive development. An alternative explanation is simply that more incidents in which personal information is compromised are occurring. After all, recent statistics indicate that the number of such incidents has been growing rather dramatically over the past few years.

Regardless of the cause of this sudden increase in data security breaches, an important underlying issue, the amount of time allowed, needs to be scrutinized. Although the one-hour reporting deadline might superficially seem reasonable, in real settings it is anything but. In practice this deadline leaves technical personnel only a few minutes to analyze the evidence that may be associated with a potential incident. Perhaps a decade or more ago, when security incidents were relatively rudimentary compared to today’s, one hour might have been sufficient. Today’s incidents, however, are generally much more insidious; attackers use tools and methods that very carefully mask their activity on the systems they attack. Consequently, carefully investigating a potentially compromised system may require hours, if not days, of meticulous effort by one or more technical experts. The one-hour deadline will thus result (and has undoubtedly already resulted) in a substantial increase in reported events that are ultimately judged to be false alarms.

All is not amiss, however. The merit of requiring federal agencies to report potential data security breaches within an hour of their onset must ultimately be weighed not simply by its disadvantages, but by comparing its advantages to its disadvantages. The advantages are substantial. Before this reporting requirement went into effect, many data security breaches within federal agencies were simply not reported, or if they were reported, they often were not reported in a timely manner. The one-hour deadline may ultimately increase the number of false alarms reported (and the associated frustration, waste of resources, and political fallout), but it also dramatically increases the probability that incidents will at least be reported. It also helps ensure that they will be reported promptly. If personal information has potentially been compromised, one of the major considerations should be protecting the interests of the individuals who may have been affected. Prompt notification of these individuals is possible only if the incident is promptly detected and reported. Additionally, as Evans has so aptly pointed out, the reporting requirement (no matter how unreasonable the deadline is) has increased awareness of data security breaches within federal agencies, thereby ultimately increasing the likelihood that any such incidents will be handled properly.

What is the “bottom line”? Granted, requiring a determination of whether or not a potential incident is a bona fide incident within one hour is not very realistic. At the same time, however, this requirement seems to have awakened federal agencies from a deep stupor regarding detecting, responding to, and reporting data security breaches in which personal information is involved. Susceptibility to identity theft has at the same time been greatly reduced. All things considered, therefore, this requirement appears to have turned out to be a very good thing.
