Archive for the ‘IT Compliance’ Category

Further Comments on FISMA by Rep. Davis

Wednesday, April 18th, 2007

In my post earlier this week on the latest FISMA rankings, I referenced a quote by Virginia Rep. Tom Davis.

He posted further comments on the Hill Blog Monday that are worth reading. He lets the Department of Homeland Security off the hook a bit, but really expresses frustration with the Department of Defense.

Good to hear directly from our legislators, rather than in a press clipping.

FISMA Scores Improve…Barely

Monday, April 16th, 2007

The latest grades are out for the Federal Government when it comes to information security. According to Government Technology, Rep. Tom Davis, ranking member of the House Government Oversight and Reform Committee, gave the federal government an overall grade of C-minus when it comes to safekeeping information on government computer systems. After being mired in D’s for the past three years, a C-minus shows some improvement, but still leaves a lot of room for growth.

While the Department of Justice and the Department of Housing and Urban Development showed the most improvement, with Justice jumping from a D to an A-minus and HUD from D-plus to A-plus, there were also some significant declines. NASA fell from B-minus to D-minus, and the Department of Education fell from C-minus to F.

As Rep. Mike Turner, ranking member of the Information Policy, Census and National Archives subcommittee, said in the Government Technology article, “It’s troubling that some of the agencies with the most sensitive information continue to score poorly on this. The report identifies problems in federal agencies which include the Department of Defense, the Department of State, and the Nuclear Regulatory Commission.”

However, on closer inspection, two of the biggest grade improvements came as a result of simply documenting the inventory of systems. You’d think this was a very elementary step to take for securing sensitive data.

As the article points out, “more improvement is needed in how systems are configured from a security standpoint and for training for employees with significant information security responsibilities.”

Nobody in government IT should be satisfied with this improvement. Average compliance scores are one thing, but they most likely translate into above-average vulnerability to exploits.

HIPAA Enforcement Still An Empty Promise

Thursday, April 12th, 2007

The Health Insurance Portability and Accountability Act, better known by its acronym (HIPAA), was passed by Congress way back in 1996. Yet, in spite of its being on the record books as long as or longer than almost any other major regulatory compliance mandate facing IT departments, it has clearly been the proverbial “red-headed stepchild” when it comes to enforcement.

The Office of Civil Rights is actually tasked with enforcement of the law. According to a post by Rebecca Herold, “The Department of Health and Human Services (HHS) Department Office of Inspector General (OIG) appears to be making movement on their promise in their Fiscal Year 2007 Work Plan to ‘review HIPAA privacy and security implementation under Medicare and Medicaid to identify key issues in the HHS information technology initiative.’”

Herold cites two references in the April 9 issue of Privacy and Law Report, from the Bureau of National Affairs (BNA, a subscriber site), as potential signs of increased enforcement. The report states that auditors will assess Piedmont Hospital in Atlanta’s compliance with the HIPAA security rule and indicates that the Centers for Medicare & Medicaid Services (CMS) are also planning increased enforcement.

Yet, in the same post, Herold shares these paltry statistics from the Office for Civil Rights, the governing body responsible for HIPAA enforcement. “Through February 28 [the department] had closed 77% of the 25,662 complaints it had received. The OCR referred 373 of the complaints to the Justice Department for criminal investigation.”

If my math serves me correctly, that means that, of the nearly 20,000 complaints the OCR “investigated”, less than 2% were worth further action? COME ON!!

Oh, and why is Health and Human Services promising any improvements if the Office for Civil Rights is the one that has to step up and improve enforcement?

Sounds like a pretty empty promise to me.

J-SOX Compliance Date Nears

Thursday, April 5th, 2007

Publicly traded companies in America have been through a couple of rounds of SOX audits, but companies in other parts of the world will be getting their first taste of similar compliance requirements in the next year.

J-SOX, the Sarbanes-Oxley-inspired name for the Financial Instruments and Exchange Law, will go into effect in April 2008 for approximately 3,800 companies listed in Japan, along with their foreign subsidiaries. Like SOX, the Japanese regulation was also enacted in response to accounting scandals involving companies like Seibu Railway Co., Livedoor Co., and the Murakami Fund.

According to an article by Thomas Hoffman, some companies are already being proactive. Fuji’s largest North American subsidiary is documenting its hardware, the IP addresses of those machines, and the software running on them. In addition, it is documenting the controls it has in place for several IT processes that could affect the company’s financials. Tokyo Electron America, Inc., based in Austin, TX, is tracking and monitoring its global IT systems and documenting the security safeguards in place for each system.

If there is any lesson Japanese firms can learn from the first two years of SOX, it is not to procrastinate, particularly in getting the people, processes, and technology in place that will weave compliance into the overall fabric of daily activity in the IT department. Otherwise, compliance work becomes an almost total interruption of the IT department’s responsibility for supporting the business.

Sounds like some American subsidiaries may be heeding the lessons learned by other American companies and passing them on to their Japanese counterparts…and that’s a good thing.
