Securing Sensitive Information

Through several Office of Management and Budget (OMB) mandates, federal agencies are required to establish robust methods of securing sensitive information. The information of concern is defined as either agency confidential information or Personally Identifiable Information (PII) that could be used for identity theft.

Tracked PII – such as a name or Social Security number that is correlated with other linked details including date of birth, place of birth, and address – can expose a person's identity. The OMB has issued a number of mandates covering the securing of sensitive information and the handling of data breaches, including OMB M-07-16, OMB M-06-19, OMB M-06-16, and OMB M-06-15. These mandates cover a number of information security procedures, including:

  • Securing Personally Identifiable Information (PII) and other sensitive information.
  • Developing and following a breach response plan to mitigate the potential consequences of breach, such as identity theft.
  • Reporting all data breaches to US-CERT within one hour of discovering the incident.
  • Encrypting all sensitive information on desktops, laptops and removable media such as USB sticks and CDs / DVDs.
The OMB also outlines a few simple and cost-effective steps that help agencies protect against accidental or intentional disclosure of sensitive information, including:
  • Reducing the volume of collected and retained information to the minimum necessary;
  • Limiting access to only those individuals who must have such access; and
  • Using encryption, strong authentication procedures, and other security controls to make information unusable by unauthorized individuals.
In addition, in November 2012 President Obama issued a memorandum to advance insider threat programs across federal agencies. The National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs (Minimum Standards) provide federal departments and agencies with the minimum elements necessary to establish effective insider threat programs:
"The resulting insider threat capabilities will strengthen the protection of classified information across the executive branch and reinforce our defenses against both adversaries and insiders who misuse their access and endanger our national security," the memorandum states.

How Lumension Helps Agencies Secure Sensitive Information

The Lumension® Endpoint Management and Security Suite (L.E.M.S.S.) helps federal agencies comply with the current mandates. L.E.M.S.S. unifies IT operations and security functions through a single console, server, and agent architecture, so that IT risk and systems management requirements can be addressed more effectively across the agency. L.E.M.S.S. provides a defense-in-depth approach to IT security, protecting against a wide variety of threat vectors, including advanced persistent threats (APTs).

L.E.M.S.S. consists of the following modules, which support the compliance mandates above:

  • Lumension® Patch and Remediation – Reduces organizational risk and optimizes IT operations through the timely, proactive remediation of OS and application vulnerabilities across all endpoints and servers. Heterogeneous platform and third-party vulnerability content support includes Microsoft® Windows®, UNIX®, Linux®, Apple®, Adobe®, Oracle®, Java™ and more.
  • Lumension® Content Wizard – Delivers customized extensibility through wizard-driven and custom scripting tools to take any action on endpoints, including deploying and removing software, remediating configurations, performing systems management tasks and delivering custom patches.
  • Lumension® Security Configuration Management – Ensures that endpoints are securely configured and in compliance with industry best practices and regulatory mandates, while reducing configuration drift.
  • Lumension® AntiVirus – Provides blacklist-based (signature-based) detection and removal of malware, including viruses, worms, spyware, Trojans and adware.
  • Lumension® Application Control – Defines and enforces trusted application usage through whitelist policies to ensure that only applications explicitly authorized or trusted are allowed to execute. Includes Advanced Memory Protection to defend against sophisticated memory injection attacks.
  • Lumension® Device Control – Enforces usage policies for devices and ports while providing FIPS 140-2 Level 2 validated encryption of data on removable media to prevent data loss or theft.
  • Lumension® Disk Encryption – Provides full disk encryption to maximize endpoint security and performance with proven, FIPS 140-2 validated encryption algorithms, and encrypts swap and hibernation files so that sensitive data is not left in the clear on disk.
  • Lumension® Risk Manager – Comprehensive IT-GRC software that streamlines and automates audit workflows and IT risk management, providing visibility and continuous monitoring across the IT environment to support compliance with HIPAA and other pertinent regulations (e.g., PCI DSS), mandates, and internal policies.


OMB Requirements and How Lumension Helps

OMB requirement: Encrypt all data on computers and removable media that carry agency data unless the data is determined to be non-sensitive.
How Lumension helps: Secures sensitive agency data by encrypting traditional endpoints (e.g., desktops, laptops) and removable devices (e.g., USB flash drives) or media (e.g., DVDs / CDs).

OMB requirement: Log all computer-readable data extracts from databases holding sensitive information, and verify that each extract containing sensitive data has been erased within 90 days or that its use is still required.
How Lumension helps: Provides comprehensive audit logs that detail what data has been moved onto a specific device and by which user.

OMB requirement: Mitigate the risk of identity theft resulting from a breach, and the risks addressed by the breach response plan.
How Lumension helps: Provides malware protection through traditional anti-virus and proactive whitelisting capabilities, ensuring that unwanted, untrusted or malicious programs cannot run on endpoints and thereby reducing data breach risk.

OMB requirement: Report all incidents involving personally identifiable information to US-CERT within one hour of discovering the incident.
How Lumension helps: Detects non-compliance through the drill-down discovery tool and dashboard widgets before there is an incident; identifies incidents within the reporting dashboard and produces the list of non-compliant items for timely submission to US-CERT.