Federal CISOs seek security standards to prevent data breaches
Federal adoption of telecommuting has lagged far behind goals
By Tim Greene, Network World, 09/18/2007
Despite official urging, telecommuting within federal agencies is languishing, in part because standards don’t exist for how to secure mobile endpoints, mainly the laptops telecommuters would use when outside the office.
Federal CISOs, who are aware of data breaches in both the public and private sectors that have compromised personal information of thousands of people, say that security of laptops — the key to most telecommuter programs — is their biggest worry.
At the same time, government managers face existing federal laws dating back to 2000 that mandate telework programs. In addition, new pressure is being applied for them to move more government workers into telecommuting programs in an attempt to dramatically boost the number of work-at-home employees.
Some government CISOs say the best course of action is to follow best practices set down by the National Institute of Standards
and Technology (NIST) — the closest thing to certification available.
NIST recommendations include basics such as installing, running and updating antivirus software; periodically scanning machines with spyware-removal software; and adopting a “paranoia level” of security awareness when writing
personal firewall rules.
NIST also encourages encrypting data both on laptops and in transit, and having the ability to remotely lock down laptops reported lost or stolen. That is good advice, but not as formal as top federal network security executives want.
The General Services Administration (GSA) — which has championed telecommuting for years — has set a high bar for its own
program. At a recent forum run by the industry group Telework Exchange, GSA administrator Lurita Doan called for a dramatic
leap in telecommuting for her agency by the end of 2009.
With just 10% telecommuting today, she set goals of 20% telecommuting by year-end and 40% by the end of 2009. According to published GSA estimates, just 4% of federal workers telecommute today.
The U.S. Office of Personnel Management breaks that down further, saying that of those who telecommute, only a quarter of
them do so three or more days per week, and 39% do so less than once a week but at least once a month.
While other factors weigh into the slow adoption rate, a recent survey of federal CISOs found that 63% say securing mobile
devices used at home is their top data-security priority, but they have no way to know that their precautions are adequate.
The overriding problem federal CISOs face is that there is no official certification of mobile devices that assures them that
laptops they issue comply with the Federal Information Security Management Act (FISMA), which contains the blueprint for all
federal telecommuting.
According to a survey by Telework Exchange, 83% of these CISOs want certification of what comprises a secure mobile endpoint.
The survey is based on responses of 35 out of 117 federal CISOs.
They want secure machines but also want the security to work without much user intervention, because requiring it is a complication that could reduce willingness to telecommute in the first place. “Let’s just face it, we as people just want access, we don’t really care about security,” says Dennis Heretick, CISO for the Department of Justice, at a recent forum on federal telecommuting.
Comments (5)
Derogatory reference to IT workers over 30
By Terri Morgan on October 4, 2007, 10:32 am
For instance, the Department of Energy encourages working from home, but only 9% of employees do, significantly short of the department goal of 15%, according to...
Derogatory reference to IT workers over 30
By SOWG on October 4, 2007, 8:37 pm
SOWG = Some Old White Guy. That's the handle that I use now. I’m in the IT field and being interviewed with a foreign-speaking IT manager and 20-something...
Affirmative Action
By Peter on October 4, 2007, 9:50 pm
Dear SOWG, Here is one for you..... Thank you for sending your resume to Volt! We recognize there are many employment options and appreciate your interest...
age discrimination
By Anonymous on October 11, 2007, 5:00 pm
Simmer down a bit Terri. You're whirling an ax over your head for nothing. Her remarks were paraphrased, then passed around until the context was lost. Originally,...
Can't find a job, blame it on Affirmative action eeoc - typical
By Anonymous on October 12, 2007, 9:40 am
SOWG says... "You cannot be an EQUAL OPPORTUNITY EMPLOYER if you participate in AFFIRMATIVE ACTION." Typical White guy whining, I can't get a job, it MUST be...