US federal breaches spark security review push

The massive data breach disclosed last month by the U.S. Department of Veterans Affairs has triggered sweeping reviews of information security policies at the VA and at several other government agencies that recently suffered smaller data losses.

And last week, officials at the Government Accountability Office and the White House Office of Management and Budget (OMB) said that federal agencies as a whole need to review their processes for collecting and storing data and controlling access to it.

The string of data breaches highlights the fact that agencies have to take a more strategic approach to guarding personal information, said Linda Koontz, director of information management issues at the GAO.

"We are believers in the notion of privacy impact assessments -- of looking at the implications of the information you are collecting and how to protect that," Koontz said in an interview after she testified at a hearing held last Wednesday by the House Committee on Veterans' Affairs.

The recent breach disclosures prompted the OMB to direct all agency heads to describe the specific steps they are taking to implement the requirements of the Federal Information Security Management Act in their annual reports on their compliance with FISMA.

"Agencies have a responsibility to ensure that they are FISMA-compliant and that their employees are trained to work with tough security measures," an OMB spokeswoman said. She added that the OMB has set "sound standards and policies" based on FISMA's mandates and is working with agencies "to make sure practices match these policies."