BreachExchange mailing list archives
OMB tightens IT security incident rules
From: lyger <lyger () attrition org>
Date: Fri, 14 Jul 2006 07:07:47 -0400 (EDT)
Courtesy InfoSec News and WK:

http://www.gcn.com/online/vol1_no1/41334-1.html

By Mary Mosquera
GCN Staff,
07/13/06

Agencies must now report all security incidents involving personally identifiable information within one hour of discovering the incident, the Office of Management and Budget said in a memo tightening information security notification procedures.

OMB also added new requirements for incorporating the cost of security in agency IT investments for fiscal 2008 IT budget submissions.

The Federal Information Security Management Act of 2002 requires all agencies to report security incidents to the U.S. Computer Emergency Readiness Team (US-CERT) within the Homeland Security Department. Procedures require agencies to report according to various time frames based on the type of incident.

OMB has strengthened notification procedures by making the one-hour requirement standard for both electronic and physical security, and for suspected as well as confirmed security breaches.

"You should report all incidents involving personally identifiable information in electronic or physical form and should not distinguish between suspected and confirmed breaches," said Karen Evans, OMB administrator for e-government and IT, in the memo dated yesterday.

[...]

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/