Risk analysis could have prevented OPM misery

'An ounce of prevention is worth a pound of cure'
By Mary A. Chaput
09:06 AM
Share

The massive data breach at the Office of Personnel Management has already brought down director Katherine Archuleta and launched a class-action lawsuit by the American Federation of Government Employees. The breach has compromised sensitive records (including Social Security numbers) of an estimated 21.5 million people.

The two biggest takeaways from the OPM breach are:

  • This fiasco could have been prevented by conducting a bona fide information risk analysis on the front end
  • Data breaches often come in stages, where the first round of mistakes leads to a second round of breaches, etc.

In conducting a risk analysis, an organization takes a proactive look at:

  • Type of information created, received, transmitted or maintained by the organization (sensitivity of the data, criticality to the organization, value to an unauthorized user, etc.)
  • Amount of information (number of records, number of individuals)
  • Number of access points to the assets containing the information
  • Lessons learned from prior security incidents or breaches
  • Safeguards/controls against phishing attacks, social engineering or other social media
  • Security measures maintained by any service providers

If OPM had carefully assessed these things, they might have avoided the events that ultimately led to the shutdown of all electronic collection and processing of security clearances and background checks. Here's the timeline:

The first known breach was in the spring of 2014. No employee records were lost, but hackers obtained security system documents and manuals which OPM considered to be outdated.

The second known breach occurred in the summer of 2014 and involved U.S. Investigation Services, OPM's largest contractor. More than 25,000 records of Department of Homeland Security employees were stolen. USIS is the same firm that "vetted" both Edward Snowden and Aaron Alexis, the gunman who killed 12 people at the Navy Yard in 2013. OPM eventually sacked USIS and awarded its contract to KeyPoint, which then got hacked twice (resulting in the suspected compromise of about 450,000 records).

The third OPM breach occurred in April 2015 and involved the theft of an estimated 4.2 million records held in an offsite server that was accessed through a KeyPoint employee's security credentials. By July, investigators determined that the breach was much larger (affecting 21.5 million people and counting). Effective July 6, all federal agencies began processing their own background checks on paper and have ceased forwarding any information to OPM.

This rapid unraveling is what happens when an organization fails to conduct a thorough information risk analysis before putting sensitive data in jeopardy. Benjamin Franklin said it best: "An ounce of prevention is worth a pound of cure."