June 5, 2007
The Commonwealth CIO is issuing this Advisory Memorandum regarding the protection of Sensitive Agency Information at the recommendation of the Enterprise Security Board (ESB) for the immediate attention of Agency and Department Heads and CIOs.
Identity theft, the wrongful acquisition and use of personal data, continues to be one of the fastest growing crimes in the US. The Department of Justice reported that 3.25 million Americans discovered that their personal information had been misused in the past year. Commonwealth government organizations have a duty to ensure that personal information collected, used, maintained, or disseminated in the process of providing services to the public is safeguarded against loss or theft. The public expects and deserves no less.
As stated in the Enterprise Information Security Policy (ITD-01-1), agencies are responsible for ensuring that appropriate internal and general security controls are in place. Those responsibilities include establishing security control objectives, which encompass a wide variety of security-related tasks and activities. Issues to be addressed include assessment of security risks, objectives, and controls; understanding of residual risk; and monitoring and evaluation through assurance mechanisms.
To that end, it is essential for all Commonwealth departments and agencies to ensure that sensitive information, in particular personal information, is protected. This should start with a re-evaluation of the security controls required when personal information is removed from, or accessed from outside, agency or department locations.
Further, all Executive Department agencies and organizations are advised to ensure that the following security controls are implemented:
- Encrypt all data on mobile and remote computers/devices (e.g. laptops and/or desktops) that are used from outside an agency location to access or store sensitive or personally identifiable information to support normal business operations.
- Ensure that sensitive or personally identifiable information maintained on peripheral devices (e.g., USB enabled portable storage devices, DVD, and/or CD-ROM) is secured through the use of encryption technologies or other security measures.
- Restrict remote access to sensitive information, including but not limited to personally identifiable information (PII), to authorized remote access services identified in the Enterprise Remote Access Security Policy (ITD-SEC-2.00).
- Use a "time-out" or automatic log-out function for remote access and mobile devices, requiring user re-authentication after a specific, agency-defined period of inactivity.
- Track remote or mobile access to sensitive information and have procedures to ensure saved or downloaded information is securely deleted when it is no longer necessary for business purposes.
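The last two controls above (inactivity time-out with re-authentication, and tracking of remote access to sensitive information so that downloaded copies are securely deleted when no longer needed) can be illustrated with a small session monitor. The following is an added example written for this memorandum, not code from the Commonwealth or the ESB; the 15-minute idle limit, the 7-day retention limit, the user name and the file paths are assumed, constructed values that an agency would replace with its own policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Agency-defined values: these are placeholders for the example, not from the memorandum.
IDLE_TIMEOUT = timedelta(minutes=15)
RETENTION_LIMIT = timedelta(days=7)


@dataclass
class RemoteSession:
    user: str
    authenticated_at: datetime
    last_activity: datetime
    requires_reauth: bool = False


@dataclass
class DownloadRecord:
    user: str
    path: str
    downloaded_at: datetime
    securely_deleted: bool = False


class RemoteAccessMonitor:
    """Tracks remote access to sensitive files, enforces an idle time-out,
    and reports downloaded copies whose retention period has expired."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, retention_limit=RETENTION_LIMIT):
        self.idle_timeout = idle_timeout
        self.retention_limit = retention_limit
        self.sessions: Dict[str, RemoteSession] = {}
        self.access_log: List[str] = []
        self.downloads: List[DownloadRecord] = []

    def authenticate(self, user: str, now: datetime) -> None:
        # (Re-)authentication starts a fresh session and clears any time-out flag.
        self.sessions[user] = RemoteSession(user, now, now)
        self.access_log.append(f"{now.isoformat()} AUTH user={user}")

    def touch(self, user: str, now: datetime) -> bool:
        """Record activity; return False if the session must re-authenticate."""
        session = self.sessions.get(user)
        if session is None or session.requires_reauth:
            return False
        if now - session.last_activity > self.idle_timeout:
            session.requires_reauth = True
            self.access_log.append(f"{now.isoformat()} TIMEOUT user={user}")
            return False
        session.last_activity = now
        return True

    def access_sensitive(self, user: str, path: str, now: datetime, download: bool = False) -> bool:
        """Log an access attempt to a sensitive file; deny it if the session timed out."""
        if not self.touch(user, now):
            self.access_log.append(f"{now.isoformat()} DENIED user={user} path={path}")
            return False
        self.access_log.append(
            f"{now.isoformat()} ACCESS user={user} path={path} download={download}")
        if download:
            # A downloaded copy must be tracked until it is securely deleted.
            self.downloads.append(DownloadRecord(user, path, now))
        return True

    def overdue_for_deletion(self, now: datetime) -> List[DownloadRecord]:
        """Downloaded copies older than the retention limit that are still on the device."""
        return [d for d in self.downloads
                if not d.securely_deleted and now - d.downloaded_at > self.retention_limit]

    def mark_securely_deleted(self, path: str) -> None:
        for d in self.downloads:
            if d.path == path:
                d.securely_deleted = True


def run_demo() -> dict:
    """Constructed timeline exercising the time-out and retention checks."""
    m = RemoteAccessMonitor()
    t0 = datetime(2007, 6, 5, 9, 0)
    m.authenticate("jdoe", t0)
    first = m.access_sensitive("jdoe", "/cases/1234.pdf", t0 + timedelta(minutes=5), download=True)
    # 25 minutes of inactivity exceeds the 15-minute limit: access denied, re-auth required.
    second = m.access_sensitive("jdoe", "/cases/5678.pdf", t0 + timedelta(minutes=30))
    flagged = m.sessions["jdoe"].requires_reauth
    m.authenticate("jdoe", t0 + timedelta(minutes=31))
    third = m.access_sensitive("jdoe", "/cases/5678.pdf", t0 + timedelta(minutes=32))
    overdue_before = [d.path for d in m.overdue_for_deletion(t0 + timedelta(days=8))]
    m.mark_securely_deleted("/cases/1234.pdf")
    overdue_after = [d.path for d in m.overdue_for_deletion(t0 + timedelta(days=8))]
    return {"first": first, "second": second, "flagged": flagged, "third": third,
            "overdue_before": overdue_before, "overdue_after": overdue_after,
            "log_lines": len(m.access_log)}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The monitor keeps the access log and the list of downloaded copies separate from the session state, so the retention report can be produced after the session has ended, which is when an agency would normally confirm that copies of sensitive information have been securely deleted.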
While not endorsing a specific manufacturer or vendor solution, the ESB has been made aware of commercial and open source products that meet the control objectives transmitted in this advisory. Departments and agencies may have some or all of these products in place in accordance with existing enterprise and/or local security policies and standards.
Commercial options for encryption include, but are not limited to, PGP whole disk encryption and Windows Vista's BitLocker, which provides OS-level encryption. GuardianEdge's Encryption Plus, Hard Disk version 7.1 provides an accessible tool for encryption. Truecrypt provides free, open-source disk encryption software for Windows XP/2000/2003 and Linux, and has been used by EOHHS agencies to secure mobile devices. Options for secure deletion include PGP, DBAN, and KillDisk.
Additionally, an excellent resource for security-related software and applications is SourceForge.net, which has the largest repository of open source applications available on the Internet. The products hosted on SourceForge.net are typically free or low cost, and provide high value, quality and reliability, as well as adherence to secure, open standards.
Finally, for further assistance in identifying appropriate options for your agency, please contact one of the following members of the Enterprise Security Board: John Beveridge (john.beveridge@SAO.state.ma.us); Dan Walsh (firstname.lastname@example.org), or Jennings Aske (email@example.com). For assistance in identifying whether or not other tools can accessibly accomplish one of the activities described in this memorandum, please contact Joe Lazzaro (firstname.lastname@example.org). For currently published Enterprise Security Standards, please reference the Policies, Standards & Guidance section of the Mass.gov/itd Web site. Moving forward, the Enterprise Security Board intends to continue working closely with ITD to evaluate and ensure that controls not currently specified in enterprise policies or standards are incorporated where appropriate. It is important to keep in mind that the goal is to properly safeguard the information the citizens of the Commonwealth have entrusted to us.