Featured Product
This Week in Quality Digest Live
Risk Management Features
Naresh Pandit
Enter the custom recovery plan
Anton Ovchinnikov
In competitive environments, operational innovation could well be the answer to inventory risk
Kari Miller
An effective strategy requires recruiting qualified personnel familiar with the process and technology
Sarah Schiffling
But supply chains will get worse before they get better
William A. Levinson
People can draw the wrong conclusions due to survivor, survey, and bad news bias.

More Features

Risk Management News
Major ERP projects take six months longer than companies were told
Three webinars to increase participation and understanding within the world of quality assurance
Partnership bolsters defense against growing cybersecurity risks
It is a smart way to eliminate waste and maximize value
An early warning system lets Arctic people know when bears approach
ISO 21434 automotive cybersecurity and implementing design and process FMEAs
Implementing a SIOP process can smooth supply spikes while improving cash flow and increasing profitability
Does your business’ security match up with competitors?
Prior to vote, IAF seeks industry feedback to understand the level of demand from businesses and regulators.

More News

Yo Delmar

Risk Management

Reviewing the U.S. Office of Personnel Management Data Breach

Patching federal security holes

Published: Thursday, August 20, 2015 - 00:00

In June 2015, it was initially reported that the U.S. Office of Personnel Management (OPM) experienced a massive data breach, potentially affecting as many as 4 million current and former federal employees. Updated reports indicate that the actual number of people compromised is more than five times as many as initially suspected, affecting 21.5 million federal employees and civilians.

The finger of suspicion was originally pointed at Chinese state-sponsored hackers, but recently the White House decided not to publicly accuse China due to the risk of revealing U.S. intelligence information in the process. However, the Obama Administration has now changed course and decided to retaliate against the perpetrators in some fashion to deter future attacks.

What made this cyber attack so unique was the breadth of information accessed. The hackers retrieved not just personally identifiable information (PII) such as Social Security numbers, birth dates, and bank information, but they also became privy to highly confidential employee background checks, containing information on family friends and employment history. Even more, highly personal details like run-ins with the law, lie detector test results, mental illness treatments, and bankruptcy filings were revealed. The breach was so vast that hackers even accessed data going back 30 years.

What may be most unsettling of all is that a 2014 audit discovered security flaws within the OPM’s computer system, yet these issues were not reported until several months after being detected. In fact, the report cited “material weakness” in 2013, and its status was escalated to “significant deficiency” in 2014. This lack of action to rectify the report’s findings begs the question: What can be done at the federal level to prevent such devastating reoccurrences? In response, there are five essential steps that need to be taken to close the federal security gaps in today’s complex, digital environment, as follows:
• Comprehend and implement NIST’s Cyber Security Framework.
• Create an incident response program.
• Maintain transparency with those affected and decrease response time.
• Recognize the auditor’s role in cyber security.
• Assess security investments.

Let’s look at these steps one by one.

Comprehend and implement NIST’s Cyber Security Framework

NIST’s Cyber Security Framework (CSF) is an important standard that forms a baseline for government agencies and private organizations in securing assets and sensitive information within critical infrastructure. The CSF leverages existing standards that are constantly being revised and improved to address emerging cyber threats. It’s designed for both government agencies as well as private organizations within critical infrastructure. Version 1.0 of the CSF was released in February 2014 in response to President Obama’s 2013 Executive Order, “Improving Critical Infrastructure Cybersecurity.”

NIST recommends that organizations of all sizes apply the framework to reduce the chances and severity of a data breach. Although the CSF is becoming increasingly accepted, especially within the financial services and utilities industries, it has certainly not been universally adopted. As implementation across diverse public and private organizations increases, cyber security programs will begin to be more standardized, and security professionals will use the same concepts and be able to speak the same language. For federal agencies like the OPM, which hold the key to private citizen information, CSF deployment can’t be elective. No other option provides this level of protection for millions of civilians’ sensitive personal information. 

Create an incident response program

Based on the OPM’s security inadequacies described in the 2014 audit report, it’s clear that the department was missing the mark on some of the most basic levels of data security and protection.

As part of the planning process, it’s essential that organizations develop a robust security incident-response program in the event that a cyber attack occurs. Essential elements of that program include the need to:
• Assess and ensure that the threat landscape is understood
• Develop a true risk profile that is in tune with emerging risks that may affect the organization’s integrity and reputation 
• Ensure that incident response plans are completely supported from the top down within the organization so that they are effectively adopted in a timely manner

There must be consequences if the program is not properly implemented; federal agencies must be held to same standards as private organizations. In the case of the OPM, the federal government is not leading by example. This must change to diminish and ultimately prevent reoccurring attacks.

Maintain transparency with those affected and decrease response time

Although it’s important to ensure that a proper investigation is done when a data breach occurs, it’s essential that organizations, particularly those in the public sector, close the gap between discovery, response, and remediation. In the case of the OPM, the data breach was initially discovered in April, yet was not made public until May. Had victims been promptly informed, they could have taken immediate measures to protect themselves from damaging effects like identity theft, fraud, and more. Even worse, according to the National Journal, the Department of Defense is just now bringing on a new contractor to alert the affected 21.5 million people; notifications have still not been issued. This new hire comes in the wake of mass criticism over the way the CSID, the initial contractor tasked with informing victims, handled notification when that number was just 4.2 million. Concerns over three-hour-long call wait times and incorrect account information pushed the government toward this new hire search, though according to spokespeople at the CSID, they were just abiding by protocol.

Due to the nature of the classified information retrieved by hackers, they now have an intricate web of details about the families and friends of current and former government staff. Although there are best practices that victims can apply to protect themselves, they must now always be on alert for fraudulent activity. The OPM will provide credit monitoring and fraud protection to all affected parties for three years, however, it is recommended that these individuals take preventive measures now, such as changing and complicating passwords that do not include figures such as birthdates, one of the many pieces of information that the hackers now possess. However, according to one federal official, the government may never fully be able to protect victims with just credit monitoring because it’s unclear that hackers are just interested in financial foul play—their motive may be to undermine U.S. security and safety through other measures. 

Recognize the auditor’s important role in cyber security

As security threats within the public sector become more frequent and complex, it is vital that government agencies complete thorough internal audits, in addition to external audits that offer an objective view from the outside in. To be effective, auditors must fully comprehend cyber risk models so that they can tie them back to intricate attack vectors that change shape depending on a hacker’s motivation, skill level, and access. As malevolent cyber activities move towards mobile, cloud computing, and social media, auditors need to stay abreast of evolving industry trends, and promptly explain how organizations can bolster their defensive tactics. It’s essential that auditors hold all federal agencies to the highest standards, like the CSF, and be able to recommend remediation strategies in each of the CSF’s core functions: identify, protect, detect, respond, and recover.

Assess and advance critical security investments

As major cyber attacks continue to occur, it’s important to understand where current public sector security investments are focused and assess where they should be applied to meet evolving needs. Existing security investments are focused on continuous monitoring, where the objective is to proactively protect and detect. Although this is an effective approach, it can’t be the only defense strategy used to protect sensitive information.

Data encryption is becoming a popular topic of conversation in the public sector, though it is very expensive to implement. Right now, sensitive, unencrypted data is traveling through complicated, archaic federal systems. Data encryption is one of the best ways available today to ensure that data is protected if it gets into the wrong hands—whether those hands belong to a foreign adversary or even a malicious insider.

With the scrutiny increasing on the effectiveness of data security within the public sector, security investments should include the following:
• Ensuring security systems meet CSF standards
• Establishing continuous monitoring processes
• Guaranteeing that sensitive data is encrypted at rest and in transit 
• Replacing legacy systems that contain vulnerabilities with modern technologies


The public sector has a steep hill to climb to shore up its cyber and data security practices. Although many government entities are making initial strides to close major security gaps and avert crises like the OPM hack, security practices remain immature and appropriate technology is not sufficiently adopted to drive a fundamental shift. To change the attitude towards security across all sectors, government agencies, including state and federal leaders, must make security a top priority and embrace the five strategies outlined above. Although no data security program is completely impenetrable to the rapidly evolving attack vectors being developed by a growing number of hacking groups, federal agencies must do a better job of protecting our citizens from the threats we face today.


About The Author

Yo Delmar’s picture

Yo Delmar

Yo Delmar is vice president of governance, risk, and compliance (GRC) solutions at MetricStream. Delmar’s focus is on GRC program and solution implementation for large organizations, with an emphasis on GRC strategy and planning, GRC product strategy and messaging, maturity assessments, program definition and oversight, risk management and remediation strategies. Delmar has provided advisory services to F1000 on GRC program implementation, and has managed 300 people through global operations of more than 40 offices.