May 29, 2009, 6:42 PM — Just where are all those pesky archived files you've been diligently saving for decades? You may know where yours are, but it seems the government doesn't know where theirs are. It was recently reported that the National Archives and Records Administration told Congress that a hard drive holding over a terabyte of data from the Clinton administration had either been lost or stolen--they're not sure which. The missing data included sensitive information about White House visitors, including Social Security numbers.
Isn't that what FISMA was supposed to be all about? The Federal Information Security Management Act of 2002 holds government agencies to a set of security standards and requires annual reviews. But since 2002, and apparently long before that, FISMA compliance at federal agencies has been coming up short. In fact, this week the GAO reported that most agencies are still far behind on the information security front. Part of FISMA, and indeed part of any security program, is physical security. According to news reports, the drive was taken out of a secure area and left on an unsecured shelf.
According to the GAO report, nine of the 24 major federal agencies "lacked effective controls to restrict physical access to information assets," and the missing Clinton-era drive is just one of several cases of physical theft or accidental loss at federal agencies.
Physical security is a major but often forgotten part of storage security--much of the data being stored by the enterprise is sensitive in nature. Strict controls may be in place to restrict access over the network, but are equally strict controls in place to prevent physical access to the media itself? Often they're not.