Recently it was discovered that a Department of Homeland Security (DHS) / Office of the Inspector General (OIG) employee was in possession of a file that contained nearly a quarter of a million (that’s right, 250,000) records of people employed by DHS, as well as subjects, witnesses and complainants associated with ongoing investigations from 2002 – 2014. The data included Social Security numbers, dates of birth, positions, grades and duty stations. Daniel Conrad, Identity and Access Management Specialist at One Identity, comments below.
Daniel Conrad, Identity and Access Management Specialist at One Identity:
“If this isn’t a case of poorly governed access to applications and data, I don’t know what is. Governing access to data (and applications) is the process of ensuring only the right people have the right access to the right data (and apps) at the right time – and you can prove it. It seems that DHS has failed on this account by allowing the wrong person to have access to inappropriate data…and their auditing infrastructure was unable to show it.
“Had DHS acquired and deployed a robust identity and access management platform, it may have been able to avert this calamity by first, ensuring only the right people have access to this type of sensitive data. Secondly, a robust framework also has strong auditing and segregation of duties capabilities that may have alerted the right people at DHS that this volume of sensitive data was “leaving the building.”
“It’s good that the DHS has alerted the affected individuals of this “breach.” It would have been better had they prevented it in the first place.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.