The Office of Management and Budget has issued a checklist for safeguarding “remote” information, and said it would be coordinating with agency inspector generals to ensure compliance with the standards.
“The intent of this checklist is to compensate for the protections offered by physical security controls when information is removed from, or accessed from outside the agency location,” said OMB deputy director Clay Johnson.
He recommended that all departments and agencies take a number of actions by mid August, including the following:
* Encrypt data on mobile computers and devices that carry agency data unless it is determined to be non-sensitive, in writing, by an employee’s deputy secretary or an individual he or she may designate in writing;
* Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;
* Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes of inactivity; and,
* Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required.