Gartner slams government security guidelines

Analyst firm Gartner has dismissed a tightening of security rules for US government agencies as a mere "public relations response" to recent high-profile incidents.

During a burglary in May, thieves stole a laptop containing confidential information on 26.5 million veterans and military personal from the home of an employee for the Veterans Authority.

The laptop was recovered in June and it is claimed that the data was not accessed. Also in May, a recruiter for the Internal Revenue Service lost a laptop with information on 291 of the service's workers and job applicants. In both cases the data was not encrypted.

The US Office of Management and Budget issued a memorandum last week requiring federal government agencies to report "all security incidents" to the US Computer Emergency Readiness Team within one hour of discovery.

Agencies were previously required to report only unauthorised access to data within one hour. The rules allowed for up to a week to report "improper usage incidents" such as storing unencrypted data laptops or home computers.

But Gartner concluded that the new measures will only prevent embarrassing media reports surfacing before the authorities have been informed.

"Gartner believes that 'improper usage' is not defined clearly enough as it relates to personal information, and that either the Office of Management and Budget or National Institute of Standards and Technology should issue more specific guidance in this area," said Gartner analysts John Pescator and Jay Hei ser.

"Increased and faster reporting will lead to little more than accurate and timely statistics unless incident response processes in government are drastically improved."