When conducting a risk analysis, even before beginning the collection and analysis of threats, vulnerabilities and controls for the assets containing proprietary information, there is work to be done. Work that sadly ISN’T done at many organizations, to their detriment.
An organization will typically take into consideration, among other things, the following:
- Type (e.g. sensitivity to the data owners, criticality to the organization, value to an unauthorized user) of information created, received, transmitted or maintained by the organization
- Amount of information (e.g. number of records, number of individuals)
- Number of access points to the assets containing the information
- Learnings from prior security incidents or breaches
- Safeguards/controls against phishing attacks, social engineering and similar attacks arriving through email or social media channels
- Security measures maintained by any service providers
So let’s see… what steps did the Office of Personnel Management miss before shutting down the electronic collection and processing of security clearances and background checks?
- The first known security breach at OPM was discovered in the spring of 2014. Although no employee records were lost, the hackers did obtain security system documents and manuals deemed by OPM’s CIO to be outdated.
- The second known security breach at OPM was discovered in the summer of 2014 and involved the largest contractor providing background checks and security clearance investigation services for OPM. Again, China was named the suspected state-sponsor. More than 25,000 records belonging to DHS employees were stolen. OPM ultimately terminated its contracts with the service provider, U.S. Investigations Services, LLC (USIS).
USIS, by the way, is the same firm that had vetted Edward Snowden and Aaron Alexis (the gunman who killed 12 people at the Navy Yard in 2013), and had been accused by the Justice Department of defrauding the government by submitting over 500,000 incomplete background check investigations. Also by the way, in September 2014 it was almost awarded another $190 million contract from the Department of Homeland Security to help manage the immigration system, under the regulatory requirement “to go to the lowest bidder.”
Following the termination of contracts with USIS, OPM awarded background check contracts to another government contractor, KeyPoint, which shortly thereafter discovered that it too had been hacked twice. The first involved the notification to almost 50,000 DHS employees that their personal information may have been “exposed”, with no confirmation that it was stolen. The second discovery, following the bolstering of KeyPoint’s security systems, may have involved the compromise of perhaps as many as 390,000 records. AND the stolen security credentials of a KeyPoint employee were the keys to the OPM servers in the third OPM security breach, discovered in April 2015, which resulted in the theft of the records of 4.2 million employees. But I digress….
There’s not a lot of information available about the second OPM security breach. The level of damage could be anywhere between 18 and 32 million records of current and former employees, and it involved sensitive security-clearance information.
Finally (maybe), the third OPM breach, discovered in April 2015, involved the theft of 4.2 million records held offsite on a server (belonging to the Interior Department) which was accessed through that KeyPoint employee’s security credentials. This information included “tens of thousands” of Standard Forms 86, required for all service members and civilians seeking a security clearance, which require disclosure of “information about family members, friends and past employment as well as details on alcohol and drug use, mental illness, credit ratings, bankruptcies, arrest records and court actions.”
- On July 2, 2015, electronic questionnaires used for background checks were turned off; all federal agencies were ordered by OPM to use paper.
- On July 6, 2015, the electronic system for processing security clearances and background checks on potential government employees and contractors was temporarily shut down; only paper would be used for this purpose in all federal agencies, since the web-based platform was determined by OPM to be vulnerable to hacking. The paper copies are to be retained internally and not forwarded to OPM.
- No top secret level clearances will be conducted in the interim.
So, in retrospect, if OPM had only taken the basic steps to conduct a risk analysis for the sensitive information it was entrusted with, perhaps…
- …17 House Republicans wouldn’t have called for the firing of the OPM Director and one of her top lieutenants, and perhaps…
- …the largest union of federal workers, the American Federation of Government Employees, wouldn’t have filed a class-action lawsuit against OPM, Archuleta, Seymour and OPM’s background contractor KeyPoint Government Solutions.
Latest posts by Mary Chaput