But there still is room for improvement, the survey found. Although 92 percent of government respondents had received security training, compared to 69 percent in the private sector, 34 percent of them reported that at times they felt they had to circumvent security policies to get their job done, a statistical dead heat with those in private enterprises.
“They might know better, but they don’t behave better,” said RSA public relations manager David Seuss.
RSA did a person-on-the-street service in Boston and Washington in November, questioning 140 people about real-life security practices in the workplace. Eighteen percent of the respondents were federal government workers, 6 percent were state government and another 6 percent were government contractors.
The surveys were done anonymously to try to ensure honest answers. Although a certain level of denial might be assumed in such a survey, the amount of risky behavior admitted to seems to indicate a high level of candor.
The results show that, in general, government security policies are more restrictive than those in the private sector, and government workers display more caution. Government workers are less likely to:
- Frequently conduct business remotely over a VPN or Web access (37 percent government compared with 56 percent in private sector).
- Frequently conduct work over a wireless network from a public hotspot (8 percent vs. 25 percent).
- Cary sensitive information home on a mobile device (26 percent vs. 44 percent).
- Have a wireless internal network in the office (39 percent vs. 66 percent). Of those government offices with wireless networks, 100 percent require some logon, compared with 81 percent in private offices.
But they are slightly more likely to e-mail work material to a home address (16 percent vs. 13 percent). And although numbers may be better in government, they still included plenty of violations of policy.
In the end, securing IT systems and the data they contain requires more than security tools and policies, the report concludes.
“It is not enough to establish policy; actual insider behavior must be measured and tracked against established policy,” it said.
Security must be looked at as a risk management exercise, said Tom Corn, vice president of products at RSA Data Security Group. Putting security controls in place is only the next-to-last step in effective security. Before this is done, sensitive data must be defined, identified, appropriate levels of risk determined and then proper controls put in place. This process must be followed by an audit process to track effectiveness.
Shannon Kellogg, director of government affairs, said government regulation such as the Federal Information Security Management Act and guidance from the Office of Management and Budget, have contributed to government workers’ awareness of security issues.
“It’s heading in the right direction,” he said. “But there needs to be some additional work” to improve the level of risk assessment and effective policy enforcement.
---
Autor(en)/Author(s): William Jackson
Quelle/Source: Government Computer News, 11.12.2007
