In July 2009, the Department of Transportation's Office of Inspector General released the document Audit of the Information Integrity of the Commercial Driver's License Information Technique as necessary by the Safe, Accountable, Flexible, Efficient Transportation Equity Act: A Legacy for Users (SAFETEA-LU) (Pub. L. 109-59). CDLIS consists of a database, known as the Central Site, which maintains individual Master Pointer Records (MPR) with identifying information for each CDL holder in the United States. This database directs or points inquirers to the database of each of the 51 CDL-issuing jurisdictions for more complete driver history records. Connectivity for the technique is provided through an encrypted communications network. The FMCSA has designated the American Association of Motor Vehicle Administrators (AAMVA) as the operator of the Central Site & the communications network. States are responsible for ensuring their systems comply with the CDLIS specifications & procedures as published by AAMVA.
In preparing its document, OIG evaluated several factors related to the information stored at the CDLIS Central Site & on State databases. Specifically, OIG tried to decide "whether CDLIS & State department of motor vehicles (DMV) information systems were adequately secured," & "the adequacy of contingency designs to make definite continued CDLIS service to DMVs following a catastrophe or emergency." (Note: The OIG document refers to DMVs. However, as States continue to reorganize their organizations away from all-inclusive DMVs, FMCSA has used the term "State Driver Licensing Agencies" in earlier rulemakings to refer to these same agencies responsible for issuing CDLs).
The identifying information on the MPR at the CDLIS Central Site includes the name, date of birth, social security number, State of Record, & driver's license number. Because this information, both as individual & cumulative information elements, is thought about personally identifiable information (PII), possessors of the information must take specific steps to prevent unauthorized access & dissemination. Simultaneously, because the information contained at the CDLIS Central Site & on SDLA databases is crucial to highway safety in the work of the CDL issuance process & at roadside enforcement/inspection, it is paramount that the information be available to all authorized users with minimal disruption.
In its document, OIG noted that FMCSA had neither developed & implemented sufficient comprehensive security policies & procedures to protect the portal it makes use of to access CDLIS, nor had it developed complete contingency & testing designs for this technique to make definite uninterrupted CDL information services in the event of a catastrophe or technique outage. The FMCSA is currently addressing these findings by working directly with its service providers & is reporting its progress to OIG through corrective action plan updates. As the operator of CDLIS, AAMVA is also modernizing the technique to adhere to standards established by the Federal Information Security Management Act (FISMA). Similar FISMA standards are being applied to the portal FMCSA owns & makes use of to access CDLIS.
The OIG also noted similar deficiencies in some State systems & programs. In two of nine States reviewed, the OIG found that information security practices, including continuity of operation & catastrophe recovery policies & designs, were either non-existent or casual, & that State continuity of operations, catastrophe recovery, & information technique contingency planners had seldom engaged in adequate testing exercises.
Guidance
Because of OIG's findings, FMCSA encourages States to assess their information security programs & either establish or update policies, designs, & procedures, to provide an adequate level of protection to maintain their operational mission & obligations.
While States are not necessary to meet Federal information security standards, each State ought to make definite that it's adequate & comprehensive processes & procedures in place to protect PII & sensitive information & to maintain its key operations in the work of an outage. The National Institute of Standards & Technology's (NIST) Computer Security Division maintains a Computer Security Resource Middle (CSRC) that provides free information to government & non- governmental entities in an hard work to protect information systems against threats & make definite availability of information & services. FMCSA recommends that States think about NIST standards & review the publications available at its Web-site: http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://csrc.nist.gov/index.html.
I. Information Security
The key deficiency in States that OIG noted was the shortage of current information security designs. Adequate planning is necessary to document standards & provide for continuous review & improvement. FMCSA strongly encourages States to create an Information Security Strategic Plan (ISSP) that addresses organizational structure & governance, roles & obligations, & enterprise architecture. From this ISSP, the State ought to create specific policies & guidance to make definite information security. Further, a coordinated plan allows for systematic monitoring & improvement.
While obviously not intended to be comprehensive for giant organizations such as State driver licensing agencies, NIST Interagency Document (IR) 7621, Little Business Information Security: The Fundamentals provides basic information about information security issues. Topics in this publication include: Defending information systems from destroy by viruses, adware, & malicious code; defending web connections; using firewalls; updating operating systems & applications; securing wireless access points & networks; controlling physical access to network components; training employees about information security; & limiting worker authority to put in program, access definite sites, & gain access to network controls. Though States are not necessary to comply with FISMA, NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems & Organizations (Rev. 3, August 2009), provides a comprehensive guide to information security standards. NIST SP 800-100, Information Security Handbook: A Guide for Managers, also provides overview information for developing a security plan. NIST currently makes available over 30 additional publications related specifically to information security on topics ranging from wireless network access authentication to enterprise password management.
II. Technique & Service Unavailability
To mitigate the risks associated with technique & service unavailability, FMCSA encourages States to establish & implement:
Continuity of Operations Plan (COOP)--A plan that focuses on restoring an organization's essential functions at an alternate site & performing those functions for up to 30 days before returning to normal operations.
Catastrophe Recovery Plan (DRP)--An information know-how plan designed to restore operability of a technique, application, or computer facility after an emergency
Information Know-how Contingency Plan (ITCP)--A plan focused on ensuring continuity-of-support for major applications in the event of a disruption in normal operations due to an emergency.
These designs ought to include a business impact analysis (BIA) to decide: the interdependence of systems & work priorities in the event of a disruption; actions necessary to restore technique operations on a short term basis after a disruption until a more permanent solution can be implemented; & actions necessary to reconstitute a disrupted facility or lost information to its earlier level of capability. The BIA ought to also include an analysis of the organization's reliance on contracted support & connectivity, a prioritization list of the systems necessary for the organization's mission-critical functions, maximum allowable outages for technique parts (measured in hours or days), & obligations associated with restoring critical functions (including a line of succession in cases of staff unavailability). For further information on contingency planning, consult NIST's Special Publication 800-34: Contingency Planning Guide for Information Know-how Systems.
In addition to establishing designs for service disruption & catastrophe recovery, it is critical to perform tests that assure the designs will work. These tests ought to be designed as cost-effective ways of determining if contingency systems & personnel perform as expected. The tests also provide the organization & its personnel with the confidence & experience necessary to reply to a actual event. Tests can range from classroom exercises to full technique testing that simulates a actual event. Tests ought to be documented & the results examined for lessons learned & enhancements necessary to the contingency designs. For further information on contingency testing, consult NIST's Special Publication 800-84: Guide to Check, Training, & Exercise Programs for IT Designs & Capabilities.
Issued on: June 23, 2010.
FMCSA
Anne S. Ferro,
Sunday, August 1, 2010
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment