Reinventing government by managing information risk
By Peter Beardmore

In contrast to the dot-com revolution of the '90s and the Web 2.0 of today, the e-gov movement has been slow to materialize. And truthfully, that's probably a good thing. Government's customers have little patience waiting for online systems to mature. As citizens, we have no freedom to find someplace else to conduct our government business. In government, the investor and the customer are one and the same, causing unprecedented oversight, visibility, and risk aversion. Citizens remain wary: Do I want the same government that has inadvertently exposed millions of social security numbers on lost laptops to intentionally place my sensitive information on the Web?
Still, from the citizen perspective, there is evidence of progress. Last year, 80 million taxpayers filed online. The waiting lines at the Registry of Motor Vehicles in Massachusetts have lessened somewhat, due primarily to online license and registration renewals. I can even pay my local property tax online, though it's clearly through a third-party processor and it only works if I have my tax bill in hand. It's not quite paperless, but it's moving in the right direction.
From a security perspective, there are a number of boxes to check. Federal agencies are balancing FISMA report cards and OMB audits with initiatives such as HSPD-12, Telework and e-Authentication. Most states now have data security statutes that apply to state agencies and municipalities. Ultimately, it’s the information on which these diverse requirements focus. What are the organization’s most sensitive information assets? Where and how does this information traverse the IT infrastructure -- across endpoints, networks, applications and databases, file systems and content management repositories, and storage systems? As this information moves and rests, to what risks is it exposed? What security events might take place? How likely are they to occur? And what’s the likely consequence if they do?
Consider the endpoint, which could be a citizen’s home PC. How do we actually know whether the person accessing the system through the Internet is who they say they are? What is the probability of fraud relative to the kind of transaction? The Federal Financial Institutions Examination Council began tackling this problem in 2001 for the financial services industry. By the end of 2006, all U.S. online banking outlets were implementing multi-factor authentication, layered security or other controls calculated to mitigate those risks.
Today, when I access my bank checking account from a kiosk computer, my bank knows that I'm not logging in from my own PC, so the risk is determined to be greater than when I'm on my PC. I am therefore prompted to enter a six-digit code that the bank has sent to my cell phone via text message. That two-factor authentication is enough to give me access to view my account and pay bills, but if I attempt to make a wire transfer, I am further authenticated by a phone call from the bank. Again, the risk (this time associated with the transaction type) is calculated to be greater than allowable for the authentication I have used, so the security process adapts on the fly and asks me to clear a higher hurdle to protect both me and the bank.
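The step-up logic described above can be expressed as a small policy engine: score each request from its transaction type and whether the device is one the user has enrolled before, map the score to a required assurance level, and demand a stronger factor only when the session has not yet reached it. The following is an added example written for this column, not code from RSA, the bank, or any product named here; the device ids, user names, risk weights, and the one-time-code delivery step are constructed assumptions chosen to reproduce the kiosk and wire-transfer cases in the text.

```python
"""Adaptive, risk-based step-up authentication policy engine (added example)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Assurance(IntEnum):
    """Authentication strength a session has achieved so far (ordered)."""
    PASSWORD = 1           # something you know
    PASSWORD_OTP = 2       # plus a one-time code sent to a registered phone
    PASSWORD_OTP_CALL = 3  # plus an out-of-band voice-call confirmation


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str   # hypothetical: a device cookie or fingerprint the bank set earlier
    action: str      # "view", "pay_bill" or "wire_transfer"


# Constructed sample data: devices each user has previously enrolled.
KNOWN_DEVICES = {"alice": {"alice-home-pc"}}

# Constructed risk weights. An action the policy does not know is treated as
# the riskiest one rather than silently getting the lowest weight.
ACTION_RISK = {"view": 1, "pay_bill": 2, "wire_transfer": 5}
UNKNOWN_DEVICE_RISK = 2


def risk_score(req: Request) -> int:
    """Combine transaction risk with device-recognition risk."""
    score = ACTION_RISK.get(req.action, max(ACTION_RISK.values()))
    if req.device_id not in KNOWN_DEVICES.get(req.user, set()):
        score += UNKNOWN_DEVICE_RISK   # e.g. a kiosk the bank has never seen
    return score


def required_assurance(score: int) -> Assurance:
    """Map a risk score to the weakest assurance level the bank will accept."""
    if score <= 2:
        return Assurance.PASSWORD
    if score <= 4:
        return Assurance.PASSWORD_OTP
    return Assurance.PASSWORD_OTP_CALL


def decide(req: Request, achieved: Assurance) -> Optional[Assurance]:
    """Return the level the session must step up to, or None if it may proceed."""
    needed = required_assurance(risk_score(req))
    return None if achieved >= needed else needed


# --- one-time code used for the PASSWORD_OTP step (constructed mechanics) ---
OTP_TTL_SECONDS = 300
_pending_otps = {}   # user -> (code, expiry timestamp); single entry per user


def issue_otp(user: str, now: Optional[float] = None) -> str:
    """Generate a six-digit code; a real deployment sends it by SMS, never to the browser."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _pending_otps[user] = (code, now + OTP_TTL_SECONDS)
    return code


def verify_otp(user: str, code: str, now: Optional[float] = None) -> bool:
    """Accept the code once, only before expiry, and compare in constant time."""
    now = time.time() if now is None else now
    entry = _pending_otps.pop(user, None)   # pop: a code is consumed even on failure
    if entry is None:
        return False
    expected, expires_at = entry
    if now > expires_at:
        return False
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    for dev, action in [("alice-home-pc", "view"), ("kiosk-7", "view"),
                        ("kiosk-7", "pay_bill"), ("kiosk-7", "wire_transfer")]:
        req = Request("alice", dev, action)
        print(f"{dev:14s} {action:14s} score={risk_score(req)} "
              f"needs={required_assurance(risk_score(req)).name}")
```

With these weights a "view" from the enrolled PC passes on the password alone, the same action from an unrecognized kiosk requires the texted code, paying a bill from the kiosk is still covered by that code, and a wire transfer from anywhere requires the voice-call confirmation, matching the sequence in the text. The OTP store is deliberately single-use and time-limited: an intercepted or guessed code cannot be replayed, and a failed attempt burns the pending code so it cannot be brute-forced offline against the same entry.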
Recently, my wife attempted to open a high-yield savings account with a well-known national bank. Of course, this was all to be done online. Unaware of what she was up to, I received a call on my commute home from my wife asking, "What was our mortgage payment at our last house?" and "Where does your Uncle Jim live?" It turns out that our bank was using technology known as knowledge-based authentication to verify my wife’s identity using information freely available from public sources and credit agencies.
These technologies -- adaptive, risk-based authentication and knowledge-based authentication -- first adopted by the financial services industry, are now being piloted by government organizations for similar purposes. The adoption of these technologies -- and an information risk management framework -- will make possible continuous online relationships between government organizations and citizens that are well beyond the one-time, paper-enabled transactions described above and move us closer to realizing the potential of e-government.
Peter Beardmore is Product Marketing Manager for RSA, The Security Division of EMC. He can be reached at: .