GSN Magazine

FERET: VA’s proactive solution for data breach analysis

By Adair Martinez

Published April 19th, 2008


Following the May 2006 incident involving the theft of a U.S. Department of Veterans Affairs (VA) laptop computer, it was clear that we had a need for a formal process for evaluating and responding to data breach incidents. Using BMC Software’s development tool, the VA has built an infrastructure to document privacy and security incidents via the enterprise deployment of applications such as the PVTS (Privacy Tracking System) and VA-NSOC (VA Network Security Operations Center).

The absence of a formalized, quantifiable risk evaluation of incidents made our response inefficient. We did not have a system that prioritized, maximized or optimized VA resources in response to data breach incidents. In addition, communication channels between the local information security officer and privacy officer, NSOC and the national level were not well defined. The lack of a risk assessment process and incident handling coordination potentially reduced the timeliness and effectiveness of the VA's response actions. In 2006, the VA began developing a formal process to conduct risk assessments of privacy and security incidents that involve potential data breaches.

The solution that we developed is called the Formal Event Review and Evaluation Tool, or FERET. FERET prioritizes data breach incidents so that they can be addressed and corrected in a timely fashion. The more critical incidents are addressed first. Also, FERET allows us to run trending reports so that we can become aware of -- and fix -- any recurring problems.

FERET is a risk-based tool that provides important information to support VA’s Data Breach Incident Resolution capability. It is based in BMC Software’s Remedy solution. It offers a standardized means for identifying data breach incidents. More specifically, it provides an analytical framework for capturing critical information about an event, determining whether such an event constitutes a data breach incident and determining the risk level associated with that incident.

The FERET application provides an objective, quantifiable risk assessment of potential data breaches. Currently, there are no commercial-off-the-shelf applications available in the private sector that perform the functions of the FERET application. FERET utilizes 53 questions divided into six categories that help define the risk profile of an incident. These six categories include administrative safeguard failures, physical safeguard failures, technical safeguard failures, type of data disclosed, number of veterans or persons affected and mitigating factors.

Each incident is given a risk score when entered into FERET. Generally speaking, the risk score increases as the relative risk increases for each variable entered into FERET. For example, a minor violation of VA policy, such as sending an unencrypted e-mail with PHI from one VA employee to another over the VA network, has a risk score of 1. However, if certain types of sensitive data are reported as having been disclosed (e.g., a full Social Security number), the FERET application rates the risk level higher. As another example, the risk score for a missing data device is 4, whereas evidence of malicious intent to access data for harm or profit (i.e., potential identity theft) would result in a numerical risk score of 20 (the highest risk score utilized).
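To make the scoring structure concrete, here is a small risk-scoring and triage model written for this article as an added illustration; it is not FERET's own code, and the VA has not published FERET's formula. Only three values come from the column (unencrypted internal e-mail with PHI = 1, missing data device = 4, malicious intent = 20, the maximum); every other question, weight, the banding for the number of persons affected, and the aggregation rule (highest single factor, reduced by mitigating findings, clamped to 1..20) are assumptions made for the example. The sample incidents are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

MAX_SCORE = 20  # highest risk score FERET uses, per the article

# Constructed factor table, grouped by the six FERET categories.
# Only unencrypted_internal_email (1), missing_data_device (4) and
# malicious_intent (20) are taken from the article; the rest are
# hypothetical stand-ins for FERET's 53 questions. Negative values model
# mitigating factors as score reductions (an assumption).
FACTORS = {
    "no_privacy_training":        ("administrative", 2),
    "no_rules_of_behavior":       ("administrative", 3),
    "missing_data_device":        ("physical", 4),
    "device_left_unattended":     ("physical", 3),
    "unencrypted_internal_email": ("technical", 1),
    "unencrypted_external_email": ("technical", 6),
    "partial_ssn_disclosed":      ("data_type", 6),
    "full_ssn_disclosed":         ("data_type", 12),
    "phi_disclosed":              ("data_type", 8),
    "malicious_intent":           ("mitigating", 20),
    "device_encrypted":           ("mitigating", -6),
    "data_recovered_unread":      ("mitigating", -4),
}


def persons_affected_score(n: int) -> int:
    """Hypothetical banding for the 'number of persons affected' category."""
    if n <= 0:
        return 0
    if n < 10:
        return 2
    if n < 1000:
        return 6
    if n < 100_000:
        return 10
    return 14


@dataclass
class Incident:
    incident_id: str
    reported: date
    findings: list          # keys into FACTORS, one per answered question
    persons_affected: int = 0


def score_incident(inc: Incident) -> int:
    """Assumed aggregation: the highest positive factor dominates (so a single
    severe finding such as malicious intent drives the score), mitigating
    reductions are subtracted, and the result is clamped to 1..MAX_SCORE."""
    unknown = [f for f in inc.findings if f not in FACTORS]
    if unknown:
        raise ValueError(f"unknown finding(s): {unknown}")
    positives = [FACTORS[f][1] for f in inc.findings if FACTORS[f][1] > 0]
    positives.append(persons_affected_score(inc.persons_affected))
    reductions = sum(FACTORS[f][1] for f in inc.findings if FACTORS[f][1] < 0)
    return max(1, min(MAX_SCORE, max(positives) + reductions))


def triage(incidents):
    """Work queue: highest risk first; older reports first on equal score."""
    return sorted(incidents, key=lambda i: (-score_incident(i), i.reported))


def trend_report(incidents):
    """Count recurring categories and findings, the raw material for the
    trending reports the article describes."""
    by_category, by_finding = Counter(), Counter()
    for inc in incidents:
        for f in inc.findings:
            by_finding[f] += 1
            by_category[FACTORS[f][0]] += 1
    return by_category, by_finding


# Constructed sample incidents (not real VA data).
SAMPLE = [
    Incident("INC-0001", date(2007, 6, 4), ["unencrypted_internal_email", "phi_disclosed"], 1),
    Incident("INC-0002", date(2007, 6, 5), ["missing_data_device", "device_encrypted"], 250),
    Incident("INC-0003", date(2007, 6, 6), ["missing_data_device", "full_ssn_disclosed"], 250),
    Incident("INC-0004", date(2007, 6, 7), ["no_privacy_training", "unencrypted_internal_email"], 1),
    Incident("INC-0005", date(2007, 6, 8), ["malicious_intent", "full_ssn_disclosed"], 3000),
]

if __name__ == "__main__":
    for inc in triage(SAMPLE):
        print(f"{inc.incident_id}: score {score_incident(inc):2d}")
    categories, findings = trend_report(SAMPLE)
    print("recurring categories:", categories.most_common(3))
    print("recurring findings:  ", findings.most_common(3))
```

Running the block lists the queue with the malicious-intent case at 20 on top, the encrypted missing device near the bottom, and the trend counters showing that data-type findings and missing devices recur, which is the kind of signal the article says drives corrective action.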

FERET was implemented on June 1, 2007, and already we are seeing the benefits of a data breach risk analysis tool. FERET, in conjunction with various other initiatives -- such as enhanced privacy and security awareness training for VA employees and contractors, deployment of encryption on mobile devices, and ongoing facility assessments to evaluate their privacy and information assurance postures -- is contributing to the VA's achievement of the gold standard in data security.

The VA is committed to improving its information protection program to ensure protection for the personal data of the millions of veterans it serves. FERET is helping us to achieve that goal. Moving forward, our IT security will only improve as we track and correct problems that arise.



Adair Martinez is Deputy Assistant Secretary for Information Protection & Risk Management at the U.S. Department of Veterans Affairs.

