The Federal Deposit Insurance Corporation (FDIC) will implement Digital Rights Management (DRM) software to prevent unauthorized redistribution of digital information. This is in reaction to security incidents in which departing employees inadvertently took sensitive files with them on portable media. Numerous studies have found that trusted insiders pose a greater risk to sensitive information than external hackers and cybercriminals.
I applaud the FDIC for taking this key initiative to proactively protect and control its most sensitive information. DRM helps prevent unauthorized access to and distribution of sensitive files regardless of where a copy ends up or what device it is opened on, because the file stays encrypted and the rights policy is enforced each time it is opened. It can restrict a user’s ability to view, edit and print, and it can set an expiry after which the file can no longer be opened. This applies to both internal and external users.
As a bit of background, Lawrence Gross, Chief Information Officer and Chief Privacy Officer of the FDIC, recently spoke to a congressional subcommittee about the agency’s program to identify, analyze, report, and remediate security incidents. The criteria used to determine the severity of an incident are based on the risk of harm it poses to individuals or to entities supervised by the FDIC. The agency follows guidelines from the Office of Management and Budget (OMB), which recently changed its definition of what constitutes a major incident.
As a result, the FDIC reclassified as major incidents the cases in which departing employees inadvertently copied personally identifiable information (PII) to thumb drives and other portable media. The CIO’s initial judgment was that these were inadvertent and posed minimal risk; the new guidelines changed that, hence the reevaluation.
As part of its remediation efforts, the FDIC is conducting an end-to-end assessment of its IT Security and Privacy Programs in addition to implementing the Digital Rights Management software. The agency will also eliminate the ability of employees and contractors to copy data to portable media, although certain employees still need to do so as part of their job. The CIO said the FDIC is working to identify and implement alternative means to securely exchange data with outside organizations, such as state banking departments, by the end of 2016.
The CIO is also planning to implement technology that can securely share information with external organizations. DRM can protect information shared with third parties and provide the same level of protection the agency needs for its internal employees. Rather than running two systems, the FDIC should leverage the same system for both purposes.
Implementing DRM is a proactive approach to data security, in contrast to reactive technologies that identify issues only after they have happened. By protecting the data as it is created, DRM helps mitigate the risk of data exfiltration, which is becoming more common as both hackers and insider threats target valuable information held by government and the private sector. One caveat a practitioner should keep in mind: DRM constrains what an authorized user can do with a file, but it cannot stop that user from photographing or transcribing what is rendered on screen, so it complements, rather than replaces, access control, monitoring and the portable-media restrictions described above.
Photo credit Josh Bancroft