Catching up on some reading, I see that in response to the recent WikiLeaks publication of classified US State Department cables, the US Office of Management and Budget has issued a memo, reiterating the instructions that agencies perform a self-assessment of how well they handle and protect classified information.

Clearly, the WikiLeaks incident has significantly elevated security concerns for government agencies (and should also raise concerns for corporations).

The good news is that the OMB guidelines (published here by MSNBC), provide 11 pages of clearly-worded questions, which should serve as a good starting point for agencies as they begin to better secure their systems. While the questions cover a broad set of topics (including “Safeguarding” and “Counterintelligence”), the first section (“Management & Oversight”) contains the following key questions, right up front:

  • Does your agency have sufficient measures in place to determine appropriate access for employees to classified information in automated systems?
  • During initial account activation/setup?
  • Periodically to determine if access is adequate to perform the assigned tasks or exceeds those necessary to perform assigned tasks, and adjust them accordingly?

These are great questions, which get to the heart of the matter of obtaining visibility and control of user access. I’m glad to see the increasing recognition that establishing and operationalizing access governance policies and processes are key to achieving a healthy balance between security control and user productivity.

While the OMB does not regulate private enterprises, we should nonetheless learn from their recommendations, and embrace their approach to access governance.