From creation to elimination, FERC maps its data for better protection

The Federal Energy Regulatory Commission is taking a bit of a different approach to identifying its high value data assets.

Unlike many agencies, which sorted their data sets into high-, medium- and low-value tiers, FERC is taking a more holistic approach that follows each data set from creation to elimination.

Mittal Desai, the chief information security officer at FERC, said the data management security effort focused on governance first.


“We started looking at the lifecycle of data. How do we create it? How do we store it? How do we disseminate that information internally and externally to our constituents and fellow agencies? How do we retain and eliminate that data?” Desai said at the recent ATARC CISO Summit in Washington, D.C. “We started doing an inventory of all our data sets. We knew off the bat that we had classification authority, your basic personally identifiable information (PII) data sets. We used something called critical energy/electric infrastructure information, which is sensitive. We were able to identify within each program office that we went into the types of data categories and the type of documents each individual works with or creates or stores or disseminates. That created a huge information inventory where not only do I know where my high value assets are sitting from an electronic standpoint and from a hard copy standpoint, but what is my next approach to do?”

Desai said FERC now knows where its most sensitive data lives and can make decisions about how best to protect it.

“It’s been a long effort. We have now effectively identified all the assets across the organization. Our next steps now are looking at what types of secure controls we will put in place,” Desai said on Ask the CIO. “We have been working hand-in-hand with National Archives and Records Administration and looking at our disposition authorities. The problem is a lot of our government data has been around for years and years and years, and starts piling up. We have thousands of documents we handle.”

Desai said FERC and NARA are starting to eliminate hard copy documents and move the information to the archives, while also adding protection tools such as data loss prevention (DLP) and security information and event management (SIEM).

It took FERC months to go through all the program offices, and along the way the security team learned more about the business processes each office uses.

Desai said his office’s security team now has a better grasp of how the program offices transmit and protect data.

“The next steps we started taking from that is now understanding that because of the inventory we have 30 percent of my most sensitive high value assets sitting in one program office. We are focusing our efforts on putting security controls in place,” he said. “At some point, once we have put the controls in for our high value assets, we will look at some of the other sensitive categories to see what controls we need to put in place as well.”

Understanding what data an agency has becomes more important as the organization moves applications to the cloud.

The CISOs at the ATARC event agreed that concerns about using the cloud have decreased over the past five years.

“We have about 12 cloud service providers in our portfolio including Amazon, Salesforce, Verizon and others,” said Chris Wlaschin, the Department of Health and Human Services CISO. “Moving to the cloud doesn’t scare me when that movement is documented in sufficient articles of performance work statements, mutual understanding of security requirements, of indemnification if something bad happens. If all the requirements of a project to move a legacy or premises-based system to the cloud are met, it makes sense to do it. Government cannot afford to maintain this legacy environment we have any more.”

Rod Turk, the acting chief information officer at the Commerce Department, added the cloud is a question of trust. Do agencies trust the vendor to secure the data?

“While I don’t know for sure, I have a sneaky suspicion that the large providers have tools that they are not going to tell us about. They have procedures, processes and things that they use in their environment to make sure they are not exfiltrated,” he said. “So it’s really the fear of the unknown in a certain sense and do we know how the providers are going to secure their data and whether or not we as federal government have an element of trust to give us a level of satisfaction that cybersecurity has been implemented.”

At FERC, Desai said that if that trust exists, he can outsource some of those security needs to the cloud provider and spend more of his team’s time protecting the sensitive data that remains on FERC’s own networks.