While Congressional questioning and media interest have intensified, the focus of the Office of Personnel Management (OPM) investigations remains on technical controls, leaving aside entire swaths of security best practices regarding data usage and retention. Did OPM adequately gauge the need for this massive warehouse of detailed personal information in the first place?
At the OPM hearing, Congressman Stephen Lynch lamented the amount of information collected; he pointed to a 127-page questionnaire and stated, “… we ask them everything. What kind of underwear they wear …” If a Congressman is joking about the excessive level of detail in just one report, I wonder if any effort has been made to “right size” the data collected by OPM or the organizations it supports.
Technical controls, such as implementing encryption and deploying the new DHS Einstein system, play a role in data security. However, we have learned that such measures sometimes fail. This breach raises questions about how organizations can responsibly gather information on individuals. If we know that controls fail, consideration should be given to collecting and storing only the most useful data, thereby reducing operating costs, risk, and the impact of breaches.