Friday, November 8, 2013

Obamacare Website Security Testing

The Obamacare website fiasco, about which much has been said, is not just the story of a failed website. Lost in the analysis was a small sentence indicating that security testing had not been done "because there was a lack of time". I have heard this excuse more than once from some of the biggest software vendors in the land. What it boils down to is a priority list of things that must be done, and security testing doesn't make the list.

What it means to users is simple: we will take the risk with your data while we make improvements to the website.

Who can make that kind of decision, and how can they rationalize signing off on risks that are not theirs to take? The person responsible for security of the site was Tony Trenkle, CIO at the Centers for Medicare and Medicaid Services, who, according to the CBS News story at http://www.cbsnews.com/8301-250_162-57611202/departing-obamacare-security-official-didnt-sign-off-on-site-launch/, resigned this week and is now gone. He would not sign off on the acceptance of risk, but CMS Administrator Marilyn Tavenner did. CBS's article goes on to say that HHS also says there is an aggressive risk mitigation plan in effect, that "the privacy and security of consumers' personal information is a top priority for us", and that personal information is "protected by stringent security standards." Of course, without security testing, they are not in any position to say what the risks to the data are.

Tavenner's testimony (http://oversight.house.gov/wp-content/uploads/2013/07/Tavenner-CMS-Statement-PPACA-Data-Hub-7-17.pdf) gives broad assurances that security was met through FISMA, indicating she neither understands nor appreciates what FISMA actually does. Years from now, we might see a FISMA report telling us what shortcomings have to be corrected to meet existing requirements, but it won't be soon.

More than once, I have been in the position to brief the person responsible for acceptance of risk. I asked them to acknowledge the risks, accept the mitigation strategy (which limits the amount of time the risk will exist), and fund the mitigation effort. Only on rare occasions will the person in charge decline, and almost always they decline for a good reason. Usually, there is enough significant risk that going operational is not a good option, but delaying will have serious political consequences. Trenkle would have known there was no security testing, so there was no way to measure the amount and type of risk that had to be mitigated. He also knew the consequences of delay were felt higher up the food chain. So he declined to sign. Smart man.

Today's Politico (http://www.politico.com/politico44/2013/11/white-house-blocks-tech-chief-from-testifying-on-obamacare-177047.html) says the White House is declining to allow Todd Park to testify on the Hill because he is "too busy" repairing damage to the site. The House Committee on Oversight and Government Reform will call a witness list that includes HHS Deputy Assistant Secretary for Information Technology Frank Baitman, CMS Deputy Chief Information Officer Henry Chao, U.S. Chief Information Officer Steve VanRoekel, and David Powner, Director of IT Management at the Government Accountability Office. Maybe someone could ask how they make a risk assessment on a system that had no security testing done on it.
