Office of Management and Budget Issues Checklist for Protection of Sensitive Information

©2006 Investment Company Institute. All rights reserved. Information may be abridged and therefore incomplete. Communications from the Institute do not constitute, and should not be considered a substitute for, legal advice. [20153] July 3, 2006 TO: TECHNOLOGY ADVISORY COMMITTEE No. 12-06 INTERNAL AUDIT ADVISORY COMMITTEE No. 4-06 RISK MANAGEMENT ADVISORY COMMITTEE No. 2-06 PRIVACY ISSUES WORKING GROUP No. 2-06 COMPLIANCE MEMBERS No. 30-06 CHIEF COMPLIANCE OFFICER COMMITTEE No. 12-06 RE: OFFICE OF MANAGEMENT AND BUDGET ISSUES CHECKLIST FOR PROTECTION OF SENSITIVE INFORMATION In the wake of the recent events regarding laptop computers containing sensitive information being stolen, the Office of Management and Budget in the Executive Office of the President has issued a memo to all heads of federal departments and agencies regarding the protection of sensitive agency information. While the memo does not apply to the private sector, it includes useful information relating to information security, including a security checklist for the protection of information on remote devices, such as laptops, that has been published by the National Institute of Standards and Technology. In addition to recommending that federal departments and agencies utilize the checklist, the memorandum recommends that they take the following actions: ‰ Encrypt all sensitive data on mobile computers and devices; ‰ Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access; ‰ Use a “time-out” function for remote access and mobile devices, which requires user re- authentication after 30 minutes of inactivity; and 2 ‰ Log all computer-readable data extracts from databases holding sensitive information and verify each extract that includes sensitive data has been erased within 90 days or its use is still required. Tamara K. Salmon Senior Associate Counsel Attachment (in .pdf format) Note: Not all recipients receive the attachment. To obtain a copy of the attachment, please visit our members website (http://members.ici.org) and search for memo 20153, or call the ICI Library at (202) 326-8304 and request the attachment for memo 20153.