1. Users are going to be hesitant or questioning when there is a change in process to what they are used to. Security is not the main goal of users and adding another layer of complexity within their routine task will be met with fierce resistance. It is the goal of the department to simply help the community to understand the reason why this new security method is being introduced. It is important to note that strong overbearing requirements that are not well explained can mean a lower adoption rate and thus make the mission of the site suffer overall.
The first thing that needs to happen is the explanation of multi-factor authentication. In order for a person to understand how they are doing something, they need to know what it takes to accomplish this thing. MFA (Multi-factor Authentication) is another step to the process of authentication no matter what type of vendor you go with (Rosenblatt & Cipriani, 2015). It is important for the department to choose the lesser of the evils and pursue the easiest Multi-Factor option there is.
Users are accustomed to providing some level of personal information for online accounts. They understand that providing this small level of information is needed in order to access the site's full feature suite. How do you convince them to provide even more information for MFA? In order to convince them you must be able to provide them with facts about how MFA can further secure their information past what would be secure with a single-factor authentication method. It should be relayed to them that the weakness in their password can be drastically strengthened when coupled with MFA (Scott, 2016). The benefit of having MFA is greater than the risk of not having it. Users should be reassured that the information they give for account registration is for their own safety in the end.
Making a new change to a policy or procedure that impacts the overall user base of the application is a huge deal. Making the user base aware of this change and allowing open discussion and comments to be made for and against it can be helpful to the organization. The U.S. Department of Health and Human Services allows their new rules and procedures to be commented on before being enacted (HHS.gov, 2016). In regards to this new adoption of MFA, the organization should be willing and prepared to open the deployment up for comments for 90 days. This gives users plenty of time to voice their input or even request to be early adopters of the MFA solution. Allowing the user base to early adopt the product is a great way to increase buy-in.
In conclusion, providing a clear and concise explanation of the product and what it does before it is mandatory should be strongly considered. Users can be much more obliging to the product when they have the opportunity to touch and feel it, hence an early adopter feature. Users can be safely assured that MFA is actually providing them more good than harm.
HHS.gov. (2016). HHS Regulations Toolkit. Retrieved October 4, 2016, from http://www.hhs.gov/regulations/regulations-toolkit/index.html
Rosenblatt, S., & Cipriani, J. (2015, June 15). Two-factor authentication: What you need to know (FAQ). Retrieved October 04, 2016, from https://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/
Scott, D. (2016, April 20). A Guide to Multi-Factor Authentication. Retrieved October 04, 2016, from http://www.symantec.com/connect/blogs/guide-multi-factor-authentication
2. In order to properly adopt the new Cybersecurity policy requiring two-factor authentication for accessing online services provided by the local government, it is strongly recommended that policy makers follow a seven-step policy cycle. This cycle will guide them in a) identifying the authentication issue/problem; b) conducting research/analysis; c) developing solutions/alternatives; d) consulting with public, private and other community sectors; e) developing policy proposals; f) implementing the policy; and g) monitoring/evaluating the policy (“The Policy Cycle | Policy NL”, 2016). Remember that policies affecting society should be both reasonable and sophisticated.
The public is going to have reservations about handing over personally identifiable information to the government during the registration process for its online services system, so it is important to clearly explain the reasons for collecting this information. This is why it is critical to use an innovative policy development approach such as engaging the community, where the public is included and participates in a bottom-up policy solution, instead of a top-down one pushed by the government (“Innovative Approaches to Policy Making and Policy Standards | Policy NL”, 2016). While consulting, ask the who, what, when, where, why and how questions for tailoring the consultation to meet your specific policy needs (“A Consultation Checklist | Policy NL”, 2016).
To help ease the perception of an “invasion of privacy” for requesting information such as names, addresses, cell numbers, email addresses, birth dates, and last four of SSN, it is further recommended that the government establish a public-private partnership. To be effective, this partnership should be big enough to include a representative sample of the community yet small enough to execute quick decisions, restrict government’s role with private groups leading, and include motivated members that are genuinely interested in the issue at hand (Baxter et al., 2009). The government should explain the use of the Privacy Impact Assessment process and how it protects both the public’s private information and the government agency collecting it (Office of Management and Budget, 2003).
Furthermore, the government must explain how its online services would be degraded without the ability to collect the public’s personally identifiable information. Provide solid justifications for the use of each information type and then begin a discussion that covers the technical and administrative security controls that will be set in place to reassure those that are skeptical of the security of their sensitive information. Briefly explain NIST SP 800-53A and how it is used to assess security and privacy controls in government information systems (National Institute of Standards and Technology, 2014).
Finally, it is strongly discouraged to temporarily suspend the implementation of the Cybersecurity Two-Factor Authentication policy. The current digital era demands increased security as cyberattacks are only getting more sophisticated and frequent. President Obama is quoted as saying, “our individual liberties depend on our commitment to securing cyberspace” (“Foreign Policy Cyber Security”, 2016). To this point, the government must enforce strong authentication practices to prevent cyber criminals and hackers from stealing identities of users and wreaking financial havoc. This policy should continue to be implemented; however, the information described earlier in this opinion letter is a lesson that other agencies can learn from to develop similar policies affecting the public.
A Consultation Checklist | Policy NL. (2016). Policynl.ca. Retrieved 6 October 2016, from http://www.policynl.ca/policydevelopment/pages/consultation-checklist.html.
Baxter, J., Cunningham, B., Greenwald, E., Jacoby, J., Longley, J., & Nolte, W. et al. (2009). Addressing Cyber Security Through Public-Private Partnership: An Analysis of Existing Models (1st ed., p. 3). Intelligence and National Security Alliance. Retrieved from https://www.insaonline.org/CMDownload.aspx?ContentKey=e1f31be3-e110-41b2-aa0c-966020051f5c&ContentItemKey=161e015c-670f-449a-8753-689cbc3de85e.
Foreign Policy Cyber Security. (2016). The White House. Retrieved 6 October 2016, from https://www.whitehouse.gov/issues/foreign-policy/cybersecurity.
Innovative Approaches to Policy Making and Policy Standards | Policy NL. (2016). Policynl.ca. Retrieved 6 October 2016, from http://www.policynl.ca/policydevelopment/innovativeapproaches.html.
National Institute of Standards and Technology. (2014). Assessing Security and Privacy Controls in Federal Information Systems and Organizations (p. v). National Institute of Standards and Technology.
Office of Management and Budget. (2003). M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. Washington D.C.: The White House.
The Policy Cycle | Policy NL. (2016). Policynl.ca. Retrieved 6 October 2016, from http://www.policynl.ca/policydevelopment/policycycle.html.