
Tuesday, June 19, 2007

VAgue promises of improvement


Network World's Security Strategies Newsletter, 06/19/07


By M. E. Kabay

In this brief series of articles, I’ve been recounting the tale of data losses at the Department of Veterans Affairs (VA).

On June 14, 2006, Linda D. Koontz, Director, Information Management Issues, and Gregory C. Wilshusen, Director, Information Security Issues, of the Government Accountability Office of the United States offered testimony before the Committee on Veterans' Affairs, House of Representatives. The GAO report on their analysis and recommendations later appeared as GAO-06-866. Highlights of their analysis included these comments:

“For many years, significant concerns have been raised about VA’s information security—particularly its lack of a robust information security program, which is vital to avoiding the compromise of government information, including sensitive personal information. Both GAO and the department’s inspector general have reported recurring weaknesses in such areas as access controls, physical security, and segregation of incompatible duties. The department has taken steps to address these weaknesses, but these have not been sufficient to establish a comprehensive information security program. For example, it is still developing plans to complete a security incident response program to monitor suspicious activity and cyber alerts, events, and incidents. Without an established and implemented security program, the department will continue to have major challenges in protecting its information and information systems from security breaches such as the one it recently experienced.”

Two related reports appeared about a week later with specific comments about the May 2006 data breach (GAO-06-897T) and about the overall challenges facing the VA and the Department of Defense (DoD) in protecting personally-identifiable information (PII) of active-duty and retired military personnel (GAO-06-905T).


At the end of June 2006, the laptop and external hard drive stolen on May 3 from the consultant’s home were recovered. Forensic examination suggested that the data had not been accessed. This good news suggested that the disaster might blow over.

It was not to be.

The Inspector General (IG) of the VA, George Opfer, released a report on July 11 severely criticizing senior managers of the VA for their lackadaisical response to the original theft of unencrypted PII. The inadequate data security policies had not yet been corrected. VA Secretary James Nicholson responded to the IG’s report with assurances that the agency had “embarked on a course of action to wholly improve its cyber and information security programs.”

More of this debacle in the next column.




Contact the author:

M. E. Kabay, Ph.D., CISSP-ISSMP, is Associate Professor of Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site.




Copyright Network World, Inc., 2007
