Tuesday, June 26, 2007

VAleat quantum VAlere potest

Network World

Security Strategies




Network World's Security Strategies Newsletter, 06/26/07

VAleat quantum VAlere potest

By M. E. Kabay

In this brief series of articles, I’ve been recounting the tale of data losses at the Department of Veterans Affairs (VA). This will close the subject for now.

On Feb. 2, 2007, Secretary of Veterans Affairs Jim Nicholson announced that a VA employee in the VA medical center in Birmingham, Ala., had reported an external hard drive as missing on Jan. 22. According to Rep. Spencer Bachus (R-Ala.), the backup hard drive contained personally identifiable information (PII) on up to 48,000 veterans - and despite VA regulations promulgated in 2006, as many as 20,000 of those records were not encrypted. A week later, the VA admitted that the hard drive actually contained PII for about 535,000 patients and 1.3 million doctors. It was that loss that led to the letter I quoted in the first article of this series.

A few weeks later, the Government Accountability Office (GAO) released the closest thing to an exasperated blast of exasperation I think government workers are capable of: In Feb. 28 testimony before the Subcommittee on Oversight and Investigations, in the Committee on Veterans’ Affairs of the House of Representatives, GAO Director of Information Security Issues Gregory Wilshusen presented a report entitled “Veterans Affairs Needs to Address Long-Standing Weaknesses.” (PDF) The summary on page 2 of the PDF file include this commentary:

From servers to storage: Virtualization saves

It's touted as one of the fastest and easiest ways to better manage and control your infrastructure. Download this guide today and see how network IT execs are making virtualization pay off in the real world; discover the 8 virtualization gotchas you need to know; and much more.
Click here to download.

“For many years, GAO has raised significant concerns about VA’s information security - particularly its lack of a comprehensive information security program, which is vital to safeguarding government information. The figure below details information security weaknesses that GAO identified from 1998 to 2005. As shown, VA had not consistently implemented appropriate controls for (1) limiting, preventing, and detecting electronic access to sensitive computerized information; (2) restricting physical access to computer and network equipment to authorized individuals; (3) segregating incompatible duties among separate groups or individuals; (4) ensuring that changes to computer software were authorized and timely; or (5) providing continuity of computerized systems and operations. The department’s IG has also reported recurring weaknesses throughout VA in such areas as access controls, physical security, and segregation of incompatible duties. In response, the department has taken actions to address these weaknesses, but these have not been sufficient to establish a comprehensive information security programs. As a result, sensitive information has remained vulnerable to inadvertent or deliberate misuse, loss, or improper disclosure. Without an established and implemented security program, the department will continue to have major challenges in protecting its systems and information from security breaches.”

In early March, the VA reacted to the Jan. 22 loss of the portable hard drive. CIO Robert Howard promulgated a policy restricting the use of portable data storage devices. Only flash drives smaller than 2 GB - and only those issued by the VA’s CIO office itself - would be permitted on the VA network or computers.

Encryption would be used throughout the system, just like the assurance issued in August 2006 about spending $3.7 million on encryption tools. In addition, the CIO announced sweeping changes in security administration, with promotion of five deputy CIOs to the rank of assistant secretaries for the following functions: application development, information security, operations and maintenance, resource management and strategic planning.

The latest news I want to mention is the blinding revelation that has come upon federal agencies as of late May: they will stop storing Social Security numbers and other PII wherever possible.

I tell you, it amazes me sometimes to see the speed with which people can respond to information about security.

[By the way, the Latin title of today’s essay means, “Let it stand for what it is worth.”]


  What do you think?
Post a comment on this newsletter

TODAY'S MOST-READ STORIES:

1. How MySpace is hurting your network
2. Lawyers show how to side-step immigration law
3. Gartner to IT: Avoid Apple's iPhone
4. Cisco moves reputation services into network devices
5. 10 automation companies to watch
6. NY college plans 11n WLAN rollout this summer
7. Pentagon shuts down systems after cyberattack
8. Microsoft, IBM feel heat from Google Apps
9. Why time stands still on the iPhone
10. The case of the 500-mile e-mail

MOST E-MAILED STORY:
Gartner to IT: Avoid Apple's iPhone


Contact the author:

M. E. Kabay, Ph.D., CISSP-ISSMP, is Associate Professor of Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site.



ARCHIVE

Archive of the Security Strategies Newsletter.


BONUS FEATURE

IT PRODUCT RESEARCH AT YOUR FINGERTIPS

Get detailed information on thousands of products, conduct side-by-side comparisons and read product test and review results with Network World’s IT Buyer’s Guides. Find the best solution faster than ever with over 100 distinct categories across the security, storage, management, wireless, infrastructure and convergence markets. Click here for details.


PRINT SUBSCRIPTIONS AVAILABLE
You've got the technology snapshot of your choice delivered to your inbox each day. Extend your knowledge with a print subscription to the Network World newsweekly, Apply here today.

International subscribers, click here.


SUBSCRIPTION SERVICES

To subscribe or unsubscribe to any Network World newsletter, change your e-mail address or contact us, click here.

This message was sent to: security.world@gmail.com. Please use this address when modifying your subscription.


Advertising information: Write to Associate Publisher Online Susan Cardoza

Network World, Inc., 118 Turnpike Road, Southborough, MA 01772

Copyright Network World, Inc., 2007

No comments:

Post a Comment