[Dataloss] Comments on VA Data Loss Article

From: Richard Forno (rfornoinfowarrior.org)
Date: Thu Jun 08 2006 - 15:45:05 CDT


http://news.com.com/2102-1028_3-6081705.html?tag=st.util.print

> WASHINGTON--The head of the U.S. Veterans Affairs Department told Congress on
> Thursday that the massive theft of personal data at his agency signals the
> need for more "teeth" in federal data security laws.

Actually, the bigger question at hand is to determine exactly how bad the US
Government is when it comes to protecting data -- classified or not.

> Nicholson's appearance before politicians came as his agency deals with
> continued revelations over news that the personal data of as many as 26.5
> million veterans and nearly 2 million active-duty military, National Guard,
> and Reserve personnel was stolen. That information resided on a
> government-owned laptop computer and hard drive pilfered from a VA analyst's
> home in a Maryland suburb of Washington, D.C. A 34-year employee of the
> agency, he had been toting the gear home for the past three years in violation
> of agency policy.

This analyst was breaking policy for THREE YEARS? Why didn't anyone do
anything about it sooner? (See point later about accountability.)

> The theft didn't come to Nicholson's attention until 13 days after the data
> analyst reported the incident to superiors, the secretary said. The analyst
> was fired but has been protected by not being publicly named. Two of his
> bosses have since been fired, Nicholson said.

13 days is totally unacceptable. If a corporation can notify its CEO when
something bad happens or a problem becomes known in their product line,
there's absolutely no reason why it takes 13 days for similar "abysmal
news" to make its way to the 'CEO' of a Cabinet Agency.

> With or without new legislative action, Walker urged all agencies to limit
> collection of and access to personal information, to curb the amount of time
> such records are retained and to consider using encryption and other
> technological controls, particularly when data is stored on mobile devices

Can anyone explain why the VA needed to possess a complete database on nearly
2 million active-duty military, National Guard, and Reserve personnel? If
it needed access to certain data on active/reserve folks (which they
probably do) couldn't the agency develop ways to query databases operated by
DOD to avoid having another huge database that could, and in fact, did, get
compromised?

> Rep. Tom Davis, the Virginia Republican who heads the committee, said the
> incident had prompted him to weigh changes to a law called the Federal
> Information Security Management Act of 2002, which outlines procedures federal
> agencies must undertake in order to protect their data and systems.
>
> That law requires agencies to notify law enforcement and internal inspectors
> general when a breach occurs, but it does not require notification of
> potential victims or the public. It must be updated to include penalties,
> incentives and "proactive notification requirements," Davis said, adding that
> he is "troubled as the number and

Again, a law that doesn't foist executive-level accountability for failure
will never motivate folks and organizations to change. Let the executive
heads roll, already -- set an example, please! This happened on Nicholson's
watch... I wonder if he, his CIO, CSO, or other senior folks will be held
accountable for this fiasco other than a Congressional hearing or two. My
sense is no.

> To that end, the agency is reviewing its security practices and beefing up
> employee training. Nicholson has also ordered that every VA laptop undergo a
> review designed to ensure that all security and virus software is current, and
> he prohibited future use of personal laptops or computers for official
> business

Does this include raising the question about why 26 million records were
able to be exported onto a laptop in the first place?

How about implementing some thresholds on data export, number of
database-queries-per-minute-or-user, and implementing other such REAL
controls to help prevent this from happening again? Updating Symantec
Antivirus is not a technical control that can fix this problem.

-rick
Infowarrior.org
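One way to implement the per-user query-rate and export-volume thresholds the post calls for, as an added example that is not code from the post, the VA, or the list; it assumes a simplified, constructed audit-log format ("<ISO timestamp> user=<id> rows=<n>") and hypothetical limits:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample database audit-log lines (not real VA data):
# one query per line, with the rows it returned.
SAMPLE_LOG = """\
2006-05-03T09:00:00 user=analyst7 rows=120
2006-05-03T09:00:05 user=analyst7 rows=200
2006-05-03T09:00:10 user=analyst7 rows=180
2006-05-03T09:00:12 user=clerk2 rows=1
2006-05-03T09:00:20 user=analyst7 rows=250000
2006-05-03T09:00:30 user=clerk2 rows=3
"""

QUERIES_PER_MINUTE = 3     # hypothetical per-user query-rate ceiling
ROWS_PER_HOUR = 100_000    # hypothetical per-user export-volume ceiling


def parse_line(line):
    """Split one constructed audit line into (timestamp, user, rows)."""
    ts, user, rows = line.split()
    return (datetime.fromisoformat(ts),
            user.split("=", 1)[1],
            int(rows.split("=", 1)[1]))


def find_threshold_violations(log_text, qpm=QUERIES_PER_MINUTE, rph=ROWS_PER_HOUR):
    """Return (timestamp, user, reason) alerts for every line that breaches a limit.

    Two sliding windows are kept per user: a one-minute window counting queries
    and a one-hour window summing rows returned (bulk export).
    """
    recent_queries = defaultdict(deque)   # user -> timestamps in the last minute
    recent_rows = defaultdict(deque)      # user -> (timestamp, rows) in the last hour
    rows_in_window = defaultdict(int)     # user -> running row total for the hour
    alerts = []
    for line in log_text.splitlines():
        ts, user, rows = parse_line(line)
        q = recent_queries[user]
        q.append(ts)
        while q and ts - q[0] > timedelta(minutes=1):   # expire old queries
            q.popleft()
        r = recent_rows[user]
        r.append((ts, rows))
        rows_in_window[user] += rows
        while r and ts - r[0][0] > timedelta(hours=1):  # expire old row counts
            _, old = r.popleft()
            rows_in_window[user] -= old
        if len(q) > qpm:
            alerts.append((ts, user, f"{len(q)} queries in 1 min > {qpm}"))
        if rows_in_window[user] > rph:
            alerts.append((ts, user, f"{rows_in_window[user]} rows in 1 h > {rph}"))
    return alerts
```

On the sample above, only analyst7's fourth query trips both limits; the point is that a rows-returned ceiling catches a single bulk pull that a rate limit alone would miss.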

_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/errata/dataloss/