                  VA NEWS FLASH
from Larry Scott at VA Watchdog dot Org -- 06-04-2007 #1
LESSONS LEARNED FROM THE VA'S DATA BREACH --

One year later, new security measures guard against a lapse like the VA's lost notebook.

Story here... http://www.pcworld.com/article/id,132501-c,privacy/article.html

Story below:

-------------------------

Lessons From a Data Breach

One year later, new security measures guard against a lapse like the VA's lost notebook.

Jaikumar Vijayan, Computerworld



It's been just over a year since the U.S. Department of Veterans Affairs disclosed that a laptop PC and external hard disk containing personal data on 26.5 million veterans and active-duty military personnel were stolen from the home of a VA employee.

The disclosure sparked widespread concern over the perceived lack of information security controls at the agency. It prompted a sweeping overhaul of the agency's IT organization, including top-level personnel changes and a centralization of all IT development, operations and maintenance activities at the VA.

Both the laptop and disk were later recovered by the FBI, which also certified that the data had not been accessed. Even so, the massive scope of the compromise and the attention it generated have driven considerable change in information security policies not just at the VA, but governmentwide, analysts and vendor executives said.

"Because of the sheer size of the VA breach, and because it was an issue that related to veterans, it really brought home the issue of security in a way that was not there prior" to the incident, said Geoff Gray, a lobbyist with the Cyber Security Industry Alliance, an industry advocacy group based in Arlington, Va. "If the question is 'what rises to a level to really draw the attention of policy makers,' this one did," he said.

Here are five lessons learned and steps taken in the wake of the data breach, according to analysts and vendors.

1. A greater focus on data encryption within government

Since the VA breach, agencies across the government have begun paying more attention to encrypting data on laptops and other mobile devices, said John Pescatore, an analyst with Stamford, Conn.-based Gartner Inc.

Pushing agencies in that direction is the White House's Office of Management and Budget (OMB), which shortly after the VA breach disclosure issued a memorandum to all agency heads recommending encryption of all sensitive agency data on mobile systems. The level of compliance with the directive is varied, but most agencies have either already purchased and implemented encryption tools on their mobile devices or are in the process of doing so, Pescatore said.

"Encryption is not the end of all problems, but it solves a very major problem" at government agencies, he said.

2. Stronger breach notification guidelines within agencies

Prior to the VA debacle, few agencies had any formal internal breach notification process, said Howard Schmidt, an independent security consultant and former White House cybersecurity adviser.

When breaches such as those at the VA occurred, there were few formal internal processes for notifying incident response teams and administrators. The VA incident "turned a tremendous amount of attention not just on the VA's own notification policies but across the entire government," Schmidt said. As a result, more agencies today have formal policies and procedures for reporting and responding to all suspected and confirmed information breaches, he said. The OMB's guidelines now require, in most cases, that agencies notify management of data breaches immediately when they happen.

3. More attention to data retention, classification and minimization

The VA breach also led to a governmentwide review of how personally identifiable information is stored, accessed and protected, said Chris Fountain, CEO of SecureInfo Corp., a McLean, Va.-based security services provider mainly to government agencies.

Many agencies have undertaken or are planning to perform formal privacy impact assessments to understand how they are collecting, using and protecting personal data, Fountain said. They are using such assessments to rate and prioritize their systems and then apply appropriate controls based on the amount of personal data each system contains, he said.

Many agencies are also trying to comply with an OMB directive issued in the wake of the VA breach that requires them to log all data extracts from databases holding sensitive information, Pescatore said. Under the directive, they are also required to verify that the data that has been extracted is erased within 90 days or is still being used for valid purposes, he said.
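The two requirements just described (log every extract from a sensitive database, and confirm within 90 days that the extract was erased or is still in legitimate use) amount to a review that can be scripted. The following is an added illustration, not code from the article, the VA or the OMB; the pipe-delimited log format, the field names, the status values and the sample records are all constructed for this example.

```python
from datetime import date

RETENTION_DAYS = 90  # review window the article attributes to the OMB directive

# Constructed extract-log lines (hypothetical format, not any agency's real log).
# Field order: extracted_at|extract_id|user|source_system|record_count|status|verified_at|justification
SAMPLE_LOG = """\
2007-01-10|X-001|analyst1|benefits-db|1200|erased|2007-03-01|
2007-01-20|X-002|analyst2|benefits-db|5000|in_use|2007-05-20|quarterly eligibility audit
2007-02-01|X-003|analyst3|claims-db|300|pending||
2007-05-15|X-004|analyst1|claims-db|75|pending||
2007-01-05|X-005|analyst4|benefits-db|9800|in_use|2007-05-30|
"""


def parse_log(text):
    """Parse pipe-delimited extract-log lines into dicts; reject malformed lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 8:
            raise ValueError(f"malformed extract-log line: {line!r}")
        extracted_at, extract_id, user, system, count, status, verified_at, justification = fields
        records.append({
            "extract_id": extract_id,
            "user": user,
            "system": system,
            "records": int(count),
            "extracted_at": date.fromisoformat(extracted_at),
            "status": status,
            "verified_at": date.fromisoformat(verified_at) if verified_at else None,
            "justification": justification.strip(),
        })
    return records


def review_extract(rec, as_of):
    """Classify one extract against the 90-day erase-or-justify rule as of a given date."""
    age = (as_of - rec["extracted_at"]).days
    if age <= RETENTION_DAYS:
        return "within-window"            # too young to require a verification yet
    if rec["status"] == "erased" and rec["verified_at"] is not None:
        return "compliant-erased"         # erasure was recorded and dated
    if rec["status"] == "in_use":
        if not rec["justification"]:
            return "noncompliant-no-justification"   # kept, but nobody said why
        if rec["verified_at"] is None or (as_of - rec["verified_at"]).days > RETENTION_DAYS:
            return "noncompliant-stale-verification"  # justification older than the window
        return "compliant-in-use"
    return "overdue-unverified"           # past 90 days with no disposition at all


def review_log(text, as_of):
    """Return {extract_id: verdict} for every record in the log."""
    return {rec["extract_id"]: review_extract(rec, as_of) for rec in parse_log(text)}


if __name__ == "__main__":
    # Review as of the date of this news flash (constructed choice for the example).
    for extract_id, verdict in review_log(SAMPLE_LOG, date(2007, 6, 4)).items():
        print(extract_id, verdict)
```

The point of the example is the last three verdict branches: an extract that is merely old is not a finding, but one that is old and has no erasure record, no justification, or a justification that has itself aged out of the window is what the review should surface.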

4. Stronger remote access policies

The VA breach spotlighted the need for better controls on agency data when it is being accessed from remote locations by teleworkers, said Kevin Richards, federal government relations manager for security vendor Symantec Corp.

In a memo soon after the breach, for instance, the OMB instructed all agencies to implement two-factor authentication for controlling remote access to agency networks and data from remote locations. It also asked them to require remote users to re-authenticate themselves after 30 minutes of inactivity.

In addition, the VA breach has also resulted in more focus on securing remote systems via the use of endpoint network admission control tools, he said. Such tools, which are available from a wide variety of vendors, are designed to ensure that any system logging into a network has adequate antivirus and firewall protections, has all the mandated configuration settings and is properly patched.

5. More authority for agency CIOs

Under a bill passed last year, the CIO's post at the VA has been elevated to the rank of an assistant secretary. The move was designed to give the CIO's office more clout and enforcement authority within the agency.

"The VA's CIO and CISO didn't have the authority to force changes to happen," Pescatore said. Now there are "definite signs across government that agencies want to elevate CIO positions" in the same way the VA did, he said.

-------------------------
