Thursday, April 23, 2009

Chapter 8 Case Study: A Stolen Laptop at the Department of Veterans Affairs: The Worst Data Theft Ever?


A financial analyst from the Department of Veterans Affairs took sensitive personal electronic files on 26.5 million veterans home to work on a project, and the files were stolen on May 22, 2006. The data included names, social security numbers, and birth dates of veterans who were discharged from the military starting in 1975. The data was not encrypted. The VA breach was the second largest unauthorized disclosure of social security identification data.

Question #1: List and describe the security weaknesses at the Department of Veterans Affairs.

One weakness is that the Department of Veterans Affairs (VA) failed to implement a policy that strictly prevents employees from taking home classified or sensitive financial data of veterans. It was not clear initially whether the employee was authorized to take home the files. This clearly indicates the lack of a security policy, which is required to protect information assets. The stolen data was not encrypted.

A second weakness is the lack of disaster recovery planning, in which a company focuses on how it can restore business operations after a disaster strikes. There was no plan of action for how to back up any lost data.

A third weakness is the lack of a communication protocol for what to do if data is lost or stolen. That is, the loss of the data was not reported in a sufficient amount of time. The department did not report the incident to law enforcement until two weeks after the incident. The Department of Justice and the Federal Bureau of Investigation stated that the delay may have allowed a more thorough investigation to solve the case.

Question #2: What management, organizational, and technology factors contributed to these weaknesses?

In reference to management factors, management at the agency was decentralized and difficult to change. Former CIO John Gauss cited “cultural impediments” at the agency as the reason he was unable to implement central management of IT at the department level or a strong information security program.

In reference to organizational factors, per the recommendations of the VA audit, the VA failed to implement a centralized IT security program, to ensure that employee job descriptions contained proper rules about what data they could access, and to complete work on intrusion detection systems, infrastructure protection actions, and better access controls. There was a failure to implement a security policy for preventing the employee from taking home sensitive or classified data. According to a document obtained from the Veterans Affairs Committee, the employee did have authorization to take home a laptop and use a software package to work with the data. The documents revealed that the analyst was authorized to use special software at home to manipulate data, to access social security numbers of veterans, and to remove a laptop and other accessories from the VA building for outside work. It is not clear how stringently the documents were written, but the employee violated the security policy. Apparently, the employee had routinely been transporting data to his home for three years, unknown to his supervisors.

In reference to technological factors, the VA did not implement a security policy of access control. Access control consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized users. To gain access, a user must be authorized and authenticated. It is not clear how well the employee understood the security policy implemented by the VA. It is not clear how much training the employee received on handling classified information. It is not clear whether the employee used special passwords to access the information. Since the data was not encrypted, the VA failed to implement an encryption policy, under which plain text or data is transformed into cipher text that cannot be read by anyone other than the user.

Question #3: How effectively did the VA deal with these problems?

The VA acknowledged recommendations from the House Committee on Veteran, and the CIOs from the VA agreed that centralized management of all IT programs and activities is required. One of the CIOs wanted a structure that would be less susceptible to delays, budget overruns, and performance failures. The VA divided its IT operations into two domains. Thus, Congress passed a bill that gave a single executive control over the entire department’s IT spending. The CIO would be raised to the rank of undersecretary and the chief information security officer would be raised to the assistant secretary level. The VA planned on merging its IT domains to finally centralize IT programs and activities. It is not clear how these changes to a new “federated” IT management system, based on reducing costs and making the department more efficient, will help resolve security issues. The VA made no recommendations for substantial changes to its security policy so that the incident will never happen again. Thus, how effectively the VA dealt with the problem is still vague. The VA needs to make a complete revision of its security policy to prevent any future loss of data from human or technological factors.
