V.A. Security

In May, 2006, The United States Veteran Administration (V.A.) had an analyst take unencrypted data home on his laptop. The laptop was consequentially stolen in a home invasion. The computer’s storage device held sensitive information on over 26 million people. Immediately following the burglary in his home, the V.A. analyst told police and V.A. administrators that he routinely took the laptop home for the previous three years. The stolen data included highly sensitive personal information such as social security numbers, dates of birth, and other health information pertaining to disabilities. The subsequent investigation found that not only was the data unencrypted, that the V.A. had given the analyst permission to carry the data home. An investigation of the matter and the V.A. response has exposed an array of possible solutions ranging from very simple to more complex. The following document intends to recommend security metric implementations and controls to prevent a repeat occurrence of the data loss seen in 2006.

Information technology audits should be embraced by the Veterans Administration. Finance departments in every publically traded company are subjected to annual audits. Government agencies are also subjected to financial reviews. While a finance audit has a mission of adherence to a set of standardized accounting practices, an information technology audit evaluates whether an organization follows system internal technology controls.  According to the research conducted by Neil (1999) the adherence to strong information technology management controls can help prevent data loss. At the time of the data loss in 2006, the V.A. did not have in place a credible information technology audit. The V.A. needs to implement a plan that holds internal systems operators accountable by a third party review. The audit should, at the very least, identify weaknesses and improvement strategies to address those weaknesses. The audit should be conducted by a CISM or ISC credentialed entity.

The number of hackers and cyber terrorists is growing. The V.A. did not employ data encryption technology to protect the data stored on the analysts’ system. Data encryption is important because it keeps sensitive information from being exposed to and by hackers (Nachenberg, 1997). Data encryption protects computers from hacking, and indirectly, encryption also protects systems from viruses that can be released by hackers. Encryption is an old and extensively used technology that has helped protect data at every level of business. The V.A. must begin using encryption at every opportunity as it is simple and inexpensive to implement.

Information technology policies need to be reviewed for weaknesses. A consistent and thorough policy review supports the ability for the V.A. to constantly improve and reflect new advances in risk and system threats. A policy review is much more than simply reading policy; it involves speaking with front-line workers in regards to their standard operating procedures. One obvious mistake that the V.A. made in regards to data loss was allowing an employee to take his laptop home. The computer carried sensitive information and exposing such an amount of private data was an unwarranted risk and resulted in a loss that could have been prevented. Information technology policy review and change is an essential portion of an effective internal control strategy. An effective policy review board would have identified the problem with staff taking home data.

The V.A. computers that hold sensitive information should be protected with the use of key fobs. The key fob acts as a security token with security authentication protection. The serial code on the key fob holds the ability to access a computer or sensitive software information. The key fob strategy has the ability to provide a two-pronged safety authentication measure – the random and constantly changing display code on the device as well as a second authentication code exclusively memorized by the operator. Key fobs offer a level of theft protection in a physical device as well as a backup protection in the owner’s personal password.

Software exposures also continue to be a vulnerability in government agencies. Software exposures can range from employees downloading various applications from the internet to staff listening to streaming music while on the job. While the V.A. has corrected internal controls in regards to carrying computer equipment home, exposure still remains with data leakage. Employees are still able to run data through software-defined networks that is unauthorized and this could inadvertently expose sensitive data to cyber criminals. The V.A. still allows the use of USB flash drives and information could be saved and removed via mobile storage devices. In addition, if the data on the storage device is not encrypted, it can be uncovered.

While key strategies have been effective in response to the 2006 data loss incident, vulnerabilities still remain that may be a risk for a repeat occurrence. Arguably the most important implementation for the V.A. would be to subject current information system internal controls to a credible third party audit. The acceptance of a higher level of outside scrutiny would be a small investment compared to the immense risk and the importance of military data content. A few simple changed can be adopted in policy such as preventing employees from taking home work computers and preventing the use of mobile storage devices in the workplace. Data encryption is a technology that is affordable and simple to manage. Choosing not to use encryption after the 2006 loss is reckless and negligent on behalf of the V.A.

References

Nachenberg, C. (1997). Computer virus-coevolution. Communications of the ACM, 50(1), 46-51.

Neil, M. (2001, January 1). Cybercrime Dilemma. Brookings Review, 19(1).