Archive for August 14th, 2006

Has the VA ever done a risk analysis – How about some disclosure to the public?

August 14th, 2006 Michael Farnum

The VA is now buying encryption software for their computers, handhelds, and other mobile devices.  This makes me wonder about a few things:

  1. Are they also installing it on their subcontractor’s computers?  The last theft of VA data happened at Unisys, not at the VA.  How are they going to handle that?
  2. Have they EVER done a risk analysis?  I ask this because it would be interesting to see what the analysis said about remote laptops, computers, etc. before the thefts.  Did it show there was risk of this happening?  Did they actually weigh the risk and decide it wasn’t a big deal?
  3. My suspicion is that they never ran a risk analysis.  So have they run one now?  Are they just knee-jerking?  Was this process under way before the last theft, or have they gone about this the right way and they just have bad timing?

Even though a risk analysis is always needed, the results are not always correct.  Even if you go about the process in the most scientific manner, you always need to plan for contingencies and the possibilities that your results are either not right or the smallest risks will still happen.

In this case, if the VA did run a risk analysis before the thefts, then they either ignored this risk or deemed it not enough of a risk to worry about.  Though we see it as an obvious risk, and though the many, many stories of laptop theft happening out there before the VA incident make it even more obvious, the VA still did nothing.  That’s why I think they either never had the analysis done, or they simply did one to fulfill requirements then ignored the results.  Both are deplorable practices.

I would really like to see some better disclosure from the VA.  Don’t give me the results of your risk analysis.  Just let us know that you are performing one.  Just like this event, make an announcement that you have a company coming in to help with this and name the company.  Even though you have an obvious hole with the laptops and desktops, you still need to perform your due diligence in making your security holistic.  Do not just piece some security measures together to make everything look good to the public.

Vet

Categories: Security, Stolen computer

Winsnort.com defaced

August 14th, 2006 Michael Farnum

It was just reported by SANS.  Be careful if you go there.

Vet

Categories: Security, web hacking

My first post using MSFT Live Writer

August 14th, 2006 Michael Farnum

This is my first post using MS Live Writer.  I got the link from here.  I am impressed so far.

Picture test

Vet

Categories: Security

Keyloggers on clients’ computers cause bank to get in trouble by press – HUH?!

August 14th, 2006 Michael Farnum

Martin McKeay posted a few days back about keylogging software on clients of HSBC Bank.  Bruce Schneier pointed out this article this morning about the same issue.  Both came to roughly the same conclusion: this is ridiculous.

Yes, there are things the bank can do to help with this, but come on, where is the personal responsibility for the clients?  Sheesh.

Vet

Categories: Crime, Security, Sheesh, web hacking

New SmartChip Passports to start rolling out

August 14th, 2006 Michael Farnum

Read the story here.  It looks like the process is being held up now because of legal challenges from another company that thought they should win the project.

I have held out commenting on this so far because I don’t have the expertise here to add much of value.  But what does concern me is that the company they are awarding the contract to is an affiliate of a German-owned company.  That sounds about as smart as giving up the dock security to a Saudi-owned company.

Vet

Categories: Security