An Information Security Place

Commentary on the State of Information Security
Filed under Security, Stolen computer


The VA is now buying encryption software for their computers, handhelds, and other mobile devices.  This makes me wonder about a few things:

  1. Are they also installing it on their subcontractors’ computers?  The last theft of VA data happened at Unisys, not at the VA.  How are they going to handle that?
  2. Have they EVER done a risk analysis?  I ask this because it would be interesting to see what the analysis said about remote laptops, computers, etc. before the thefts.  Did it show there was risk of this happening?  Did they actually weigh the risk and decide it wasn’t a big deal?
  3. My suspicion is that they never ran a risk analysis.  So have they run one now?  Are they just knee-jerking?  Was this process under way before the last theft, or have they gone about this the right way and they just have bad timing?

Even though a risk analysis is always needed, the results are not always correct.  Even if you go about the process in the most scientific manner, you always need to plan for contingencies and for the possibility that your results are wrong or that even the smallest risks will still materialize.

In this case, if the VA did run a risk analysis before the thefts, then they either ignored this risk or deemed it not enough of a risk to worry about.  Though we see it as an obvious risk, and though the many, many stories of laptop theft happening out there before the VA incident make it even more obvious, the VA still did nothing.  That’s why I think they either never had the analysis done, or they simply did one to fulfill requirements then ignored the results.  Both are deplorable practices.

I would really like to see some better disclosure from the VA.  Don’t give me the results of your risk analysis.  Just let us know that you are performing one.  Just like this event, make an announcement that you have a company coming in to help with this and name the company.  Even though you have an obvious hole with the laptops and desktops, you still need to perform your due diligence in making your security holistic.  Do not just piece some security measures together to make everything look good to the public.

Vet

Posted by Michael Farnum on Monday, August 14th, 2006