Has the VA ever done a risk analysis – How about some disclosure to the public?
on August 14th, 2006 at 8:15 pm
The VA is now buying encryption software for their computers, handhelds, and other mobile devices. This makes me wonder about a few things:
- Are they also installing it on their subcontractors’ computers? The last theft of VA data happened at Unisys, not at the VA. How are they going to handle that?
- Have they EVER done a risk analysis? I ask this because it would be interesting to see what the analysis said about remote laptops, computers, etc. before the thefts. Did it show there was risk of this happening? Did they actually weigh the risk and decide it wasn’t a big deal?
- My suspicion is that they never ran a risk analysis. So have they run one now? Are they just knee-jerking? Was this process under way before the last theft, or have they gone about this the right way and they just have bad timing?
Even though a risk analysis is always needed, the results are not always correct. Even if you go about the process in the most scientific manner, you always need to plan for contingencies and the possibilities that your results are either not right or the smallest risks will still happen.
In this case, if the VA did run a risk analysis before the thefts, then they either ignored this risk or deemed it not enough of a risk to worry about. Though we see it as an obvious risk, and though the many, many stories of laptop theft happening out there before the VA incident make it even more obvious, the VA still did nothing. That’s why I think they either never had the analysis done, or they simply did one to fulfill requirements then ignored the results. Both are deplorable practices.
I would really like to see some better disclosure from the VA. Don’t give me the results of your risk analysis. Just let us know that you are performing one. Just like this event, make an announcement that you have a company coming in to help with this and name the company. Even though you have an obvious hole with the laptops and desktops, you still need to perform your due diligence in making your security holistic. Do not just piece some security measures together to make everything look good to the public.
Vet

The VA, like many other government agencies, isn’t prepared to deal with security breaches… I recently came across a ComputerWorld article that discusses a survey about laptop and data theft. The statistics were quite disturbing:
“Eighty-one percent of companies surveyed reported the loss of one or more laptops containing sensitive information during the past 12 months, according to the survey, which queried nearly 500 information security professionals.”
“Sixty-four percent of companies surveyed reported that they have never conducted an inventory of sensitive consumer information.”
These organizations are handling the most sensitive of our Personal Financial Information (PFI), but are not taking the necessary security precautions to secure this data. Like you noted, EVERY laptop that has any information dealing with the VA should be encrypted (such as contractors). Anti-theft software with Remote Laptop Security (RLS) needs to be employed as well.