It is being reported that the US Department of State is missing hundreds of laptops, perhaps thousands of them.  The Department of State is in charge of conducting diplomacy.  In case anyone doubts how important secrecy is for this particular department, the Anti‑Terrorism Assistance Program falls under its umbrella, according to the article at cqpolitics.com.  Obviously, this particular department needs to especially ensure they’ve got adequate data security.

An internal audit has found that this is not necessarily the case, though.  For example, as many as 400 laptops are missing from the Anti‑Terrorism Assistance Program alone.  It is being pointed out, however, that in this case the missing laptops are not necessarily lost or stolen.  The audit report is using the term “unaccounted for,” a term usually meaning “we have no idea what happened except” we can’t find them right now.  The computers could be in some secure location within the Department of State buildings.  The fact is, nobody knows.

This highlights one of the issues that take a backseat when it comes to security, be it information security or otherwise: the lack of follow up.  Security is hardly a one‑time affair, where you install a particular solution and forget abut it—even if the solution is designed to be that way.

For example, consider full disk encryption solutions by AlertBoot.  You can’t get simpler than full disk encryption.  You install it and that’s the end of it.  And with AlertBoot, there’s no way to stop the encryption process or reverse it mid‑encryption.  However, for the paranoid manager in charge of security (the very best kind when it comes to security), the question becomes, “was it installed to begin with?”  Without the proper follow up, there is no way to get an answer to the question.

This is the reason why AlertBoot also includes powerful reporting.  The truth is that security is rarely about protecting something.  It’s about being able to prove that something is protected.   So, even if one’s got the best encryption algorithms protecting one’s data, that’s not good enough.  If a laptop is unaccounted for in the State Department, people are not really concerned about $3000 worth of equipment missing; they’re concerned about who is accessing the information on that laptop.  What better way to prove that these people have nothing to worry about by stating unequivocally that not only do you know the laptop is encrypted, but also to point out when it was encrypted?