The state auditor’s office in North Carolina has 234 laptop computers that are still waiting to be encrypted, according to The Insider. This comes an entire year after the state’s chief information officer issued standards for the use of laptop encryption software, which is offered by several vendors, including AlertBoot. The state CIO, George Bakolia, fired off a missive to the state Auditor, Les Merritt, saying this delay is “irresponsible and unacceptable.” The auditor responded that it was Bakolia’s fault for not setting a deadline.
Encrypting a computer is not hard. Encrypting hundreds of computers, on the other hand, may be hard, depending on whether the software is designed to handle such a load. The ability to easily do so means that the software “scales.”
It’s a funny thing, really. Normally, one doesn’t wonder whether encryption software scales, since data protection means one has to deal with laptops one by one: leaving even one of the 234 laptops unencrypted could mean that the Auditor’s office still has a sizable data security risk. (For example, perhaps all the computers contain the same sensitive data for tens of thousands of constituents. Under such circumstances, losing one unprotected computer is no less of a breach than losing two or three computers.)
However, scalability issues are a real concern once you pass a certain threshold of devices to protect. Indeed, I’ve heard (unconfirmed) rumors that the IRS had signed up with two computer data security vendors in the past couple of years (not at the same time), specifically to encrypt their computers -- and paid for their services -- without actually encrypting computers. The process was so complicated that the IRS supposedly kind of gave up on it.
Your tax dollars hard at work.
On the other hand, deploying encryption software enterprise-wide is never an easy job, regardless of scalability. Having someone in charge of implementing it is definitely necessary. Plus, people have their regular jobs to do. If one doesn’t specifically make an effort to start such a project, it’s never going to get off the ground.
It kind of reminds me of my experience with my commanding officer in the Navy. He never gave deadlines, claiming that everything “was of the utmost importance to be done ASAP.” Since everything was important, nothing ever got done on time when he wanted it done -- stuff got done when the person charged with the work felt “it was about time to wrap it up.” That’s usually what happens when you assign one guy five different things that are due ASAP.
If you find that your organization needs to get started on data security, the first thing to do is appoint someone to be in charge of seeing the project to its end. Then, and only then, do you start your data security program.
This establishment of a point man is the first step towards a key aspect of data security: the continuous monitoring and assessment of your organization’s security needs. Without it, data security tends to fall by the wayside, eventually leading to what it was supposed to avert -- a breach.
Related Articles: http://www.newsobserver.com/news/story/1337468.html