It's about time! According to the Inspector General's report, the Internal Revenue Service has finally managed to deploy drive encryption across their laptops and other devices (which include desktop computers).
Maybe what the IRS needed was a good kick in the seat, which was delivered by the IG earlier this year, when it criticized the tax-collecting agency for being too slow in updating its security related to data safety. Which is kind of understandable, since the IRS had to deploy encryption software on 98,000 desktops and laptops...in 670 locations!
(On the other hand, they created a team to lead the project about one week before their deadline, which also indirectly explains why it took so long...)
However, the IG also found that there were certain areas that were still lacking when it came to data security. For example, its investigation found that the IRS was not paying attention to backed up data.
Seeing how sensitive data collected by the IRS remains constant (people's SSNs don't tend to change--last year's name-SSN combo is still valid this year, and probably 50 years from now), backups are definitely an area that requires constant vigilance.
Especially because it's backed up data. The problem with backups is that almost no one pays attention to them (yours truly included) until something untoward happens: unlike a desktop or laptop computer that is used every day, nobody notices that a backup tape has disappeared until it's needed...usually in an emergency of some sort (doh! The irony. Backups are meant for emergencies!).
The Inspector General has recommended that the IRS conduct annual inventory validation, and that it generate a list of employees who can access the backups and keep it up to date.
Unlike with their full disk encryption fiasco, the IRS has set up an implementation schedule for the latest set of recommendations.
One hopes things will go much more smoothly than when encryption had to be deployed...
Related Articles and Sites:
http://fcw.com/articles/2009/09/15/irs-still-has-gaps-in-backup-data-storage-ig-says.aspx
http://www.treas.gov/tigta/auditreports/2009reports/200920120fr.pdf