
AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


Drive Encryption Software Refused By VA Contractors?

Representative Buyer (R-IN) has sent a letter to the Secretary of the VA Department this week.  Long story short, the ranking Republican of the US Committee on Veterans' Affairs finds it troubling that the VA doesn't appreciate the urgency behind ensuring that veterans' personal data be protected with tools like hard disk encryption for laptops.

Another Laptop Theft Leads to Compromised VA Data

The trigger for the letter was a recent notification to the committee that an unencrypted laptop with VA medical data was stolen from a contractor.  As a result, 644 vets are at heightened risk of crimes such as ID theft (assuming, of course, that there was no damage from previous VA breaches, such as the May 2006 fiasco).

This latest breach is quite "routine" as data breaches go: the unencrypted laptop was stolen from an employee's car.  I've covered a variation of this story several times this year--and that's just the stuff that I felt compelled to blog on.

What's not so routine about the case is that the contractor had assured the VA that the information was encrypted.  In fact, the story at nextgov.com states that "the vendor had certified to VA that it had encrypted laptops that stored department data," emphasis being mine.

Certified.

Well, someone dropped the ball.

Triggering More Investigations - 578 Refuse to Use Encryption

Representative Buyer also raised an issue about vendors that won't use encryption software.  He noted how the VA's own review of 22,279 contracts showed that 6,440 contracts did not include an information security clause.  5,665 contracts were rectified.

What about the ones that weren't?  Well, apparently 578 contractors (I guess some have more than one contract with the VA) "refused to sign the clause."

That's not as problematic as the fact that there isn't any "VA action to enforce its IT security policies."  Read: those contractors are still doing business with the VA, and the VA doesn't seem to be doing anything about it.

Well, as scandalous as that is, it doesn't surprise me.  I mean, a contract is a contract.  The contractors with 5,665 amended contracts did the VA a favor.  They are within their legal rights not to do so.  What about the 578 contractors?  Well, perhaps this is their last year working for the government, and they decided that they wouldn't make additional investments.

Proving Laptops are Encrypted

While some may be under the impression that the above unnamed contractor essentially lied to get a contract with the VA, I wouldn't be too sure in making such a bet.

At the personal/individual level, computer security has never been easier to implement: click here, click there, move your mouse here, boom! You're done.  Certainly, IT admins will find that, say, in 10% of the cases, installing encryption on machines is not as straightforward: for example, there is always some kind of isolated issue with hardware incompatibilities if you manage a large number of devices.

But, assuming you got yourself the right encryption package, deploying encryption company-wide is not as hard as it used to be.

What can I say?  Technology advances.

At the organizational level, though, people are still hampered by the same problems from 25 years ago and earlier: keeping track of stuff (or, if you prefer something more professional sounding, logistics and inventory tracking).

With our unnamed vendor above, it could very well be that everything was set up properly, and as complex systems tend to do, things unraveled with time.  That's why companies are supposed to have audits (and why encryption audit reports were incorporated from the ground up in our AlertBoot endpoint encryption solution).


Related Articles and Sites:
http://www.nextgov.com/nextgov/ng_20100513_1937.php?oref=topstory
http://www.ihealthbeat.org/articles/2010/5/14/laptop-thefts-expose-personal-health-data-on-vets-reservists.aspx
http://republicans.veterans.house.gov/documents/05_12_2010_VA_Information_Security.pdf

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.