(Top Post)
Several points here, and I've got to make it quick. First, the information
taken from the VA was taken out on a disk, as far as I know. This was from
an office, not out in the field, where the Pentagon may or may not be
allowed to use them in certain ways. Encryption would have to be considered
as the uppermost security in the event of the Pentagon situation. From a
facility which should and can be controlled, but isn't, it should never have
gotten out of the door in the first place.
The VA made the statement that they were starting to make training mandatory.
http://www.thespectrum.com/apps/pbcs.dll/article?AID=/20060528/OPINION01/605280327/1014
"But what can be done so the United States government doesn't fall asleep
again? VA Secretary Jim Nicholson has promised to take necessary measures to
ensure a like occurrence does not happen again, including mandatory security
training for all employees with access to private information. That's a good
first step, but we'd like to know what the VA intends to do as a long-term
solution. The volatile information is always going to be at someone's
disposal."
If this employee already had "top-notch" training, his primary goal would be
to protect the client's information from the get-go. That is the first step
in good security training. First and foremost, it is the client or customer
AND the agency which must be protected. If that sort of training is
provided, there is very little chance an employee is going to take a disk
home, regardless of whether or how it is labelled. The end-all is
not just encryption. An employee can look at information and write what he
or she likes down on a piece of paper, take it out, and do what he or she
likes "if" what goes into and out of these buildings is not controlled. So,
it is "not" necessarily going to happen "if" steps are taken to secure a
facility and employees are trained with "urgency" to protect private
information. If this type of training does not occur, there has been no
"top-notch" training received.
I wrote:
"They could and should have made training mandatory which would have
prevented it from being likely to happen."
You wrote:
"They did."
No, they did not.
If someone asks you to fax in your SS number, you are taking a chance of the
information not being taken immediately from the fax machine and possibly
laying around in a basket for a good while. You don't necessarily know who
is in that office and can walk by and see it. It is not a good idea to fax
sensitive information such as a SS number anywhere. It may be legal in
certain areas, but it is not a "top-notch" protective measure. People who
are properly trained in information protection will not ask for this
information to be faxed in.
"Banks," if you understand "size," can have workers which reach in the
hundreds of thousands. Each and every employee can be trained to protect
personal information, although I do not know that "all" banks use the tool
of intense training. Where I am it is done by compliance to law, but the
same intense training should have been done already at the VA and every
government facility in the nation. War related material may have to be
viewed differently if sensitive material can get out of contained areas for
reasonable purposes, but if you get employees alert and aware at all times
of the urgency of information protection, it is a step which does not leave
everything dependent on software encryption.
Your Pentagon situation and thoughts do have merit, but we really can't
compare what happened at the VA with that. No disk with sensitive
information should have been taken out of the door if security were handled
properly. No database with sensitive information should be left unencrypted,
either, but this does not let off the employee who knew just from basic
rules that it should not have gone out. Given adequate training, it would
have been highly "unlikely" that this information would be taken from the
building.
Rita
Fafnir <200606.rodent.frell.theremailer.net> wrote in news:d9526
>>> They could and should have made training mandatory which would have
>>> prevented it from being likely to happen.

They did.
Every government agency has such training.
Even the Pentagon.
See PL 100-235
>> I can't think of any agency more security conscious than the
>> Pentagon, nor any secret more closely guarded than a war plan
>> that was to be executed in thirty days' time.

> Well, there must not be the highest level of security, or there wasn't,
> because laptops are not allowed in the area in which I work, and they damn
> sure wouldn't be allowed out of the building if they were.

Many agencies _issue_ laptops; lots of work is done in the
field, not in an office.
The one with the war plan was stolen from a taxi in London.
>> True.
>> According to the GAO report, the Pentagon got an F.

> In that case, the Pentagon is not as secure as where I am. We
> got an A.

I figured that banks would be more secure than the Pentagon.
Remember that the Pentagon has millions of workers, and it only
takes one screwup.
There's also the fact that the data lost by the VA wasn't
classified 'Confidential' or 'Secret' or 'Top Secret'; it was
probably 'FOUO' (For Official Use Only) and the analyst may not
have understood just how sensitive it was.
The Federal (and even more so, State and Local) government often
don't take individual privacy all that seriously.
There are NO penalties prescribed for violations of the Privacy
Act. None.
Bear in mind that if the analyst hadn't voluntarily 'fessed up',
it's very likely that no one would ever have known about this.
And he wouldn't have lost his job.
I bet that's happened more than once.
>> Fifteen years after the incident described above occurred.
>> That's why I am so flabbergasted that they haven't taken the
>> simple steps I suggested.

> It is a mess.

>> If they had, possession of that external hard drive with the VA
>> data on it wouldn't do the thief any good.

> Well, that's pretty much a given, however, we cannot assume
> that the disks are going to get out. Every effort in the world can and has
> been made to prevent that in "some" facilities and the upgrades are
> effective.
And yet laptops are lost or stolen and flash drives containing
classified information are sold in the Baghdad bazaar.
It IS going to happen, and the biggest mistake a manager can
make is to say "I order you to maintain data security!" and to
assume that that will happen.
>> You say that you are involved in banking; don't banks encrypt
>> their transaction data before they transfer it?

> Yes.

>> I assume that banks are more security conscious than even the
>> government; a failure to secure their data would drive them
>> out

> There are two areas of banking. One side is commercial and the
> other side is federal. I work for the feds, and it was the government
> which made compliance with certain conditions mandatory, or they would
> bar the door and not allow us to do business. In other words, security
> in the extreme is mandatory by law where I am. Security on the
> commercial end is also mandatory by law, but it is not as stringent on
> a personal level as the federal side. There are differences between us
> and the commercial end of banking. One of these differences includes
> credit checks every five years along with a background investigation,
> and credit criteria conditions are stringent. I wouldn't even have to
> get close to bankruptcy in order to lose my job, and we are not just
> given training. We are watched on the level of a Vegas casino to see
> that we comply. What I don't know is how it is paid for, but I believe
> it comes from the private sector, and it is beyond expensive.
It's pretty obvious that the government can't watch millions of
employees all over the world that closely.
But they COULD provide OTFE software on all computers.
Easily and cheaply.
TrueCrypt is free.
Even for commercial use.
It's not a panacea, but it would have taken care of the problem
in the three cases I've mentioned.
>>> I would appreciate your showing me by way of proof that all
>>> government

>> Read the post again.

I didn't say "all government employees", but 'all government
agencies'.
Truck drivers don't get the mandatory annual security training.

> I see no proof other than your word that "such" training is
> mandatory in all government facilities.
If you work for a federal agency, you're responsible for knowing

SEC. 5. FEDERAL COMPUTER SYSTEM SECURITY TRAINING.
(a) In General.--Each Federal agency shall provide for the
mandatory periodic training in computer security awareness and
accepted computer security practice of all employees who are
involved with the management, use, or operation of each Federal
computer system within or under the supervision of that agency.
Such training shall be--

Your agency will presumably have an order implementing such
training which refers to that law.
> The VA has publicly stated that training was made
> mandatory only after the breach. "If" top-level training were
> mandatory in the first place, they right then admitted negligence.
Which is why I doubt that they said any such thing.
They say on their website that the data analyst was not
authorized to take this data home, is being dismissed, and that
one of his managers resigned as a result of this fiasco, so
maybe they did...
But again, with millions of employees and millions of
laptops/flashdrives, security managers need to assume that
something like this will happen, and need to take steps to
mitigate the damage.
Secure areas of the Pentagon don't permit flashdrives (or iPods)
for just this reason, and search employees upon leaving the
building.
But they don't search the National Security Advisor, who got
caught taking a laptop full of classified information home.
>>> are given top-notch training

>> Read the post again.

> They are not. I'm sorry to tell you, but they are not, and
> especially in the areas of information classifications.

I never said that they are given 'top-notch training'.
Those are your words.
> For the sake of conversation, allow me to ask you a question,
> please. If you are participating or doing business with a company you
> know and trust, and for some reason they asked you to fax your SS number
> to them on a form where other service-related criteria were also needed
> in a hurry, would you do it and why or why not?
A fax is far more secure than unencrypted TCP, but I'd still
resist.
On the other hand, private businesses are not constrained by the
Privacy Act; only government agencies are required to give you a
disclosure notice.
If you're trying to close on a house and the broker demands your
SSAN (by phone or fax), s/he can prevent your closing without
violating any law.
But I'd make sure I initiated the call to a number I knew.
On my laptop (in fact, on all of my personal computers), all my
sensitive information is encrypted with OTFE.
Unfortunately, computer security rules prohibit me from
installing OTFE (or any programs) on my government laptop.
Besides, the VA has compromised my SSAN now, anyway.
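The OTFE argument above (a lost drive is useless if everything written to it is ciphertext under a key derived from a passphrase) can be shown concretely. The following is an added illustration, not code from anyone in this thread and not TrueCrypt's design. It uses only the Python standard library: PBKDF2 stretches the passphrase, an HMAC-SHA256 keystream in counter mode encrypts, and an encrypt-then-MAC tag is checked before any decryption. The container layout, the `OTFE1` tag, the sample record and the passphrases are all constructed for the example; a real deployment would use a vetted AEAD (AES-GCM, ChaCha20-Poly1305) from a maintained library or the operating system's disk encryption rather than this hand-built cipher.

```python
"""Constructed illustration of encryption at rest ("on-the-fly encryption").

Only the Python standard library is used.  The cipher is HMAC-SHA256 run in
counter mode with encrypt-then-MAC authentication; this is an educational
stand-in for a vetted AEAD or whole-disk encryption, not a replacement.
"""
import hashlib
import hmac
import os
import struct

MAGIC = b"OTFE1"          # hypothetical format/version tag for the container
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 200_000   # makes offline passphrase guessing on a stolen file slow


def derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Stretch the passphrase, then split it into independent encryption and
    MAC keys so the two roles never share key material."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                 PBKDF2_ROUNDS, dklen=32)
    enc_key = hmac.new(master, b"otfe-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"otfe-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(passphrase: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC.  Container layout: MAGIC | salt | nonce | ciphertext | tag."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)          # fresh per container: never reuse with a key
    enc_key, mac_key = derive_keys(passphrase, salt)
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_container(passphrase: str, blob: bytes) -> bytes:
    """Verify the tag (constant-time compare) before decrypting anything.
    Raises ValueError for a wrong passphrase or a modified container."""
    hdr_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < hdr_len + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not an OTFE container")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:hdr_len]
    ciphertext, tag = blob[hdr_len:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, blob[:hdr_len] + ciphertext,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong passphrase or tampering")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def stolen_drive_scenario(passphrase: str, record: bytes) -> dict:
    """Model the thread's case: the container leaves the building.  Report
    whether plaintext is visible on the disk, whether a guessed passphrase
    is rejected, whether a flipped byte is detected, and whether the owner
    can still read the record."""
    blob = seal(passphrase, record)
    leaked = any(tok in blob for tok in record.split() if len(tok) >= 4)
    wrong_pass_rejected = False
    try:
        open_container("guess123", blob)
    except ValueError:
        wrong_pass_rejected = True
    tampered = bytearray(blob)
    tampered[len(MAGIC) + SALT_LEN + NONCE_LEN] ^= 0x01   # first ciphertext byte
    tamper_detected = False
    try:
        open_container(passphrase, bytes(tampered))
    except ValueError:
        tamper_detected = True
    return {
        "plaintext_visible_on_disk": leaked,
        "wrong_passphrase_rejected": wrong_pass_rejected,
        "tampering_detected": tamper_detected,
        "owner_round_trip_ok": open_container(passphrase, blob) == record,
    }


if __name__ == "__main__":
    # Constructed sample record; not real data.
    sample = b"NAME: JANE DOE  SSN: 000-00-0000  DOB: 1950-01-01  VA claim: SAMPLE"
    print(stolen_drive_scenario("correct horse battery staple", sample))
```

The design point the thread keeps circling back to is visible in `stolen_drive_scenario`: the protection does not depend on the employee remembering a rule, only on the passphrase staying with the person rather than the drive. The tag check running before decryption is what lets the owner notice a modified container; a plain stream cipher without it would silently return garbage.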