From the VA to Ohio University, IT pros have lost their jobs over lost data. Businesses, meanwhile, refuse to take security training seriously.
Does everyone at your company know what data shouldn't be stored on laptops or removable storage devices? Do they know where they can and can't take these devices? Is there a clear company policy on data that needs to be encrypted?
Having good answers to these questions about security policy doesn't just help safeguard data. For an IT or security pro, it could mean the difference between keeping his or her job and having to explain to the boss--or worse, law enforcement officers and government officials--the reasons for an embarrassing data breach that could cost big bucks to fix. IT professionals involved in enforcing security at places where data breaches have occurred, including the Veterans Affairs Department and Ohio University in Athens, have learned the hard way how alleged lack of policy enforcement can negatively affect a career.
The theft in May of a laptop containing the names, birth dates, and Social Security numbers of millions of current and former military personnel put a spotlight on the VA's poor security track record and stirred debate over whether there was any policy in place that would have stopped an employee from taking more than 26.5 million unencrypted data records home to work on a project. The laptop was stolen during a burglary of the employee's home. By the time it was turned in to the FBI in late June, Pedro Cadenas Jr., the VA official in charge of information security, had announced his resignation from the department, and Michael McLendon, deputy assistant secretary for policy, had resigned.
Rep. Bob Filner, D-Calif., has said that three VA documents indicate that the employee--a data analyst--was authorized to take a laptop and data home, contradicting an earlier statement by VA Secretary James Nicholson. Filner also criticized the lack of any VA security policy to violate and said in a statement, "That's the real negligence--that there were no policies."
The federal government is working on a number of improved security measures as a result of the VA theft and other data breaches, including security recommendations that the White House Office of Management and Budget has given federal agencies until early August to comply with. Ohio University is likewise overhauling its security policies in the wake of several data breaches in April and May that exposed 367,000 records containing Social Security numbers and other data of current and former students, alumni, and faculty. The university in June suspended its director of communication network services and its manager of Internet and systems as part of its investigation.
Moran Technology Consulting, hired by Ohio University to help it improve security management, recommended that the university define the roles and responsibilities of all departments using technology. The school has begun restructuring its IT organization to establish clear roles, responsibilities, and accountability. The university's board of trustees recently granted president Roderick McDavis' request for $4 million to improve IT security and fund an audit by Moran of all server accounts to see if any have been compromised and to verify password enforcement, complexity, and length requirements.
But the best time to review, improve, and communicate security policies is before potential problems surface. "An employee or contractor makes an arbitrary decision to violate security policies so as to make his job easier," Eugene Spafford, professor and executive director of the Purdue University Center For Education and Research in Information Assurance and Security, testified in a House Committee on Veterans' Affairs hearing. "We see this happening all the time," Spafford said, adding that policies aren't enforced as long as the work gets done and nothing bad happens.