In an unprecedented move to improve security at the Department of Energy, a ban on certain types of removable storage media went into effect Monday at some of the department's sites.
Known as controlled removable electronic media, or CREM, the technology includes hard disks and removable storage disks that contain classified information.
The decision, ordered by Energy Secretary Spencer Abraham, follows the discovery earlier this month that Los Alamos National Laboratory employees misplaced two Zip disks that held classified information.
The Energy Department is searching through thousands of vaults and safes to find the missing media. The Los Alamos lab has been virtually shut down since news of the lost disks broke.
Late last week, 19 employees were suspended at Los Alamos for security violations. In a statement, Secretary Abraham said that while there wasn't any evidence of similar security lapses at other Energy Department sites, "we have a responsibility to take all necessary action to prevent such problems from occurring at all. Therefore, I have directed that we stand-down all operations involving so-called controlled removable electronic media."
The CREM ban will stay in effect until each site has provided "appropriate" training, conducted a review of security features, completed an inventory of assets, and arranged for a system that provides complete and accountable "custodial responsibility" of the removable media.
The department outlined the following plan to keep CREM secure:
-- Each site will conduct a 100% initial physical inventory of accountable CREM and weekly inventories thereafter.
-- After operational restart is approved, sites will formally enter all CREM containing secret-restricted data or data with higher security classifications into accountability.
-- All accountable CREM will be maintained in approved repositories under the direct control of authorized and trained custodians.
-- A formal checkout process for all accountable CREM will be initiated. Access to repositories storing accountable CREM will be strictly limited to authorized custodians.
-- Before restarting, an independent validation team will verify that the protocols are in effect.
-- Exceptions will be allowed only under extraordinary circumstances. All exceptions and restarts will be approved by the Deputy Secretary of Energy personally.
-- The department's Office of Independent Oversight and Performance Assurance will verify the adequacy of the procedures once they're implemented.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.