1) List and describe the security weaknesses at the Department of Veteran Affairs.-lack of appropriate data security policies in place/disregard for privacy rights of veterans:When policies are developed with proper foresight and safety considerations, they are typically the most important step to preventing undesirable occurrences from happening. In the case of the stolen laptop from a Veteran Affairs (VA)data analyst's home, there were very loose security policies which allowed for this security breach to occur. More specifically, the data analyst was allowed to take a laptop home containing data from millions of veterans for approximately three years. Furthermore, he was allowed to use at-home software to access and manipulate millions of veterans' social security numbers, addresses, phone numbers, etc. For lack of a better word, this ignorant decision demonstrates the VA's lack of foresight and demonstrates a disregard for the privacy of veteran's rights. There are many obvious risks with removing sensitive data from a secure location and taking it to someones home, such as an unauthorized person tampering and/or stealing data, deletion of data, acquiring a virus, etc. I am sure that none of those VA staff or management would want their personal data being taken home regularly and without proper security features to a stranger's home. It doesn't take a genius to realize that there is a risk posed by allowing laptops with personal data to be removed from the building and taken to employee's homes. This was a case of failed leadership to protect data and policies should have been in place disallowing this type of activity.
-delayed reaction to theft of sensitive identity data:The VA Inspector General was not informed of the incident promptly after its occurrence and he found out about seven days after the fact, through"office gossip," that the burglary took place. Furthermore, the Secretary of Veteran Affairs, Jim Nicholson, did not find out about the burglary until 13 days after it occurred. This type of delay can inhibit the FBI and Justice Department's investigative process and prevent them from solving the case. Luckily, the thieves were not extremely computer savvy and did not access the data. Also, they were eventually caught but had it been a computer savvy hacker, all that personal data may have been stolen and used within a matter of days and could have created huge financial losses.
-decentralization of IT security systems:Apparently, an audit conducted in 2004 of the VA's IT system revealed that a centralized management system should be implemented to improve information security at the VA. The current decentralized system in place at the VA made it difficult to implement necessary changes/updates to their systems and made them more susceptible to delays and performance failures. The VA's chief information security officer lacked direct authority to enforce security policies and mandates.
-weak information security program:Sensitive data held in the laptop that was stolen, did not have adequate access control features. Data on the computer was not encrypted and there were no biometric authentication programs linked to their large database of confidential data. Theft, in general, whether at home or at the workplace is often difficult to prevent, but with stringent security features in place protecting the personal data, it would limit any unauthorized exposure and limit damages.
2)What management, organization, and technology factors contributed to these weaknesses?It is clear that the stolen data was a result of failure on many levels. From a management perspective, the VA failed to implement adequate security policies to protect the privacy rights of the veterans. An important role of a manager is to be able to recognize risks to an organization and its stakeholders. In addition, managers should demonstrate solid judgement and foresight when making decisions. The decision to allow unprotected, confidential data to leave the VA premises on a laptop and into an employee's home for three years demonstrated poor judgement from management. With regards to organizational factors that led to the VA's weakness, I would claim that their decentralized management structure made it difficult as an organization to swiftly recognize potential threats and implement change. In this type of organizational structure, information systems security has to clear many levels and reach multiple approvals prior to its implementation. A more direct, centralized organizational structure may have allowed for a more secure IT environment. Finally, in terms of technological factors which led to the VA's weaknesses, they lacked up-to-date access controls which protected the data from unauthorized access. Whether the data was stolen from home or the workplace, there should be both biometric authentication controls and encryption controls protecting the data.
3)What solutions would you suggest to prevent these security problems?I would propose the following three suggestions to prevent the VA's security problems:
1)The VA must update their corporate security policies and specify on each position's job descriptions, proper guidelines regarding what data they can access, to complete work on intrusion detection systems and immediately prohibit the removal of confidential data, whether by laptop or flash drive, etc., from the main server computers.
2) Implement access controls which encrypt data and install biometric authentication devices on computers which would need access to confidential data. This would protect data from unauthorized exposure in the event of a theft and would make it nearly impossible for unauthorized access to be gained into personal records.
3) Development of a centralized management structure with less levels of bureaucracy in the VA's IT department. As the two former CIO's, McFarland and Gauss, suggested, it would be beneficial for the VA to appoint a chief information security officer with direct authority to monitor IT security and enforce security policies and mandates swiftly.
