As I mentioned earlier, I'm at FCW Events' CIO Summit and the whole story about VA's stolen data was quite the buzz, needless to say. And they say that timing is everything, so it was perfect that there was a session today titled "Identity Management: New challenges for managing access and securing staff." The panel featured Rob Brandewie, director of the Defense Manpower Data Center, and Rich Guida, director of information security for Johnson and Johnson and a former fed who served as chairman of the Federal Public Key Infrastructure Steering Committee.
Both of them spoke of the difficulties of securing data these days because it is potentially so mobile.
I didn't ask them to comment on this case specifically because they don't know the specifics. But I did ask them about securing data.
As far as I understand the VA situation, it isn't even that the laptop was stolen. It was, of course, but the data was on some kind of mobile device.
Here is what the NYT reported this morning:
A Congressional aide briefed on the matter, granted anonymity because he was not authorized to speak publicly about it, said the information was on disks. Secretary Nicholson, speaking at the same news conference as Attorney General Gonzales, said the worker had taken the data home to work on a department project. Mr. Nicholson described the worker, who has not been identified, as a longtime employee of the agency. He lives in suburban Maryland, a law enforcement official said.
Brandewie said that it is precisely these kinds of incidents that keep him up at night.
"Data is so portable," he said.
DMDC has policies that prohibit taking large amounts of data away from the office, but many people don't recognize the dangers until they suffer some kind of incident. "People don't realize the implications of what they're carrying," he said.
Many organizations have focused on encrypting data as it moves, but few focus on encrypting data that is in place, Guida acknowledged.
Johnson and Johnson is working to encrypt data on the laptops of employees who are most at risk, he said. That will tie the data on the laptop to a token, so if a laptop was stolen, the thief would also need the token and password to access the data.
Generally with security, people tend to take the path of least resistance – until they are burned, Guida said.
Of course, I'm sure not so coincidentally, OMB is reminding everybody about securing their data.
Posted by Christopher Dorobek on May 23, 2006 at 12:15 PM