Sunday, May 4, 2008

Chapter 8: Case Study

List and describe the security weaknesses at the Department of Veterans Affairs
A number of factors constituted weak security at the Department of Veterans Affairs (VA) and left it vulnerable to threats and to the risk of misuse of its data.

The first and most important weakness at the VA information technology department was that employees could keep large amounts of critical data on their laptops. Many firms, especially those that deal with sensitive data, do not permit company data to be stored on laptops and require that all data remain in the central database.

The second issue was that employees could take laptops home with no audit trail and no approval required from their immediate superiors. This not only put the employee taking the company laptop home at risk of negligence but also exposed the lack of any security mechanism to monitor data going in and out of the organization.

The department had no audit control mechanism for its hardware and as a result was not aware of the stolen laptop until 13 days after the theft occurred. Ideally, hardware issued to employees is tagged with an electronic ID that lets the firm take a real-time inventory of its equipment.

Firms usually install two levels of password control on laptops: login authentication and hard-disk access authentication. This ensures that even if the laptop is stolen, an unauthorized user cannot get into the hard disk to access the data.

The third major weakness was that the VA had no strict IT security policies or service level agreements in place with the IT vendors who handled its critical data. Firms like the VA should perform security audits, mandate a secured IT workspace from their vendors, and require background checks and security clearances for all contractors and vendors.

Last but not least, the VA had no central IT security governance and left it to individual departments to oversee and regulate security issues.


How effectively did the VA deal with these problems?

The theft of a laptop holding sensitive veterans' data from an employee's home exposed the VA's poor security policies and mandates.
In October 2005, the VA underwent a major reorganization that centralized its IT programs and activities. Congress also passed a bill that gave a single executive control over the entire department's IT spending.
Such centralized IT security governance can ensure proper data access rules, maintain better access controls, monitor fraud more efficiently, and detect intrusions faster.
