On Saturday, 2/17/07, it was widely reported that the U.S. Veterans Affairs (VA) was suspending “activities at seven specialized research centers across the country after an unprotected computer hard drive disappeared from one of the facilities in Alabama last month.”
The VA Secretary, Jim Nicholson, is requiring the programs to be halted until security certification is obtained.
“Writing to VA’s top management on Thursday, Nicholson also said the department would begin unannounced inspections at VA sites nationwide. ‘It is now clear to me that there are still too many VA employees, both in senior positions and elsewhere, who either still do not comprehend the seriousness of this issue, or who consciously disregard its seriousness,’ he wrote.
Nicholson has come under sharp criticism on Capitol Hill in the past year over a series of computer security failures that put sensitive personal information for millions of veterans at risk. In the latest incident, a backup hard drive containing data such as Social Security numbers for up to 1.8 million veterans and physicians was reported missing Jan. 22 from a research site in Birmingham, Ala. As a federal investigation proceeds, officials have remained tight-lipped about the case. But in the letter, Nicholson wrote that the employee was a research assistant and the hard drive may have been stolen. The VA acknowledged earlier this week that the hard drive was not encrypted, a violation of the department’s policy.”
There WAS a policy requiring the data to be encrypted; however, the data was NOT encrypted as required. The policy existed on paper but was not being enforced.
Think about all the organizations where this is also true. So many businesses create information security policies just to say they have policies, but then do nothing to support the policies through procedures, tools, audits, or business leader example and executive support.
“In auditing the department’s security procedures last year, federal investigators found weak management and lax rules.”
Policies are all too often not followed.
When employees, business partners, and the public in general know that an organization has policies but does not enforce them, it opens the door for those who would exploit this huge vulnerability to steal personally identifiable information (PII), disrupt operations, and commit fraud and other crimes.
Tags: awareness and training, encryption, government, Information Security, IT compliance, policies and procedures, privacy, privacy breach, VA privacy breach