Wednesday, February 14, 2007
Dialing 911 for Laptops
As the number of stolen laptops increases, CIOs must develop policies to protect against their theft.
By Chandler Harris
Feb 14, 2007
By now, just about every government IT professional has heard the story of the laptop full of valuable data that was stolen from an analyst working for the U.S. Department of Veterans Affairs (VA). But that's not the only government laptop to go missing with sensitive data. Consider the following:
* Last August, a laptop computer used by the Florida Department of Transportation to combat fraud was stolen, putting the personal information of almost 133,000 Florida residents at risk of the criminal activity the agency was trying to guard against, according to an article in the South Florida Sun-Sentinel.
* In March 2005, a thief walked into a University of California, Berkeley, office and swiped a laptop computer containing personal information on nearly 100,000 alumni, graduate students and past applicants, according to the Associated Press.
And it's not just happening in the public sector. According to Business Insurance magazine, Electronic Data Systems Corp., Ernst and Young L.L.P. and Boston-based Fidelity Investments have had laptops containing sensitive information on hundreds of thousands of employees and customers lost or stolen.
Laptop computers and mobile technology have spurred a nationwide mobile work force, with an estimated 45.1 million Americans working elsewhere besides their principal office in 2005, according to the International Telework Association and Council.
With the continued growth of a mobile, teleworking work force, embraced and promoted at all levels of government, laptops have become the preferential computer for many workers.
But along with the growing popularity of mobile computing, the threat of losing confidential data to laptop thieves has also increased. In 2003, 73 percent of companies did not have specific security policies for laptop computers, according to the Gartner Group. The highly publicized theft of a laptop from an employee of the VA in 2006, containing the personal information of 26.5 million veterans, revealed how vulnerable personal information is when stored on a laptop.
The laptop was recovered, but the VA suffered two other security breaches within the year. Similar incidents occurring at other government institutions -- including the IRS, the Federal Trade Commission and the Department of Transportation -- made public the ongoing threat to security in the form of unsecured mobile computing.
In 2005, more money was lost from notebook PC theft than from any other crime except computer viruses, according to an FBI computer crime survey of over 2,000 public and private organizations in four states. According to the same survey, the average financial loss for each stolen laptop amounts to $89,000.
Still, the Government Accountability Office (GAO), the watchdog arm of the government, has published reports that reveal numerous federal agencies don't have proper safeguards or protections for data. According to the GAO, nine federal agencies have not issued policies on wireless networks, and 13 agencies have not established requirements for configuring or setting up wireless networks securely. The GAO also reported 18 agencies don't provide training programs in wireless security for their employees and contractors, and some agencies haven't configured laptops appropriately. In one instance, the GAO found a federal agency had more than 90 laptops that were not configured correctly.
After the well-publicized incidents of laptop loss in 2006, OMB deputy director Clay Johnson III issued a memorandum with a security checklist created by the National Institute of Standards and Technology, recommending four actions: use encryption when carrying agency data; use two-factor authentication provided by a device that is separate from the computer (such as a USB token); ensure that users reauthenticate after 30 minutes of inactivity; and verify that all sensitive data is purged within 90 days if no longer required.
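The four checklist items above can be turned into a fleet audit. The following is an added example, not code from the article or from OMB/NIST; the inventory records, field names and the `audit` function are all assumptions made up for illustration, and a laptop that holds sensitive data is expected to satisfy every item.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

REAUTH_LIMIT_MIN = 30   # checklist: reauthenticate after 30 minutes of inactivity
PURGE_LIMIT_DAYS = 90   # checklist: purge sensitive data within 90 days once no longer required


@dataclass
class Laptop:
    """One constructed inventory record (hypothetical fields, not from any real asset system)."""
    asset_id: str
    disk_encrypted: bool
    separate_token_2fa: bool          # two-factor device separate from the computer, e.g. USB token
    idle_timeout_min: int             # 0 means the screen never locks
    sensitive_data: bool
    data_last_required: Optional[date]  # None = the data is still needed


def audit(laptop: Laptop, today: date) -> List[str]:
    """Return the checklist items this laptop fails; an empty list means compliant."""
    findings: List[str] = []
    if laptop.sensitive_data and not laptop.disk_encrypted:
        findings.append("agency data not encrypted")
    if not laptop.separate_token_2fa:
        findings.append("no two-factor authentication with a separate device")
    if laptop.idle_timeout_min <= 0 or laptop.idle_timeout_min > REAUTH_LIMIT_MIN:
        findings.append(f"idle reauthentication not enforced within {REAUTH_LIMIT_MIN} min")
    if laptop.sensitive_data and laptop.data_last_required is not None:
        age = (today - laptop.data_last_required).days
        if age > PURGE_LIMIT_DAYS:
            findings.append(f"stale sensitive data not purged ({age} days)")
    return findings


def audit_fleet(fleet: List[Laptop], today: date) -> Dict[str, List[str]]:
    """Map each asset id to its findings so non-compliant laptops can be reported."""
    return {laptop.asset_id: audit(laptop, today) for laptop in fleet}


# Constructed sample fleet: one compliant laptop, one failing three items, one missing a token.
SAMPLE_FLEET = [
    Laptop("LT-001", True, True, 15, True, None),
    Laptop("LT-002", False, True, 60, True, date(2006, 10, 1)),
    Laptop("LT-003", True, False, 30, False, None),
]

if __name__ == "__main__":
    for asset, problems in audit_fleet(SAMPLE_FLEET, date(2007, 2, 14)).items():
        print(asset, "OK" if not problems else "; ".join(problems))
```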
The GAO has also recommended limiting the amount of secure data on laptops. When laptops containing secure data are absolutely necessary, the GAO suggests they have security controls such as encryption.
Vontu, a data protection company with Fortune 100 clients, adheres to the belief that reducing the amount of confidential data on laptop computers is the most effective way to avoid data loss. Vontu also recommends that an organization review and strengthen security and privacy policies to include provisions for laptops.
"A good plan will include security policies for laptops, periodic risk assessments, employee education, encryption technologies, data loss prevention software and response, and recovery procedures in case of laptop theft or loss," said Joseph Ansanelli, CEO for Vontu.
Ansanelli believes laptop theft is a symptom of a bigger loss prevention problem that extends to all areas of data security. He recommends all public and private companies consider three questions: Where is confidential data stored? Where is confidential information being sent? Where is the information being copied, such as USB drives, CD-ROMs and even MP3 players?
Next, Vontu recommends that if a laptop is lost, an organization scope the impact of the exposed confidential data and accurately assess the risk. This helps companies respond quickly and effectively when valuable data is lost.
In Arizona, which has a statewide teleworking program and also the dubious distinction of having the highest rate of identity theft in the country, data protection procedures are an important part of state government protocol. The state has standards for all data security, including wireless connections and any portable drives or laptops used by state employees, said CIO Chris Cummiskey. When the VA laptop theft occurred, Cummiskey met with other agency directors to remind them of the state standards and policies regarding encrypted data.
"Now we're pushing hard to make sure the directors of all the agencies know that they're responsible for making sure that their employees are adhering to the encryption standards," Cummiskey said. "We're experiencing good compliance in those areas. It's not to say it's a hundred percent, but we're working toward that on a daily basis."
Arizona is also implementing a statewide information security and privacy office. The office will work with state agencies to comply with state security standards and handle incident responses.
In Silicon Valley, where laptop use is high, Santa Clara County, Calif., is drafting a security policy for laptops and other mobile devices. The county requires all Windows-based laptops and mobile devices to have hard disk encryption. The county has a security program that "inundates" employees with security information, including brochures, online security programs and IT security bulletins issued with paychecks.
"We're taking it very seriously and the county executive is becoming more aware of our concerns and the risks the county has, so we're very supported in pushing out standards and getting departments to put appropriate software and procedures in place," said Joyce Wing, interim CIO for Santa Clara County.
Hopefully the rest of public-sector CIOs are taking laptop security just as seriously.