[ISN] VA to control, restrict use of mobile storage devices

From: InfoSec News (alerts@private)
Date: Tue Mar 06 2007 - 22:19:18 PST


By Jason Miller
March 6, 2007

ORLANDO, Fla. -- In the next month, the Department of Veterans Affairs 
will let employees plug into its network only those mobile storage 
devices issued by the chief information officer's office.

Robert Howard, the department's CIO, said today that although his office 
already mandated that these mobile devices, known as thumb drives, be 
encrypted, he is taking security a step farther. He is requiring 
employees to apply and demonstrate a need for a thumb drive and to have 
their supervisors sign off on that need before the office will issue the 
drive. Howard will issue only 1G and 2G thumb drives and will not allow 
anything larger onto the network unless he approves it.

"This effort is to drive down the use of thumb drives," he said after his 
speech at the Information Processing Interagency Conference sponsored by 
the Government Information Technology Executive Conference. "This will 
help us eliminate future problems by shutting down an easy way to take 
data out of the office."

The mobile storage devices also must be certified under the National 
Institute of Standards and Technology's Federal Information Processing 
Standard 140-2, he added.

Last May, a laptop and external hard drive containing personal 
information on about 26 million veterans were stolen from a VA employee's 
home. Under intense pressure from lawmakers and the Bush administration, 
the VA has instituted new policies, including the one for thumb drives, 
to ensure that doesn't happen again.

Besides controlling thumb drives, Howard aims to have a standard 
configuration for smart phones and personal digital assistants, 
eliminate unencrypted messages that travel on the VA's network and reduce 
the number of virtual private networks by the end of fiscal 2007.

The department also is relying more on public-key infrastructure (PKI) 
and Microsoft's rights management system (RMS) in its Outlook e-mail 
system to do a better job of securing e-mail and documents.

"We had issued 30,000 digital certificates in the fall and now we have 
issued 85,000 PKI certificates," Howard said. "RMS is easier to use than 
PKI. We will continue to do both."

Although Howard wants to institute all of these changes in the short 
term, he is thinking about the VA's long-term security. Earlier this 
week, the department issued a request for information for "soup to nuts" 
for data security.

The VA's reorganization is also moving forward. Howard said the agency 
will soon send a legislative package to the Office of Management and 
Budget to be submitted to Congress. It will promote the VA's five deputy 
CIOs to assistant secretaries for different IT functions: information 
security, strategic planning, resource management, application 
development, and operations and maintenance.

"We don't know if we will get that approved, but we want to raise the 
title so we can attract the best talent," he said.

While Howard waits for lawmaker approval on the title changes, he has 
organized new governance boards: a business needs and investment board, 
and a planning, architecture and technology services board.

Each will report to the IT Leadership Board, which in turn reports to 
the Strategic Management Board. The deputy secretary leads the strategic 
board, which is made up of high-level agency executives.

"I would like these new governance boards to only address the big issues 
that can't be handled at the action office level," Howard said. "The target 
is for them to meet once a month, but I'm not sure if it will always be 
