[ISN] Lab not wiping sensitive data before discarding machines, DOE finds

From: InfoSec News (alerts@private)
Date: Mon Mar 12 2007 - 22:29:44 PST


By Wade-Hahn Chan
March 12, 2007

The Lawrence Livermore National Laboratory in California may not be 
wiping sensitive information from excess computers it disposes of, 
according to a report [1] released by the Energy Departments inspector 
generals office.

The national security research lab has been slow to adopt departmentwide 
policies for wiping information from unneeded computers before donating 
or selling them, a process known as excessing, the report states.

Hard drives and other memory devices on excess machines must be wiped 
clean or physically destroyed, according to DOE policy. The National 
Nuclear Security Administration (NNSA)  which oversees the lab dragged 
its feet in implementing the policy at the lab, the IG said, and as of 
this month, still hasnt fully implemented it. The lab excesses about 
5,300 computers annually.

Lawrence Livermore has its own agencywide policy for excessing 
computers, but the report states that it doesnt fully align with DOEs. 
Lab officials did not check computers for embedded memory devices, didnt 
test hard drives reused by the lab for sanitization and failed to 
provide adequate documentation of wiped memory devices.

Despite the number of problems that we and others have identified over 
the years with the departments efforts to appropriate excess computers 
and other electronic memory devices, major department elements, 
including the NNSA, did not timely implement department policy, said DOE 
Inspector General Gregory Friedman, in a memo attached to the report.

The IG wrote that lab managers did not agree or disagree with the report 
but said that certain corrective actions have been or will be initiated.

In January, Energy Secretary Samuel Bodman fired the NNSA chief 
following serious security breaches at several national laboratories and 
the discovery of a hard drive with classified information at a former 
employee's home.

[1] http://www.ig.energy.gov/documents/IG-0759_.pdf

Visit the InfoSec News Security Bookstore

This archive was generated by hypermail 2.1.3 : Mon Mar 12 2007 - 22:47:42 PST