[ISN] GAO Finds Data Protection Lagging

From: InfoSec News (alerts@private)
Date: Wed Feb 27 2008 - 04:05:57 PST


By Christopher Lee
Washington Post Staff Writer
February 26, 2008

Despite a steady stream of embarrassing computer security breaches, many 
major federal agencies still are doing too little to safeguard the 
sensitive personal information in their possession, according to 
congressional investigators.

Only two of 24 agencies studied by the Government Accountability Office 
in a report released last week had implemented all five security 
measures recommended by the Office of Management and Budget to protect 
personal information.

The top performers included the Treasury Department and the Department 
of Transportation. The worst were the Small Business Administration and 
the National Science Foundation, neither of which had adopted any of the 
measures, according to Sen. Norm Coleman (R-Minn.), one of two senators 
who requested the study. But officials at both agencies said yesterday 
that they had completed most or all of the recommended measures since 
GAO investigators last visited them in October.

"Since that report, we've followed OMB directives, and we are now up to 
speed," said Christine Mangi, an SBA spokeswoman.

Coleman and Sen. Susan Collins (R-Maine) asked the GAO in 2006 to look 
into how agencies were handling security, after the disclosure that a 
Department of Veterans Affairs external hard drive containing Social 
Security numbers and other personal information on millions of veterans 
had been stolen from the home of a VA employee. The drive eventually was 
recovered by police.

"The findings released in this report are very troubling -- indicating 
that agency after agency has failed to make securing citizens' personal 
information a high priority," Coleman said in a statement. "We need to 
know when the agencies are going to have the protections in place to 
stop the numerous data breaches we have seen over the past few years."

The loss or theft of personal data can inconvenience or embarrass the 
people whose information is compromised, but the biggest concern is the 
potential for identity theft and other fraud. In 2006, identity theft of 
all varieties -- not merely cases associated with federal data breaches 
-- accounted for $49.3 billion in losses to people and organizations 
nationwide, according to the GAO report.

At least 19 federal agencies have experienced at least one data breach 
that could expose employees or members of the public to identity theft, 
according to the GAO. In March 2006, for instance, a portable data 
storage device with personal information on more than 207,000 Marines 
was lost. In July of that year, a laptop was stolen from the car of an 
employee of the DOT inspector general's office, putting the personal 
information of 133,000 Florida pilots and other residents at risk.

Under the OMB guidance, agencies are supposed to take steps such as 
encrypting all data on laptop computers and mobile devices; allowing 
remote access only to authorized users who present two factors of 
authentication; and logging every download (extract) of sensitive 
information, recording when it was taken and by whom.

Most of the 24 agencies examined by the GAO had adopted two or three of 
the security measures, but only the two top performers had implemented 
them all.

George Strawn, chief information officer for the National Science 
Foundation, said that, contrary to the GAO report, his agency has 
implemented all or part of all five measures.

"We have been working on this diligently for two or three years and are 
in pretty good shape," he said. "There will always be more to do and the 
crooks will always try to get ahead of you, but we have been paying a 
lot of attention to it and we don't intend to lower our vigilance."

This archive was generated by hypermail 2.1.3 : Wed Feb 27 2008 - 04:12:17 PST