His supervisors did not notify the Veterans Affairs Secretary until 16 May 2006. On 17 May 2006, the Secretary notified the FBI, which began working with the Montgomery County police to investigate the theft. Results and Conclusions: Issue 1: The VA employee had authorization to access and use the VA databases in the performance of his official duties. He was not, however, authorized to take the data home, as he had no official need to have it there. The private data was not properly safeguarded: he failed, at the very minimum, to password protect it, and he did not encrypt it (Offer, 2006).
For this, he receives the highest honors in the idiot category. Issue 2: The response of managers and senior executives to the notification of the stolen data was inappropriate and untimely. They failed to determine the magnitude of the data loss, and they failed to notify the appropriate law enforcement entities of the potential impact on VA programs and operations (Offer, 2006). Issue 3: There was a lack of urgency on the part of the Secretary's immediate staff in notifying him. They did not notify the Secretary until 16 May 2006, a full 13 days after the theft of the data.
The incident was not clearly identified as high priority, and there was no follow-up until after staff received a call from the Inspector General (Offer, 2006). Issue 4: Information security officials failed to trigger the appropriate notifications and to begin an investigation of the stolen data. The information security official's incident report contained omissions and significant errors. This resulted in a missed opportunity to re-create the contents of the laptop and external drive and to recognize the severity of the potential data loss.
Security operations officials failed to ensure that a timely investigation was conducted and that notifications were made regarding the severity of the lost data (Offer, 2006). Issue 5: VA policies, procedures and practices were not easy to identify, were not current, and were not complete. The VA policies and procedures for safeguarding against disclosure of private information were inadequate for preventing the data loss incident, and the policies and procedures for reporting and investigating lost or stolen private data were not well defined (Offer, 2006).
Recommendations:
1. Implement a centralized, agency-wide Information Technology (IT) security program.
2. Implement a patch management program to ensure that programs and applications are up to date with security patches.
3. Implement effective monitoring of networks through electronic scanning in order to proactively identify and correct security vulnerabilities.
4. Deploy and install Intrusion Detection Systems (IDS).
5. Implement and use Configuration Management.
6. Utilize application program and operating system change controls.
7. Install more stringent physical access controls.
8. Utilize penetration testing to test the security of the wireless network.
9. Encrypt sensitive, personal and proprietary data on VA networks.
10. Implement training for VA employees and contractors using training modules that are up to date (Offer, 2006).
11. Establish one concise and clear VA policy on safeguarding protected data, whether or not it is stored on a VA automated system. Ensure that this policy is easily and readily accessible to employees, and hold employees accountable for non-compliance (Offer, 2006).