Gideon T. Rasmussen, CISSP, CISA, CISM, MVP
Professional
 
 
The VA Stolen Laptop - Lessons Learned

As security professionals most of you know the VA lost control of 26 million social security numbers when a laptop was stolen on May 3rd. Here are the lessons learned from my perspective:

Lesson # 1 - Create a comprehensive remediation plan:

The remediation plan has been identified in OMB directive M-06-16 (http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf):

1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing

2. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access

3. Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity

4. Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required.

5. Follow a NIST a checklist for protection of remote information (included within the memo)

These remediations are not adequate. The VA should also:

1. Eliminate the ability for an end user to download a database of social security numbers. Instead, use an application to provide a view into the database one SSN at a time.

2. Treat SSNs like credit card numbers. Use the Payment Card Industry standards as a baseline.

https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

3. Create unique identifiers for new service members. SSNs should be used for social security benefits.

Lesson # 2 - If you have a compromise, notify your customers in a timely manner (and make sure they receive it):

It took over three months to receive notification from the VA! I received a letter today. Apparently the first notification never made it.

http://www.gideonrasmussen.com/docs/va-notification.jpg

Lesson # 3 - Keep your commitments to your customers:

Though an article states that the VA will "honor its promise of free credit monitoring for a year", the letter rescinds that commitment, stating that individual credit monitoring will not be necessary considering the FBI's high degree of confidence that the information was not compromised. Its no surprise that veterans groups have filed a class action suit.

And one last thing... Don't loose control of my SSN again.

Kind regards,

Gideon

Gideon T. Rasmussen
CISSP, CISA, CISM, IAM
Charlotte, NC
http://www.gideonrasmussen.com/contact.html

http://www.ussecurityawareness.org
http://groups.yahoo.com/group/gideons-infosec-list
http://groups.yahoo.com/group/insider-threat

References:
http://www.navy.mil/search/display.asp?story_id=24453
http://www.eweek.com/article2/0,1895,1972946,00.asp

Posted: Wed Sep 13, 2006 2:40 am



Copyright © 2002 - 2007 Gideon T. Rasmussen All Rights Reserved.
Legal Notices