Re: The VA Stolen Laptop - Lessons Learned

["Saqib Ali" <docbook.xml () gmail com>]

Gideon,

This mandate was discussed on Security Basics ML a while back,
especially the first bullet. See the following URL for the whole
thread:
http://www.full-disc-encryption.com/lurker/message/20060706.162817.48461b51.en.html


On 9/12/06, lists () infostruct net <lists () infostruct net> wrote:
> As security professionals most of you know the VA lost control of 26
> million social security numbers when a laptop was stolen on May 3rd. Here
> are the lessons learned from my perspective:
>
> Lesson # 1 - Create a comprehensive remediation plan:
>
> The remediation plan has been identified in OMB directive M-06-16
> (http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf):
>
> 1. Encrypt all data on mobile computers/devices which carry agency data
> unless the data is determined to be non-sensitive, in writing, by your
> Deputy Secretary or an individual he/she may designate in writing
>
> 2. Allow remote access only with two-factor authentication where one of the
> factors is provided by a device separate from the computer gaining access
>
> 3. Use a "time-out" function for remote access and mobile devices requiring
> user re-authentication after 30 minutes inactivity
>
> 4. Log all computer-readable data extracts from databases holding sensitive
> information and verify each extract including sensitive data has been
> erased within 90 days or its use is still required.
>
> 5. Follow a NIST a checklist for protection of remote information (included
> within the memo)
>
> These remediations are not adequate. The VA should also:
>
> 1. Eliminate the ability for an end user to download a database of social
> security numbers. Instead, use an application to provide a view into the
> database one SSN at a time.
>
> 2. Treat SSNs like credit card numbers. Use the Payment Card Industry
> standards as a baseline.
>
> https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
>
> 3. Create unique identifiers for new service members. SSNs should be used
> for social security benefits.
>
> Lesson # 2 - If you have a compromise, notify your customers in a timely
> manner (and make sure they receive it):
>
> It took over three months to receive notification from the VA! I received a
> letter today. Apparently the first notification never made it.
>
> http://www.gideonrasmussen.com/docs/va-notification.jpg
>
> Lesson # 3 - Keep your commitments to your customers:
>
> Though an article states that the VA will "honor its promise of free credit
> monitoring for a year", the letter rescinds that commitment, stating that
> individual credit monitoring will not be necessary considering the FBI's
> high degree of confidence that the information was not compromised. Its no
> surprise that veterans groups have filed a class action suit.
>
> And one last thing... Don't loose control of my SSN again.
>
> Kind regards,
>
> Gideon
>
> Gideon T. Rasmussen
> CISSP, CISA, CISM, IAM
> Charlotte, NC
> http://www.gideonrasmussen.com/contact.html
>
> http://www.ussecurityawareness.org
> http://groups.yahoo.com/group/gideons-infosec-list
> http://groups.yahoo.com/group/insider-threat
>
> References:
> http://www.navy.mil/search/display.asp?story_id=24453
> http://www.eweek.com/article2/0,1895,1972946,00.asp
>
>
> --------------------------------------------------------------------
> mail2web - Check your email from the web at
> http://mail2web.com/ .
>
>
>
> ---------------------------------------------------------------------------
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic Excellence
> in Information Security. Our program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting experience.
> Using interactive e-Learning technology, you can earn this esteemed degree,
> without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------


--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------