Case Study: VA Laptop Theft

1. List and describe the security weaknesses at the Department of Veterans Affairs.

-Slow response to theft: The cases states that the department did not report the theft to law enforcement until two weeks after the burglary. This is way too long! An effective recovery effort would have been much easier had authorities been notified earlier.
-Employee taking sensitive information home: Why is it okay for an employee to take a laptop full of personal data that is very sensitive to their home? Burglary is only one reason this should not be allowed. What if a friend is over and is using the computer and accidentally changes something or deletes something. This type of information should be kept in a controlled environment where the only people coming near it are accountable for its security.
-Failure to encrypt data: With effectively encrypted data it seems the VA would not have had to worry about the theft of the laptop. If the data was inaccessible other then by the person to which the laptop was owned, it would not have been a real issue. The only reason it was of such importance was because there was a threat that the thief could access all of the sensitive data.
-Decentralized data: If the data had all been in one on site location (not on an individual's laptop) this problem could have been avoided. Even if the employee had been accessing the data through a secure network connection, the VA would not have had to worry about the contents of the laptop, the data would have been all on the central server.

3. How effectively did the VA deal with these problems?
In short; not very. The VA had known their information system had issues for some time. In 2004 an audit was done which brought about many findings one of which was the recommendation to centralize information security. This recommendation was not implemented successfully. In addition, former CIO Robert McFarland resigned because he was frustrated with the implementation of new IT management software. This makes it quite obvious that there are IS issues within the company. As if these were not enough, just after authorities arrested the thieves of the laptop, another computer with sensitive personal information was stolen from a Unisys Corp building in Virgina. This time the information of 38,000 veterans was leaked and further proved that the VA had not done an effective job of centralizing their information.

4. What solutions would you suggest to prevent these security problems?
I would suggest a centralized server containing all veteran's information with a strong security protocol. I would give access via log in and password, only to individuals who need such privledges. In addition I would implement a nationwide effort to travel to all locations that currently have information (such as Unisys) and support them in the installation of software to access the server if needed and also ensure the destruction of all old files on hard drives in the building. It wouldn't do much good to centralize the information, but allow hard drives that still have sensitive information on them to still be used. I would also conduct biannual IS audits and place high priority on all findings. This would hopefully allow issues to be caught and dealt with before another disaster like this could happen again.