Network Security CISSP-Discussion

[CISSP-D] The VA Stolen Laptop - Lessons Learned

Subject: [CISSP-D] The VA Stolen Laptop - Lessons Learned
Date: Tue, 12 Sep 2006 22:31:06 -0400
As security professionals most of you know the VA lost control of 26
million social security numbers when a laptop was stolen on May 3rd. Here
are the lessons learned from my perspective:

Lesson # 1 - Create a comprehensive remediation plan:

The remediation plan has been identified in OMB directive M-06-16
(http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf):

1. Encrypt all data on mobile computers/devices which carry agency data
unless the data is determined to be non-sensitive, in writing, by your
Deputy Secretary or an individual he/she may designate in writing 

2. Allow remote access only with two-factor authentication where one of the
factors is provided by a device separate from the computer gaining access

3. Use a "time-out" function for remote access and mobile devices requiring
user re-authentication after 30 minutes of inactivity

4. Log all computer-readable data extracts from databases holding sensitive
information and verify each extract including sensitive data has been
erased within 90 days or its use is still required.

5. Follow a NIST checklist for protection of remote information (included
within the memo)

These remediations are not adequate. The VA should also:

1. Eliminate the ability for an end user to download a database of social
security numbers. Instead, use an application to provide a view into the
database one SSN at a time.

2. Treat SSNs like credit card numbers. Use the Payment Card Industry
standards as a baseline.

https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

3. Create unique identifiers for new service members. SSNs should be used
for social security benefits.  

Lesson # 2 - If you have a compromise, notify your customers in a timely
manner (and make sure they receive it):

It took over three months to receive notification from the VA! I received a
letter today. Apparently the first notification never made it.

http://www.gideonrasmussen.com/docs/va-notification.jpg

Lesson # 3 - Keep your commitments to your customers:

Though an article states that the VA will "honor its promise of free credit
monitoring for a year", the letter rescinds that commitment, stating that
individual credit monitoring will not be necessary considering the FBI's
high degree of confidence that the information was not compromised. It's no
surprise that veterans groups have filed a class action suit.

And one last thing... Don't lose control of my SSN again.

Kind regards,

Gideon

Gideon T. Rasmussen
CISSP, CISA, CISM, IAM
Charlotte, NC
http://www.gideonrasmussen.com/contact.html

http://www.ussecurityawareness.org
http://groups.yahoo.com/group/gideons-infosec-list
http://groups.yahoo.com/group/insider-threat

References:
http://www.navy.mil/search/display.asp?story_id=24453
http://www.eweek.com/article2/0,1895,1972946,00.asp
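Two of the M-06-16 controls the post lists (item 3, the 30-minute re-authentication timeout, and item 4, verifying that every logged data extract is erased or re-justified within 90 days) are easy to state but only useful if something actually enforces them. The following is an added example, not code from the post, the VA, or OMB: a small extract registry and idle-session check. The record fields, the sample extracts and the dates are constructed for illustration; an agency's real extract log would carry whatever identifiers its database audit tooling emits.

```python
"""Added example: two OMB M-06-16 controls as testable policy checks.

Item 3: re-authenticate after 30 minutes of inactivity.
Item 4: every logged extract of sensitive data must be erased within
        90 days, or its continued use must be re-confirmed.
Field names and sample data are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

EXTRACT_RETENTION = timedelta(days=90)   # M-06-16 item 4
IDLE_TIMEOUT = timedelta(minutes=30)     # M-06-16 item 3


@dataclass
class ExtractRecord:
    """One logged computer-readable extract from a database holding sensitive data."""
    extract_id: str
    user: str
    source: str
    created: datetime
    erased: Optional[datetime] = None                   # when the copy was destroyed
    still_required_confirmed: Optional[datetime] = None  # last re-justification date


def overdue_extracts(records: List[ExtractRecord], now: datetime) -> List[str]:
    """Return ids of extracts older than 90 days that are neither erased
    nor re-justified inside the window. Each id is a finding for the
    privacy officer to chase."""
    overdue = []
    for r in records:
        if r.erased is not None:
            continue                       # destroyed: nothing left to chase
        # The 90-day clock restarts when the owner re-confirms the extract is still needed.
        anchor = r.still_required_confirmed or r.created
        if now - anchor > EXTRACT_RETENTION:
            overdue.append(r.extract_id)
    return overdue


@dataclass
class Session:
    """Remote-access or mobile session state."""
    user: str
    last_activity: datetime
    authenticated: bool = True


def touch(session: Session, now: datetime) -> bool:
    """Record activity at `now`. If more than 30 minutes have elapsed since
    the previous activity the session is marked unauthenticated and False
    is returned, so the caller must force re-authentication."""
    if now - session.last_activity > IDLE_TIMEOUT:
        session.authenticated = False
        return False
    session.last_activity = now
    return True


# Constructed sample data: four extracts reviewed on 12 Sep 2006.
SAMPLE_EXTRACTS = [
    ExtractRecord("ex-001", "analyst1", "benefits_db", datetime(2006, 5, 1)),
    ExtractRecord("ex-002", "analyst2", "benefits_db", datetime(2006, 5, 1),
                  erased=datetime(2006, 6, 1)),
    ExtractRecord("ex-003", "analyst3", "benefits_db", datetime(2006, 3, 1),
                  still_required_confirmed=datetime(2006, 8, 1)),
    ExtractRecord("ex-004", "analyst4", "benefits_db", datetime(2006, 8, 1)),
]
REVIEW_DATE = datetime(2006, 9, 12)

if __name__ == "__main__":
    print("overdue extracts:", overdue_extracts(SAMPLE_EXTRACTS, REVIEW_DATE))
    s = Session("remote-user", datetime(2006, 9, 12, 8, 0))
    print("active at 08:20:", touch(s, datetime(2006, 9, 12, 8, 20)))
    print("active at 08:55:", touch(s, datetime(2006, 9, 12, 8, 55)))
```

Run against the sample data, only ex-001 is flagged: ex-002 was erased, ex-003 was re-confirmed on 1 Aug so its clock restarted, and ex-004 is only six weeks old. The session check returns True at 08:20 and False at 08:55 because 35 minutes passed since the last activity. Either check belongs in a scheduled job or a session middleware, where a False result produces a ticket or a forced login rather than a log line nobody reads.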

