It's been just over a year since the U.S Department of Veterans Affairs disclosed that a laptop PC and external hard disk containing personal data on 26.5 million veterans and active-duty military personnel were stolen from the home of a VA employee.
The disclosure sparked widespread concern over the perceived lack of information security controls at the agency. It prompted a sweeping overhaul of the agency's IT organization including top level personnel changes and a centralization of all IT development, operations and maintenance activities at VA.
Both the laptop and disk were later recovered by the FBI which also certified the data to have been untouched. Even so, the massive scope of the compromise and the attention it generated has driven considerable change in information security policies not just at the VA, but governmentwide, analysts and vendor executives said.
"Because of the sheer size of the VA breach, and because it was an issue that related to veterans, it really brought home the issue of security in a way that was not there prior," to the incident, said Geoff Gray, a lobbyist with the Cyber Security Industry Alliance, an industry advocacy group based in Arlington, Va. "If the question is 'what rises to a level to really draw the attention of policy makers' this one did," he said.
Here are five lessons learned and steps taken in the wake of the data breach, according to analysts and vendors.
1. A greater focus on data encryption within government
Since the VA breach, agencies across the government have begun paying more attention to encrypting data on laptops and other mobile devices, said John Pescatore an analyst with Stamford, Conn.-based Gartner Inc.
Pushing agencies in that direction is the White House's Office of Management and Budget (OMB), which shortly after the VA breach disclosure issued a memorandum to all agency heads recommending encryption of all sensitive agency data on mobile systems. The level of compliance with the directive is varied, but most agencies have either already purchased and implemented encryption tools on their mobile devices or are in the process of doing so, Pescatore said.
"Encryption is not the end of all problems, but it solves a very major problem," at government agencies, he said.
2. Stronger breach notification guidelines within agencies
Prior to the VA debacle, few agencies had any formal internal breach notification process, said Howard Schmidt, an independent security consultant and former White House cybersecurity adviser.
When breaches such as those at the VA occurred, there were few formal internal processes for notifying incident response teams and administrators. The VA incident "turned a tremendous amount of attention not just on the VA's own notification policies but across the entire government," Schmidt said. As a result, more agencies today have formal policies and procedures for reporting and responding to all suspected and confirmed information breaches, he said. The OMB's guidelines now require, in most cases, that agencies notify management of data breaches immediately when they happen.
3. More attention to data retention, classification and minimization
The VA breach also led to a governmentwide review of how personally identifiable information is stored, accessed and protected, said Chris Fountain, CEO of SecureInfo Corp., a McLean, Va.-based security services provider mainly to government agencies.
Many of agencies have undertaken or are planning to perform formal privacy impact assessments to understand how their agencies are collecting, using and protecting personal data, Fountain said. They are using such assessments to rate and prioritize their systems and then apply appropriate controls based on the amount of personal data each system contains, he said.
Many agencies are also trying to comply with an OMB directive issued in the wake of the VA breach that requires them to log all data extracts from databases holding sensitive information, Pescatore said. Under the directive, they are also required to verify that the data that has been extracted is erased within 90 days or is still being used for valid purposes, he said.
4. Stronger remote access policies
The VA breach spotlighted the need for better controls on agency data when it is being accessed from remote locations by teleworkers, said Kevin Richards, federal government relations manager for security vendor Symantec Corp.
In a memo soon after the breach, for instance, the OMB instructed all agencies to implement two-factor authentication for controlling remote access to agency networks and data from remote locations. It also asked them to require remote users to re-authenticate themselves after 30 minutes of inactivity.
In addition, the VA breach has also resulted in more focus on securing remote systems via the use of endpoint network admission control tools, he said. Such tools, which are available from a wide variety of vendors, are designed to ensure that any system logging into a network has adequate antivirus and firewall protections, has all the mandated configurations settings and is properly patched.
5. More authority for agency CIOs
Under a bill passed last year, the CIO's post at the VA has been elevated to the rank of an assistant secretary. The move was designed to give the CIO's office more clout and enforcement authority within the agency.
"The VA's CIO and CISO didn't have the authority to force changes to happen," Pescatore said. Now there are "definite signs across government that agencies want to elevate CIO positions," in the same way the VA did, he said.
This story, "Lessons From a Data Breach" was originally published by Computerworld.