Data breach: ATF = Another Total Failure?

6:33 am on November 3, 2008 | By Jim Allison | In data breach, data encryption, information security, risk management, security policy |

In September, the Washington Post reported on a five-year study of the ATF’s handling of government computers and firearms, which found that the agency had misplaced over 400 laptops, many of which held sensitive information. While this study focuses on the ATF, the sad truth is that the loss of computers, and of the often confidential information they contain, has become commonplace in both the public and private sectors. To a great degree, as a reading public we’ve become anesthetized to this news, at least until it impacts us - or our networks…

Of even more concern in the article was that in most cases the ATF had absolutely no idea what data might have been compromised and, as a result, whom the loss might directly affect. Since employees often don’t comply with stated data security policy, it is inevitable that data will find its way to the network’s edge - and become mobile.

It is insufficient for an organization to set a data security policy without putting in place the instrumentation and systems to ensure compliance with it. Furthermore, that compliance cannot depend upon the end user’s conscious adherence to a manual process - it just does not work. Managed solutions must be put in place that can ensure the end user’s compliance with corporate data security policy without requiring their active participation.

It is critical that data be encrypted - at a minimum - since only then can we be assured that data losses will not easily put ourselves and others at unnecessary risk. However, encryption by itself is not enough.
When the inevitable loss occurs, it is equally necessary to be able to ascertain the risk associated with the loss and to determine the necessary corrective action. Some may feel that plausible deniability is an effective approach to addressing this problem: “If you don’t understand the impact of the loss, you don’t need to consider it as serious.”

I think this is both wrong and short-sighted. Assuming you have the ability to respond, wouldn’t it be better to fully understand your risk so that an appropriate counteraction could be chosen? File and folder cataloging on devices within the control of an organization’s IT department should be an integral part of an effective PC data security solution. This capability can be used in many ways, including:

• risk assessment, by identifying the devices that contain particular sensitive data
• risk amelioration, by surgically destroying data that is found on unauthorized devices
• policy management, by identifying and establishing policies on the retention of sensitive data throughout an organization
• data forensics, by understanding the full extent of the impact of any data losses
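
To make the cataloging idea concrete, here is an added example (not from the original post or any product it alludes to) of a minimal device file catalog: each managed device reports the paths and hashes of its files along with a sensitive-data classification, so that IT can answer both the risk-assessment question (which devices hold a given class of data) and the forensics question (what was on the laptop that just went missing). The device names, paths, file contents and the two detection patterns are all constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample inventory: (device_id, path, file content) as reported by an agent
# during its last sweep. A real agent would catalog paths, hashes and labels, not ship content.
SAMPLE_FILES = [
    ("laptop-017", "C:/Users/jdoe/cases/witness_list.csv", "name,ssn\nJane Roe,123-45-6789\n"),
    ("laptop-017", "C:/Users/jdoe/notes.txt", "Meeting at 10am about the budget\n"),
    ("laptop-042", "C:/Users/asmith/finance/cards.txt", "card 4111 1111 1111 1111 exp 12/09\n"),
    ("laptop-042", "C:/Users/asmith/readme.txt", "nothing sensitive here\n"),
    ("laptop-099", "C:/Users/bjones/todo.txt", "buy milk\n"),
]

# Illustrative classifiers only; a production catalog would use the organization's own data classes.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def classify(content):
    """Return the sorted list of sensitive-data labels found in a file's content."""
    return sorted(label for label, rx in SENSITIVE_PATTERNS.items() if rx.search(content))


def build_catalog(files):
    """Build {device_id: [entry, ...]}; each entry records path, SHA-256 and labels."""
    catalog = defaultdict(list)
    for device, path, content in files:
        digest = hashlib.sha256(content.encode()).hexdigest()
        catalog[device].append({"path": path, "sha256": digest, "labels": classify(content)})
    return dict(catalog)


def devices_with(catalog, label):
    """Risk assessment: which managed devices hold data of the given class."""
    return sorted(d for d, entries in catalog.items() if any(label in e["labels"] for e in entries))


def loss_report(catalog, device):
    """Forensics: for a lost device, list the files that carried sensitive data and their labels."""
    return [(e["path"], e["labels"]) for e in catalog.get(device, []) if e["labels"]]


if __name__ == "__main__":
    cat = build_catalog(SAMPLE_FILES)
    print("devices holding SSNs:", devices_with(cat, "ssn"))
    print("exposure from losing laptop-017:", loss_report(cat, "laptop-017"))
```

Because the catalog is kept centrally, the loss report can be produced even when the device itself is gone, which is exactly the question the ATF could not answer.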

Tools that can both assess and eliminate risk represent a much better data security strategy than either ignorance or hope.
