Wednesday, February 14, 2007
Dialing 911 for Laptops
As the number of stolen laptops increases, CIOs must develop policies to protect against their theft.
By Chandler Harris
Feb 14, 2007
By now, just about every government IT professional has heard the story of the laptop full of valuable data that was stolen from an analyst working for the U.S. Department of Veterans Affairs (VA). But that's not the only government laptop to go missing with sensitive data. Consider the following:
* Last August, a laptop computer used by the Florida Department of Transportation to combat fraud was stolen, putting the personal information of almost 133,000 Florida residents at risk of the criminal activity the agency was trying to guard against, according to an article in the South Florida Sun-Sentinel.
* In March 2005, a thief walked into a University of California, Berkeley, office and swiped a computer laptop containing personal information on nearly 100,000 alumni, graduate students and past applicants, according to the Associated Press.

And it's not just happening in the public sector. According to Business Insurance magazine, Electronic Data Systems Corp., Ernst and Young L.L.P. and Boston-based Fidelity Investments have had laptops containing sensitive information on hundreds of thousands of employees and customers lost or stolen.
Laptop computers and mobile technology have spurred a nationwide mobile work force, with an estimated 45.1 million Americans working elsewhere besides their principal office in 2005, according to the International Telework Association and Council.
With the continued growth of a mobile, teleworking work force, embraced and promoted at all levels of government, laptops have become the preferential computer for many workers.
But along with the growing popularity of mobile computing, the threat of losing confidential data to laptop thieves has also increased. In 2003, 73 percent of companies did not have specific security policies for laptop computers, according to the Gartner Group. The highly publicized theft of a laptop from an employee of the VA in 2006, containing the personal information of 26.5 million veterans, revealed how vulnerable personal information is when stored on a laptop.
The laptop was recovered, but the VA suffered two other security breaches within the year. Similar incidents occurring at other government institutions -- including the IRS, the Federal Trade Commission and the Department of Transportation -- made public the ongoing threat to security in the form of unsecured mobile computing.
In 2005, more money was lost from notebook PC theft than from any other crime except computer viruses, according to an FBI computer crime survey of over 2000 public and private organizations in four states. According to the same survey, the average financial loss for each stolen laptop amounts to $89,000.
Still, the Government Accountability Office (GAO), the watchdog arm of the government, has published reports that reveal numerous federal agencies don't have proper safeguards or protections for data. According to the GAO, nine federal agencies have not issued policies on wireless networks, and 13 agencies have not established requirements for configuring or setting up wireless networks securely. The GAO also reported 18 agencies don't provide training programs in wireless security for their employees and contractors, and some agencies haven't configured laptops appropriately. In one instance, the GAO found a federal agency had more than 90 laptops that were not configured correctly.
After the well-publicized incidents of laptop loss in 2006, OMB deputy director Clay Johnson III issued a memorandum with a security checklist created by the National Institute for Standards and Technology, recommending four actions: use encryption when carrying agency data; use two-factor authentication provided by a device that is separate from the computer (such as a USB token); ensure that users reauthenticate after 30 minutes of inactivity; and verify that all sensitive data is purged within 90 days if no longer required.
The GAO has also recommended limiting the amount of secure data on laptops. When laptops containing secure data are absolutely necessary, the GAO suggests they have security controls such as encryption.
Vontu, a data protection company with Fortune 100 clients, adheres to the belief that reducing the amount of confidential data on laptop computers is the most effective way to avoid data loss. Vontu also recommends that an organization review and strengthen security and privacy policies to include provisions for laptops.
"A good plan will include security policies for laptops, periodic risk assessments, employee education, encryption technologies, data loss prevention software and response, and recovery procedures in case of laptop theft or loss," said Joseph Ansanelli, CEO for Vontu.
Ansanelli believes laptop theft is a symptom of a bigger loss prevention problem that extends to all areas of data security. He recommends all public and private companies consider three questions: Where is confidential data stored? Where is confidential information being sent? Where is the information being copied, such as USB drives, CD-ROMs and even MP3 players?
Next, Vontu recommends that if a laptop is lost, an organization scope the impact of exposed and confidential data and accurately assess the risk. This helps companies respond quickly and effectively when valuable data is lost.
In Arizona, which has a statewide teleworking program and also the dubious distinction of having the highest rate of identity theft in the country, data protection procedures are an important part of state government protocol. The state has standards for all data security, including wireless connections and any portable drives or laptops used by state employees, said CIO Chris Cummiskey. When the VA laptop theft occurred, Cummiskey met with other agency directors to remind them of the state standards and policies regarding encrypted data.
"Now we're pushing hard to make sure the directors of all the agencies know that they're responsible for making sure that their employees are adhering to the encryption standards," Cummiskey said. "We're experiencing good compliance in those areas. It's not to say it's a hundred percent, but we're working toward that on a daily basis."
Arizona is also implementing a statewide information security and privacy office. The office will work with state agencies to comply with state security standards and handle incident responses.
In Silicon Valley, where laptop use is high, Santa Clara County, Calif., is drafting a security policy for laptops and other mobile devices. The county requires all Windows-based laptops and mobile devices have hard disc encryption. The county has a security program that "inundates" employees with security information including brochures, online security programs and IT security bulletins issued with paychecks.
"We're taking it very seriously and the county executive is becoming more aware of our concerns and the risks the county has, so we're very supported in pushing out standards and getting departments to put appropriate software and procedures in place," said Joyce Wing, interim CIO for Santa Clara County.
Hopefully the rest of public-sector CIOs are taking laptop security just as seriously.
Labels: FL Dept. of Transportation
Thursday, August 24, 2006
U.S. DOT laptop with personal data on 133,000 Floridians stolen
Todd R. Weiss
August 10, 2006 (Computerworld) A laptop computer with the names, addresses, birthdates and Social Security numbers of about 133,000 Florida residents was stolen late last month from a government vehicle that was being used by an agent of the U.S. Department of Transportation's Office of Inspector General (OIG) in Miami.
In an announcement yesterday, the OIG's office said the laptop was taken from the parked vehicle on July 27. Investigators said they do not believe it was taken for the personal information that it contained.
OIG spokesman David Barnes said today in an e-mail reply to questions that the agent's government-owned vehicle was parked and locked outside a restaurant in Doral, Fla., when the theft occurred. "The agent noticed the laptop was missing at the end of the day when he returned home and picked up the computer case, which felt light," Barnes said. "He opened it and discovered that the Dell Latitude laptop and its charger [were] missing. He searched his home and office. When he and his supervisor subsequently inspected the vehicle, they found that one of the door locks had been tampered with."
According to the OIG, the laptop was password-protected and contained four databases with personal information on about 42,792 Florida pilots, 80,667 Miami-Dade County commercial driver's license (CDL) holders and 9,496 people who received their driver's licenses and/or CDLs from the Largo, Fla., licensing examining facility near Tampa. No financial or medical information was on the laptop, the OIG said.
The data was being used by the agency in connection with multiagency task forces focusing on the use of fraudulent information to obtain CDLs or airman certificates, according to the agency. The Tampa-area driver's licensing data was used as part of an ongoing investigation involving fraud at the licensing facility.
"We are making every effort to recover the stolen laptop and resecure the data it contains," Acting Inspector General Todd J. Zinser said in a statement. "We seriously regret this matter and take our responsibilities seriously. We have taken action and will continue to take steps necessary to prevent this from happening again."
A reward has been offered by the OIG for the return of the stolen laptop.
The agency said it is now taking measures to ensure that no other OIG laptops or portable devices assigned to field offices and headquarters employees contain such data. It is also tightening policies regarding laptop computer use.
Labels: FL Dept. of Transportation
DOT says it has lost two laptops with agency data this year
Linda Rosencrance
August 17, 2006 (Computerworld) The U.S. Department of Transportation (DOT) this week reported that one of its laptops was stolen from a conference room in a Florida hotel in April. That theft preceded one that occurred last month, meaning the agency has lost track of two of its laptops this year.
The DOT had acknowledged last week that a laptop with the names, addresses, birthdates and Social Security numbers of about 133,000 Florida residents was stolen in late July from a government vehicle being used by an agent of the U.S. Department of Transportation's Office of Inspector General (OIG) in Miami.
The first laptop was stolen on April 24, from a conference room in a hotel in Orlando, said Clayton Boyce, a spokesman for the OIG.
Boyce said that laptop was being used by a Transportation Department special agent from the Miami office who was there to present an anti-fraud conference. The agent told police she had left the laptop in a locked room but it was missing when she returned 45 minutes later, according to another OIG spokesman.
The laptop contained fraud case files involving government contracts and grants, according to the spokesman.
"We continue to take further steps to control security of the laptops and the sensitive information contained on them," Boyce said. "If there's sensitive information on employee laptops that they don't need, it's being removed -- and if they do need it then it's being encrypted."
While he wasn't sure whether the information on the laptop stolen in April was encrypted, the data on the one stolen in July was encrypted -- at least initially.
"Because of a problem with files being moved to a new server the information wasn't encrypted at time of the July theft, but it was protected by password," Boyce said.
Labels: FL Dept. of Transportation