Do you know the location of every one of your agency’s notebook computers — right now? Do you know who has them — right now? Do you know when those computers left the building — to the second? Are you positive that they all have valid ID markings?
If you can’t answer “yes” emphatically to all of these questions, then you probably don’t have adequate control of your notebook inventory, say federal and industry security experts. In organizations the size of most agencies, this is admittedly a tough challenge, says Kathryn Maginnis, associate deputy assistant secretary for risk management and incident response at the Veterans Affairs Department.
Take her department, for instance. More than 235,000 employees and 100,000 contractors work at more than 1,300 VA facilities, and nearly 100 percent of them work with health care records in some capacity, she says.
“That’s our landscape,” says Maginnis. “Many people coming and going” at lots of locations make data breaches possible.
But dealing with the physical components of security for mobile workers must take place in tandem with securing the least tangible part of the equation: data. A first step is to disavow yourself of the notion that you can easily create a policy about what does and does not comprise “sensitive” information and then focus security efforts on that data subset.
“You can’t make judgments in advance about what someone is going to think is sensitive — everything will be sensitive to someone,” says Maya Bernstein, privacy advocate for the Health and Human Services Department. Maginnis and Bernstein spoke during a recent American Council for Technology Industry Advisory Council briefing on information assurance.
Encrypt it all and remove extraneous uses of personally identifiable information, Bernstein says. She also suggests that agencies “should be impressing upon people to take the minimum amount of things out of the office to do their work.”
Adds Maginnis, “Because the likelihood of [a data loss] happening is so high, it behooves you to be good girl scouts and boy scouts and be prepared.”
A Just-Enough Approach
A chief rule of thumb for the U.S. Cyber Consequences Unit, a nonprofit security assessment body, is that organizations should view mobile technology as almost disposable. It says agencies should expect equipment to go missing and let that guide the mobile tools they supply to traveling employees and the security practices they demand.
Here are the US-CCU’s recommendations:
- Buy an inexpensive notebook for travel.
- Install only the applications you will need during the trip.
- Place the documents and data files you will need during the trip into a separate, secure, encrypted flash drive that you can carry in your pocket at all times.
- Make sure the notebook has not been accidentally loaded with any documents or data files, stored passwords, authentication cookies, accessories with personal information, or other sensitive settings and data.
- Make sure the travel notebook has a personal firewall, virus protection and the latest security patches.
- Put commercially sold anti-tamper seals over the notebook’s hard drive cover and over some of its case screws.
- Disable all external communications: wireless, infrared, Bluetooth, CD-ROM and USB ports.
- Enable a password to use during booting.
- Disable booting from CDs, USB storage devices or other external drives.
- Learn how to turn specific external connections back on when you need them, such as the USB connection for your secure flash drive.
- Make sure you disable an external connection each time you finish using it.
- When you return, transfer any material you need from your secure, encrypted flash drive to your other computers by sending it from an external computer.
- Have your cybersecurity team examine the notebook for signs of hardware tampering and do a secure wipe and reload of the hard drive.
- In the future, treat this notebook and flash drive as outside devices that should not be directly connected to internal networks.
A 24x7 approach to risk is the direction that information assurance teams are increasingly taking in government, says Thomas Oscherwitz, vice president of government affairs for identity intelligence consultant ID Analytics of San Diego. Agencies are deploying tools that continuously monitor for malicious actions, and then they rank incidents based on expected network behaviors and on data value, he says.
VA has a team whose job is just as Oscherwitz describes: It reviews all reported incidents and does triage to determine the department’s response and remediation plan, according to Maginnis.
A chief benefit of VA drawing so much attention because of the now-infamous data breach of two years ago is that the department created an enterprise incident-reporting process, she says, and it encourages people to report any and all incidents.“It’s not a bad thing to report when things happen,” Maginnis says. It helps people whose data is lost and also helps identify and prevent vulnerabilities. “We need to get away from the stigma that is associated with reporting.”