The Inspector General of the Department of Veterans Affairs recently released a 78-page report, “Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans”. The findings underscore key data security issues which simply must be addressed by any organization which handles sensitive or proprietary information. In the VA case, issues like authorization, management oversight, policies, reviews, and audits all come into play as weak links in the security breach which led to the theft of the personal data of 26.5 million veterans. 

Stephen Barr’s July 14 Federal Diary column in The Washington Post sums up the three key themes of the Inspector General’s report as “Bad judgment. Poor communication. Office politics.” Well said.  Unfortunately, those of us in the telework industry see these recurring themes among too many agencies and businesses that allow employees to work from home without first implementing a “formal” telework program. When formal telework policies and security procedures are not in place, well-meaning employees or managers often make poor judgements simply because they have no guidelines — an employee taking home a non-encrypted laptop with sensitive data on it is a prime example of “bad judgment.” 

When no telework program is in place, there is often a lack of communication among managers, IT personnel, HR execs, and the employees who work remotely. Managers often don’t have the tools and policies in place to help them guide their teleworking employees’ work practices, and when security breaches occur, there is a knee-jerk reaction to blame telework. In truth, the practice of telework is not to blame — it is the unplanned, unmanaged practice of teleworking by certain individuals, offices or organizations that is most often at fault.

The VA security breach did not have to happen. Had the Administration implemented basic standard policies and procedures for teleworking, the system would not have allowed any employee with access to sensitive data to download that data to a laptop that did not have proper encryption and security. Had the laptop been configured for this type of sensitive telework, it would have been of no more use to the thieves than a brick. Telework procedures and policies developed in conjunction with the Agency’s IT department would likely also have been able to make the sensitive data accessible remotely through a VPN (with proper security, of course), eliminating the need to download such sensitive data in the first place.

In order to fulfill COOP requirements, employees need to be able to do their work anywhere, including home. The tools and technology are available to make this possible while ensuring that sensitive data is not compromised. It’s vital that IT and management work together to examine what is required to fulfill an agency’s mission, and then deploy the correct tools, procedures, and policies to achieve that mission, regardless of what man or nature may throw into the equation. Had such a formal telework program been in place, complete with encrypted laptops and procedures for working with sensitive data from a remote location, the VA breach would never have occurred.

As we announced last week, Telework Consortium now provides detailed assessments to help organizations develop sound telework strategies. We evaluate workflow, work culture, IT infrastructure, and HR policies in order to recommend a custom program that will enable more employees to work efficiently, productively, and securely from home. Indeed, telework is not the problem with workplace security issues — ultimately, it can be a key part of the solution!

Rita Mace Walston
General Manager, The Telework Consortium 
