Veterans Affairs Secretary Jim Nicholson heard nothing but the din of condemnation following a massive loss of veterans data last year. But little did Nicholson know that the misfortune of millions of veterans and his response would shake up the federal government and scare many federal executives into making data security a top priority.
Watching Nicholson in the hot seat last year sent a clear message, said Alan Paller, research director at the SANS Institute, which offers training for network and system administrators. The fear of public embarrassment that accompanies the loss or exposure of personal data got executives to act.
"What they have is the Nicholson effect, because it was his testimony, his picture on TV and in publications that awakened the rest of the executive class (the secretaries, deputy secretaries and CEOs) that this is going to be an area of personal embarrassment," Paller said. "What it's done," he added, "is shifted the priority from 'Do it when you get around to it' to 'Do it now and make sure it gets done so I know it got done.'"
Since then, federal executives all the way up to President Bush have pressed to make protection of personally identifiable data a priority, especially when that data leaves federal premises. But the spotlight remains fixed on the Veterans Affairs Department, and inside the agency on Bob Howard.
Nicholson issued the directives that ordered VA to strengthen information technology security and later to centralize IT authority. But it is Howard, the agency's chief information officer, who leads departmentwide efforts to improve data security. Howard has initiatives under way to secure data stored on mobile devices, including laptop PCs and external hard drives, the types of equipment stolen in May 2006 from the home of a VA employee. Howard also is working to fill gaps in the agency's practices and procedures that could lead to further unauthorized personal data disclosures.
New technical measures should be in place departmentwide by September, Howard said recently. Meanwhile, VA is testing them in its northeast region, Region IV. Engineers are testing measures for encrypting removable media and storage, securing network transmissions, providing better security for remote access and protecting e-mail and documents, Howard said.