How do you defend yourself against 'good' employees?
Policies on taking data from the office need to have teeth
Much has been made of the theft last month of computer equipment containing personal data from the home of a Veterans Affairs Department employee, but less attention has been given to the fact that the real breach occurred when the employee carried that data out of his office. The burglary was just a footnote.
VA has proved more aggressive in controlling information about the data theft than it had been in controlling the data itself; officials will not say exactly how the data left the office.
Apparently there was a policy against it. But policy by itself is not enough.
'A good policy is one that is enforceable in a practical way,' said Andrew Klungness, an attorney specializing in intellectual property with the Los Angeles law firm Bryan Cave LLP.
Klungness said he was dumbfounded by the ease with which the employee violated VA policy on such a grand scale: he had been taking data home for several years.
'There are many technical solutions you can use,' he said. 'I think the government can do better than that.'
Unfortunately, the experience of organizations that have tried to implement access control systems has shown it is a complex task. Off-the-shelf products usually need to be heavily customized, and the identity management component, on which access privileges are based, is especially difficult to develop and maintain.
But technology, although complex and not adequate by itself, is essential to support policies and ensure that insiders who have a legitimate need to access sensitive data do not misuse that access. This requires an entirely different skill set than protecting IT systems from outsiders. It probably is more practical for large organizations such as VA to implement a system because it can spread costs and benefits widely across the enterprise.
Dennis Hoffman, a vice president for information security for EMC Corp. of Hopkinton, Mass., hit the nail on the head when testifying before the House Veterans' Affairs Committee about the missing data.
'How do we solve the problem of protecting data as opposed to protecting the IT infrastructure?' he said. 'The solution to this problem lies in people, processes and technology, where technology is actually the minor piece.'
Hoffman outlined three broad steps necessary for protecting data: First, define and understand what data is sensitive and how it is being used. Second, use rights management tools to control how this data can be used, copied and exported.
Third, and this is key, produce an audit trail of authorized access and unauthorized access attempts.
To tie all of this together, there must be consequences for misbehaving with other people's data. In case there is any confusion, 'consequences' should be read as a euphemism for 'fired.'
An audit trail by itself will not prevent misbehavior, but providing a permanent record that can be acted upon when misbehavior is spotted can be a powerful disincentive.
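The three steps Hoffman describes (classify the sensitive data, control how it may be used or exported, and keep a record of both authorized and unauthorized attempts) can be sketched in a small access gateway. The following is an added example, not code from the column or from any VA or EMC system; the records, roles and policy table are constructed, and the hash-chained log is one common way to make the audit record tamper-evident so that, as Klungness puts it, what an employee does "will be preserved".

```python
import hashlib
import json
from datetime import datetime, timezone

# Step 1: know what is sensitive. Constructed sample records, each tagged
# with a classification rather than left to the reader of the file to guess.
RECORDS = {
    "vet-0001": {"classification": "sensitive-pii", "owner": "benefits"},
    "form-1099-template": {"classification": "public", "owner": "benefits"},
}

# Step 2: rights policy (hypothetical). For each classification, which roles
# may read and which may export (copy out of the controlled system).
# Nobody is allowed to export sensitive PII: an empty set means "no one".
POLICY = {
    "sensitive-pii": {"read": {"analyst", "caseworker"}, "export": set()},
    "public": {
        "read": {"analyst", "caseworker", "contractor"},
        "export": {"analyst", "caseworker", "contractor"},
    },
}


class AuditTrail:
    """Step 3: an append-only log where every entry commits to the previous
    one via a SHA-256 chain, so deleting or editing an entry is detectable."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._prev_hash = self.GENESIS

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user, role, record_id, action, allowed, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        entry = {
            "ts": when, "user": user, "role": role, "record": record_id,
            "action": action, "allowed": allowed, "prev": self._prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self._prev_hash = entry["hash"]
        return entry

    def verify(self):
        """Recompute the chain; False means the log was altered after the fact."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def request_access(trail, user, role, record_id, action, when=None):
    """Decide an access request against POLICY and log the outcome either way.
    Denied attempts are logged too: that is the 'unauthorized access attempts'
    half of the audit trail."""
    record = RECORDS.get(record_id)
    if record is None:
        allowed = False  # unknown record: deny, but still leave a trace
    else:
        rights = POLICY[record["classification"]]
        allowed = role in rights.get(action, set())
    trail.record(user, role, record_id, action, allowed, when)
    return allowed


def denied_exports(trail):
    """The entries a security officer would review first."""
    return [e for e in trail.entries if e["action"] == "export" and not e["allowed"]]


if __name__ == "__main__":
    log = AuditTrail()
    request_access(log, "jdoe", "analyst", "vet-0001", "read")
    request_access(log, "jdoe", "analyst", "vet-0001", "export")
    for e in denied_exports(log):
        print("DENIED export:", e["user"], e["record"], e["ts"])
    print("log intact:", log.verify())
```

The point of the chain is not to stop the copy by itself; the policy table does that. It is to make the record of who tried what survive later tampering, so that the consequences the column calls for can rest on evidence.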
'The employees are less motivated to violate a policy if they know that what they are doing will be preserved,' Klungness said.

GCN senior writer William Jackson writes the Cybereye column. E-mail him at firstname.lastname@example.org.