VA tool patrols the network
In the wake of a massive data breach in 2006, the Veterans Affairs Department was forced to improve the way it handles sensitive data and breaches.
'We needed to expand our data response capability,' said Laura Nash, VA's director of risk assessment services.
The impetus for change was the theft in May 2006 of a laptop PC containing information on more than 26 million veterans and more than 2 million active-duty military, National Guard and Reserve personnel.
The laptop was recovered, and it did not appear the data was compromised, but the Office of Management and Budget issued new guidance on the handling of identifiable personal information.
And the pressure was on VA to institute a departmentwide, standardized and repeatable process for collecting data on security incidents, evaluating their severity and responding to them.
VA had a Security Operations Center, to which all security incidents must be reported within an hour of their discovery under the new OMB requirements. But, 'the SOC was originally developed to monitor and report on cyberattacks and cyberincidents,' Nash said. As the 2006 breach showed, there are other avenues of risk and exposure, and this outward-facing posture no longer was adequate. 'We needed to expand the SOC capability to include data breach analysis and response,' she said.
An integrated project team composed of security and privacy officers from VA's various agencies came up with the Formal Event Review and Evaluation Tool (FERET) to report all security incidents to the newly named Network Security Operations Center.
As its acronym implies, the tool is used to ferret out significant incidents from the noise of routine reports generated daily across the large department.
'FERET was 100 percent developed from scratch,' said VA information technology specialist Martin DeLeo. 'We added on the incident reporting process' to an existing help-desk application.
'We're trying to quantify security incidents as they are reported.'
FERET was developed using the Remedy Action Request System, or Remedy ARS, a platform from BMC Software for rapidly designing and developing automated workflow tools.
'One of the common uses for it is help-desk applications,' said Chris Olson, technical manager, BMC Public Sector.
Remedy ARS works with third-party databases from all the major vendors and provides code directing applications in handling data and interacting with users. An open application programming interface enables custom development.
The system includes forms for entering and viewing data, links to direct workflow, filters to enforce business rules, and escalations to move data on a timely basis. These functions can be bundled into applications.
'It's an intuitive environment to develop in' and has drag-and-drop tools, Olson said.
VA privacy and security officers report security breaches and incidents to the network SOC through FERET, which is accessed on the department's intranet.
In making the report, they answer a set of 54 questions to quantify the risk. The questions concern the type of data involved; physical, technical and administrative factors of the incident; the number of people involved; and mitigating factors.
'We have a weighting table behind the questions' that is used to compute a risk score, DeLeo said.
FERET has been in place since June 1. 'It's working well,' he said. 'We're coming up with a Version 2.'
The next version, due this year, will fine-tune the questions that reporting officers must wade through, DeLeo said.