VA to control, restrict use of mobile storage devices

ORLANDO - In the next month, the Veterans Affairs Department will let employees plug into its network only those mobile storage devices issued by the CIO's office.

Robert Howard, VA CIO, yesterday said that while his office already mandated that these mobile devices, known as thumb drives, be encrypted, he is taking security a step further. He is requiring employees to apply and demonstrate a need for a thumb drive, and have their supervisor sign off on that need before the CIO's office will issue the thumb drive. Howard is going even further by issuing only 1G and 2G thumb drives and not allowing anything larger onto the network unless he approves it.

'This effort is to drive down the use of thumb drives,' he said after his speech at the Information Processing Interagency Conference sponsored by the Government Information Technology Executive Conference. 'This will help us eliminate future problems by shutting down an easy way to take data out of the office.'

The mobile storage devices also must be certified under the National Institute of Standards and Technology's Federal Information Processing Standard 140-2, he added.

Last May, a VA employee took home personal information on 26 million veterans. Subsequently, the hardware that contained the information was stolen. Under great pressure from the Hill and the administration, VA has instituted a number of new policies, including the one for thumb drives, to ensure this doesn't happen again.

Besides controlling thumb drives, Howard aims by the end of fiscal 2007 to have a standard configuration for smart phones and personal digital assistants, eliminate unencrypted messages that travel on VA's network and reduce the number of virtual private networks.

VA also is relying more on public-key infrastructure and Microsoft Corp.'s rights management system in its Outlook e-mail system to better secure e-mail and documents.

'We had issued 30,000 digital certificates in the fall and now we have issued 85,000 PKI certs,' Howard said. 'RMS is easier to use than PKI. We will continue to do both.'

While Howard wants to institute all of these changes in the short term, he also is thinking about long-term security. Earlier this week, VA issued a request for information for 'soup to nuts for data security.'

VA's reorganization also is moving forward. Howard said the agency shortly will send a legislative package to the Office of Management and Budget to be submitted to the Hill to promote VA's five deputy CIOs to assistant secretaries for different IT functions, such as information security, strategic planning, resource management, application development, and operations and maintenance.

'We don't know if we will get that approved, but we want to raise the title so we can attract the best talent,' he said.

While Howard waits for lawmaker approval on the title changes, he has organized new governance boards: a business needs and investment board; and a planning, architecture and technology services board.

Each will report to the IT Leadership Board, which in turn reports to the Strategic Management Board. The strategic board is led by the deputy secretary and made up of high-level agency executives.

'I would like these new governance boards to only address the big issues that can't be handled at the action office level,' Howard said. 'The target is for them to meet once a month, but I'm not sure if it will always be necessary.'
