The Veterans Affairs Department has suspended use of employee-owned computers for official agency business and has limited telework at one of three major divisions, in an effort to prevent security breaches.
Anytime a security breakdown happens, the upper management's ass is on the line, so they must appear as if they are doing something to fix the situation.
The agency also is issuing a directive reminding employees that failure to comply with department policy regarding the protection of personal data could result in administrative, civil or criminal penalties, VA Secretary James Nicholson testified Thursday at a House Government Reform Committee hearing. The panel called the hearing to discuss the department's response to the early May theft of sensitive records from the home of a VA employee.
The employee who lost 25 million some-odd records violated VA policy. It's as simple as that. No other security measure that you can implement would prevent data loss if somebody who has access to the data violates policy.
Meanwhile, they make life more difficult for the people who were NOT being idiots and violating policy. Heck, they require "cyber security awareness" and "privacy" training every year. It's basically the same course. This time, they've mandated it be completed by June 15 instead of the traditional Sept. 31. What's the net result? Thousands and thousands of people trying to do the web-based training right now, and the web servers and network are completely hosed and inoperable.
I just don't get why problems need to be compounded. An employee did a really stupid thing, so let's do more stupid things that won't solve the problem. The problem, of course, is that human beings are stupid and do stupid things, period.
Oh.. and by the way.. nothing will keep sensitive data from getting out. Take it from a guy who writes software for one of the largest systems/databases in the world. It will get out eventually - every single time, no matter what you do.