Posts Tagged ‘Government’

Energy Department needs additional security

August 13th, 2009

Via Federal Computer Week, the US DOE inspector general recently performed an IT security audit and found that “the department hadn’t ensured that sensitive data stored on mobile devices, sent in e-mail messages, or sent to off-site backup storage is sufficiently protected by encryption, as appropriate.”

The DOE partially agreed with the findings but added:

…taking adequate steps to ensure that there is no sensitive information on laptops or mobile devices should be sufficient without requiring encryption of all data on all devices.

This seems to rely a great deal on user behavior and will be vulnerable to malicious actions or just poor judgment by employees.

Data Security, Government, Portable Storage

UK Data Loss Roundup

July 27th, 2009

Lost memory sticks continue to be a problem for organizations in the UK including MI6, which had to abandon a major drug operation.

“Our February 2009 industry survey showed that less than 50 per cent of UK public and private sector organisations use any form of data encryption.”

Other recent headlines:

Welsh Council loses children’s data

Loss of patient details prompts warning for five NHS trusts

Data Security, Government, Healthcare, Portable Storage

White House creates Cybersecurity Coordinator position

May 29th, 2009

Past attempts to create centralized security policy have had mixed results. For example, OMB memos regarding portable device encryption (PDF link) were sometimes ignored by individual agencies. Security experts wonder if this time will be different…

“Unless they actually control some purse strings, all they can do is beg, plead, cajole and evangelize,” Schneier said. “They can’t really get anything done and that’s been traditionally the problem with cybersecurity czars.”

Data Security, Government

UK MoD confirms laptop and memory stick losses

May 18th, 2009

The UK Ministry of Defence is losing laptops at a rate of one every 12 days.  In addition, 20 USB Flash Drives have been reported missing year-to-date.

As quoted at ITPro, Minister of State Bob Ainsworth claimed that “new processes, instructions and technological aids” were being used to “mitigate” human error. One would hope that these new procedures include embedded hardware-level encryption in all mobile devices.

Data Security, Government

Spotlight on mobile device encryption

May 11th, 2009

Computing follows up on recent NHS security lapses and notes that “more organisations are waking up to the need to encrypt mobile devices”.

Butler Group’s Kellett added that using the economic downturn as an excuse for non-deployment was very misguided: “OK, we’re in a downturn – but we have to ensure that the business is firing on all cylinders and the last thing we want to be is on the front page of Computing surrounded with bad headlines.”

Data Security, Government, Healthcare

US States wrestle with data security

May 6th, 2009

Oklahoma has recently suffered several data breaches involving lost laptops and USB flash drives. Oklahoma is not the only state to struggle with data security, but it is one of only four states that do not have a Chief Information Officer. With budgets shrinking, it will be interesting to see how states weigh the upfront cost of implementing encryption against the potentially higher cost of a data breach.

Tulsa World editorializes here.  An Oklahoma State Rep blogs about proposed legislation here.

Data Security, Government

Britain’s NHS reveals new data breaches

May 4th, 2009

Last week the NHS reported four more data breach incidents, two involving USB flash drives containing sensitive personal info.  In one case, someone took the effort to encrypt the data, but then affixed the password with a post-it note.  In the other case, the flash drive was unprotected and left at a car wash.

Following an investigation, it became clear that the information contained on the memory stick was only looked at by the car wash attendant before returning it to the hospital.

It’s good to see health care organizations use encryption to protect patient data. Unfortunately, good policy can be defeated with a simple post-it note. Organizations can go a step further by remotely managing their portable devices. With prompt incident reporting, a lost drive can be deleted or disabled before any data can be accessed. And you have the audit logs to prove it.

Data Security, Government, Healthcare

Kanguru Biometric drive completes FIPS 140-2

April 20th, 2009

The Kanguru Bio AES encrypted USB Flash Drive has completed FIPS 140-2 certification. FIPS 140-2 is a comprehensive 3rd-party testing process that certifies the encryption module for use in US and Canadian Government applications. The standard is also seen as a stamp of approval by other Government and Corporate security professionals.

Kanguru Bio AES features a built-in fingerprint sensor for 2-factor authentication (bio and password).  Kanguru will offer a FIPS 140-2 version of the drive to both Government and Commercial users.  The FIPS certificate and security document are posted by NIST here.

Data Security, Government

Kanguru e-Flash Review

April 13th, 2009

PC Magazine has given the Kanguru e-Flash four stars in a recent review.

It excelled even more with eSATA, with a 26.4-MBps write speed—an 86 percent boost in average write speed over USB 2.0. Read speeds jumped 27 percent to 32 MBps over eSATA.

View the speed test results here.

For a round-up of e-Flash reviews, see our previous post.  Last year, Kanguru Defender was reviewed with an early version of Kanguru Remote Management Console at Tom’s Hardware.

UPDATE (4/14/09):  Government Computer News has also published a review of the Kanguru e-Flash.

Scorecard:

Performance: A+
Ease of Use: B
Features: A
Value: A

It looks ordinary at first but use it to transfer a gigabyte or two of data and you’ll realize that it almost has super powers.

Data Backup, Government

Government data breaches continue

April 3rd, 2009

Government entities are leading the way in data breaches so far this year.

According to ITRC, a nonprofit organization whose work is supported by a Justice Department grant, the government and military sector were the chief offenders, accounting for 78 percent of all exposed records with just 22 breaches.

To be fair, the bulk of those records were lost in a single incident at the Arkansas Dept of Information Services.  Among other sectors, banking and financial companies did the least amount of damage, with 12 breaches and 288 records exposed.

Data Security, Financial, Government, Healthcare