GAO: Most sensitive data on government laptops still unencrypted
Watchdog agency says only 30% of such info was encrypted as of last September
IDG News Service - Despite a series of high-profile data breaches at federal agencies in recent years, only about 30% of the sensitive information stored on laptops and mobile devices used by federal workers was encrypted as of last September, according to a report issued by the Government Accountability Office.
The GAO, which released the report to the public today (download PDF), examined the use of encryption technology at 24 major agencies. The federal watchdog defined several types of data as sensitive, including medical records, other personal information, law enforcement records and information deemed to be essential for homeland security purposes.
"While all agencies have initiated efforts to deploy encryption technologies, none had documented comprehensive plans to guide encryption implementation activities," the GAO said in the report. "As a result, federal information may remain at increased risk of unauthorized disclosure, loss, and modification."
The report follows a string of security mishaps involving government-issued laptops. The biggest occurred in May 2006, when the Department of Veterans Affairs reported that a laptop and hard drive containing the personal information of 26.5 million military veterans and active-duty personnel had been stolen from the home of an agency employee. Law enforcement officers recovered the hardware the following month, and the VA began encrypting the data on all of its PCs, handheld devices and smart phones later that year.
But the VA has had plenty of company. Last year, for example, the GAO reported that 490 laptops were lost or stolen from the Internal Revenue Service between early 2003 and mid-2006. Many of those laptops likely contained the personal data of U.S. taxpayers, according to a separate report by an auditor at the IRS.
In another example, the Department of Commerce reported in September 2006 that 1,137 of its laptops had been lost or stolen since 2001, with 249 of them containing some personal data.
The GAO's new report notes that several laws, including the Federal Information Security Management Act of 2002, require agencies to protect their data. In addition, the White House Office of Management and Budget (OMB) first recommended in 2006, then required in May of last year, that agencies encrypt all sensitive data stored on mobile computers.
Following the lead of the VA, federal agencies have been increasing their encryption efforts. But two members of the House Homeland Security Committee said this week that they're disappointed with the progress being made by agencies, based on the GAO's findings.
"Encryption is not an option, it is a mandate," Rep. Bennie Thompson (D-Miss.) said in a statement. "Unfortunately, I'm not surprised that despite mandates by OMB, the federal government is only 30% of the way there." Thompson, the Homeland Security Committee's chairman, added that investing properly in cybersecurity now "will keep us from paying dearly in the long run."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts