One year later: Five lessons learned from the VA data breach

Massive breach drives security reforms governmentwide


4. Stronger remote access policies

The VA breach spotlighted the need for better controls on agency data when it is being accessed from remote locations by teleworkers, said Kevin Richards, federal government relations manager for security vendor Symantec Corp.

In a memo soon after the breach, for instance, the OMB instructed all agencies to implement two-factor authentication for remote access to agency networks and data. It also asked them to require remote users to reauthenticate after 30 minutes of inactivity.

In addition, the VA breach has resulted in more focus on securing remote systems through endpoint network admission control tools, Richards said. Such tools, which are available from a variety of vendors, are designed to ensure that any system logging into a network has adequate antivirus and firewall protections, has all the mandated configuration settings and is properly patched.

5. More authority for agency CIOs

Under a bill passed last year, the CIO's post at the VA has been elevated to the rank of an assistant secretary. The move was designed to give the CIO's office more clout and enforcement authority within the agency.

"The VA's CIO and CISO didn't have the authority to force changes to happen," Pescatore said. Now there are "definite signs across government that agencies want to elevate CIO positions" in the same way the VA did, he said.

Copyright © 2007 IDG Communications, Inc.
