Apps can expand security scrutiny

On the heels of the Office of Management and Budget’s June call for wider use of encryption to protect sensitive data when it leaves agency premises or is accessed remotely, agencies are taking several approaches.The Veterans Affairs Department has encrypted its laptops at the hard drive, said VA CIO Robert Howard.“If you have a VA laptop and it is stolen, it turns into a brick,” he said.VA doesn’t yet have a detailed plan about how to deal with non-VA equipment, such as when non-VA physicians who treat veterans generate and use veterans’ health data on their own computers. Department officials hope to devise a plan during the current fiscal year for those who are authorized to work remotely and use the VPN, he said.“It will more than likely involve the issuing of some government-furnished equipment, which we can control,” Howard said.In the interim, VA has reminded all users that they must adhere to VA directives on data security and encrypting sensitive data outside of VA facilities. For example, the physician working part time for VA using his own laptop should purchase hard-drive encryption software for his computer, Howard said.“We have clearly sent the message that the onus is on you, the user, to take care of that. You must comply with the directive, just as part of doing business or volunteering with VA,” he said.Agencies can automatically test how well contractors secure sensitive data, said Alan Paller, research director of the SANS Institute in Bethesda, Md. For example, an agency can require in its contract that the vendor use automatic configuration testing software and deliver the report to the agency. “The contract should call for a quarterly report that the computer generates,” Paller said.The Housing and Urban Development Department uses enterprise rights management software, which provides from a central location what rights the user has on the computer, and sets up and deletes passwords, said HUD CIO Lisa Schlosser.