I knew it wouldn't take long: re - stolen VA Records official the fault of GWB

jasendorf said:
I can't believe you people expect so little in regards to information security.

While those of us not working for the government are securing data and resecuring data, the government is ignoring its own lack of security.

For all the ex-military around here... I find it hard to believe that any one of you can ever remember passing a billboard that didn't have a flyer on it that said something to the effect of, "Lock It Up, Preventing Theft Is Your Responsibility" which then had some silly cartoon padlock with a smiley face on it.

I don't know about you, but if I failed to lock my doors and some criminal walked in and stole from me... I'd feel some of the responsibility for not LOCKING MY SH*T UP! But, I guess everyone here believes that there are no criminals and no shortcut-takers so there's no reason to have strong security measures in places where millions of veterans' personal information is accessible. A simple "don't take it home" is "security" enough in your eyes?

Ludicrous.

And stupid.


Do you speed on the freeway? Do you steal things out of the grocery store?
 
jasendorf said:
I can't believe you people expect so little in regards to information security.

While those of us not working for the government are securing data and resecuring data, the government is ignoring its own lack of security.

For all the ex-military around here... I find it hard to believe that any one of you can ever remember passing a billboard that didn't have a flyer on it that said something to the effect of, "Lock It Up, Preventing Theft Is Your Responsibility" which then had some silly cartoon padlock with a smiley face on it.

I don't know about you, but if I failed to lock my doors and some criminal walked in and stole from me... I'd feel some of the responsibility for not LOCKING MY SH*T UP! But, I guess everyone here believes that there are no criminals and no shortcut-takers so there's no reason to have strong security measures in places where millions of veterans' personal information is accessible. A simple "don't take it home" is "security" enough in your eyes?

Ludicrous.

And stupid.


Such data centers are "locked up". But there is nothing you can do about the employees themselves. If someone wants to steal such information when they have access to it, they probably can. That's why most people in such positions undergo security background checks (which cost a lot of money). Like I said, I have no doubt there was/is good security measures already at the place this happened at. Point is it was a human from the inside that deliberately broke the rules, there is just not much we can do about that as far as trying to prevent it. All we can really do is send such people to jail.

The government is not some omnipotent power that can control everything, such as most liberals believe. It's full of holes, incompetence, and in many instances bereft of any logic. And I doubt even in the private sector if someone working in the computer field really wanted to, wouldn't be able to find a way around sneaking data out of their secure area.
 
By the way Jasen you are stealing that sig from David2000, another liberal who used to troll these boards a lot and couldn't stand the fact that you can't spell Liberals without Lies :teeth:
 
theHawk said:
Such data centers are "locked up". But there is nothing you can do about the employees themselves. If someone wants to steal such information when they have access to it, they probably can. That's why most people in such positions undergo security background checks (which cost a lot of money). Like I said, I have no doubt there was/is good security measures already at the place this happened at. Point is it was a human from the inside that deliberately broke the rules, there is just not much we can do about that as far as trying to prevent it. All we can really do is send such people to jail.

The government is not some omnipotent power that can control everything, such as most liberals believe. It's full of holes, incompetence, and in many instances bereft of any logic. And I doubt even in the private sector if someone working in the computer field really wanted to, wouldn't be able to find a way around sneaking data out of their secure area.

So, "Ho Hum, oh well, so sorry" is how we hold the government accountable? That's how we weed out the holes and the incompetence? There is no way to convince me that 26 million records can be on a laptop which an employee then takes home and tell me there were proper infosec measures in place.

And, I have yet to see anyone even suggest that he was "sneaking" the data out. If this guy was some spy who was selling the info to the Russian mob... I could then say, "OK, it's this guy and this guy alone... he scammed the security." But, that's not the case... this is purely bad security complete with some rose-colored glasses.

Who should answer for it?
the employee-fired at least

his manager-if determined that he knew these records were on the employee's laptop, fired... if not then reprimanded for not knowing what his employees were doing or not properly training his employees

the infosec manager-reprimanded or fired for not putting in place measures strong enough to prevent the loss of this data

And that's about as far as I think it should go...






Not to say that I wouldn't mind seeing the guy who hired the guy who hired the guy who hired the guy who hired the infosec director fired too ;)
 
theHawk said:
By the way Jasen you are stealing that sig from David2000, another liberal who used to troll these boards a lot and couldn't stand the fact that you can't spell Liberals without Lies :teeth:

Well, I hope you're flattered.
 
jasendorf said:
So, "Ho Hum, oh well, so sorry" is how we hold the government accountable? That's how we weed out the holes and the incompetence? There is no way to convince me that 26 million records can be on a laptop which an employee then takes home and tell me there were proper infosec measures in place.

And, I have yet to see anyone even suggest that he was "sneaking" the data out. If this guy was some spy who was selling the info to the Russian mob... I could then say, "OK, it's this guy and this guy alone... he scammed the security." But, that's not the case... this is purely bad security complete with some rose-colored glasses.
Yes, it was sneaking data out. As a government employee I can guarantee you he was BRIEFED he was not supposed to do that. Putting the data on a laptop and walking out of his workplace taking it to his home was illegal, and he had to know it, hence we can say he was "sneaking" it. It doesn't mean he had to tip-toe past some security guard patrolling the exit of the building with his eyes looking for employees trying to sneak laptops out. Now tell me again since you still haven't, what brilliant idea do you have for the government to prevent its own employees from taking data out of their work centers? Want to pay for security guards to strip search every single government employee at every single government facility with computers? In this case it was a laptop he took out, but it could just as easily have been data on an external hard drive, discs, or hell he could have emailed it out to an external account, or just remoted in and downloaded from home...or....get the point? There are a hundred different ways to transfer data. No amount of "security" is ever going to prevent employees, especially Network administrators from doing so IF THEY WANT TO.

jasendorf said:
Who should answer for it?
the employee-fired at least

his manager-if determined that he knew these records were on the employee's laptop, fired... if not then reprimanded for not knowing what his employees were doing or not properly training his employees

the infosec manager-reprimanded or fired for not putting in place measures strong enough to prevent the loss of this data

And that's about as far as I think it should go...

Sounds like we agree
 
GotZoom said:
Do you speed on the freeway? Do you steal things out of the grocery store?

Since you are hesitant to answer my questions El Dorfo...allow me.

jasendorf said:
Do I speed on the freeway? Of course I do. Everyone does.

Do I steal things from a grocery store? Of course not. Stealing is wrong.

Thanks for answering El Dorfo.

Who is to blame for your speeding? Is it your fault because you have the choice of following the law or breaking it? Or is it the fault of the car manufacturers because they did not take proper precautions (limited engine HP, governor on acceleration, etc) to ensure you remain under a certain speed limit?

Stealing is wrong. I'm glad you recognize that. You have a decision to make, every time you walk into a place of business. Do the right thing and pay for your purchases. Or do the wrong thing, what you know is unacceptable, and steal.

Just as the guy who took the information home. We all know he received briefings outlining his job responsibilities. And we know that he was told that he was not to take certain parts (or all) of his work home.

But he did. He chose to. Just as you choose to speed, you take your chances on getting caught. He got caught.

And just as you choose to not steal, he had the same ability to pick between what was right and wrong.

"Do I take this home or not? I know I shouldn't...it is wrong."

"But I will anyway."

Let me throw a couple of words at you. Personal responsibility.

HIS FAULT.
 
GotZoom said:
Since you are hesitant to answer my questions El Dorfo...allow me.



Thanks for answering El Dorfo.

Who is to blame for your speeding? Is it your fault because you have the choice of following the law or breaking it? Or is it the fault of the car manufacturers because they did not take proper precautions (limited engine HP, governor on acceleration, etc) to ensure you remain under a certain speed limit?

Stealing is wrong. I'm glad you recognize that. You have a decision to make, every time you walk into a place of business. Do the right thing and pay for your purchases. Or do the wrong thing, what you know is unacceptable, and steal.

Just as the guy who took the information home. We all know he received briefings outlining his job responsibilities. And we know that he was told that he was not to take certain parts (or all) of his work home.

But he did. He chose to. Just as you choose to speed, you take your chances on getting caught. He got caught.

And just as you choose to not steal, he had the same ability to pick between what was right and wrong.

"Do I take this home or not? I know I shouldn't...it is wrong."

"But I will anyway."

Let me throw a couple of words at you. Personal responsibility.

HIS FAULT.


Sorry about that... I was banned for a while there and never made it back to this thread. I was reminded about it when my wife just called me to let me know that I got a letter from the VA saying my records were part of the "lost data."

The problem with your analogy is twofold. First, the police are charged with enforcing speed limits. The speed limits aren't some kind of "honor system"... and I certainly don't speed in places where I think there might be a speed trap. Secondly, when speeding increases, deaths increase, people get mad, the police up their enforcement.

What I want to know is why this guy wasn't fearful of being caught in a data loss prevention "speed trap" and what they're going to do to up their enforcement.



Can't wait to read this letter I got when I get home.
 
jasendorf said:
Sorry about that... I was banned for a while there and never made it back to this thread. I was reminded about it when my wife just called me to let me know that I got a letter from the VA saying my records were part of the "lost data."

The problem with your analogy is twofold. First, the police are charged with enforcing speed limits. The speed limits aren't some kind of "honor system"... and I certainly don't speed in places where I think there might be a speed trap. Secondly, when speeding increases, deaths increase, people get mad, the police up their enforcement.

What I want to know is why this guy wasn't fearful of being caught in a data loss prevention "speed trap" and what they're going to do to up their enforcement.



Can't wait to read this letter I got when I get home.

Letter isn't anything to get excited about. What to do if you suspect your info is being used, blah blah blah.

Analogy is just fine. It comes down to personal responsibility.

It doesn't matter what safeguards are or aren't in place, if you know you shouldn't do "wrong", then you won't do it.

Again, I could have taken all kinds of classified material out of my work place but I knew it was wrong. The reason I didn't do it was out of fear I would get caught, just as the reason I don't steal isn't because I'm afraid of getting caught.

It's not the right thing to do.

Personal responsibility.

You ask why this guy wasn't afraid of getting caught. I'm thinking that when he was younger, perhaps even a very young child, he wasn't disciplined by his parent(s) and taught the difference between right and wrong.

I'm guessing his parent(s) probably made excuses for many things, and never took personal responsibility for their own actions either.
 
Relying on employees' sense of personal responsibility isn't an effective security measure. It's as simple as that. Never has been, never will be. While I find the idea quaint, out here in the real world we use more realistic measures to protect employees' and customers' data. We're just going to have to agree to disagree I guess.

And, you were right about the letter... I did find what I was looking for though.

Answers to Frequently Asked Questions
7 - What is the Department of Veterans Affairs doing to ensure that this does not happen again?

The Department of Veterans Affairs is working with the President's Identity Theft Task Force, the Department of Justice and the Federal Trade Commission to investigate this data breach and to develop safeguards against similar incidents. The Department of Veterans Affairs has directed all VA employees complete the "VA Cyber Security Awareness Training Course" and complete the separate "General Employee Privacy Awareness Course" by June 30, 2006. In addition, the Department of Veterans Affairs will immediately be conducting an inventory and review of all current positions requiring access to sensitive VA data and require all employees requiring access to sensitive VA data to undergo an updated National Agency Check and Inquiries (NACI) and/or a Minimum Background Investigation (MBI) depending on the level of access required by the responsibilities associated with their position. Appropriate law enforcement agencies, including the Federal Bureau of Investigations and the Inspector General of the Department of Veterans Affairs, have launched full-scale investigations into this matter.

Any typos in the above are mine ;)

Wish someone would have done the above BEFORE my data was stolen...
 
jasendorf said:
Relying on employees' sense of personal responsibility isn't an effective security measure. It's as simple as that. Never has been, never will be. While I find the idea quaint, out here in the real world we use more realistic measures to protect employees' and customers' data. We're just going to have to agree to disagree I guess.

And, you were right about the letter... I did find what I was looking for though.



Any typos in the above are mine ;)

Wish someone would have done the above BEFORE my data was stolen...

Being naive does not become you. You honestly think that the VA hasn't had any safeguards in place before this to ensure classified or sensitive/personal information isn't taken home?

All the classes, courses, background checks, etc...in the world will not prevent someone from doing something they aren't supposed to.

Personal Responsibility. Plain and simple.

If it's wrong. Don't do it.
 
