By Jason Miller
March 6, 2007
ORLANDO, Fla. -- In the next month, the Department of Veterans Affairs
will let employees plug into its network only those mobile storage
devices issued by the chief information officer's office.
Robert Howard, the department's CIO, said today that although his office
already mandated that these mobile devices, known as thumb drives, be
encrypted, he is taking security a step farther. He is requiring
employees to apply and demonstrate a need for a thumb drive and to have
their supervisors sign off on that need before the office will issue the
drive. Howard will issue only 1G and 2G thumb drives and will not allow
anything larger onto the network unless he approves it.
"This effort is to drive down the use of thumb drives," he said after his
speech at the Information Processing Interagency Conference sponsored by
the Government Information Technology Executive Conference. "This will
help us eliminate future problems by shutting down an easy way to take
data out of the office."
The mobile storage devices also must be certified under the National
Institute of Standards and Technology's Federal Information Processing
Standard 140-2, he added.
Last May, a laptop and external hard drive containing personal
information on about 26 million veterans were stolen from a VA employee's
home. Under intense pressure from lawmakers and the Bush administration,
the VA has instituted new policies, including the one for thumb drives,
to ensure that doesn't happen again.
Besides controlling thumb drives, Howard aims to have a standard
configuration for smart phones and personal digital assistants,
eliminate unencrypted messages that travel on the VA's network and reduce
the number of virtual private networks by the end of fiscal 2007.
The department also is relying more on public-key infrastructure (PKI)
and Microsoft's rights management system (RMS) in its Outlook e-mail
system to do a better job of securing e-mail and documents.
"We had issued 30,000 digital certificates in the fall and now we have
issued 85,000 PKI certificates," Howard said. "RMS is easier to use than
PKI. We will continue to do both."
Although Howard wants to institute all of these changes in the short
term, he is thinking about the VA's long-term security. Earlier this
week, the department issued a request for information for soup to nuts
for data security.
The VA's reorganization is also moving forward. Howard said the agency
will soon send a legislative package to the Office of Management and
Budget to be submitted to Congress. It will promote the VA's five deputy
CIOs to assistant secretaries for different IT functions: information
security, strategic planning, resource management, application
development, and operations and maintenance.
"We don't know if we will get that approved, but we want to raise the
title so we can attract the best talent," he said.
While Howard waits for lawmaker approval on the title changes, he has
organized new governance boards: a business needs and investment board,
and a planning, architecture and technology services board.
Each will report to the IT Leadership Board, which in turn reports to
the Strategic Management Board. The deputy secretary leads the strategic
board, which is made up of high-level agency executives.
"I would like these new governance boards to only address the big issues
that can't be handled at the action office level," Howard said. "The target
is for them to meet once a month, but I'm not sure if it will always be