Why federal agency mandates for laptop security will solve nothing

The White House has come down on federal agencies and mandated that, within 45 days, all civilian agencies must comply with two-factor authentication and laptop encryption, due to the recent high-profile cases of hacking and misplaced information.
Boy. This is another reach by management and public relations types that don’t know how to solve simple issues and are running off into left field.


Let’s do a quick breakdown. So far, the Department of Veteran Affairs case was actually someone who was not authorized to take home a computer and took one home anyway. You can’t stop policy violations, but that’s what happened. That person should be fired, but the media hasn’t mentioned anything yet. The VA actually has strict policies about checking out and checking in equipment, as do many agencies.
The hack attempts against the other agencies, such as the USDA, could have been prevented if they had actually bothered to concentrate on security in the least little bit.
Last of all, have people that are trained to do what they need to do, and quit micromanaging. Most of the issues have been, either directly or indirectly, top-down issues. If you hired someone to do security, then let them perform their duties and don’t tell them what to do. If they screw up, fire them. Actually performing just that act is a very big issue in the federal government.
Two-factor authentication and laptop encryption are great. But the fact of the matter is that you’re trying to solve issues with solutions that don’t fit the problem. Start handing down pink slips, including to the management that was in charge at the time. Start thinking about how to secure a network, instead of just writing about how you’re going to do it while you keep getting failing grades whenever the annual security checks are performed. It’s not really rocket science.
Via SecurityFocus

  • Department of Veteran Affairs laptop found

    It looks like they’ve finally recovered the data (laptop) and the VA employee that apparently didn’t have permission now indeed did have permission. How the heck do you misplace permission forms for that long? And don’t think the whole mandate…
