Weeks after the laptop theft, the Veterans’ Administration issued a recall to all its employees and contractors, ordering them to turn in all laptops, but according to a news article [RAS06], the purpose of the recall was to “ensure that all employees were meeting security policy requirements, such as having the correct software installed on their laptops.” The VA’s inspector general investigated the incident and sharply criticized the department for lax security procedures, including not enforcing security policies and failing to report the theft to department senior management. The analyst who took the laptop home was fired.
Interestingly, the “policy” to which the VA referred in its recall was to ensure that the “correct software” was installed on laptops. It is hard to understand how software is going to counteract theft of a physical device (although encryption software, to be described later in this chapter, could significantly help prevent loss of data confidentiality). Shortly after this theft and other slightly less egregious ones, the U.S. government required software protection for all data on laptop computers. But, as Sidebar 7-2 indicates, organizations have to create security policies that achieve the desired effect.