4.1.1 Case description
“On Wednesday, May 3, 2006, the home of a VA Information Technology Specialist was burglarized resulting in the theft of a personally-owned laptop computer and an external hard drive, which was reported to contain personal information on approximately 26 million veterans and United States military personnel. The employee immediately notified Office of Policy, Planning, and Preparedness (OPP&P) management. He also notified the VA Office of Security and Law Enforcement, which is part of the OPP&P organisation. The employee advised all of them that the stolen personal computer equipment contained VA databases and other files containing veterans’ personal identifiers such as name, social security number, military service number, claim number, date of birth, addresses and so on. On June 28, 2006, the stolen laptop computer and external hard drive were recovered intact. Based on all the facts gathered thus far during the investigation, as well as the results of computer forensics examinations, the FBI and OIG are highly confident that the files on the external hard drive were not compromised after the burglary.” [14]
4.1.2 Instance of the Generic Security Template
Step 1: Prepare the goal structure.
We have used the structured category of security requirements in FISCAM, specifically the general control section, as the goal structure for this security incident. FISCAM provides best practices on security control techniques and audit procedures.
General controls are designed to safeguard data, protect application programs, and ensure continued computer operations in case of unexpected interruptions. They cover security management, access controls, configuration management, segregation of duties and contingency planning. For each of these general control areas, FISCAM identifies several critical elements and best practices that are essential for establishing adequate controls. These form the goal structure for the VA 2006 data leakage incident.
Step 2: Identify the lessons learned.
Lessons are identified by searching incident reports for security issues and recommendations. The analyst needs to identify the key learning points. These are then introduced into the Generic Security Template using a structured textual format. For the security issue, we recommend using a short <Noun-Phrase>, for example “Sensitive Information”, as a brief description of the security issue. For the recommendation, we recommend a statement of the form <Verb-Phrase> <Noun-Phrase>, for example “Use encryption, or other effective tool, to protect personally identifiable information stored on removable storage”. The identification of the remaining security issues and recommendations follows the same approach; the results are listed in Table 4.1.
Table 4.1: Veterans Affairs (VA) data leakage incident 2006

Security Issues | Security Recommendations
Sensitive Information | Use encryption, or other effective tool, to protect personally identifiable information stored on removable storage.
Position Description | Define the position sensitivity level.
Security Training | Provide linkage to all applicable laws and VA policy as part of the security awareness training.
Incident Handling | Enhance the incident-response program for prompt identification and thorough investigation of incidents.
Administrative Action | Take appropriate administrative action against the people involved in this incident for their inappropriate actions.
Step 3: Map the lessons learned to the goal structure.
The lessons identified from the security incident are mapped to the goal structure prepared in Step 1. In this case, those lessons are mapped to the security requirements in FISCAM. As mentioned in section 3.3.3, the lessons contain different levels of detail and can be mapped to different levels of the goal structure. The analyst has to identify the relationship between the security sub-goals, which are based on standards, guidelines and policies, and the lessons learned from a previous security incident. For example, the lesson learned “Incident Handling: Enhance the incident-response program for prompt identification and thorough investigation of incidents” is found to be exclusively related to the bottom-level goal “AC 5.1.1 An effective incident-response program has been implemented”. Therefore, the lesson learned is mapped to this goal. The remaining lessons learned are all found to be exclusively related to corresponding bottom-level goals and are mapped in the same way, except for the lesson learned “Position Description: Define the position sensitivity level”, which could not be mapped to any FISCAM security requirement. This is probably because the existing goals, being based on standards, guidelines and policies, do not cover all aspects of an incident.
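The three steps above can be carried out mechanically once the goal structure and the lessons are written down in the structured format. The following Python script is an added example, not part of the thesis or of FISCAM: it encodes the five FISCAM general control areas and the one bottom-level goal the text cites (AC 5.1.1), checks each lesson against the <Noun-Phrase> / <Verb-Phrase> <Noun-Phrase> convention of Step 2 with a simple heuristic, and performs the Step 3 mapping so that a lesson with no matching requirement (here “Position Description”) is reported rather than silently dropped. Every goal id ending in `-HYP`, and the `IMPERATIVE_VERBS` word list, are assumptions made for this example.

```python
"""Added example: instantiating the Generic Security Template for the VA 2006 incident.
Goal ids ending in "-HYP" are hypothetical placeholders; only "AC 5.1.1" is cited by the thesis."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Goal:
    """A node of the goal structure; a goal with no children is a bottom-level goal."""
    gid: str
    text: str
    children: tuple = ()


@dataclass(frozen=True)
class Lesson:
    """A lesson learned in Step 2 format plus the analyst's Step 3 mapping decision.
    goal_id is None when no security requirement in the goal structure fits."""
    issue: str            # <Noun-Phrase>
    recommendation: str   # <Verb-Phrase> <Noun-Phrase>
    goal_id: Optional[str] = None


# Step 1: goal structure. The five general control areas come from the thesis text;
# all leaf goals except AC 5.1.1 are hypothetical placeholders for this example.
GOAL_STRUCTURE = Goal("GC", "FISCAM general controls", (
    Goal("SM", "Security management", (
        Goal("SM-1-HYP", "Security awareness training references applicable law and policy (hypothetical)"),
        Goal("SM-2-HYP", "Personnel actions for policy violations are taken (hypothetical)"),
    )),
    Goal("AC", "Access controls", (
        Goal("AC-1-HYP", "Sensitive data on removable storage is protected (hypothetical)"),
        Goal("AC 5.1.1", "An effective incident-response program has been implemented"),
    )),
    Goal("CM", "Configuration management"),
    Goal("SD", "Segregation of duties"),
    Goal("CP", "Contingency planning"),
))

# Step 2: lessons from Table 4.1; the goal ids are the analyst's mapping decisions.
VA_LESSONS = [
    Lesson("Sensitive Information",
           "Use encryption, or other effective tool, to protect personally identifiable "
           "information stored on removable storage", "AC-1-HYP"),
    Lesson("Position Description", "Define the position sensitivity level", None),
    Lesson("Security Training",
           "Provide linkage to all applicable laws and VA policy as part of the security "
           "awareness training", "SM-1-HYP"),
    Lesson("Incident Handling",
           "Enhance the incident-response program for prompt identification and thorough "
           "investigation of incidents", "AC 5.1.1"),
    Lesson("Administrative Action",
           "Take appropriate administrative action against the people involved in this "
           "incident for their inappropriate actions", "SM-2-HYP"),
]

# Constructed counter-example: issue written as a verb phrase, recommendation as a bare noun.
BAD_LESSON = Lesson("Use stronger encryption on laptops", "Laptops", "AC-1-HYP")

# Assumed list of imperative verbs a recommendation may open with (heuristic, not NLP).
IMPERATIVE_VERBS = {"use", "define", "provide", "enhance", "take", "implement",
                    "establish", "encrypt", "restrict", "review", "train"}


def check_lesson_format(lesson: Lesson) -> List[str]:
    """Return the Step 2 format problems found in a lesson (empty list = well formed)."""
    problems = []
    issue_words = lesson.issue.split()
    if not 1 <= len(issue_words) <= 4:
        problems.append("issue should be a short noun phrase (1-4 words)")
    if issue_words and issue_words[0].lower() in IMPERATIVE_VERBS:
        problems.append("issue should not start with a verb")
    rec_words = lesson.recommendation.split()
    if not rec_words or rec_words[0].lower() not in IMPERATIVE_VERBS:
        problems.append("recommendation should start with an imperative verb")
    elif len(rec_words) < 2:
        problems.append("recommendation should name an object after the verb")
    return problems


def index_goals(root: Goal) -> Dict[str, Goal]:
    """Flatten the goal tree into a {goal id: Goal} lookup table."""
    index = {root.gid: root}
    for child in root.children:
        index.update(index_goals(child))
    return index


def map_lessons(lessons: List[Lesson], root: Goal) -> Tuple[Dict[str, List[Lesson]], List[Tuple[Lesson, str]]]:
    """Step 3: attach each lesson to its bottom-level goal.
    Returns (mapped, unmapped): mapped is {goal id: [lessons]}; unmapped pairs each lesson
    that has no goal, an unknown goal, or a non-bottom-level goal with the reason."""
    index = index_goals(root)
    mapped: Dict[str, List[Lesson]] = {}
    unmapped: List[Tuple[Lesson, str]] = []
    for lesson in lessons:
        if lesson.goal_id is None:
            unmapped.append((lesson, "no matching security requirement in the goal structure"))
            continue
        goal = index.get(lesson.goal_id)
        if goal is None:
            unmapped.append((lesson, f"unknown goal id {lesson.goal_id!r}"))
        elif goal.children:
            unmapped.append((lesson, f"{goal.gid} is not a bottom-level goal"))
        else:
            mapped.setdefault(goal.gid, []).append(lesson)
    return mapped, unmapped


if __name__ == "__main__":
    for lesson in VA_LESSONS + [BAD_LESSON]:
        print(f"{lesson.issue!r}: {check_lesson_format(lesson) or 'format OK'}")
    mapped, unmapped = map_lessons(VA_LESSONS, GOAL_STRUCTURE)
    for gid, ls in mapped.items():
        print(f"{gid}: {[l.issue for l in ls]}")
    for lesson, reason in unmapped:
        print(f"UNMAPPED {lesson.issue!r}: {reason}")
```

Running the script reports the four mapped lessons under their goals and lists “Position Description” as unmapped with its reason, which is the gap the text attributes to standards-based goal structures not covering every aspect of an incident. The format heuristic is deliberately simple; its value is that a lesson entered in the wrong shape is caught before the analyst reaches Step 3.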