Security at the VA

As some of my readers know, I have just left a job doing research at the Department of Veterans Affairs. How and why I ended up there is a topic for another day. Today InfoWorld ran an article on the improved security at the VA. During my tenure there I witnessed many security initiatives. One is security education, which is still lacking and primitive. The main failing, as I see it, is creating a draconian process that is very inflexible and creates problems for many people doing their jobs. For instance, the Web is a critical decision support platform for doctors. There have been several attempts over the years to filter the internet, and I honestly do not know where that now lies.

To think that the VA is going to become the “gold standard” in data security is an idea that I find patently ludicrous. I know that the laptop was stolen and I am not referring to that. Doing security right requires infrastructure that is built from the ground up. It also requires that people be given the tools that they need to do their job. The VA in my opinion falls short in both.

Some ISOs talk about approving a product, which usually means someone showing them a login screen and talking about password security. I have never watched someone ask about the security engineering in the development process.

While I think that it is good for the VA to take security seriously, I have little hope that they can be the “gold standard”.