Telework blamed in recent VA data loss
Proponents of policies allowing federal employees to work away from the office are fighting recent claims that teleworking puts sensitive agency data at an unnecessary risk for theft or loss.
In an attempt to avert future security breaches and to assuage lawmakers' concerns, Veterans Affairs officials have said they are reviewing the department's guidelines on remote use and access to agency information, following the theft of personal data on more than 26 million veterans from an employee's home.
VA Secretary James Nicholson told House lawmakers Thursday that he is attempting to determine how many agency employees telecommute because of the potential damage they could do, not mischievously, but because "they are negligent."
"This is an enormously troubling situation," Nicholson said. "We have people telecommuting all over this country, and we need to get our arms around who these people are and what they're like."
Nicholson said he has directed the VA Office of Information and Technology to publish revisions to the document governing security guidelines for remote access. He has also said the agency is reviewing employee access to sensitive data, which includes telework, and requiring new background checks.
But government officials and telework advocates say the data breach is not a telework issue. Rather, it stems from the mishandling of sensitive materials and the failure of an employee to follow basic security procedures, they say.
Agency officials acknowledged that the employee had been taking sensitive data home for work purposes since 2003 even though he was not authorized to do so. The data also was not encrypted per agency policy. The agency has since announced that it has started the process of dismissing the employee, and is replacing the leadership of the division in which he worked.
Chris Mihm, managing director of strategic issues at the Government Accountability Office, said if agencies have not established solid policies and procedures for data security and access, employees should not be allowed to telework.
"I think it's a wake-up call in the sense that it underscores the importance of the security of government information," Mihm said.
But Paul Kurtz, executive director of the Cyber Security Industry Alliance, said agencies should not respond to this incident by "hunkering down into a brick and mortar mentality."
"Data by its essence is portable," Kurtz said. "We don't want to have data resting within four walls and nobody can take it out."
Kurtz said sensitive data can easily be encrypted, but a better option is requiring employees to access that data over secure Internet connections.
Data access and security policies long have been listed among the best practices for agency telework policies. A 2003 report from the Office of Personnel Management cited information security as the most frequently identified problem related to telework.
In response to questions regarding the security of teleworking in the aftermath of the VA breach, the Office of Management and Budget asked the General Services Administration to post a link on the GSA telework Web page to National Institute of Standards and Technology recommendations published in August 2002 on the special security needs for teleworking.
A July 2003 GAO report (GAO-03-679) on teleworking in federal agencies found that the VA had fully addressed issues relating to remote access to agency systems and data.
But the basic violation of agency policies, such as taking sensitive data out of the office and failing to encrypt the information, goes beyond telework policies and into the realm of fundamental security practices, said William Mularie, chief executive officer of the Telework Consortium of Herndon, Va.
Placing the blame on teleworking "smells like an excuse for a lack of strong policies," Mularie said. "They're linking portability with security and it's not linked."
If the data on the stolen VA computer had been encrypted, it would have been no "more useful than a brick," Mularie said.
Chuck Wilsker, president and CEO of the Telework Coalition, said the incident helps emphasize the need for agencies to establish a formal telework program and oversee and ensure adherence to policies, particularly dealing with data security.
"How stupid can you be to take all that stuff home?" Wilsker said. "But do I think this is bad for telework? Not really."
COMMENTS
- The teleworker certainly messed up taking the data outside the VA against agency policy. But, we all seem to be missing the root cause to all these data theft problems. It is how organizations do remote access. Anyone should be able to gain access to a VPN external connection from any location or system, government owned or not. The external connection should be equipped with a robust and closely monitored Intrusion Prevention System (IPS) and once proper credentials are provided, any internal access should be gained through additional credentials with applications and data being served up via a thin client session with no remote client interaction (no copy/paste to local system or local drive connections). This way no data is ever on the remote systems used for access and we would not have all these ridiculous data theft headlines in the news. Bottom line: It is poor IT architecture causing users to come up with work-arounds to IT shortfalls.
  GovExec.com reader Posted June 14, 2006 7:45 PM
- Well Mr. Taxpayer, at least we agree here. Federal managers should manage better and not be glorified analysts who micromanage their employees and who are not properly trained. Where we disagree is over your utopian vision of the private sector. You think folks are fired in the private sector but not the public sector for mistakes. I disagree. And I doubt very much that private sector managers fire over mistakes -- they fire on productivity grounds. You can make all the mistakes in the world in a law firm but if you bring in the billable hours and make profit everything is forgiven -- the whole private sector based on profit is like that. And let us all not forget those brilliant managers at Enron, Worldcom, and dozens of other private sector bastions of good management who can in the future be managing their cellmates!
  HR specialist in the federal government GovExec.com reader Posted June 9, 2006 5:31 PM
- FYI, I have been in management as president of a company, as executive vice president of a company and as a senior vice president of a very large company. I guarantee you that if any employee of mine violated data security they would have been fired immediately. I understand that government managers do not believe this is possible (however, it is - they just do not want to do the paper work necessary). Also, the government managers I see are nothing but glorified analysts that are expected to "do the daily work" at a higher level. However, managers should manage. They do not even know what management is! They need to staff the operation correctly (the right talent in the right place at the right time), they need to evaluate performance (therefore they need to establish what the performance is and how it will be measured -- then they need to measure it), they need to delegate to subordinates (they tend to keep the important things for their own work so they look important). A good manager should know what talents are needed, when to use them, where to send issues within the organization (not try to do everything), and how to recruit, train and evaluate their employees. In my government experience I have not seen a single manager that managed! They don't care about their employees, they do little to reward or punish their employees and they just fill slots (usually with someone they know and like rather than with the proper talents). Often they rate poor employees highly so that the employee can move to another job and out of the hair of the so-called manager. If you think this crap would fly in the private sector you have no idea what managers do and are expected to do. It may come as a big surprise but a good manager does not have to know the technical detail of their employees’ jobs! They simply need to know how to use those talents and employ them for the good of the organization.
  Problem with government managers is that they generally do not know what is good for the organization - they do what is good for them. Just like Congress does to get votes and contributions - give away money for projects and services that do not provide significant benefits for the people of the United States.
  Taxpayer Posted June 9, 2006 7:58 AM









