Government Laptop Compromisedon October Its631 Cu

Government Laptop Compromisedon October Its631 Cu

Find at least 2 articles relating to the case study described below Dark Reading is a good site for security-related articles). In a minimum of 250-words, summarize the policy and process failures that allowed the breach to occur. Address the impact to an organization when this type of breach occurs, and discuss the steps that you would have taken to ensure that this type of breach wouldn’t occur in your organization.

Government Laptop Compromised

On October 31, 2012, NASA notified its employees that a laptop containing personal infor- mation on more than 10,000 employees was stolen. The theft occurred when a laptop containing the information was taken from a locked car. The laptop had a password, but the hard drive was not encrypted. The NASA announcement included a statement that the IT security policies and practices were under review. Additionally, several immediate actions were undertaken, including requiring that all laptops that leave NASA facilities be encrypted.

While the details of the theft are unclear, what is clear is that the laptop was left unattended in a locked car. At many organizations, that would be considered a violation of acceptable use policy. Leaving a laptop with sensitive information unattended is not good practice. Typically, such policies require someone to maintain physical possession of devices when they are brought into public spaces, and to carry them into airline cabins rather than leave them in checked bags.

Also, full disk encryption is commonplace in the industry. For NASA not to require full disk encryption and to permit sensitive information to be placed on a laptop is to be out of compliance with industry norms.

In this case, this was a failure of policy as much as individual actions. Had the laptop been fully encrypted, the loss would have been limited to the device itself. Although the theft probably indicated a violation of acceptable use policy, the actual damage resulting in employees having their personal information stolen and the impact on NASA’s reputation could have been avoided.