Information Security News: Encrypt data stored off site, warns Louisiana agency

[InfoSec News <alerts () infosecnews org>]

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9044122

By Brian Fonseca
October 25, 2007 
Computerworld

The loss of unencrypted storage media from an Iron Mountain Inc. vehicle 
last month renewed calls for IT managers to better protect data stored 
off site.

The Louisiana Office of Student Financial Assistance (LOFSA) said the 
unencrypted data lost from the vehicle of its contractor on Sept. 19 
included the names, birth dates and Social Security numbers of thousands 
of state residents.

The state agency, based in Port Allen, La., administers several state 
scholarship programs as well as the states 529 College Savings Plan.

Sue Boutte, assistant executive director and chief operating officer of 
the agency, this week declined to say whether the unencrypted data was 
stored on tape or disk drives. However, she conceded, If you trust your 
data to a courier, then obviously something like this can happen.

According to Boutte, the incident occurred while the agency was working 
on a plan to encrypt all backup data stored off site.

LOFSA was in the process of developing our disaster and recovery plan, 
but [the loss] occurred before we could get it in place and establish it 
as a standard plan, she said.

In a statement, Boston-based Iron Mountain blamed the loss of the device 
on a driver [who] did not follow established company procedures when 
loading the container onto his vehicle. The statement also noted that 
the company encourages its customers to encrypt backup data.

In a recent interview, Iron Mountain CEO Richard Reese said his firm is 
working hard to eliminate human error by its employees. For example, the 
company announced this summer that it is retrofitting its fleet of 
trucks with a new self-designed security and tracking system.

A similar incident two years ago prompted TD Ameritrade Inc. to encrypt 
all of its backup data, said a spokesman for the Omaha, Neb.-based 
financial services firm.

The backup tapes, later recovered, fell off a conveyor belt and became 
lost in a shipping facility of an undisclosed contractor. Those tapes 
contained personal data on 200,000 Ameritrade clients.

At the time we re-evaluated our [backup] processes and procedures, and 
from that point forward, we encrypted [all data] and have taken that 
extra level of protection, the spokesman said.

Brian Babineau, an analyst at Milford, Mass.-based Enterprise Strategy 
Group Inc., said that IT managers who dont encrypt data are not doing 
their jobs. Organizations need to understand that encryption is a 
necessity and not a luxury anymore.

This would be the equivalent of not locking your luggage when you travel 
overseas or leaving your wallet exposed in your back pocket, he added.


__________________________________________________________________      
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com