Audit: VA sidestepped security standards in iPhone, iPad deployments
The VA may have circumvented compliance standards when getting iPads into the hands of its clinicians.
The Department of Veterans Affairs (VA) has been one of the federal government's leading drivers of technological innovation in recent years, from the implementation of electronic health records to the expansion of employee mobility programs. However, an audit triggered by one worker's anonymous tip has revealed that the agency may not have conducted its due diligence in satisfying data protection standards when deploying iOS devices.
In a report compiled by Linda Halliday, VA assistant inspector general for audits and evaluations, she explained that her office received an employee complaint through its confidential hotline in September 2011 suggesting the agency may have been circumventing provisions of the Federal Information Security Management Act (FISMA). Together with guidelines supplied by the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST), the act's mandates prescribe a clear set of best practices for introducing new components into VA information systems.
"The complaint alleged that VA was using Apple mobile devices without adhering to Federal Information Processing Standards, Security Requirements for Cryptographic Modules (FIPS 140-2), to protect sensitive information stored on the devices," the audit stated.
As the VA simultaneously began to discuss an ambitious vision for mobility that included the purchase of approximately 100,000 iPads, Senator Jon Kyl requested a similar evaluation of how the department planned to embrace the new technology without sacrificing data security in the process.
Auditors have now concluded that the allegations regarding the VA's hasty implementation of iOS devices are "partially substantiated." The VA did indeed deploy more than 200 iPhones and iPads with encryption mechanisms that were not FIPS 140-2 compliant. However, the agency did utilize an ad hoc mobile device management solution that encrypted application data found in calendars, emails, phonebooks and other sensitive device utilities. Additionally, all applications used to access or store data on the iPhone or iPad were diligently vetted and FIPS-approved.
Security vs. compliance
By the letter of the law, auditors did find fault with the way VA officials were managing iOS rollouts. However, regulators candidly expressed their opinion that the VA approach delivered the intended level of data protection in the end. Ultimately, the report did not chastise government IT administrators for their noncompliance but rather provided recommendations for refining their approach.
"We noted that the VA could improve security controls and systems management by ensuring an accurate inventory and consistent configuration for the mobile devices deployed enterprise-wide," Halliday wrote.
This process has raised several important questions for stakeholders relying on the wisdom of FISMA mandates. From a government perspective, the fact that auditors could respond to Senator Kyl's inquiry by affirming the ultimate strength of the VA's data security demonstrates a fundamental misalignment between the letter of the legislation and its intent. The agency was out of compliance with FIPS requirements yet still managed to find an alternative route that satisfied the standards and spirit of the broader FISMA mandates. This revelation will likely inspire a reconsideration, if not reform, of the compliance framework as time goes on.
On the operational side of the equation, administrators are once again reminded of the complicated relationship between compliance and security. While agencies generally have every intention of satisfying regulatory standards, static legislation is inherently prone to weaknesses when governing an arena as dynamic as cybersecurity.
As a result, chastising efforts to go outside of the accepted compliance framework may be counterproductive. Without new concepts and ideas pushing the envelope, servers and software could become sitting ducks hoping against hope that regulators have closed any gaps opened up by cybercriminals.
Security News from SimplySecurity.com by Trend Micro