Recently in IT Asset Security Category

The Consequences of Losing PII


It's getting really scary out there: another organization has lost documentation containing Personally Identifiable Information.

The Federal Energy Regulatory Commission (FERC) reported the loss of a binder containing the Personally Identifiable Information (PII) of over 2,800 former employees.  The binder was last used in late February and was reported missing in early March - presumed to be lost during an office move while Human Resources employees cleaned out and disposed of old files from a locked office.

An investigation revealed that the binder was most likely thrown out, therefore a low probability exists that the information within was compromised.  Officials are taking steps to protect the identities and credit information of the people listed within the binder.

So why does this matter to us property people?  Though a binder of paperwork is not normally something we would track in our property control systems (see FAR 45.101), the fact that this binder contained PII certainly makes it worth keeping special tabs on.  It was in a locked office, which is good, but it seems to have been a little too easy to simply throw away.

In reading this article, I kept thinking about Brandon Kriner's presentation at the recent NOVA chapter seminar.  Though his presentation focused on the importance of having property people work with IT people to track Sensitive Data Storage Devices (e.g. thumb drives), this is essentially the same thing.  In this case, however, it was a binder, not an IT device, and it would be the property people working with the HR people to track it.  Several questions come to mind here:

  • Who was ultimately responsible for this binder?
  • Who had access to this locked office?
  • Who made decisions about what got thrown away and what didn't?
  • Was there a policy in place whereby people normally had to check out this binder and check it back in?

If I had to guess, I would say no one had good answers to these questions.  Had there been a property person who knew what kind of information was kept in that office and what should have happened to that binder, this could possibly have been averted.  I often talk to groups of property people about keeping themselves out of the newspapers by taking pains to track the things they care about; surely this binder, with all its PII, fell into that category.

NIH Laptop Stolen


The Washington Post reported today that a government laptop belonging to the National Institutes of Health (NIH) was stolen last month while in the possession of an NIH employee. The laptop, which was not encrypted, apparently contains sensitive medical data on 2,500 patients who were enrolled in a confidential NIH study. This incident highlights the necessity for organizations to take the steps needed to ensure the security of highly sensitive or confidential information, including Personally Identifiable Information (PII). IT security is an issue that is becoming more and more relevant as cases of identity theft continue to increase.

In 2006, after a laptop belonging to the Department of Veterans Affairs (VA) and containing PII of veterans and active-duty service members was stolen, the Office of Management and Budget issued a recommendation that all portable IT devices be loaded with encryption software. One year later, this recommendation became a requirement for any portable device that may contain sensitive information.

The article also states that a recent study conducted by the Government Accountability Office (GAO) found that this month alone, at least 19 of the 24 government agencies reviewed had experienced at least one breach that could potentially expose PII to identity theft. These findings illustrate the need for organizations, public or private, to place the highest priority on accounting for sensitive data, which now more than ever resides on portable, even hand-held, devices. The theft of a desktop computer is not likely; the theft or loss of a laptop, a PDA, or a Blackberry is almost an inevitability. Organizations must ensure that property management procedures are in place to prevent PII from falling into the wrong hands, not only by encrypting sensitive data but, more importantly, by placing a much higher priority on accountability for devices that are portable or that may contain sensitive data. Equally important, they must ensure that staff are knowledgeable about and fully compliant with those procedures.

Servers Found in Trash Compactor

An article in the "Metro" section of today's Washington Post reiterated the importance, should there be any debate, of a well-maintained and administered property management system that accounts for property from "cradle to grave", that is, from procurement to disposal. Two servers belonging to the D.C. Office of Tax and Revenue, possibly containing personally identifiable information (PII) of D.C. taxpayers, were found in a trash compactor in northwest D.C. It was only a few months ago that this same District office was the focus of the largest corruption scandal in the city, which resulted in the arrests of 10 people for involvement in an alleged embezzlement of over $20 million in property tax refunds.

The million-dollar question now is whether or not those servers were "purposely" disposed of in an incorrect manner (local government offices do not commonly trash large pieces of IT equipment in neighborhood dumpsters) in an effort to hide any information that might be incriminating to those involved in the corruption scandal. Even if that is found not to be the case, this event identifies some serious issues around the accountability for property in government offices. Authorities will need to find out who had access to these servers, what sort of equipment was connected to them, and ultimately, who retained accountability for them. And although a representative from the District CFO's office maintains that office policy is to wipe confidential data from any drives before giving the machines to another D.C. agency or public school or disposing of them, he cannot say whether or not that occurred with these servers, or why their tax office labels were not removed before disposal. The Office of Tax and Revenue may well be able to provide an explanation for the appearance of these items in a trash repository, but it will also need to explain why they seem to have disappeared from the office in a manner that is clearly not in line with standard operating procedures, assuming those procedures actually do exist and are tightly monitored by property management personnel.

The Washington Post reports today that employees from the D.C. Office of Property Management were instrumental in helping the Chief Technology Officer for the District of Columbia crack down on violations of the D.C. government's computer use policy.  Nine District employees were using work computers to view a high volume of inappropriate content, over 200 times per day.  The CTO's office launched the investigation that uncovered these abuses after receiving a tip from the Office of Property Management.

This is a concrete example of the critical role that property managers can play in promoting information security and policy compliance in their organizations.

We've all heard the horror stories: a laptop, hard drive or other piece of IT equipment is stolen from a government agency, university or large company, placing the personally identifiable information (PII) of thousands at risk.  These unfortunate incidents are usually not the work of hackers or determined thieves, but rather are crimes of opportunity that result from lax physical accountability for the assets that store an organization's most sensitive data. These tales of woe are all too common in today's technology-saturated environment; a glance through the Chronology of Data Breaches for the past three years shows that virtually no organization is safe from information security lapses.

To be certain, protecting PII and other sensitive data is everyone's responsibility, but property managers are uniquely situated in many organizations to have a significant impact on information security.  Property managers, the guardians of physical asset accountability, often act as gatekeeper between the organization's IT department, which is responsible for making information available, and the property custodians or end users of the devices that store sensitive data.  While the IT department is responsible for ensuring the use of data-level security measures (encryption, VPNs, etc.), property management is responsible for ensuring the physical security of these assets.

Flash drives, external hard drives and laptops have become ubiquitous in today's office environment due to their decreasing cost and increasing storage capacity.  Many of these items fall far below traditional property accountability thresholds, and many property managers are reluctant to place a barcode tag on something as tiny as a flash drive.  Yes, accounting for these devices may be challenging, but the risks of a data security breach make these measures well worth the effort.  The theft of PII can be as dangerous to the public as the theft of weapons or hazardous material.  Consider what could have happened to the identities, security and livelihoods of the 26.5 million Americans affected by the May 2006 data security breach at the U.S. Department of Veterans Affairs.

So what can property managers do?  Here are some steps that you can take to increase data security in your organization and protect your colleagues and customers:

  • Maintain records for all organization-issued property capable of storing computer-readable data in your property control system; accurate records can help recover stolen assets in the event of a theft.
  • Flag these sensitive data storage devices as sensitive in the property system to quickly distinguish them from other kinds of property and to provide a complete picture of your organization's exposure to risk from sensitive assets.
  • Issue and check property passes for all data and storage devices taken out of a secure organization location.
  • Conduct physical inventories of sensitive assets more frequently than inventories of non-sensitive assets to ensure the prompt discovery of missing items.
  • Sensitive assets that are not found during inventory should be subject to a formal internal inquiry process before being written off.
  • File a police report in the jurisdiction of the theft as soon as reasonably possible if an asset is reported lost or stolen by an employee.
  • Overwrite, degauss or destroy hard drives or flash drives prior to donation, sale, or abandonment.
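As an added illustration, not code from the original post, the record-keeping steps above expressed as a small property register in Python: devices that can store data are flagged as sensitive, get a shorter inventory cycle, are tracked on property passes, and cannot be written off until a formal inquiry has closed. The class names, the status values and the 90-day/365-day inventory cycles are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed inventory cadence: sensitive data storage devices are verified more often than other property.
INVENTORY_CYCLE = {True: timedelta(days=90), False: timedelta(days=365)}

@dataclass
class Asset:
    tag: str                               # property control barcode tag
    description: str
    custodian: str
    sensitive: bool = False                # can store computer-readable data (flash drive, laptop, server)
    last_verified: Optional[date] = None   # last seen during a physical inventory
    pass_holder: Optional[str] = None      # holder of an open property pass, if any
    status: str = "in service"             # in service | missing | under inquiry | written off

class PropertyRegister:
    def __init__(self) -> None:
        self.assets: dict[str, Asset] = {}

    def record(self, asset: Asset) -> None:
        self.assets[asset.tag] = asset

    def issue_pass(self, tag: str, holder: str) -> None:
        a = self.assets[tag]
        if a.pass_holder is not None:
            raise ValueError(f"{tag} is already out on a pass to {a.pass_holder}")
        a.pass_holder = holder

    def return_pass(self, tag: str) -> None:
        self.assets[tag].pass_holder = None

    def inventory_due(self, today: date) -> list[str]:
        """Tags whose last verification is older than the cycle for their sensitivity class."""
        return sorted(t for t, a in self.assets.items()
                      if a.last_verified is None or today - a.last_verified > INVENTORY_CYCLE[a.sensitive])

    def report_missing(self, tag: str) -> str:
        a = self.assets[tag]
        a.status = "under inquiry" if a.sensitive else "missing"  # sensitive items open a formal inquiry
        return a.status

    def write_off(self, tag: str, inquiry_closed: bool = False) -> None:
        a = self.assets[tag]
        if a.sensitive and not inquiry_closed:
            raise PermissionError(f"{tag} holds sensitive data: close the formal inquiry before write-off")
        a.status = "written off"

    def exposure(self) -> list[str]:
        """Sensitive devices outside direct control: out on a pass, missing, or under inquiry."""
        return sorted(t for t, a in self.assets.items() if a.sensitive
                      and (a.pass_holder is not None or a.status in ("missing", "under inquiry")))
```

The `exposure()` report is the "complete picture" the flagging step asks for: it lists every flagged device that is not currently under the custodian's direct control.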

In today's world, the nature of sensitive assets has changed, but the mission is still the same: provide accountability and control for the proper use and care of property. Property professionals now have the opportunity to provide a crucial line of defense against a devastating leak of sensitive data. We must do more than simply keep our organizations out of the headlines. Our obligation is to protect the well-being of the thousands of people who depend on us to keep their information safe. Protecting property is necessary, but protecting people is the most important responsibility of all.
