The Province

Security bytes

Nearly 200 computers, tablets lost: Audit

Special to the Toronto Sun

One federal department lost 199 laptops, tablets and USB keys, an internal audit found.

Lapses at the Department of Infrastructure included a “lost bag with potential secret documents” and IT checks so haphazard that staff had no real idea how much equipment was misplaced or stolen, according to Blacklock’s Reporter.

“Not all security incidents are properly identified, recorded, assessed, mitigated and reported,” said the internal audit of departmental security.

“It is important to report security violations in a timely manner so that corrective action can be taken before a security breach or serious security incident occurs.”

Auditors said while management put up security posters and surveillance cameras in parking garages — “none of the security risks identified were classified as a ‘show-stopper,’” the report said — serious errors were found in IT security.

“Several potential security incidents were noted in department documents, but were not recorded as security incidents,” said the report.

The audit counted 199 laptops, USB keys and tablets listed as inventory that had vanished. The items had “an unknown owner and location,” said the report.

The report did not estimate the value of the lost equipment. The department owned 1,580 cellphones, 689 tablets, 490 laptops and 340 encrypted USB keys.

“The department has not conducted a physical review of its inventory of IT assets for several years,” said the report. “As a result, the current inventory records contain a number of inaccuracies and it is difficult to assess how many items could have been lost, misplaced or stolen.”

The department’s 593 employees at offices in Ottawa and Montreal were also required to take security courses, though a third never did. Even among those who passed their training, “recent security sweeps continue to reveal a large number of security violations,” according to Blacklock’s Reporter.

Of 135 offices audited, 41% were not in compliance with security rules. “Infractions found included unsecured documents,” including files stamped confidential or secret. Other examples were lost office keys and misuse of encrypted USB keys.

The department had not updated its log of legitimate computer users even in cases where employees left or died and “no longer require access to parts of the system,” wrote auditors.
