Time for Agencies to 'Converge' Security

The recent IRS inspector general's s report concluding that the Internal Revenue Service had lost at least 490 computers between January 2003 and June 2006, exposing possibly thousands of Americans' personal tax information to possible theft, is yet another reminder that many agencies have yet to heed security experts' advice that physical security of information is part of an overall cybersecurity plan.

According to the IRS IG report, many of the losses occurred because employees left their laptops in unlocked vehicles, on buses, trains, at airports, or checked their computers as airline baggage, according to a Washington Post article. "The report attributes the newly identified shortcomings at IRS offices 'to a lack of emphasis by management,'" the Post reported.

The lack of management attention to physical IT security is widespread throughout the federal government. IRS joins a growing list of other agencies having reported lost or stolen laptops. As a reminder, here are some of the others: Last spring, a Veterans Affairs Department laptop containing personal information on 26.5 million people was stolen from a VA analyst's home. That was followed by laptop losses at the Navy and the Government Accountability Office, the Energy Department, the Transportation Department, the Education Department and then just about every agency according to a House report.

A couple of months after the VA's chief information Officer Robert Howard said that another data breach was unlikely, the VA lost a hard drive at a Birmingham, Ala., Veterans Affairs Department facility containing highly sensitive information on nearly all U.S. physicians and medical data for about 535,000 VA patients. The case is still under investigation.

As security experts have advised for years, physical security of data, such as keeping track of laptops or encrypting data, is a significant part of any cybersecurity plan. It's called convergence.