Tuesday, October 19, 2004

CANADA IT SECURITY IN GOVERNMENT IN QUESTION
ITBusiness.ca
To catch a public sector thief

10/19/2004 5:00:00 PM - Looks like the federal government has an IT asset management problem

by Shane Schick


This would be a great week to steal a computer from the federal government.

If they aren't already walking the picket lines as part of the PSAC strike, many public sector employees are probably attending GTEC, the annual conference on government IT projects. With no one at their desks, there are plenty of valuables there for the taking. And if you're at GTEC, they might be carrying laptops and handhelds as well. After all, recent evidence suggests the government is something of an easy mark.

According to a series of access-to-information requests made by Vancouver immigration lawyer Richard Kurland, at least 330 computers have been pilfered in the last year from the Justice Department, the Refugee Board, the Financial Transactions and Reports Analysis Centre and Public Works, among other departments. Kurland told the Globe and Mail the equipment was worth about $1.1 million and consisted mostly of notebooks and desktop PCs. The tally of losses indicates that, instead of a public sector where security is tighter than Fort Knox, we are living in something more like Fort Why Not?

I wish I could say I was as shocked as Kurland, who couldn't believe the government doesn't pool information on what gets stolen after it's been reported to the police. I first got an inkling of how lax measures were more than a year ago, when a laptop containing all kinds of income tax records was stolen from a Canada Customs and Revenue Agency office in Quebec. Despite the amount of citizen data which had been compromised, the spokesperson I called sounded like we were making a mountain out of a molehill.

"Our policy is to keep such servers that contain the data locked up in a special room with extra security measures," he said. "On this particular night the server was not in a locked room." In other words, mobile computing sometimes means you bring the goods straight into the arms of the thieves.

Mitch Kabay, director of education at the International Computer Security Association, once told me there was an appalling degree of absent-mindedness among government employees that would be considered inexcusable in the private sector.

"There have been government agents who have left their laptops in airplanes, ministers who have forgotten them in the back of cars," he said. Citizens are within their rights to wonder whether people who can't look after valuable technology products can be trusted with more important responsibilities.

Having recently attended the sixth annual IT Asset Management Conference and Solutions Showcase in Toronto, it's clear to me that what's plaguing the government is not really a security problem. This is what happens when inventory is not properly tracked and monitored, whether through a central database or through a more manual reporting process. The government claims it has recovered many of the stolen items, but had the information been recorded en masse -- something that Kurland has proved is easy enough to do after the fact -- the government might have realized that additional training in the proper care and security of IT assets is necessary.

Asset management, at its most basic level, means you are aware of what's being used in your organization and where it's being used at any given time. Like any corporate policy, it's something that has to be spread throughout the ranks from the most senior to the most junior employee, so that the technology is only a means of backing up standard procedures. As one executive at the asset management event put it, you can do with a so-so database, but not a so-so process.

The government might argue that it is too complex, too distributed to adopt a consistent asset management approach, but I don't believe this should be beyond the talents of our best and brightest strategists. This year, instead of celebrating all the IT problems that have been successfully overcome at GTEC, why not use this meeting of the minds to start solving the one that clearly needs more attention?

