“You keep using that word. I do not think it means what you think it means.”
— Inigo Montoya, from the movie The Princess Bride.
NASA had a laptop stolen with about 10,000 employee records on it (remember that number, 10,000; it comes up below). The laptop was not encrypted. Here is how the NY Times reported NASA’s response:
Robert Jacobs, a NASA spokesman, said the agency’s data security policy already adequately protected employees and contractors because it required computers to be encrypted before employees took them off agency premises. “We are talking about a computer that should not have left the building in the first place,” Mr. Jacobs said. “The data would have been secure had the employee followed policy.”
Ok. It should be stating the obvious that controls like encryption are not there to lower the risk that everyone does what they are supposed to do. They exist to limit the damage when someone does something they are not supposed to do, whether that is an employee carrying an unencrypted laptop out of the building or a thief walking off with it. By the same logic, it is surprising that Mr. Jacobs did not point out that if the person who stole the computer had obeyed the law and not taken someone else’s property, the “data would have been secure”.
But is it stating the obvious? Can anyone believe, after this incident, that merely having a policy that says not to put sensitive information on unencrypted laptops, and not to take those laptops out of the office, is a sufficient control? A policy that depends on every employee remembering it every time is not a control; it is a hope. After the incident, the FAQ on the NASA site stated the following:
“the Administrator and Chief Information Officer have directed that, effective immediately, no NASA-issued laptop containing sensitive information may be removed from a NASA facility unless whole disk encryption software is enabled or sensitive files are individually encrypted. In addition, employees are being directed to review the information contained on their computers to ensure all sensitive information is appropriately encrypted at the file level, and to purge all unneeded sensitive files. Finally, employees are being reminded that sensitive data should not be stored on smart phones or other mobile devices.” (https://answers.nssc.nasa.gov/app/answers/detail/a_id/6270/~/what-are-)
Note that even this corrective still leaves a choice to the employee: whole disk encryption or individually encrypting the sensitive files, which again relies on the user correctly identifying which files are sensitive.
Just a little over a month before the laptop was stolen, NASA sent out a newsletter to its employees reminding them about cybersecurity best practices.
And in that newsletter is a mock headline, dated November 30, 2011, that reads “NASA laptop stolen, potential compromise of 10,000 employees’ private information”. Under it is the caption: What if this were an actual NASA headline? You just can’t make this stuff up.