Rolling out new software to a few thousand users is an involved process for any organization. But installing software that affects hundreds of thousands of PCs as part of response to a data breach while under embarrassing scrutiny is a task that would challenge even the most well-managed IT departments. And, apparently, the Office of Information Technology (OIT) at the Department of Veterans Affairs’ answer to that challenge was to sweep it under the rug.

After removable hard disks containing unencrypted personal identifying information of 26 million military veterans were stolen from the home of a VA employee in 2006, then-Secretary of Veterans Affairs R. James Nicholson mandated that the VA’s Office of Information Technology install encryption software on all of the department’s notebook and desktop computers. But while the VA purchased 400,000 licensees for Symantec’s Guardian Edge encryption software, more than 84 percent of those licenses—worth about $5.1 million, including the maintenance contracts for them—remain uninstalled, a VA Inspector General’s audit has found.

The VA’s OIT purchased 300,000 licenses and maintenance agreements for Guardian Edge in 2006, and continued to pay for maintenance on those licenses for the next five years. And in 2011, the VA purchased 100,000 more software licenses from Symantec and extended maintenance on all 400,000 licenses for two years.

Read 2 remaining paragraphs | Comments

via Ars Technica » Technology Lab http://feeds.arstechnica.com/~r/arstechnica/technology-lab/~3/mzV5vtCYhLA/

Advertisements