Yahoo! News is reporting that the Los Alamos nuclear weapons research facility reportedly is missing some 69 computers according to a watchdog group who released an internal memo. Either they have really bad inventory controls, or they have a kleptomaniac running around the lab. Even for a mid-sized organization, this is a lot, especially given the nature of their business. Granted the senior manager says this does not mean there was a breach of classified information, and I guess I should give him the benefit of the doubt, but I have never worked at a company where sensitive information did not flow like water around the organization regardless of policy. The requirement may be to keep classified information off unclassified systems, but unless those systems are audited, how would you know? How could you verify if they are missing.
We talk a lot about endpoint security and and the need to protect laptops, but really, if you work for an organization that deals with incredibly sensitive information (you know, like nuclear secrets) you need to encrypt all of the media regardless of the media being mobile or not. There are dozens of vendors that offer software encryption and most of the disk manufacturers are coming out with encrypted drives. And you are probably aware if you read this blog that we are proponents of DLP in certain cases; this type of policy enforcement for the movement of classified information would be a good example. You would think organizations such as this would be ahead of the curve in this area, but apparently not.