I just read an exceptionally interesting post at the ClearNet Security Blog. It explains the Certification and Accreditation (C&A) process implemented by the US Department of Veteran's Affairs. Yes, those are the same guys who lost that laptop with my Air Force records. Consider this blog excerpt:
Right about this time the second bomb shell went off.... The guy up front promptly says that all test results we collect are to be given to the VA. This makes sense as it is their computers and they are entitled to our analyzed results right? Wrong! The guy corrects himself and says that the results are not to be analyzed by the auditors but by VA personnel. Hmm...so at this point I am not touching a computer nor am I analyzing the results for risk or what is wrong. Something seems very broken about this process at this point.
Please read the whole post for the entire story. I hope CNS continues to share their experiences.