Thursday, September 18, 2008

ATF Knows Where the Explosive Devices Are, But Laptops Are a Different Story

Via arstechnica.com -

The Department of Justice (DOJ) Office of the Inspector General (OIG) recently released the results of a 59-month audit (PDF) on the Bureau of Alcohol, Tobacco and Firearms (ATF) and its penchant for losing weapons and laptops; the report's findings are damning.

The stated purpose of the audit was to assess "(1) the adequacy of the ATF's actions taken in response to weapons, laptop computers, ammunition, and explosives identified as lost, stolen, or missing; and (2) the effectiveness of ATF's internal controls over weapons, laptop computers, ammunition, and explosives."

The OIG's audit was unusually long and broad in scope thanks to previous issues at the ATF. A 2002 investigation (back when the bureau was part of the Department of the Treasury) found significant problems with how the ATF protected and accounted for laptops, firearms, and ammunition. The ATF agreed with all of the recommendations of that earlier audit and implemented new policies that it claimed would cut the losses. Put simply, these new policies have not worked.

The new audit states: "Over the 59-month period we tested, 76 weapons and 418 laptop computers were lost, stolen, or missing from ATF. ATF's rate of weapons loss per month has nearly tripled since Treasury's 2002 audit, and the rate of loss per month for laptop computers was 50 times higher than what the 2002 audit revealed. According to ATF officials, the much higher rate of laptop computer losses resulted primarily from adjustments ATF made to its inventory records to correct inaccurate data accumulated over several years." (emphasis mine).

The ATF lost an average of 7.08 laptops per month over 59 months, but it's very important to understand how that number is derived. Based on the rules of the OIG's audit process, a laptop that has not been properly logged as decommissioned is considered "lost," even if it wasn't stolen or misplaced. In the ATF's case, a lack of proper documentation did significant harm.

"274 ATF laptops were identified as missing during periodic inventories. These losses represent approximately 66 percent of all lost, stolen, or missing ATF computers... The primary reason was that managers believed the computers were returned to the supplier, exchanged for newer models, or donated to schools after becoming obsolete. However, managers could not demonstrate that this had occurred, because they could not produce the required documentation for such returns, exchanges, or donations."

The bureau was also unable to produce information on whether or not the laptops in question were wiped clean prior to being returned or donated.


[...]

The report classifies ATF's control over weapons and laptops as "not adequate," for a number of reasons, many of which we've already discussed. The OIG did find that the ATF adequately tracked and monitored its inventory of explosive devices, but that's small comfort considering the low marks for laptops, firearms, and ammunition.

--------------------------------

Losing laptops is one thing....esp if they are encrypted (not that the ATF laptops are)...but not being able to determine if donated laptops have been wiped, seem like a very serious oversight.

This is much easier than making sure people don't lose their laptops...this is Corporate Computer Dontation 101 folks...seriously.

No comments:

Post a Comment