Centene reported that hard drives located in their data center have been removed and can not be located. Their decision to not encrypt their external drives makes us nervous because they did not account for internal theft or attacks. While storing data in the data center is physically secured from an outside threat, the control does not account for internal threats, meaning monitoring employees that are allowed to access the datacenter.
Centene requires an information security management program that focuses on thinking outside the normal. CCTV is another physical control that should have been deployed and would have aided the insurer in locating the missing drives and identified who removed them from the datacenter.
Please contact us for more information!