Posted by: David Scott
acceptable use, content management, data breach, data security, IT security, Security Plan, security policy, WikiLeaks
I can’t ignore this story. It seems an 11-page U.S. Government document, calling for “assessments” of vulnerabilities and “formulation of plans” in closing gaps, for the express purpose of preventing data leaks – has itself been leaked to MS-NBC. Understand that the following information is “out there” now. I’m not widening this leak – it’s an open pipe.
However, I would like to help. I was a Federal Employee once upon a time (U.S. Army). My own career benefited through training and education that was either conducted, or paid for, by Uncle Sam. Let’s examine (what we could call) this Anti-Leak leaked document – oh the irony:
The document’s language is arcane. For example:
Assess what your agency has done or plans to do to address any perceived vulnerabilities, weaknesses, or gaps on automated systems in the post-WikiLeaks environment.
Assess all security, counterintelligence, and information assurance policy and regulatory documents that have been established by and for your department or agency.
Assess your agency’s plans for changes and upgrades to current classified networks, systems, applications, databases, websites, and online collaboration environments as well as for all new classified networks, systems, applications, databases, websites or online collaboration environments that are in the planning, implementation, or testing phases – in terms of the completeness and projected effectiveness of all types of security controls called for by applicable law and guidance (including but limited to those issued by the National Security Staff, the Committee on National Security Systems, the National Institute for Standards and Technology).
And then assess the mess some more, I guess. Hey, we’re assessed! In examining this – what?… – cure?… fix?… stall?… blather?… we can see where clear thinking and plain language are far overdue.
You know what should have been “Bullet One” on this doc?
Within 30 days of receipt, all agencies will conduct Security Training Refreshers for all staff for the secure handling and distribution of classified and sensitive information, and the secure use of all associated systems, in accordance with… *.
*Here would be referenced all pertinent existing policies and security directives (hardly lacking, I can assure you).
Following bullets could indicate a subsequent review by the doc’s originating agency – presumably a controlling agency to all the other recipients. Further, a simple overarching scenario for security upgrades in accordance with best business practices shouldn’t be too difficult. From there, you can assess and review and implement to your heart’s content – but the U.S. Government doesn’t lack for documentation, regulation and control. But it does lack something else – consider:
It lacks, at present, proper execution of prudent security activity. The Wiki dump was a human act of willful disobedience to laws and regulations – by an individual.
When an individual, particularly one with a security clearance, is bent on doing harm to content, no amount of law, regulation, or system security controls is likely to stop that person – absent paired human oversight and strong managerial control.
In addition to security refreshers, shrewd assessments of personnel, and allied system controls, everyone concerned must be made plainly aware of the simple peril in breaching data: For government, you’ll go to prison. In business, you’ll be fired – and maybe yet go to prison.
They caught PFC Manning. Security refreshers shouldn’t be shy about legal sanctions against transgressors – and further, reviews should state plainly that wrongdoers will be caught (whether you’re fully confident of that or not).
There is a lesson to business and IT here. Secure your organization’s content – get ahead of any potential breach. For all personnel: Train, review, train, review, train, review… find the schedule that suits your organization best in terms of affordability and returns – monthly, quarterly, semi-annually.
Constantly review systems, and survey for enhancements to security. Query vendors and value-added remarketers. Then, take a break; it’s lunch-time here.
NP: Kinks, You Really Got Me, original ’64 Reprise LP. I could listen all day and all of the night.