Thursday, July 10, 2008

Being vigilant while protecting the money makers

A former engineer with Boeing Company has pleaded guilty to possessing classified information in an unauthorized location. Does anyone want to guess where? Yes, that’s right, his house. He thought he could take the information home with him and work on it there. You can read more about the information in the article Boeing Engineer is found guilty.

While many security managers are focused on good training and may think that they have it in the bag, don’t rest just yet. Chances are that the involved engineer is not the only one breaking the rules of safeguarding classified material. Those who work on classified contracts need to be reminded again and again how to do so while following the laws of our country.

Let’s break this case down. The engineer has access to computer processing. He then downloads the information to a data stick and brings it home with him. Though he probably meant no harm, his actions created tons of it and he will be punished for it.

Chances are, he had attended and understood all security awareness training events. His former employer probably had warning signs and controls in place to remind the engineer of the proper use of classified IT. They probably followed NISPOM requirements to perform random checks, control classified processing, account for classified material and take all actions necessary to prevent unauthorized disclosure. However, he still got through.

This serves to remind security professionals to be creative in their risk analysis. This involves thinking like those you support and answering questions like the following: How could an employee sneak out or inadvertently remove classified material? Are there any ways to remove, copy, destroy or disclose information without leaving a trail? Can employees be duped into releasing classified, export controlled or proprietary information at a convention?

Find the answers and address them as soon as possible. For example, our engineer downloaded classified information onto a data stick. Security managers could return to two-person rule policies for all tasks requiring the use of classified material, or require each employee to verify verbally that they do not have cameras, data sticks, or recording devices before entering facilities.

Security managers have the tough job of protecting classified material. While many may feel they are in the business alone, professionals create an environment that includes the whole company in the plans and activities of protecting our nation’s secrets. Security managers have to learn to be as creative as the employees they support to better counter threats of unauthorized disclosure.
