Friday, October 10, 2008

An idea about violations

I was just thinking about the myriad security violations that could have been prevented by using good operations security, communicating with cleared co-workers and practicing lessons learned during security training. One of the biggest culprits undermining a well-rounded security program is the lack of available security violation statistics. There are resources for discovering spy stories or data on espionage, but data on the most common types of violations, mistakes, oversights, etc. does not seem to be there. We can’t learn from mistakes if we don’t know what the mistakes are.

Good security managers have data on security breaches, violations, reports of compromise or suspected compromise. However, this data rarely leaves their office. Because of its sensitive nature, it is held closely either for fear of retribution or fear of embarrassment. In truth, there is no retribution for security violation reports, and the information they contain could be very valuable for security awareness.

Take, for example, a security manager who discovers that employees are leaving the safe unlocked too many times, or leaving a closed area without setting the alarms. The security manager will probably have information detailing the frequency of violations, the persons committing the violations, and the resolutions and training used to correct the behavior. This security manager could use the information to specifically train the business unit and inform them of the infraction, as well as provide meat for the annual security awareness training.

However, this information could be stripped of all identifying information and sent to a collection point for access by other security managers in the industry. Such an effort would only serve to strengthen OPSEC and the managing of security measures to protect classified information.

In the spirit of sharing, I will contribute a few violations I have investigated or have personally experienced.

• Transmission: Worker 1 reported with Workers 2 and 3 to the communications center to pick up a classified device for encrypting information. Worker 1 carried a thin plastic shopping bag and the communications center loaded four heavy devices into the bag. The three workers then walked a quarter of a mile over urban terrain to their work areas. Upon arrival, Worker 1 noticed a hole in the bag and one of the devices missing. Workers 1-3 conducted a search to no avail and reported the loss. Fortunately, the device had been found and turned in to the proper authorities.

• Violation of “Need to Know”: Worker 1 and Worker 2 shared an office where classified work could be performed. They each worked on a different program, but at the same security level. Worker 1 had to run to the restroom and asked Worker 2 (same clearance level) to watch their classified documents. Worker 2 received a phone call, forgot about the classified material, and left the office with the material sitting unattended. Upon returning, both workers realized the classified material was left unattended and reported the violation to security. Security provided Worker 2 with security awareness training emphasizing not to leave classified material unattended. However, Worker 1 received training on leaving material with a cleared employee not having “need to know”.

These are just two experiences of security violations discovered, addressed, and now shared for your use. No person or company is identified, so there is no retribution. Please feel free to include them in your upcoming training.
