This week, it was reported that just over 35,000 student records were compromised at Riverside Community College District in California when an employee accidentally sent these records to an external email address. As a consequence of this error, students have become anxious about their security and mistrustful of the college administration. To correct the mistake, the college is offering one year of free credit monitoring to any student listed in the leaked database. As with any data breach casualty, Riverside Community College is taking a hit to its reputation and to its budget.
Archive for the ‘Information Spillage’ Category
A few years back my wife and I spent a great deal of time and effort writing a business plan. We researched the marketplace, analyzed the threat from local competitors and built the financial and resourcing plans that would ensure our success. When we were done, we shared the plan with our potential investors (friends and family).
Happily, when we shared our plan it received an enthusiastic response. Unhappily, it was so well received that one of our friends thought to share our business plan with some of his work colleagues.
On October 7, 2011 President Obama issued an Executive Order (Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information) “in order to ensure the responsible sharing and safeguarding of classified national security information (classified information) on computer networks”. This is a result of the WikiLeaks incident of last year. One of the major focus areas of the Executive Order is to reduce the possible threat of insiders leaking classified information out of the government.
Since there are a number of ways to implement Data Loss Prevention (DLP) within an enterprise, it is important to understand the value of different approaches. One approach to DLP is called “Redaction”, which involves blacking out the characters in a message or document so that future consumers of the document can’t see its sensitive portions. The image below shows how a redacted message might look. Redaction has mostly been used for documents in highly sensitive government or military environments, but it can also be used in commercial organizations where the loss of sensitive information via email is a concern.
Clearly, in order to effectively redact content, some kind of rules must be applied to determine which portions should be blacked out. Once the sensitive portions have been identified, a number of different actions are usually taken to ensure that the sensitive information is not released. This article focuses on why redaction is an important option to have in an email system, and how it can be automated to help users protect sensitive information.
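The rule-driven redaction described above, as an added example that is not part of the original post: a small Python pass that applies two constructed rules to an outbound email body. The SSN rule uses a regex plus a validator (SSA never issues area 000, 666 or 900-999, group 00 or serial 0000) to cut false positives; the portion-mark rule treats any line beginning with `(CUI)` as a marked paragraph and blacks out the whole line. That `(CUI)` line-prefix convention, the `corp.example` domain and the sample roster are assumptions made for this example, not the format or policy of any real system. The same pass covers the employee-roster scenario elsewhere on this page, where names and SSNs went to an external address.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

BLOCK = "\u2588"  # full-block character used to "black out" matched text


@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    # Optional validator applied to each match to reject false positives.
    validate: Optional[Callable[[re.Match], bool]] = None


@dataclass
class Finding:
    rule: str
    start: int
    end: int


def _valid_ssn(m: re.Match) -> bool:
    """SSA issuance rules: area 000, 666 and 900-999 are never issued,
    group 00 and serial 0000 are invalid."""
    area, group, serial = (int(m.group(i)) for i in (1, 2, 3))
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


# Constructed rule set for this example.
RULES = [
    Rule("ssn", re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b"), _valid_ssn),
    # Assumed portion-marking convention: a line starting with "(CUI)".
    Rule("portion_mark", re.compile(r"^\(CUI\).*$", re.MULTILINE)),
]


def redact(text: str, rules: List[Rule] = RULES) -> Tuple[str, List[Finding]]:
    """Return (redacted_text, findings). Matched characters are replaced in
    the string itself, so the original bytes are gone from the message rather
    than hidden under a visual overlay."""
    spans = []
    for rule in rules:
        for m in rule.pattern.finditer(text):
            if rule.validate and not rule.validate(m):
                continue
            spans.append((m.start(), m.end(), rule.name))
    spans.sort()
    out, findings, pos = [], [], 0
    for start, end, name in spans:
        if start < pos:  # overlaps a span already blacked out; skip it
            continue
        out.append(text[pos:start])
        out.append(BLOCK * (end - start))
        findings.append(Finding(name, start, end))
        pos = end
    out.append(text[pos:])
    return "".join(out), findings


def outbound_decision(body: str, recipient: str, internal_domain: str) -> dict:
    """Assumed policy: internal recipients get the message unchanged; an
    external recipient gets the redacted copy when any rule fires."""
    if recipient.lower().endswith("@" + internal_domain.lower()):
        return {"action": "allow", "body": body, "findings": []}
    redacted, findings = redact(body)
    if not findings:
        return {"action": "allow", "body": body, "findings": []}
    return {"action": "redact", "body": redacted, "findings": findings}


# Constructed sample email body; the SSNs and names are fictitious.
SAMPLE = """Hi, here is the roster you asked for.
Alice Example, 123-45-6789
Bob Example, 612-55-4321
Reference number 000-12-3456 is a ticket id, not an SSN.
(CUI) Contract award amount is $2.4M, do not forward.
Thanks!"""

if __name__ == "__main__":
    result = outbound_decision(SAMPLE, "friend@external.example", "corp.example")
    print(result["action"])
    print(result["body"])
```

Blacking out with a same-length run of block characters keeps the layout of the message intact, which is what a redacted document is expected to look like; it does reveal the length of what was removed, so a gateway that only needs to stop the data (rather than produce a readable redacted copy) can substitute a fixed token such as `[REDACTED]` instead.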
On June 9, NARA released an implementation guidance document to help agencies prepare to meet Executive Order 13556. The guidance document provides agencies with some key information needed for them to prepare their CUI implementation plans. These plans are due to NARA in early November of this year.
Here are some of the highlights:
- They give guidance on how to handle legacy documents. This has been an area of great interest to the government folks that we have been speaking with – they will appreciate the clarity.
- Safeguarding of CUI per existing OMB and NIST direction (a good thing – don’t think anyone wanted new standards).
- De-control dates for each category (welcome for various open government advocates).
- View into marking format: CUI//Authorized Category-Subcategory. Everyone’s been waiting for this one!
- They encourage portion marking. Portion marking refers to applying paragraph-level markings that may differ from other markings within the same document or email. Portion marking is widely used across the intelligence and DoD community. It will be interesting to see this leveraged on the civilian side of things – end user training and education will be paramount to successful adoption.
Overall, this helps set the stage for what is to come. Expect to see more guidance issued as we get closer to the registry live date (November 2011, if they keep on track). The registry will hold all the approved CUI markings and be available to the public.
The guidance can be found at: http://www.fas.org/sgp/cui/guidance.pdf
Once upon a time… (that’s the way all good stories start, don’t they!?)
Anyway, once upon a time, actually just a few weeks ago, there was an employee. This employee was not malicious and wasn’t trying to cause any harm, but was simply trying to get some ‘work-related assistance’ from someone outside of their organization. In doing so, they inadvertently emailed a file containing the names and social security numbers of all of the employees of that organization to someone outside of the organization.