Awareity's Lessons Learned Blog


DHS Learns a Lesson: “What Happens on the Internet, Stays on the Internet!”

Posted in Information Security, Lessons Learned by awareity on December 17, 2009

In response to the recent inadvertent TSA exposure of an improperly redacted PDF document containing highly detailed information on the passenger screening procedures used by TSA officials at U.S. airports, several lawmakers have apparently asked Department of Homeland Security Secretary Janet Napolitano to review any legal remedies available to stop web sites from reposting the leaked security manual.

First, a couple of reminders:

  • “What Happens on the Internet, Stays on the Internet”
  • The US legal system does not have jurisdiction over all of the Internet

Perhaps the same lessons being taught to students regarding the dangers of posting personal information or photographs of themselves online should be relayed to government employees with access to the Internet. Once that information is out there, it is highly unlikely you will ever get it back…just like there is no “UNSEND” button to click after you have sent an e-mail you did not mean to send.

What we really need are real solutions that address these and other real-life issues. This incident reveals the real and critical need for awareness and accountability across all levels of government. All personnel should be provided with “situational awareness” and “customized training” to ensure all appropriate personnel understand:

  • What types of information can be shared or not shared
  • How to properly share information
  • Who information can be shared with
  • How to protect/redact sensitive information
  • And many other situational awareness issues that all appropriate personnel need to know
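The redaction item above is where the TSA document failed: a redaction that only paints a black box over text leaves the text itself in the PDF, where any text extractor or copy-and-paste recovers it. As an added example (not from the original post), a small Python check over a PDF page content stream that flags text runs drawn underneath a filled rectangle. The two content streams are constructed and simplified (uncompressed, one Td per text block), and the function names are the example's own.

```python
import re

# Constructed sample: the sensitive sentence is still drawn (Tj) and a filled
# black rectangle is painted over it afterwards. Visually redacted, not really.
COSMETIC = b"""
BT /F1 12 Tf 72 700 Td (Screening procedure: check item 4) Tj ET
0 0 0 rg 70 695 220 16 re f
"""

# Constructed sample: the same page after the text run was actually removed
# from the content stream; only the rectangle remains.
PROPER = b"""
0 0 0 rg 70 695 220 16 re f
"""

_RECT = re.compile(rb"([\d.\-]+)\s+([\d.\-]+)\s+([\d.\-]+)\s+([\d.\-]+)\s+re\s+f\b")
_TD = re.compile(rb"([\d.\-]+)\s+([\d.\-]+)\s+Td")


def filled_rects(stream):
    """Return (x, y, width, height) for every filled rectangle (re followed by f)."""
    return [tuple(float(v) for v in m.groups()) for m in _RECT.finditer(stream)]


def text_runs(stream):
    """Return (x, y, text) for each BT..ET block: origin from its Td operator,
    text from Tj and TJ operators. Assumes one Td per block, as in the samples."""
    runs = []
    for block in re.findall(rb"BT(.*?)ET", stream, re.S):
        pos = _TD.search(block)
        x, y = (float(pos.group(1)), float(pos.group(2))) if pos else (0.0, 0.0)
        strings = re.findall(rb"\((.*?)\)\s*Tj", block, re.S)
        for arr in re.findall(rb"\[(.*?)\]\s*TJ", block, re.S):
            strings += re.findall(rb"\((.*?)\)", arr)
        for s in strings:
            runs.append((x, y, s.decode("latin-1")))
    return runs


def covered_text(stream):
    """Text runs whose origin lies inside a filled rectangle: invisible to a
    reader, but still present in the file. A proper redaction returns []."""
    rects = filled_rects(stream)
    leaks = []
    for x, y, text in text_runs(stream):
        if any(rx <= x <= rx + rw and ry <= y <= ry + rh for rx, ry, rw, rh in rects):
            leaks.append(text)
    return leaks


if __name__ == "__main__":
    print("cosmetic:", covered_text(COSMETIC))  # the sentence is still there
    print("proper:  ", covered_text(PROPER))    # []
```

Running the same check on a real document means decompressing each page's content stream first (FlateDecode in most files); the cheapest sanity test remains selecting all text in a viewer and pasting it somewhere.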

TSA Launches Review – Implementing Lessons Learned

The Transportation Security Administration said it is launching a “full review” of an incident in which the agency posted on the internet a sensitive manual outlining security procedures for law enforcement officers, diplomats, prisoners, federal air marshals and others.

Yet another Lesson Learned in 2009. We all need to use Lessons Learned from others so they become Lessons Implemented, to ensure better safety and better results at TSA…and at almost every other organization.

2009 has provided hundreds of lessons learned, and the majority of them reveal a widening gap involving a lack of awareness, a lack of accountability and a lack of oversight.

Blaming the administration or calling it an honest mistake or brain fade are not solutions. What organizations really need are better solutions and better tools to keep up with mounting risks, escalating regulations, constant changes and updates to situational awareness, and a growing need to securely share information.

Organizational leaders need better management and oversight tools to “connect the dots” and implement lessons learned so we can eliminate gaps and weak links and achieve better results.

Aligning Security and Company Risk – Lessons Learned from Others’ Mistakes

Excellent Lessons Learned from Major Incidents

There is a saying that no leader will live long enough to learn from their own mistakes, so great leaders learn from other people’s mistakes too.

As I was reviewing titles from the November issue of Security Management (an ASIS publication), on the lookout for lessons learned, I came across the following title: Aligning Security and Company Risk

I clicked on the link and read an article that featured two major security/compliance incidents and what steps leaders from General Dynamics Corporation and Providence Health & Services took after major incidents occurred at their organizations.

The article really got my attention when I read the first paragraph:

After a major incident, companies often decide that they need to purchase new security products to prevent a recurrence of the problem. But sometimes the solution may be nontechnical: to better align security and business risks and to enforce existing policies.

The article offers lessons learned from two organizational leaders who realized their security, compliance and business management efforts needed to be better aligned, and that no technology solution was going to “fix” their problems, gaps and weaknesses.

Are your organization’s security, compliance and risk management efforts aligned?

Does your organization have policies and procedures that help all appropriate personnel understand how your organization’s business processes are aligned?

Do all appropriate personnel understand their specific roles, responsibilities and obligations with respect to Security Management? Compliance Management? Risk Management? Reputation Management?

Does your organization need to modernize outdated, fragmented or manually intensive efforts that are making your organization vulnerable to expensive risks or a major incident?

In my experience performing risk, vulnerability, compliance, safety and continuity assessments…most organizations can definitely learn from other leaders’ and other organizations’ mistakes, sooner rather than later.

House Ethics Committee Standards Breach – Lessons Learned Part Two

Teachable Moments vs. Ongoing Awareness Reminders

As a follow-up to the previous blog regarding the sensitive ethics document from the Committee on Standards that ended up in the hands of The Washington Post, I wanted to take a look at teachable moments vs. ongoing awareness reminders.

If you go to the Committee on Standards of Official Conduct web site and look up its training requirements for 2009, you will see an example of once-a-year training requirements, and you will see that individual training requirements are based on pay scales. This seems ironic to me, since the Committee on Standards blamed a low-level staffer for the unauthorized access to the sensitive ethics document.

One thing we know from years and years of data is that people do not do things because they are taught…people do things because they are reminded.

What is the lesson learned here? Once-a-year training is not effective.

What are other lessons learned? To be effective, once-a-year training should be complemented with ongoing reminders about:

  • Situational Awareness
  • Risks
  • Threats
  • Best Practices
  • Regulations
  • Technology Usage
  • Information Sharing Guidelines
  • Information Handling Requirements
  • Legal Due Diligence
  • And other related issues

What other lessons learned or questions does this Committee on Standards incident reveal?

  • Should “low-level staffers” receive different training based on salary?
  • Should detailees, fellows, unpaid interns, or any other individuals who are employed by an organization and paid for less than 60 days be exempt from training?
  • Should new employees be allowed to work with sensitive information before training has been completed, or be given 60 days to attend live or online training?
  • If live training is provided, will individuals remember everything that was blasted at them via the “megaphone training approach”?

Interestingly enough, the previous questions are directly related to existing guidelines on the Committee on Standards of Official Conduct web site regarding 2009 Ethics Training.

This incident seems to be a great teachable moment about the importance of lessons-learned questions that need to be answered, and of updates that need to be provided to all appropriate individuals as ongoing awareness reminders.

House Ethics Committee Standards Breach – Lessons Learned

Posted in Lessons Learned by awareity on November 10, 2009

Low-Level Staffer Blamed for Committee on Standards Breach

In case you missed the story last week, multiple lessons learned and teachable moments have emerged from an incident involving a sensitive ethics committee document that ended up in the hands of the Washington Post. The ethics document exposed numerous ongoing investigations into the conduct of more than two dozen House members.

Most articles seem to be blaming the unauthorized access to the sensitive ethics document on a low-level staffer who was working from home on a personal laptop running a peer-to-peer file-sharing program, which exposed the document to anyone on the file-sharing network.

Asking good questions can be a great way to identify lessons learned and teachable moments, for example:

  • How many employees/contractors have access to sensitive and confidential information?
  • How many employees/contractors in your organization work from home?
  • How many employees/contractors in your organization use a personal laptop for organization related purposes?
  • How many employees/contractors in your organization use peer-to-peer file sharing programs?

Do you have clear policies and procedures, with enforcement and consequences defined, for each of these situations?

Do you have the ability to track and document awareness and accountability at the individual-level? (Or as the Ethics Committee defines it – low-level staffers?)

How do you keep all appropriate individuals updated on new risks, new regulations, new policies and new teachable moments?

The next lessons learned blog will look at teachable moments and ongoing reminders, and which works better…

Ohio Storage Bins Stolen – One Man’s Trash Is Another Man’s….

We have all heard the wise old saying…“One man’s trash is another man’s treasure,” and potentially we have yet another lesson learned for organizations that are obligated to protect their clients’ personal information.

In this lesson learned from Ohio, three large storage bins were stolen from outside three different bank branches in three different cities. Each of the three large storage bins contained paper that was waiting to be shredded, and at least one of the storage bins contained personal documents of bank customers.

A few questions this incident brings to mind:

  • Should personal data be stored outside of buildings?
  • Should trash/storage bins be removable?
  • Should trash/storage bins be monitored by video cameras?
  • How should data waiting to be shredded be handled and secured?
  • Does your organization have policies and procedures for data waiting to be shredded?
  • Does your organization have an information handling agreement with its shredding vendors?

When it comes to protecting customers’ personal information, many other questions come to mind and many risks and issues have been discussed in previous Lessons Learned Blog entries.

Oh! And don’t forget this lesson learned provides yet another ‘red flag’ that should be added to your FACTA Red Flag Rule program and communicated to all appropriate personnel.

Common Elements of Failed Financial Institutions (FDIC)

Posted in Lessons Learned by awareity on November 5, 2009

Yes, I admit it…I was surfing the FDIC web site this past weekend, spending some time reviewing past Financial Institution Letters, which the FDIC releases to advise the banking industry of supervisory changes and guidelines.

I came across a Financial Institution Letter for Newly Insured FDIC-Supervised Depository Institutions that included the new changes, as well as a list of common elements from troubled or failed institutions.

The list offers some potential lessons learned for organizational leaders (board of directors, executive management, compliance and others), so I thought I would share it.

  • Rapid growth
  • Over-reliance on volatile funding, including brokered deposits
  • Concentrations without compensatory management controls
  • Significant deviations from approved business plans
  • Noncompliance with conditions in the deposit insurance orders
  • Weak risk management practices
  • Unseasoned loan portfolios, which masked the potential deterioration during an economic downturn
  • Weak compliance management systems leading to significant consumer protection problems
  • Involvement in certain third-party relationships with little or no oversight

The list identifies the difficulties and complexities of “connecting the dots” and reminds bank leaders about many different types of “dots” that need better management to ensure better results.

If you are an organizational leader in the financial sector, this is good information!

UCLA Stabbing Puts Focus on College Students’ Mental Health

Posted in Lessons Learned by awareity on October 28, 2009

Could the stabbing have been prevented?

A recent article discussing the brutal stabbing of a UCLA student in a chemistry lab has raised difficult questions about why disturbed students are allowed to remain at school despite red flags and obvious warning signs.

Since Virginia Tech, campuses across the Nation have been working to identify troubled students and potential warning signs of mental illness, violence or other problems. However, identifying red flags and connecting the dots across multiple people (students, faculty, dorm advisors, mental health, law enforcement, etc.) can be extremely difficult and seemingly very complex.

  • Students and faculty members said that the UCLA attacker had exhibited erratic and delusional behavior in the past.
  • One professor notified campus authorities about paranoid and accusatory e-mails the UCLA attacker had sent to him.
  • Other professors made similar individual reports about the UCLA attacker.
  • The UCLA attacker also received counseling at the Student Affairs office.

Were any of these incidents enough of a concern to force the student into treatment? Had each of these dots been connected, could the stabbing have been prevented?

It may be impossible to know for sure, but schools could definitely implement more proactive steps to connect the dots. For example, school leadership should ensure that all faculty, school administrators, school security officers, school resource officers, counselors, parents, and students understand their roles and responsibilities for reporting suspicious incidents and behavioral red flags. Would anyone disagree that prevention efforts are more effective and less expensive than recovery efforts?

30,000 Hotmail Passwords Posted Online…and growing

Posted in Information Security, Lessons Learned by awareity on October 8, 2009

Did you see the headlines…10,000 webmail passwords were posted online?

Did you see the headlines…20,000 webmail passwords were posted online?

Did you see the headlines…30,000 webmail passwords were posted online?

Where does this end?

The headlines offer valuable lessons learned that every organization should be using to help its people (board members, managers, employees, partners, contractors, vendors, service providers, etc.) be better prepared for phishing threats and attacks.

The fact that 20,000 or 30,000 people (or more) were socially engineered into giving away their personal webmail passwords is alarming. So what is your organization doing to make sure your people are not giving away their passwords to organizational mail accounts?

Awareness is vital. Accountability is critical. Lessons Learned must become Lessons Implemented.

Is your organization prepared?

Dr. Phil’s Anti-Bullying Pledges

Posted in Lessons Learned by awareity on October 5, 2009

I recently caught a Dr. Phil segment focusing on bullying in schools…yes, I was watching Dr. Phil!

Bullying in schools is a serious problem that has escalated to include verbal and cyber harassment, physical beatings, social humiliation and death threats. In several cases, the bullying victims have even resorted to suicide to escape the tormenting of their peers.

On the show, Dr. Phil offered insight and advice on bullying targeted at tween girls. Dr. Phil’s web site offers suggestions on how to launch an anti-bullying campaign with pledges for students, parents, teachers and faculty. An excerpt from the Student Pledge is below:

We the students of ______________________________ agree to join together to stamp out bullying at our school.

We believe that everybody should enjoy our school equally, and feel safe, secure and accepted regardless of color, race, gender, popularity, athletic ability, intelligence, religion and nationality.

I acknowledge that whether I am being a bully or see someone being bullied, if I don’t report or stop the bullying, I am just as guilty.

Whether a child is a bullying victim or just a bystander, there are often several reasons why they are reluctant to tell anyone about it. The child might feel like they will get in trouble if they tell on someone, they may feel threatened by the bully themselves, or they may not want to seek any attention. But lessons learned clearly show that if a school does not provide a safe environment, bullying will continue to escalate until it is too late.

What can students, faculty, staff and school administrators do to eliminate bullying in their schools?

Schools need to take proactive steps and implement a comprehensive anti-bullying plan that will connect the dots and ensure that all faculty, school administrators, school security officers, school resource officers, counselors, parents, and students understand their roles and responsibilities for preventing and reacting to a bullying situation.

Schools also need to provide a simple and easy way for students and faculty to report incidents anonymously. By implementing a secure and anonymous incident reporting process, students and faculty will not feel threatened or intimidated when reporting a bully or a suspicious incident. School administrators also need to take proactive steps to ensure they are meeting state and federal mandates, such as the Clery Act and others, that require numerous types of incidents to be reported and documented.

Because bullying is such a serious topic, please take a few moments to see how Awareity’s unique solutions are currently helping schools address these complex and difficult challenges.  Visit www.awareity.com.
