Triware Networld Systems 

Information Security & Privacy Regulatory Compliance: Defense Industries – You Don’t Have to Be Faster Than the Bear…

When reviewing information security strategies, you can learn a lot from the Department of Defense (DoD) and how it does things. The DoD faces a genuine and well-defined threat to its information, even its unclassified information, and examining how it structures its security profile can help inform your company’s efforts.

The DoD administers the National Industrial Security Program to help defense contractors secure the information provided to them. This article examines how defense contractors are expected to handle and secure sensitive but unclassified documents. Classified security is beyond the scope of this article.

In no particular order of importance, the National Industrial Security Program Operating Manual (NISPOM) lists key controls, all of which must be in place for a defense contractor to meet the minimum requirements for handling sensitive but unclassified information. These are:

- Audit trails
- Backup and restoration
- Encryption
- Access controls
- Authentication
- Testing of controls
- Disaster recovery and planning

The first of these is audit trails. The audit logs must contain enough information to be useful: they need to record logons and logoffs, successful and unsuccessful accesses to security-relevant objects and directories, changes in user permissions, and account lockouts. In addition, the audit trails must be protected from tampering and reviewed on a regular basis. In practice, most commercial corporations are terrible at reviewing their audit trails in any meaningful way.
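
As an added illustration (not part of the original article), here is a small Python review pass over a constructed audit trail. It parses key=value event lines, flags the items the NISPOM says a reviewer should be looking at (repeated failed logons, lockouts, denied accesses to sensitive objects, permission changes), and shows one way to make the trail tamper-evident with a hash chain. The log format, the field names, the sample lines and the threshold of three failed logons are all assumptions made for the example.

```python
import hashlib
import re
from collections import Counter

# Constructed sample audit trail, one event per line in a simple key=value
# format. These lines are made up for the example; they are not real logs.
SAMPLE_LOG = """\
ts=2018-03-01T08:00:01Z event=logon user=alice result=success src=10.1.1.5
ts=2018-03-01T08:00:07Z event=logon user=bob result=failure src=10.1.1.9
ts=2018-03-01T08:00:09Z event=logon user=bob result=failure src=10.1.1.9
ts=2018-03-01T08:00:12Z event=logon user=bob result=failure src=10.1.1.9
ts=2018-03-01T08:00:14Z event=logon user=bob result=failure src=10.1.1.9
ts=2018-03-01T08:00:15Z event=lockout user=bob src=10.1.1.9
ts=2018-03-01T08:05:30Z event=object_access user=alice object=/finance/sales_q1.xlsx result=success
ts=2018-03-01T08:06:02Z event=object_access user=carol object=/finance/sales_q1.xlsx result=failure
ts=2018-03-01T08:10:44Z event=perm_change user=admin target=carol action=add_group group=Finance
ts=2018-03-01T17:01:00Z event=logoff user=alice
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn each non-empty line into a dict of its key=value fields."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


def review(events, failure_threshold=3):
    """Return the findings a reviewer should look at: repeated failed logons,
    lockouts, denied accesses to security-relevant objects, permission changes."""
    findings = []
    failed = Counter(e["user"] for e in events
                     if e.get("event") == "logon" and e.get("result") == "failure")
    for user, n in failed.items():
        if n >= failure_threshold:
            findings.append(f"{n} failed logons for {user}")
    for e in events:
        kind = e.get("event")
        if kind == "lockout":
            findings.append(f"account lockout: {e['user']} from {e.get('src')}")
        elif kind == "object_access" and e.get("result") == "failure":
            findings.append(f"denied access: {e['user']} -> {e['object']}")
        elif kind == "perm_change":
            findings.append(f"permission change by {e['user']}: "
                            f"{e['action']} {e['target']} {e.get('group', '')}".rstrip())
    return findings


def chain_hashes(lines, seed=b"audit-chain-seed"):
    """Protect the trail from tampering: each record's hash covers the previous
    record's hash, so editing or deleting a line breaks every hash after it.
    The seed is a placeholder; in practice anchor the chain to a value kept
    somewhere the log writer cannot modify."""
    prev = hashlib.sha256(seed).hexdigest()
    chained = []
    for line in lines:
        h = hashlib.sha256(prev.encode() + b"\n" + line.encode()).hexdigest()
        chained.append((line, h))
        prev = h
    return chained


def verify_chain(chained, seed=b"audit-chain-seed"):
    """Return the index of the first record whose hash does not check out, or -1."""
    prev = hashlib.sha256(seed).hexdigest()
    for i, (line, h) in enumerate(chained):
        if hashlib.sha256(prev.encode() + b"\n" + line.encode()).hexdigest() != h:
            return i
        prev = h
    return -1


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for finding in review(events):
        print("FINDING:", finding)
    chained = chain_hashes(SAMPLE_LOG.splitlines())
    print("chain intact:", verify_chain(chained) == -1)
    # Rewrite the lockout record as a successful logon and watch the chain break.
    chained[5] = ("ts=2018-03-01T08:00:15Z event=logon user=bob result=success", chained[5][1])
    print("first bad record after tampering:", verify_chain(chained))
```

The review logic is deliberately simple; what matters is that it is written down and run on a schedule, which is the part most corporations skip. The hash chain only detects tampering after the fact, and only if the chain head is stored where the people who can write the log cannot reach it.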

Next in line is backup and restoration. Written procedures, sufficient frequency, secure storage, and testing of the backups are all required of defense contractors to ensure the availability of unclassified information. Most commercial corporations have backup procedures, although they may not be written down, but few actually make a practice of testing those procedures to ensure that a restore (or, worse, a full restore after a catastrophe) is actually possible.

Encryption, naturally, is part of the NISPOM: any sensitive but unclassified documents transmitted outside the corporate perimeter must be encrypted. Typically, IPsec or other commercial encryption protocols can be used; however, some sensitive but unclassified information may only be encrypted (commercially) with AES. For non-DoD entities, the lesson here is that data should be encrypted while in transit even if it is simply going from one building to another. Unless the corporation owns every switch and router along the data’s route, there is no way to guarantee the data’s confidentiality or integrity. (And even then….)

Access controls, both physical and logical, play a big part in the NISPOM and should play a big part in private enterprise. Assigning a specific user to an information object goes a long way towards tracking how that object is used. Of course, the sensitivity of the object matters: no one really cares about what is on the cafeteria menu, but last week’s sales figures are significantly more sensitive. Having a way of tracking who has access to sensitive data is important when reviewing whether access limitations are appropriate. Many organizations do not even have tools that can show an information security manager what rights and permissions a particular user holds across the enterprise. This failure leads directly to one of the biggest ways corporations are compromised: privilege escalation. As used here, privilege escalation is the gradual over-granting of rights to a legitimate user (often called privilege creep), either through temporary permissions that were never removed or through indirect grants made by placing the user in an inappropriate group.
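
Added example, not from the original article: resolving a user's effective rights through nested group membership, which is the report the paragraph above says most organizations cannot produce. The directory snapshot, group names, file paths and rights are constructed for the example. Each right comes back with the membership path that grants it, so an indirect grant through a badly nested group is visible at a glance.

```python
from collections import deque

# Constructed directory snapshot (made up for the example, not real data).
# A group may contain users or other groups; nesting is how indirect
# over-granting happens.
GROUP_MEMBERS = {
    "AllStaff": {"alice", "bob", "carol", "dave", "erin"},
    "Finance": {"alice", "FinanceLeads"},
    "FinanceLeads": {"erin"},
    "Helpdesk": {"dave"},
    "DomainAdmins": {"Helpdesk"},  # helpdesk nested into admins: the classic mistake
}

# Constructed ACLs: object -> {principal: rights}. The cafeteria menu is
# readable by everyone; last week's sales figures are not.
ACLS = {
    "/cafeteria/menu.txt": {"AllStaff": {"read"}},
    "/finance/sales_week12.xlsx": {
        "Finance": {"read"},
        "FinanceLeads": {"read", "write"},
        "DomainAdmins": {"read", "write", "delete"},
    },
}


def groups_of(user):
    """Every group the user belongs to, directly or through nesting, mapped to
    the membership path that gets them there (user -> group -> ... -> group)."""
    found = {}
    queue = deque()
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            found[group] = [user, group]
            queue.append(group)
    while queue:
        inner = queue.popleft()
        for outer, members in GROUP_MEMBERS.items():
            if inner in members and outer not in found:
                found[outer] = found[inner] + [outer]
                queue.append(outer)
    return found


def effective_rights(user):
    """object -> {right: path explaining why the user has it}."""
    paths = groups_of(user)
    paths[user] = [user]  # rights granted to the user directly
    rights_by_object = {}
    for obj, acl in ACLS.items():
        for principal, rights in acl.items():
            if principal in paths:
                for right in rights:
                    rights_by_object.setdefault(obj, {}).setdefault(right, paths[principal])
    return rights_by_object


def all_users():
    """Members of any group that are not themselves groups."""
    return {m for members in GROUP_MEMBERS.values() for m in members if m not in GROUP_MEMBERS}


def who_can(obj, right):
    """Sorted list of users holding `right` on `obj`, however indirectly."""
    return sorted(u for u in all_users() if right in effective_rights(u).get(obj, {}))


if __name__ == "__main__":
    for obj, rights in effective_rights("dave").items():
        for right, path in rights.items():
            print(f"dave can {right} {obj} via {' -> '.join(path)}")
    print("can delete sales figures:", who_can("/finance/sales_week12.xlsx", "delete"))
```

Run against this snapshot, the helpdesk technician turns out to be able to delete the sales figures, not because anyone granted him that right but because Helpdesk was nested into DomainAdmins. A periodic run of who_can over each sensitive object is the access review the NISPOM is asking for.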

Authentication receives a lot of space in the NISPOM, as well it should. Authentication is the gateway to your data – all your data. If your access restrictions are not in place, someone with a legitimate user name and password will be able to wreak havoc if so inclined. The NISPOM rules for authenticators are extensive; here are some highlights:

- each user has a unique ID
- the process for informing the user of the first password must be documented
- aging of the authenticator
- history of the authenticator
- protection of the authenticators

In commercial parlance, what all this means is that your username and password should be unique, the password should be unreadable even if the password file is stolen (store only a salted, slow hash of it, never the password itself), and the creation and deletion of user IDs needs to be recorded and approved under a written change management policy. Invariably, when a large corporation undergoes a security audit, the auditors find accounts belonging to users who were terminated months earlier. Clearly this is one corporate area that needs attention.
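
The authenticator highlights above and their commercial reading, as an added Python example (not code from the article or from the NISPOM): a minimal password file that stores salted PBKDF2-HMAC-SHA256 hashes, refuses duplicate user IDs, enforces authenticator history and aging, and includes the audit pass that catches terminated users who are still on the system. The iteration count, history depth, 90-day aging limit, sample accounts and termination list are assumed values constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import date

# Assumed policy values for the example; the NISPOM does not set these numbers.
PBKDF2_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor
HISTORY_DEPTH = 5            # previous authenticators a user may not reuse
MAX_AGE_DAYS = 90            # authenticator aging limit


def hash_password(password, salt=None):
    """Salted, slow hash: a stolen password file yields no passwords without
    a per-user brute force, and identical passwords get different hashes."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant-time compare


def create_account(pwfile, user_id, password, today):
    """Each user gets a unique ID; a duplicate is refused rather than merged.
    Dates are ISO strings so the record can be stored as plain text."""
    if user_id in pwfile:
        raise ValueError(f"user ID already exists: {user_id}")
    pwfile[user_id] = {"hash": hash_password(password), "set_on": today, "history": []}


def change_password(pwfile, user_id, new_password, today):
    """Authenticator history: refuse a new password that matches any recent one."""
    rec = pwfile[user_id]
    if any(verify_password(new_password, old) for old in [rec["hash"]] + rec["history"]):
        return False
    rec["history"] = ([rec["hash"]] + rec["history"])[:HISTORY_DEPTH]
    rec["hash"] = hash_password(new_password)
    rec["set_on"] = today
    return True


def review_accounts(pwfile, terminated, today):
    """The audit pass: terminated users still on the system, and aged authenticators.
    `terminated` is the set of user IDs from the HR termination list."""
    findings = []
    now = date.fromisoformat(today)
    for user_id, rec in pwfile.items():
        if user_id in terminated:
            findings.append(f"{user_id}: still active after termination")
        if (now - date.fromisoformat(rec["set_on"])).days > MAX_AGE_DAYS:
            findings.append(f"{user_id}: authenticator older than {MAX_AGE_DAYS} days")
    return findings


if __name__ == "__main__":
    pwfile = {}
    create_account(pwfile, "alice", "correct horse battery staple", "2018-01-02")
    create_account(pwfile, "bob", "Winter2018!", "2018-03-01")
    print("reuse refused:",
          not change_password(pwfile, "alice", "correct horse battery staple", "2018-03-05"))
    terminated = {"bob"}  # constructed HR termination list
    for finding in review_accounts(pwfile, terminated, "2018-04-30"):
        print("FINDING:", finding)
```

The review_accounts pass is the piece auditors keep finding missing: it needs an authoritative termination list from HR, compared against the live account store on a schedule, with the result recorded under the change management policy.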

Regular security testing of controls is required by the NISPOM. To do this, a risk assessment needs to have been performed that identifies the controls necessary to keep a system secure. On a regular basis, a subject matter expert then tests those controls and confirms they are still in place. Most commercial ventures cannot say for certain which controls are key to protecting their information, and even fewer have documented them for testing. Of all the controls the NISPOM requires contractors to maintain in order to secure sensitive but unclassified DoD information, this one is the most neglected security process in corporate America. First ask: how can it be protected if we don’t even know what it is? That is why the risk assessment is needed to identify the sensitive data. Second: what controls have we put in place to secure that data? And once those controls are in place, how do we ensure they stay in place? That is the question the NISPOM requires defense contractors to answer, and it wouldn’t hurt corporate America to follow suit.

Whole books can be written on disaster recovery and planning. Suffice it to say that, in my experience, commercial ventures tend to pay lip service to this type of contingency planning. If Hurricane Katrina and New Orleans are any example, most corporations facing such extreme or catastrophic circumstances will simply close their doors. Defense contractors don’t have that luxury. Start with a business impact analysis (BIA) to determine whether shutting down is really a viable option, and then build a contingency plan from that.

This has been a very brief overview of how our nation views information security controls. Sensitive but unclassified information is the equivalent of what a commercial enterprise deals with on a daily basis. If your commercial enterprise isn’t at least at this minimum level of security, consider what you need to do to reach at least the levels outlined here.

You don’t want to be the slowest person running from the hungry bear.

By John Barchie, Senior Information Security Governance Fellow

John Barchie Biography

John Kenneth Barchie, CISM, CISSP, CNE, MCSE is an Information Technology and Information Security Expert with over 15 years in the high-tech and financial industries. John has been engaged to manage, audit, review and improve over 200 information technology departments and to charter corporate security functions.

© Copyrights Triware Networld Systems, L.L.C. ® 1991-2018