Information Security & Privacy Regulatory Compliance:
Defense Industries – You Don’t Have to Be Faster Than the Bear…
When reviewing information security strategies, you can learn a lot from the Department of Defense (DoD) and how it does things. There is no doubt that the DoD faces a genuine and defined threat to its information, even its unclassified information, and examining how it structures its security profile might help inform your company’s efforts.
The DoD administers the National Industrial Security Program to help defense contractors secure the information they are provided. This article examines how defense contractors are expected to handle and secure unclassified documents. Classified security is beyond the scope of this article.
In no particular order of importance, the National Industrial Security Program Operating Manual (NISPOM) lists key controls, all of which need to be in place in order for a defense contractor to have met the minimum requirements to handle sensitive but unclassified information. These are:
- Audit trails
- Backup and restoration
- Encryption
- Access controls
- Authentication
- Testing of controls
- Disaster recovery and planning
The first of these is audit trails. To be useful, these audit logs must record enough detail: logons and logoffs, successful and unsuccessful accesses to security-relevant objects and directories, changes in user permissions, and account lockouts. In addition, the audit trails must be protected from tampering and reviewed on a regular basis. In practice, most commercial corporations are terrible at reviewing their audit trails in any meaningful way.
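As an added illustration of the two audit-trail requirements above (review and tamper protection), the following Python script is not from the article; it parses constructed sample log lines in an invented format, flags the event types NISPOM names (failed logons, lockouts, denied accesses to sensitive objects, permission changes), and chains SHA-256 hashes over the entries so that editing or deleting a line breaks every hash that follows it.

```python
"""Review a constructed audit trail and make it tamper-evident with a hash chain.
Added example; the log format and every line in it are invented for illustration."""
import hashlib
import re
from collections import Counter

# Constructed sample log (not real data). Format: time user event target result
SAMPLE_LOG = """\
2024-03-01T08:01:12 alice LOGON host1 SUCCESS
2024-03-01T08:02:40 bob LOGON host1 FAILURE
2024-03-01T08:02:55 bob LOGON host1 FAILURE
2024-03-01T08:03:10 bob LOGON host1 FAILURE
2024-03-01T08:03:11 system LOCKOUT bob -
2024-03-01T08:15:00 alice ACCESS /secure/contracts SUCCESS
2024-03-01T08:16:30 carol ACCESS /secure/contracts FAILURE
2024-03-01T09:00:00 admin PERMCHANGE carol:+SecureReaders -
2024-03-01T17:30:00 alice LOGOFF host1 SUCCESS
"""

LINE_RE = re.compile(
    r"^(\S+) (\S+) (LOGON|LOGOFF|ACCESS|LOCKOUT|PERMCHANGE) (\S+) (SUCCESS|FAILURE|-)$"
)


def parse(log_text):
    """Turn raw lines into event dicts; an unparseable line is itself a finding."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        ts, user, event, target, result = m.groups()
        events.append({"ts": ts, "user": user, "event": event,
                       "target": target, "result": result})
    return events


def review(events, fail_threshold=3):
    """The periodic review: return the entries a reviewer should look at."""
    findings = []
    failed_logons = Counter()
    for e in events:
        if e["event"] == "LOGON" and e["result"] == "FAILURE":
            failed_logons[e["user"]] += 1
            if failed_logons[e["user"]] == fail_threshold:
                findings.append(f"{e['user']}: {fail_threshold} failed logons")
        elif e["event"] == "LOCKOUT":
            findings.append(f"{e['target']}: account locked out")
        elif e["event"] == "ACCESS" and e["result"] == "FAILURE":
            findings.append(f"{e['user']}: denied access to {e['target']}")
        elif e["event"] == "PERMCHANGE":
            findings.append(f"{e['user']} changed permissions: {e['target']}")
    return findings


def chain_hashes(lines, seed="genesis"):
    """Each entry's hash covers the previous hash, so altering or removing a
    line invalidates every hash after it; store the chain separately from the log."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    chain = []
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        chain.append(prev)
    return chain


def verify_chain(lines, chain, seed="genesis"):
    """True only if the log lines still produce exactly the recorded chain."""
    return chain_hashes(lines, seed) == chain


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for finding in review(parse(SAMPLE_LOG)):
        print(finding)
    recorded = chain_hashes(lines)
    print("chain intact:", verify_chain(lines, recorded))
```

The chain only helps if the recorded hashes live somewhere the log writer cannot modify (a separate host or write-once store); otherwise an attacker who edits the log simply recomputes the chain.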
Next in line is backup and restoration. Written procedures, sufficient frequency, secure storage, and testing of the backups are all required for defense contractors to ensure the availability of unclassified information. Most commercial corporations have backup procedures, although they may not be written down, but few actually make a practice of testing those procedures to ensure that a restore (or worse, a catastrophic restore) is possible.
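The neglected step above is testing that a restore actually works. As an added example (not code from the article), this Python script backs up a small constructed directory to a tar archive, restores it to a scratch location, and compares every restored file's SHA-256 against a manifest taken at backup time, then deliberately damages one restored file to show that the check reports it.

```python
"""Back up a directory, restore it, and verify the restore file by file.
Added example; the sample files are constructed in a temporary directory."""
import hashlib
import os
import tarfile
import tempfile


def file_digests(root):
    """Map relative path -> sha256 for every regular file under root."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def backup(src_dir, archive_path):
    """Write a gzip tar of src_dir and return the manifest recorded at backup time."""
    manifest = file_digests(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(os.path.join(src_dir, rel), arcname=rel)
    return manifest


def restore(archive_path, dest_dir):
    """Extract the archive; the 'data' filter (newer Pythons) refuses members
    that would land outside dest_dir, so a crafted archive cannot overwrite
    files elsewhere. Older interpreters fall back to plain extraction."""
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(dest_dir, filter="data")
        except TypeError:
            tar.extractall(dest_dir)


def verify_restore(manifest, restored_dir):
    """Return the files that are missing or differ from the backup-time manifest."""
    actual = file_digests(restored_dir)
    return sorted(p for p, h in manifest.items() if actual.get(p) != h)


def make_sample_data(root):
    """Constructed sample content standing in for real documents."""
    os.makedirs(os.path.join(root, "contracts"))
    with open(os.path.join(root, "contracts", "sow.txt"), "w") as fh:
        fh.write("statement of work (constructed sample)\n")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("sample data\n")


def run_demo():
    """Full backup/restore test; returns (mismatches after a clean restore,
    mismatches after one restored file is corrupted)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "data")
        make_sample_data(src)
        archive = os.path.join(tmp, "backup.tar.gz")
        manifest = backup(src, archive)
        restored = os.path.join(tmp, "restored")
        os.makedirs(restored)
        restore(archive, restored)
        clean = verify_restore(manifest, restored)
        # Simulate a bad restore (truncated file) to show the check catches it.
        with open(os.path.join(restored, "contracts", "sow.txt"), "w") as fh:
            fh.write("")
        corrupted = verify_restore(manifest, restored)
        return clean, corrupted


if __name__ == "__main__":
    ok, bad = run_demo()
    print("clean restore mismatches:", ok)
    print("corrupted restore mismatches:", bad)
```

In a real program the manifest should be stored with (but separately signed from) the archive, and the restore test run on schedule against a scratch host rather than production.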
Encryption, naturally, is part of the NISPOM, and any sensitive but unclassified documents transmitted outside the corporate perimeter need to be encrypted. Typically, IPSec or other commercial encryption protocols can be used; however, some sensitive but unclassified information can only be encrypted (commercially) with AES. For non-DoD entities, the lesson here is that data should be encrypted while it is being transmitted, even if it is simply going from one building to another. Unless the corporation owns every switch and router along the data’s route, there is no way to guarantee the data’s confidentiality or integrity. (And even then….)
Access controls, both physical and logical, play a big part in NISPOM and should play a big part in private enterprise. Assigning a specific user to an information object goes a long way towards tracking how that object is used. Of course, the sensitivity of the object is important: no one really cares about what is on the cafeteria menu, but last week’s sales figures are significantly more sensitive. Having a way of tracking who has access to sensitive data is important when reviewing appropriate access limitations. Many organizations do not have tools that can even show an information security manager what rights and permissions a particular user has across the enterprise. This failure leads directly to one of the biggest ways corporations are compromised: privilege escalation. Privilege escalation here is the process of over-granting rights to a legitimate user, either as temporary permissions that were never removed or as indirect grants from including the user in an inappropriate group.
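The tooling gap described above (nobody can say what rights a user actually holds) is what the following added Python example addresses; it is not from the article, and the group and ACL data are constructed. It resolves each user's effective rights over each object, records the membership path through nested groups by which each right is obtained, and reports the two over-grant patterns the paragraph names: a temporary grant past its expiry date and a right on a sensitive object held only through group nesting.

```python
"""Resolve effective rights through nested groups and flag over-grants.
Added example; the directory snapshot below is constructed, not real data."""
from collections import deque
from datetime import date

# Constructed directory snapshot: group -> direct members (users or groups).
GROUPS = {
    "Everyone": ["alice", "bob", "carol", "Finance"],
    "Finance": ["bob", "FinanceLeads"],
    "FinanceLeads": ["carol"],
    "CafeteriaEditors": ["alice"],
}
# Constructed ACLs: object -> {principal: (right, expiry date or None)}.
ACLS = {
    "/cafeteria/menu.txt": {
        "CafeteriaEditors": ("write", None),
        "Everyone": ("read", None),
    },
    "/finance/sales-last-week.xlsx": {
        "FinanceLeads": ("read", None),
        "Finance": ("write", None),
        "alice": ("read", date(2024, 1, 31)),   # temporary grant, never removed
    },
}
SENSITIVE = {"/finance/sales-last-week.xlsx"}


def groups_of(user, groups):
    """Return {group: path} for every group the user belongs to directly or
    through nesting; path is the shortest chain of groups that leads there."""
    result = {}
    queue = deque((g, [g]) for g, members in groups.items() if user in members)
    while queue:
        g, path = queue.popleft()
        if g in result:
            continue
        result[g] = path
        for parent, members in groups.items():
            if g in members:               # parent group contains this group
                queue.append((parent, path + [parent]))
    return result


def effective_rights(user, groups, acls, today):
    """object -> [(right, via, expired)] for every right the user holds."""
    member_of = groups_of(user, groups)
    rights = {}
    for obj, entries in acls.items():
        for principal, (right, expires) in entries.items():
            if principal == user:
                via = "direct"
            elif principal in member_of:
                via = " -> ".join(member_of[principal])
            else:
                continue
            expired = expires is not None and expires < today
            rights.setdefault(obj, []).append((right, via, expired))
    return rights


def over_grants(users, groups, acls, sensitive, today):
    """Findings a reviewer would raise: expired temporary grants still present,
    and rights on sensitive objects that exist only because of group nesting."""
    findings = []
    for user in users:
        for obj, entries in effective_rights(user, groups, acls, today).items():
            for right, via, expired in entries:
                if expired:
                    findings.append(f"{user}: {right} on {obj} expired {via} grant still present")
                elif obj in sensitive and "->" in via:
                    findings.append(f"{user}: {right} on {obj} via nested group {via}")
    return findings


if __name__ == "__main__":
    for f in over_grants(["alice", "bob", "carol"], GROUPS, ACLS, SENSITIVE, date(2024, 3, 1)):
        print(f)
```

In the constructed data, carol ends up with write access to the sales figures only because FinanceLeads is nested inside Finance, and alice still holds a read grant that expired weeks ago; both are invisible when you look only at direct ACL entries.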
Authentication receives a lot of space in the NISPOM, as well it should. Authentication is the gateway to your data – all of your data. If your access restrictions are not in place, someone with a legitimate user name and password is going to be able to wreak havoc if they are so inclined. The NISPOM rules for authenticators are extensive; here are some highlights:
- each user has a unique ID
- the process for informing the user of the first password must be documented
- aging of the authenticator
- history of the authenticator
- protection of the authenticators
In commercial parlance, what all this means is that your username and password should be unique, the password should be unreadable even if the password file is stolen, and the creation and deletion of user IDs needs to be recorded and approved under a written change management policy. Invariably for large corporations, when there is a security audit, auditors will find users on the system who were terminated from the company months ago. Clearly this is one corporate area that needs attention.
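Two of the points above can be shown in code: storing the authenticator so a stolen password file does not reveal it, and reconciling the accounts on a system against HR records so terminated users are found before the auditors find them. The Python below is an added example, not the article's or any product's code; the account snapshot, HR roster and change-ticket mapping are constructed, and the iteration count is a modest value chosen so the example runs quickly.

```python
"""Salted password hashing plus an account/HR reconciliation check.
Added example; all data below is constructed for illustration."""
import hashlib
import hmac
import os
from datetime import date

# Iteration count kept modest for the demo; production deployments use more.
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Store a salted PBKDF2-HMAC-SHA256 digest, never the password itself.
    A fresh random salt per user means identical passwords hash differently."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed snapshot of system accounts (not real data).
ACCOUNTS = [
    {"id": "alice", "enabled": True, "last_logon": date(2024, 2, 28)},
    {"id": "bob", "enabled": True, "last_logon": date(2023, 9, 14)},
    {"id": "carol", "enabled": True, "last_logon": date(2024, 2, 27)},
    {"id": "dave", "enabled": False, "last_logon": date(2023, 6, 1)},
    {"id": "svc_backup", "enabled": True, "last_logon": date(2024, 2, 29)},
]
# Constructed HR roster and the change tickets approving non-HR accounts.
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "active", "dave": "terminated"}
CHANGE_TICKETS = {"svc_backup": "CHG-0042"}   # placeholder ticket id


def stale_accounts(accounts, roster, tickets, today, max_idle_days=90):
    """Return (account id, reason) for enabled accounts that should not be:
    terminated in HR, created without an approved ticket, or long unused."""
    findings = []
    for acct in accounts:
        uid = acct["id"]
        if not acct["enabled"]:
            continue
        status = roster.get(uid)
        if status == "terminated":
            findings.append((uid, "enabled but terminated in HR"))
        elif status is None and uid not in tickets:
            findings.append((uid, "no HR record and no approved change ticket"))
        if (today - acct["last_logon"]).days > max_idle_days:
            findings.append((uid, f"no logon in > {max_idle_days} days"))
    return findings


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored form:", record)
    print("verifies:", verify_password("correct horse battery staple", record))
    for uid, reason in stale_accounts(ACCOUNTS, HR_ROSTER, CHANGE_TICKETS, date(2024, 3, 1)):
        print(uid, "-", reason)
```

The reconciliation is only as good as the HR feed and the change records it is compared against, which is why the article's point about a written, enforced change management policy matters: without approved tickets for service accounts, every one of them looks like an orphan.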
Regular security testing of controls is required by NISPOM. To do this, a risk assessment needs to have been performed that identifies the controls necessary to keep a system secure. On a regular basis the subject matter expert needs to test the controls and ensure they are in place. Most commercial ventures cannot say for certain what controls are key to protecting their information, and even fewer have documented them for testing. Of all the controls NISPOM requires contractors to maintain in order to secure sensitive but unclassified DoD information, this one is the most neglected security process in corporate America.
First ask: how can it be protected if we don’t even know what it is? Thus we need the risk assessment to identify sensitive data. Second, what controls have we put in place to secure our sensitive data? Once those controls are in place, how do we ensure they stay in place? That is the question that NISPOM requires defense contractors to answer, and it wouldn’t hurt corporate America to follow suit.
Whole books can be written on disaster recovery and planning. Suffice it to say that in my experience, commercial ventures tend to pay lip service to this type of contingency planning. If Hurricane Katrina and New Orleans are any example, most corporations facing such extreme or catastrophic circumstances will simply close their doors. Defense contractors don’t have that luxury. Start with a business impact analysis (BIA) to see if shutting down is really a viable option, and then build a contingency plan from that.
This has been a very brief overview of how our nation views information security controls. Sensitive but unclassified information is the equivalent of what a commercial enterprise deals with on a daily basis. If your commercial enterprise isn’t at least at this minimum level of security, consider what you need to do to reach at least the levels outlined here.
You don’t want to be the slowest person running from the hungry bear.
By John Barchie, Senior Information Security Governance Fellow
