Information Security & Privacy Regulatory Compliance:
Defense Industries – You Don’t Have to Be Faster Than Bear…
information security strategies, you can learn a lot from the
Department of Defense (DoD) and how it does things. There is no
doubt that the DoD has a genuine and defined threat to their
information, even their unclassified information, and examining how
they structure their security profile might help inform your
The DoD administers
the National Industrial Security Program to help defense contractors
secure the information they were provided. This article examines how
defense contractors are expected to handle and secure unclassified
security is beyond the scope of this article.
In no particular
order of importance, National Industrial Security Program Operating
Manual (NISPOM) lists key controls, all of which need to be in place
in order for a defense contractor to have met the minimum
requirements to handle sensitive but unclassified information.
Testing of controls|
Disaster recovery and
The first of these
mentioned is audit trails.
These audit logs must have sufficient information to be useful, they
need to keep track of logons and logoffs, successful and
unsuccessful accesses to security relevant objects and directories,
changes in user permissions, and tracking of account lockouts.
In addition, the audit trails must be protected from
tampering and reviewed on a regular basis.
In practice, most commercial corporations are terrible at
reviewing their audit trails in any meaningful way.
Next in line is
backup and restoration.
Written procedures, sufficient frequency, secure storage, and
testing of the backups are all required for defense contractors to
ensure the availability of unclassified information.
Most commercial corporation have backup procedures, although
they may not be written down, but few actually make a practice of
testing the procedures to ensure that a restore (or worse, a
catastrophic restore) is possible.
naturally is part of the NISPOM, and any sensitive but unclassified
documents transmitted outside the corporate perimeter need to be
encrypted. Typically, IPSec or other commercial encryption protocols
can be used, however some sensitive but unclassified information can
only be encrypted (commercially) with AES.
For non-DoD entities, the lesson here is that data should be
encrypted while it is being transmitted even if it is simply going
from one building to another. Unless the corporation owns every
switch and router along the data’s route, there is no way to
guarantee the data’s confidentiality or integrity. (And even then….)
Access controls, both physically and logically, play a big part in
NISPOM and should play a big part in private enterprise.
Assigning a specific user to an information object goes a
long way towards tracking how that object is used.
Of course, the sensitivity of the object is important: no one
really cares about what is on the cafeteria menu, but last week’s
sales figures are significantly more sensitive.
Having a way of tracking who has access to sensitive data is
important when reviewing appropriate access limitations. Many
organizations do not have tools that can even show an information
security manager what rights and permissions a particular user has
over the enterprise. This failure leads directly to one of the
biggest ways corporations are compromised: privilege escalation.
Privilege escalation is the process of over granting rights to a
legitimate user, either as temporary permissions that failed to be
removed or indirect granting by including the user in an
receives a lot of space in the NISPOM manual, as well it should.
Authentication is the gateway to your data – all your data.
If your access restrictions are not in place, someone with a
legitimate user name and password is going to be able to wreak havoc
if they are so inclined.
The NISPOM rules for authenticators are extensive, however here are
each user has a
the process for
informing the user of the first password must be
aging of the
history of the
protection of the
parlance, what all this means is that your username and password
should be unique, the password should be unable to be read even if
the password file is stolen, and the creation and deletion of user
ID’s needs to be recorded and approved in a written change
management policy. Invariably for large corporations, when there is
a security audit, auditors will find users on the system that were
terminated months ago from the company. Clearly this is one
corporate area that needs attention.
of controls is required
by NISPOM. To do this, a risk assessment needs to have been
performed that identifies the controls necessary to keep a system
secure. On a regular basis the subject matter expert needs to test
the controls and ensure they are in place.
Most commercial ventures cannot say for certain what controls
are key to protecting their information, and even fewer have
documented them for testing. Of all the controls NISPOM requires
contractors to maintain in order to secure sensitive but
unclassified DoD information, this one is the most neglected
security process in corporate America.
First ask, how can it be protected if we don’t even know what
it is? Thus we need the risk assessment to identify sensitive data.
Second, what controls have we put in place to secure our sensitive
data? Once those controls are in place, how do we ensure they stay
in place? That is the question that NISPOM requires defense
contractors to answer, and it wouldn’t hurt corporate America to
Whole books can be
written on disaster recovery
Suffice to say that in my experience, commercial ventures tend to
pay lip service to this type of contingency planning. If Hurricane
Katrina and New Orleans are any example, most corporations facing
such extreme or catastrophic circumstances will simply close their
doors. Defense contractors don’t have that luxury. Start with a
business impact analysis (BIA) to see if shutting down is really a
viable option, and then build a contingency plan from that.
This has been a
very brief overview of how our nation views information security
controls. Sensitive but unclassified information is the equivalent
of what a commercial enterprise deals with on a daily basis.
If your commercial enterprise isn’t at least at this minimum
level of security, consider what you need to do to reach at least
the levels outlined here.
You don’t want to
be the slowest person running from the hungry bear.
By John Barchie,
John Barchie Biography
Back to Top
Information Request Form
Select the items that apply, and then let us know how to contact you.