By Laura Wilson, Information-Security-Resources
This week's revelation that the Transportation Security Administration exposed its rules for airport security screening online is outrageous.
As holiday travel ramps up, the possible consequences are alarming. Coupled with the sharp rise in information security breaches across many sectors of society and rampant identity theft, the TSA's breach sets the stage for potential disaster.
Information-Security-Resources editors have been raising the warning flag for some time, that it is inevitable these pervasive information security breaches will be used for, among other things, terrorism. The FBI, the Center for Strategic and International Studies (CSIS), and numerous other experts agree on the gravamen of the threat.
TSA's security blunder occurred during the process of soliciting bids and proposals for a contract, reports Spencer S. Hsu of the Washington Post: "The 93-page Standard Operating Procedures manual went online in redacted form as part of a solicitation on a federal procurement Web site."
The attempt at redaction was woefully inadequate. ABC News quotes the former inspector general for the TSA, Clark Kent Ervin: "It obviously gives a road map to terrorists as to exactly how to exploit the weaknesses in our aviation security system."
The fact that this breach happened during the procurement process does not surprise me. Having managed contracts, procurement and deals in several industries that handle highly sensitive information and systems, I found the process riddled with gaping holes that left security vulnerable, and that frequently went ignored for years.
Not every transaction that comes through the contracting process is this flawed. Depending on the culture, training, and will of the organization, many of these transactions are handled appropriately, even when dealing with sensitive and risky issues.
But it takes only one broken link in the data access chain to expose this interconnected information to terrorists and other criminals.
Most established organizations have decent policies and controls on the books; however, many security gaps happen when the teams or people desiring to push a project through, quickly and on the cheap, are allowed to bypass the controls on which security, and multiple stakeholders, rely.
If these "irrational exuberance" teams, operating under the same mindset that infected our entire financial world with credit default swaps and toxic loans, override the control teams (those charged with understanding and maintaining security), the entire system is left naked to threats.
If the control teams don't understand the intricacies of transactions and security, or don't have the will to push back on fatally flawed transactions (not usually a popular position), the system goes rolling along, on the assumption that appropriate protections are in place.
Adequately securing these transactions is not an unmanageable problem.
It is imperative that information fiduciaries get a better handle on this oft-ignored piece of the data access chain. Stakeholders should demand that this security threat be addressed, really damn quick.