It's Hard to Keep Secrets When You Entrust Them To Others
When you entrust sensitive information to a contracted company or individual, you are also accepting risk. If you do not perform due diligence to ensure your contractor has effective safeguards in place, and understands that your information is sensitive, and if you do not have specific security requirements within your contract, you are opening yourself up to a major embarassment, major incident, or both.
The U.S. State Department entrusts many of their secrets to many different contractors. They have found themselves with yet some more bad press as a result of one of their contractors.
Today CNN reported a website had posted detailed impages of the planned layout of the new U.S. Embassy currently under construction in Baghdad.http://www.cnn.com/2007/WORLD/meast/06/01/embassy.plans.ap/index.html
"Detailed plans for the new U.S. Embassy now under construction in Baghdad appeared online in a major breach of the tight security surrounding the sensitive project that will be America's largest diplomatic mission abroad. Computer-generated projections of the nearly completed heavily fortified compound were posted to the Web site of Berger Devine Yaeger Inc., an American architectural firm that was contracted to design the massive facility in the Iraqi capital. The post was removed by the company from its Web site Thursday shortly after being contacted about it by the State Department."
I checked the Berger Devine Yaeger site just to see what was there, but the site was down.
However, the web page with the text information for the Baghdad project is still cached, as expected, but the cached images were not available on Google. However, depending upon how long the plans were actually on the site, it's likely there have been many copies of the plans made.
Once information has been posted on the Internet it will likely be forever present in other places on the Internet.
Of course the contractor downplayed the incident.
"Berger Devine Yaeger's parent company, the giant contractor Louis Berger Group, said the plans had been very preliminary and would not be of help to potential U.S. enemies."
And, as the article pointed out, with the capabilities of satellites clearly broadcasting on many Internet sites, with amazing close-ups, any place on earth, it would be hard to keep the construction secret any way.
However, actually posting the photos and other details on their site is completely different from satellite images, and still a huge gaffe.
It appears they had posted the details on purpose as part of their marketing promotion; in the caches it appears they had plans and photos from their other clients posted also.
It's important to know how your business partners are not only safeguarding your sensitive information, you also need to make sure they *UNDERSTAND* that the information you've entrusted to them *IS* sensitive, and that they must protect it and not use it inappropriately, such as in marketing campaigns.
Email This!
Digg it!
Sphere it!
Del.icio.us
Reddit!
Newsvine
Comments
This goes back to your previous post about insider threat and security within the company. Even though contractors don't always work in the office, they are still dealing with company information and are therefore part of the organization. This risk has to be taken care of.
It is discouraging to see stories like this over and over again (contractor's laptop stolen, which contained sensitive data on X thousand people...) as if corporate enterprises and government institutions aren't learning the lesson.
Posted by: Mila | June 1, 2007 8:12 PM
There is an extremely simple concept that does seem to mitigate risk -- Provide the least amount of access for the least amount of people, ONLY FOR THE EXPLICITLY PERMITTED PURPOSE. Once all parties understand that concept, they should examine controls to ensure its proper implementation.
Posted by: Craig Herberg | June 4, 2007 11:20 AM
Yes, limiting access to only the data necessary to perform job responsibilities is the best practice. The devil is in the details for how to get that understanding to contracted companies.
What may be classified as very sensitive with tightly controlled access may not be considered in the same way by the entities to whom that sensitive information is entrusted, as appears to be the case here. It looks like printed details about projects was part of the contractor's typical business practice.
All the more need for good contracts that contain detailed security requirements, along with ensuring that only the people who should have access are given access, and that all personnel receive appropriate training and ongoing awareness about protecting client data.
I've done a great many security program reviews for contracted entities, and the majority of them do not have detailed security requirements within the contract, nor do they have good, and often nonexistent, training and awareness practices.
Posted by: Rebecca | June 4, 2007 7:35 PM