Data loss prevention isn't rocket science, but NASA hasn't made it work in Microsoft 365

NASA's Office of Inspector General has run its eye over the aerospace agency's privacy regime and found plenty to like – but improvements are needed. In an audit [PDF] published Tuesday, the OIG found NASA has a "comprehensive privacy program that includes processes for determining whether information systems collect, store, …

  1. Sora2566 Bronze badge

    Remember the days when the actual rocket science was the most complex thing going on at NASA?

    1. An_Old_Dog Silver badge

      Complex Things

      @Sora2566: If you think rocket science is complex, try understanding human politics.

      1. Pascal Monett Silver badge

        Re: Complex Things

        Human politics is simple: someone is always trying to screw over someone else.

      2. Paul Herber Silver badge

        Re: Complex Things

        And brain surgery. Don't forget brain surgery.

        1. aerogems Silver badge
          Trollface

          Re: Complex Things

          Brain surgery is also simple. The trick is in realizing the pyramids in Egypt were built as giant granaries.

          1. Grunchy Silver badge

            Re: Complex Things

            I always thought of the Great Pyramid as like a really elaborate bathroom, equipped with nothing but 1 bathtub that’s really hard to get to (and no plumbing).

  2. An_Old_Dog Silver badge
    Joke

    "How the Data was Disclosed"

    To: *@*.com

    Staffer A: "What is that email address?"

    Staffer B: "It's great -- it's short and really easy to type, and usually gets the email to where it should go."

    Staffer A: "How'd you learn that?"

    Staffer B: "It was on a Post-It note on my monitor when I first started this job."

  3. Mike 137 Silver badge

    "Privacy review finds breach response plan is a mess"

    In my professional experience, business response plans are usually a mess, regardless of what they're intended to respond to. I think the worst I encountered was an "incident response plan" for the UK head office of an international 24 hour services provider. The "plan" consisted of a "policy" that listed a range of expected incidents, a response flow chart that included an inescapable closed loop if a particular decision was made, plus a cardboard box of assorted (non-inventoried) stuff on the top of a cupboard in the IT office. The "training" consisted of an annual get-together for the Board members with an external consultant who talked them through a trivial notional incident (for example, evacuating the building).

    I had the task of reviewing this, but I came up against massive resistance, not least because I proposed that [a] the unexpected (rather than a predefined list of specific incidents) should be allowed for, [b] that staff convenience should take second place to effective response when an incident occurred, and [c] training exercises should be realistic, including elements of confusion.

    What finally defeated me was that the presence of an "incident response plan" (rather than its effectiveness) was all they really required to pass audit.

    1. Pascal Monett Silver badge

      Re: all they really required to pass audit

      Ah, the beauty of auditing. You can get certified and flaunt that, but when disaster actually strikes, you'll be running around like headless chickens (and just as useful).

      The advantage of being on The Board is that you can decide just how much you want to be bothered by procedures. The disadvantage is that it will be difficult to find someone else to blame when the chips are down. And if you do find a scapegoat, there's a fair chance that your faulty procedures will find a way to get published, which will demonstrate just how incompetent you are.

      And the next audit might be a bit more harsh.

      1. Mike 137 Silver badge

        Re: all they really required to pass audit

        "The disadvantage is that it will be difficult to find someone else to blame when the chips are down"

        Not a problem -- blame trickles downward, just like water. It's widely recognised that the average time in post for a CISO is around three years (effectively, until the next incident). And the CISO is typically not a Board member -- just 'reports' to the Board. But directors (like boxing managers) go on for ever through cycles of revolving doors.

  4. Anonymous Coward

    They are not alone.

    The NHS is using an ever increasing amount of Office 365.

    A while back, we were told our bit was going to be made secure. They have introduced 2FA, which seems to hardly ever pop up. I asked, if we were going to become secure, what we were switching to instead, but apparently "important people" have decided that this is where we were going!

    1. Anonymous Coward

      Re: They are not alone.

      You want 2FA popping up every day? Once a device is trusted it will typically be 2FA every 30 days or so and will require the device to be secured by, say, biometrics. If you use a new device it will be instant for 2FA. This is common sense balancing usability with security.

  5. aerogems Silver badge
    Facepalm

    They can put craft on other planets

    Including accounting for all kinds of what-if scenarios of things that might befall those craft at any point along their millions-of-miles journeys, but they can't seem to get their terrestrial house in order.
