Remember the days when the actual rocket science was the most complex thing going on at NASA?
Data loss prevention isn't rocket science, but NASA hasn't made it work in Microsoft 365
NASA's Office of Inspector General has run its eye over the aerospace agency's privacy regime and found plenty to like – but improvements are needed. In an audit [PDF] published Tuesday, the OIG found NASA has a "comprehensive privacy program that includes processes for determining whether information systems collect, store, …
COMMENTS
-
Thursday 21st December 2023 05:21 GMT An_Old_Dog
"How the Data was Disclosed"
To: *@*.com
Staffer A: "What is that email address?"
Staffer B: "It's great -- it's short and really easy to type, and usually gets the email to where it should go."
Staffer A: "How'd you learn that?"
Staffer B: "It was on a Post-It note on my monitor when I first started this job."
-
Thursday 21st December 2023 07:48 GMT Mike 137
"Privacy review finds breach response plan is a mess"
In my professional experience, business response plans are usually a mess, regardless of what they're intended to respond to. I think the worst I encountered was an "incident response plan" for the UK head office of an international 24 hour services provider. The "plan" consisted of a "policy" that listed a range of expected incidents, a response flow chart that included an inescapable closed loop if a particular decision was made, plus a cardboard box of assorted (non-inventoried) stuff on the top of a cupboard in the IT office. The "training" consisted of an annual get-together for the Board members with an external consultant who talked them through a trivial notional incident (for example, evacuating the building).
I had the task of reviewing this, but I came up against massive resistance, not least because I proposed that [a] the unexpected (rather than a predefined list of specific incidents) should be allowed for, [b] that staff convenience should take second place to effective response when an incident occurred, and [c] training exercises should be realistic, including elements of confusion.
What finally defeated me was that the presence of an "incident response plan" (rather than its effectiveness) was all they really required to pass audit.
-
Thursday 21st December 2023 08:37 GMT Pascal Monett
Re: all they really required to pass audit
Ah, the beauty of auditing. You can get certified and flaunt that, but when disaster actually strikes, you'll be running around like headless chickens (and just as useful).
The advantage of being on The Board is that you can decide just how much you want to be bothered by procedures. The disadvantage is that it will be difficult to find someone else to blame when the chips are down. And if you do find a scapegoat, there's a fair chance that your faulty procedures will find a way to get published, which will demonstrate just how incompetent you are.
And the next audit might be a bit more harsh.
-
Thursday 21st December 2023 11:20 GMT Mike 137
Re: all they really required to pass audit
"The disadvantage is that it will be difficult to find someone else to blame when the chips are down"
Not a problem -- blame trickles downward, just like water. It's widely recognised that the average time in post for a CISO is around three years (effectively, until the next incident). And the CISO is typically not a Board member -- just 'reports' to the Board. But directors (like boxing managers) go on for ever through cycles of revolving doors.
-
Thursday 21st December 2023 12:54 GMT Anonymous Coward
They are not alone.
The NHS is using an ever increasing amount of Office 365.
A while back, we were told our bit was going to be made secure. They have introduced 2FA, which seems to hardly ever pop up. I asked, if we were going to become secure, what we were switching to instead, but apparently "important people" have decided that this is where we were going!
-
Saturday 23rd December 2023 13:46 GMT Anonymous Coward
Re: They are not alone.
You want 2FA popping up every day? Once a device is trusted it will typically be 2FA every 30 days or so, and will require the device to be secured by, say, biometrics. If you use a new device it will be instant for 2FA. This is common sense balancing usability with security.
-