>NSA/CSS is developing a tool to automate submission of mission compliance incident reports across the NSA/CSS enterprise. The [REDACTED] will become the Agency's central tool for reporting potential mission compliance incidents and will provide a streamlined management process, a central repository, and metrics data to support root cause identification and trend analysis.
I'm rather surprised they've been in existence for this long but apparently do not yet have a centralized way of submitting and tracking misuse and leakage incidents. Even small organizations dealing with data that's not nearly as sensitive usually have systems in place to do this.
I interpreted this to mean they don't even seem to have a centralized internal incident response team at all? Or if so, perhaps a very small one. It almost sounds like they're just relying on managers and analysts to report incidents to their Office of the Inspector General by "good faith".
It's possible I'm wrong and they do have an existing system for this, but it's just mostly restricted to pen and paper instead of a database.
Either way, that doesn't sound like a good thing to me. An organization like the NSA should have some of the strictest oversight and compliance requirements imaginable, not this ad hoc "whoops one of my subordinates emailed TS data to some random people, sorry about that" via a phone call.
This is almost certainly correct. Paper and fax-based processes form the backbone of government agencies, compliance-wise. They've been trying to fix this for a long time but the quality of the big, default government software contractors leaves much to be desired. Imagine the healthcare.gov debacle, except by definition outside of the public's eye and much smaller in scope.
For an organization dedicated almost entirely to computer systems, though, you'd think it would make sense to track system misusage incidents with... a computer system. At least if you want to be efficient.
There's a big difference between a system for submitting and collating issues. You want to be really flexible with inputs on this kind of thing, and specifically to allow anonymous (which means non-electronic) means. Free form text is also a benefit, because trying to put enough dropdowns for someone who is not a security expert to classify the thing they saw that might be wrong, but they don't really know, is a great way to put people off / misclassify things. The submission system is also going to have security/classification issues up the ying yang in terms of wanting lots of people to use it, yet storing highly sensitive data.
You can have really rigorous procedures without putting them on a computer. You can also have really rigorous procedures without needing a special computer system to manage them.
That only tell how much their mentality is despicable. That a private company releases things they don't like on friday is one thing. But that an administration whose stated goal is to work for its citizens uses this kind of tactic is really low. And obviously just imagine for two seconds if they could also hide stuffs, lie, censor... ohh wait...
8 comments
[ 4.1 ms ] story [ 35.6 ms ] thread>NSA/CSS is developing a tool to automate submission of mission compliance incident reports across the NSA/CSS enterprise. The [REDACTED] will become the Agency's central tool for reporting potential mission compliance incidents and will provide a streamlined management process, a central repository, and metrics data to support root cause identification and trend analysis.
I'm rather surprised they've been in existence for this long but apparently do not yet have a centralized way of submitting and tracking misuse and leakage incidents. Even small organizations dealing with data that's not nearly as sensitive usually have systems in place to do this.
I interpreted this to mean they don't even seem to have a centralized internal incident response team at all? Or if so, perhaps a very small one. It almost sounds like they're just relying on managers and analysts to report incidents to their Office of the Inspector General by "good faith".
It's possible I'm wrong and they do have an existing system for this, but it's just mostly restricted to pen and paper instead of a database.
Either way, that doesn't sound like a good thing to me. An organization like the NSA should have some of the strictest oversight and compliance requirements imaginable, not this ad hoc "whoops one of my subordinates emailed TS data to some random people, sorry about that" via a phone call.
This is almost certainly correct. Paper and fax-based processes form the backbone of government agencies, compliance-wise. They've been trying to fix this for a long time but the quality of the big, default government software contractors leaves much to be desired. Imagine the healthcare.gov debacle, except by definition outside of the public's eye and much smaller in scope.
For an organization dedicated almost entirely to computer systems, though, you'd think it would make sense to track system misusage incidents with... a computer system. At least if you want to be efficient.
You can have really rigorous procedures without putting them on a computer. You can also have really rigorous procedures without needing a special computer system to manage them.