The breach of the presidential candidates’ passport files was widely reported over the past few days, such as here and here, not to mention the many postings referencing it as “passport-gate” throughout the blogosphere and the political implications. However, based upon what I’ve been reading, it looks more like the result of a poor, inadequate and vulnerable information security program.
There are many information security and privacy issues involved with this incident. It would make a great case study to use at a joint meeting with your information security, privacy and compliance folks. Some of the questions for your discussion could include…
Why did the peeping personnel have access to the files? Did they have applications and/or systems authorization? Or, were they using someone else’s account? Or, did the applications that controlled access to the passport files not have appropriate security built in?
It is reported the peepers were contract workers from Analysis Corp. of McLean, Va., and Stanley Inc. of Arlington, Va. Did the State Department contract require the workers to have appropriate training? Did the contracted company have information security policies as part of a comprehensive information assurance program? Did the State Department provide training to the contract workers prior to giving them access to the network and data?
Will the State Department cancel the contracts with Analysis Corp. and Stanley Inc.? Should they? Why or why not?
What groups of personnel should have access to the passport files? How is access authorization determined? Do policies exist, along with supporting procedures?
Why were a couple of the contractors fired while the other was not? What problems could this inconsistent application of sanctions cause?
Hillary Clinton’s file was accessed during a training session. Discuss the legal implications of using production data for test, development and training. Discuss the poor training practices this case points out.
The passport files reportedly contained date and place of birth, occupation, family status, physical characteristics, copies of birth or baptismal certificates, medical, personal and financial reports or arrest warrants, and the individual’s Social Security number. Discuss the ways in which these types of information could be used maliciously. Think about not only how such information can be used maliciously for any individual, but also for individuals who are running for president.
The inappropriate access was flagged as a result of a “software system that alerts supervisors when files of a ‘high-profile person’ are searched.” Should such alerts be generated for all persons, not just for high-profile persons? Why or why not?
Shouldn’t the personally identifiable information (PII) be encrypted in storage? If not, under what circumstances?
What safeguards should be considered to prevent this type of privacy breach?
What responsibilities should the State Department have for this privacy breach? Should they be sanctioned? In what ways?