What should facility security officers and defense contractors do about security incidents?

March 16, 2023

I was thinking about the myriad of security breaches that could have been prevented through the use of good security operations, communication between authorized co-workers, and practicing the lessons learned during security training. One of the biggest culprits in a complete security program is the lack of available security breach statistics. There are resources for uncovering spy stories or spy data, but for information on the most common types of violations, mistakes, oversights, etc. the data doesn’t seem to be there. We cannot learn from mistakes if we don’t know what the mistakes are.

Good security administrators have data on security breaches, violations, compromise reports, or suspected compromise. However, this data rarely leaves their office. Because of its sensitive nature, it stays close to hand, either out of fear of retaliation or fear of embarrassment. In truth, there is no retribution for security breach reports, and the information they contain could be very valuable for security awareness.

Take, for example, a security manager who discovers a security breach in which employees leave the safe open too many times, or lock an area without setting the alarms. The security officer will likely have information detailing the frequency of the violations, the individuals committing them, the resolutions, and the training given to correct the behavior. This security manager could use the information to train the affected business unit specifically on the breach, as well as to provide meat for annual security awareness training.

However, this information could also be stripped of all identifying details and sent to a collection point for access by other security administrators in the industry. Such an effort would only serve to strengthen OPSEC and management security measures to protect classified information.

In the spirit of sharing, I will contribute some violations that I have investigated or personally experienced.

· Transmission worker 1 showed up with workers 2 and 3 at the communication center to pick up a classified device for encrypting information. The worker was carrying a thin plastic shopping bag, and the communications center loaded four heavy devices into the bag. The three workers then walked a quarter-mile over urban terrain to their work areas. Upon arrival, Worker 1 noticed a hole in the bag and one of the devices was missing. Workers 1-3 conducted a search to no avail and reported the loss. Fortunately, the device had been found and turned over to the proper authorities.

· “Need to Know” Violation: Worker 1 and Worker 2 shared an office where classified work could be done. Each worked on a different program, but at the same level of security. Worker 1 had to run to the bathroom and asked Worker 2 (same clearance level) to look after her classified documents. Worker 2 received a phone call, forgot about the classified material, and left the office and the material unattended. Upon returning, both workers realized that the classified material had been left unattended and reported the breach to security. Security provided Worker 2 with security awareness training emphasizing not leaving classified material unattended. Worker 1, however, received training on leaving material with an authorized employee who had no “need to know.”

These are just two experiences of security breaches discovered, addressed, and now shared for your use. No person or company is identified, so there is no retribution. Feel free to include them in your next training.
