Friday, August 9, 2013

Blog Summary


A major newsworthy topic, and one central to my blog content, was the ongoing debate surrounding the National Security Agency and the security breach resulting from the leak of classified documents to a U.S. news agency by a contract employee, Edward Snowden. A retrospective analysis of my blog content and the sources used reveals a progression of topics dealing with various security issues, from outsourcing security personnel and its associated risks to a lack of adequate security processes creating vulnerability and ultimately a threat to the NSA. Numerous sources were used during the course of the blogging exercise, consisting of the course text, The Huffington Post, Bloomberg News, Daily Finance, ABC News, and Tech Target.

The initial posting served as an introduction to readers on the purpose of the blog, followed by the introduction of the NSA topic, where scrutiny of the NSA’s hiring practices along with the privacy versus security debate were highlighted. Understanding threats became an important topic, and the need to mitigate risks through proper development of a SecSDLC was discussed as an important priority for the NSA. The drive to outsource IT functions and the pros and cons of this IT strategy in dealing with highly classified information were debated, with questions about the need for policies, training and education and whether these things could have prevented the security breach. A close monitoring of the NSA’s response to the security breach continued, followed by a suggestion to use the SSE-CMM mature security model as a framework to protect the agency from threats. It was learned that the NSA would employ the two-man rule as a measure to prevent highly classified information from walking out the door. The initial July posting focused on the documented evidence to support implementation and management of basic security measures as critical to decreasing security vulnerability. This information tied in with the NSA’s lack of attention to securing data from internal threats that created the security breach and their administrative oversight solution to prevent future breaches. Week 7 focused on the anti-leak control measures the NSA implemented, which included a physical security layer and encryption, among others previously highlighted as basic security measures necessary to build a solid control management program. U.S. citizens’ privacy and the need for laws to protect against overreach by organizations such as the NSA were discussed, as was the easy access to one’s personal data through legal means, with a question about the privacy and security of information in general.
The final security blog posting tied in with the course human resource recruiting topic by delving into the hiring practices of the NSA and IT personnel working for organizations such as Booz Allen Hamilton (BAH), a subcontractor to the NSA and former employer of Edward Snowden. There seemed to be a stark contrast in the vetting process at the two organizations, with the NSA taking up to a year to process a new hire, unlike the BAH employee who reported that his hiring process took a total of a week.

In all honesty, when first learning that a weekly blog entry was a course requirement, I was less than enthusiastic, but found that thinking through a topic of importance related to my coursework was stimulating and thought-provoking. In retrospect, my blog entries became lengthier as the weeks progressed, showing a growth in IT security knowledge. This was a bit of an epiphany. A suggestion for future classes would be to incorporate comment requirements to blog entries by classmates, maybe in lieu of a discussion post response requirement. I believe following a topic of interest where a broad source of security measures can be addressed makes for good blogging!

 

Chronology of topics

·       Week 1—Blog introduction

·       Week 2—Contractor Vetting process and feedback on what the NSA should have done differently to maintain adequate security

·       Week 3—NSA SecSDLC was inadequate

·       Week 4—Outsourcing positions as a measure to prevent security breaches

·       Week 5—Need for use of the SSE-CMM mature security model as a framework

·       Week 6—Breakdown in utilization of basic security measures causes breaches

·       Week 7—Anti-leak control measures, a step in the right direction for a control management policy

·       Week 8—Heightened awareness of U.S. security agency practices in targeting citizens’ internet activity.

·       Week 9—Stringent NSA hiring practices versus Booz Allen Hamilton, subcontractor practices

Sunday, August 4, 2013

Stringent NSA job requirements

This week in my information security class the focus was on staffing the security function in the organization. In keeping with the NSA focus for this blog, I researched the NSA's postings and hiring requirements for their cyber security openings. It goes without saying that getting hired by the NSA can be a long, drawn-out process depending on what you are applying for and the security level required. It can take upwards of a year for some folks to get hired. Keeping that timeline in the forefront of my thoughts, I wondered whether the hiring process for Booz Allen Hamilton candidates required the same rigorous process as those for the NSA.

All applicants at the NSA must be able to obtain high-level security clearance with medical screening, polygraph and drug testing, and an extensive background check. Every applicant is required to have a Top Secret/Special Intelligence clearance, and they tell you to anticipate the process taking longer than that in the private sector. "If you are identified as competitively qualified for a position, the average time for processing is generally three to six months, but depending on a variety of individual factors, the processing time may take up to approximately a year."

In clear contrast to the NSA's screening requirements are those of Booz Allen Hamilton, whose security screening practices enabled Edward Snowden to slide through their hiring process even though there were known education discrepancies reported by Snowden during the interview process. The NSA requires top security clearances of contracted employees; however, there is growing concern that the processes for screening these individuals lack the necessary security scrutiny. On a blog site, one BAH employee reported the hiring process took a week because there was an immediate need to fill the position.


Since information security job disciplines are in their infancy relative to other established professions, there is some uncertainty within organizations as to what qualifications constitute the right skill set necessary to ensure a security work force with the core competencies required to mitigate security risks and threats to the organization. With the growing need for security professionals, has a lack of qualified candidates forced organizations like BAH to settle, ultimately compromising our national security?

http://www.huffingtonpost.com/2013/06/20/booz-allen-hamilton-edward-snowden_n_3475518.html