A major newsworthy topic and central to my blog
content was the ongoing debate surrounding the National Security Agency and the
security breach resulting from leak of classified documents to a U.S. news
agency by a contract employee, Edward Snowden. A retrospective analysis of my
blog content and the sources used reveal a progression of topics dealing with
various security issues from outsourcing security personnel and its associated risks
to lack of adequate security processes creating vulnerability and ultimately a
threat to the NSA. Numerous sources were used during the course of the blogging
exercise consisting of the course text, The Huffington Post, Bloomberg News,
Daily Finance, ABC news, and Tech Target.
The initial posting served as an introduction to
readers on the purpose of the blog followed by the introduction of the NSA
topic where scrutiny of the NSA’s hiring practices along with privacy versus
security debate highlighted. Understanding threats became an important topic
and the need to mitigate risks through proper development of a SecSDLC was
discussed as an important priority for the NSA. The drive to outsource IT
functions and the pros and cons of this IT strategy in dealing with highly
classified information was debated with questions to the need for policies,
training and education and whether these things could have prevented the
security breach. A close monitoring of the NSA’s response to the security
breach continued followed by a suggestion to use the SSE-CMM mature security
model as a framework to protect the agency from threats. It was learned that
the NSA would employ the two man rule as a measure to prevent highly classified
information from walking out the door.
The initial July posting focused on the documented evidence to support
implementation and management of basic security measures as critical to
decreasing security vulnerability. This information tied in with the NSA’s lack
of attention to securing data from internal threats that created the security
breach and their administrative oversight solution to prevent future breaches.
Week 7 focused on the anti-leak control measures the NSA implemented that
included a physical security layer, encryption,
among others previously highlighted as basic security measures necessary
to build a solid control management program. U.S. citizen’s privacy and the
need for laws to protect overreach by organizations such as the NSA were
discussed as was the easy access to one’s personal data through legal means
with a question about the privacy and security of information in general. The
final security blog posting tied in with the course human resource recruiting
topic by delving into the hiring practices of the NSA and IT personnel working
for organizations such as Booz Allen Hamilton (BAH), a subcontractor to the NSA
and former employer of Edward Snowden. There seemed to be a stark contrast on
the vetting process at both organizations with the NSA taking up to a year to
process a new hire unlike the BAH employee reporting his hiring process took a
total of a week.
In all honesty, when
first learning that a weekly blog entry was a course requirement, I was less
than enthusiastic but found that thinking through a topic of importance related
to my coursework was stimulating and thought provoking. In retrospect, my blog
entries became lengthier as the weeks progressed showing a growth in IT
security knowledge. This was a bit of an epiphany. A suggestion for future
classes would be to incorporate comment requirements to blog entries by
classmates, maybe in lieu of a discussion post response requirement. I believe following a topic of interest where
a broad source of security measures can be addressed makes for good blogging!
Chronology
of topics
·
Week 1—Blog introduction
·
Week 2—Contractor Vetting process and
feedback on what the NSA should have done differently to maintain adequate
security
·
Week 3—NSA SecSDLC was inadequate
·
Week 4—Outsourcing positions as a measure
to prevent security breaches
·
Week 5—Need for use of the
SSE-CMM mature security model as a framework
·
Week 6—Breakdown in
utilization of basic security measures cause breaches
·
Week 7-- Anti-leak control
measures, a step in the right direction for a control management policy
·
Week 8—Heightened awareness of
U.S. securities agency practices in targeting citizen’s internet activity.
·
Week 9—Stringent NSA hiring
practices versus Booz Hamilton Allen, subcontractor practices
No comments:
Post a Comment