A quick disclaimer: I have nothing against TSA, despite the fact I’ve missed a flight in the past due to long lines at the security check… They are a symptom of a greater problem rather than the problem itself.
Now that we’ve put it aside let’s observe TSA’s mission statement (http://www.tsa.gov/who_we_are/mission.shtm):
“The Transportation Security Administration protects the Nation's transportation systems to ensure freedom of movement for people and commerce”
And vision statement:
“The Transportation Security Administration will continuously set the standard for excellence in transportation security through its people, processes, and technology.”
Sounds like TSA are heavy duty on security, right?
Well, I will not discuss transportation security (though debatable by some); however history tells us a slightly different story when it comes to information security…
Looking at the past 4 years:
2007 (http://bit.ly/aoChfI) – External hard drive containing data from approximately 100,000 archived employment records went missing from a controlled area at TSA.
2009 (http://bit.ly/5REHBu) – TSA accidentally posted a document containing highly sensitive information on its airport screening procedures on a government website.
2010 (http://bit.ly/dc2Nbu) – Poor security protocols lead to TSA fired worker sabotaging TSA’s databases containing information tied to the war on terror and other law enforcement activities.
While some might argue this is an unfortunate collection of non related incidents, I would seriously doubt it. With no intent of being harsh with TSA, this comedy of errors is an indication how security is perceived at TSA.
It will never happen to us! (Therefore no real controls, procedures or C-level directives are necessary)
Post incident #1:
Oops, it did happen. Ok, it will never happen to us AGAIN! (Must be a random statistic glitch, our current strategy is proving itself!)
Post incident #2:
Not again, No way! (Hmmm, at least we placed on each page of the manual the following: NO PART OF THIS RECORD MAY BE DISCLOSED TO PERSONS WITHOUT A 'NEED TO KNOW.')
Post incident #3:
Doh! Let’s bring in a data breach response services company to clean out the mess (http://bit.ly/c0loLq). (Addressing the collateral damage is probably going to solve the problem!)
Most of these types of incidents can be addressed today with existing controls. These are not operator errors, but a depressing example of the overall organizational/C-Level failure to enact security policies (much which are seemingly common procedures) that secures data and protects sensitive assets.
If C-level execs don’t get it they can simply view it as an insurance policy (ensuring bad things don’t happen). People get an insurance policy not because they plan to use it on a daily basis, but mainly because if something happens it can be substantial.
Another way to look at the statistics is organizations play a game of Russian roulette, assuming it will not happen to them (there is only one bullet and five empty chambers).
With the case of TSA - it looks like the cylinder is practically full…
Today I was riding with the four horsemen of the apocalypse, so I’ll finish with a positive tone:
Spring is here, happy (belated) equinox (http://bit.ly/2qHKU1)!