
Information Management - DND Security Risk Related to Information Disposal

McG
Security gaps found in destruction of top-secret military data
Defence department overhauling policy on disposal of sensitive information after troubling audit
Kathleen Harris, CBC News
09 January 2014

National Defence is overhauling its policy on how it sweeps, sanitizes and destroys Canada’s cache of top-secret and sensitive military information after an internal audit revealed major gaps that could jeopardize national security.

The comprehensive revamp comes after a chief review services audit found the procedures to cleanse information management and information technology assets are "outdated."

"Some departmental security orders are over five years old ... many of the department's security policies date back to 1998 and still reference technologies that haven't been commonly used in over a decade, such as 5-inch floppy discs," the report reads.

The heavily censored report — which was completed in December 2012 but only recently released publicly — looks at governance, internal controls and risk management associated with the military’s sanitization and destruction activities, including paper copies of personal files, classified reports, compact discs and video.

It also exposed gaps in training, flagged inaccurate and unreliable inventory listings and found non-standardized destruction practices across the country.

For example, some department locations use disintegrators and industrial shredders while others use explosion expert teams to destroy hard drives with explosives.

The audit also found there were no time restrictions on the destruction of assets — and that in some cases, hard drives had been stockpiled for up to two years awaiting destruction.

There were also sloppy practices when it comes to informing stakeholders of changes and updates. The audit included references to a bulk classified waste destruction process at an industrial paper destruction centre, though it is unclear why because most of that assessment was blacked out.

The audit warns that information technology and information management assets must be properly sanitized or destroyed at the end of their life to prevent "unauthorized parties" from retrieving, creating and using classified information.

"Technology is available that allows information to be recovered from electronic storage devices if they are not correctly sanitized or destroyed," the report reads. "Software ranging from sophisticated programs to simple freeware can be used to recapture improperly sanitized or disposed data. Digital recognition software is also available to piece together IM material that has not been shredded finely enough."

The department's extensive review in response to the audit will develop ways to upgrade, integrate and align policy with government-wide practices.

"One of the end results will be the development of a robust and comprehensive departmental security plan. This is a significant undertaking, as DND has numerous security policies and procedures that are being revised and standardized across the department," DND spokeswoman Linda Vena said.

The results will lead to a new departmental security plan scheduled to be completed by March 2015.

Vena said the report was heavily redacted in order to protect national security.

"The department must be vigilant against potential threats to the department and when possible vulnerabilities are known, it is the department's due diligence to properly safeguard the information to ensure it cannot be exploited," she said.

"Divulging information on how IT assets are destroyed or sanitized — particularly those used to process secret and top secret material — could provide insight on how to recover information from those assets. That would be a clear danger to national security."

It took one year for the report to be made public because of the comprehensive review process to ensure the "integrity" of the review and reporting process, as well as to ensure operational security concerns and to ensure that redactions to the document were in accordance with the Access to Information and Privacy Act, Vena said.
http://www.cbc.ca/news/politics/security-gaps-found-in-destruction-of-top-secret-military-data-1.2490752
 
10 privates with sledgehammers and cutting torches would make short work of those hard drives and would have fun doing it.
 
The industrial shredders located at 7 CFSD in Edmonton and 25 CFSD in Montreal would be well-suited to mass destruction of hard drives.  You can feed them anything up to the size of an oil drum, and nothing comes out the other side larger than 1" by 1".
 
Occam said:
...... and nothing comes out the other side larger than 1" by 1".

I don't think 1" by 1" will meet the specs.  It has to be much smaller.  >:D
 
George Wallace said:
I don't think 1" by 1" will meet the specs.  It has to be much smaller.  >:D

How small?  If we need something smaller than 1 x 1, we just tell them to send it through multiple times until it's suitably pulverized.
 
There are industrial shredders used for HD disposal at most ASU and major bases.

The problem is local IT Help Desks are unaware and either try their own, unapproved, methods of disposal or they don't know what to do and just pile them into growing farms of secure cabinets hoping that someone someday will know what to do with them.

The proper process involves degaussing and industrial shredding (by an RCMP-approved shredder).

If you are on a base without them, I suggest getting in touch with ASU IT support and getting the information on where to send them. Box them up, and either courier them (preferred for classified material) or have them sent through proper Canada Post channels.

Other than that, the biggest problem we have in the CF is keeping track of our IT data storage. We ought to have an enterprise solution to track classified HD, USB sticks, CDs and everything else. Then we could follow them from creation to disposal.

Otherwise every time someone burns classified documents to a CD, they've created an espionage treasure trove that looks like every other silver disc lying around. It's horrifyingly concerning.
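The "creation to disposal" register asked for above is a chain-of-custody state machine: every piece of media gets an id at labelling time, custody changes are logged, and disposal is only accepted along the approved path. The following is an added illustration written for this thread, not code from DND, assyst or any other tool named here. The state names, the degauss-then-shred ordering and the 30-day stockpile threshold are assumptions made for the example; the stockpile report is there because the audit quoted earlier in the thread found drives waiting up to two years with no time limit at all.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class State(Enum):
    """Lifecycle of one piece of storage media, from labelling to shredding (assumed states)."""
    CREATED = "created"                  # labelled and entered in the register
    IN_USE = "in_use"                    # signed out to a custodian
    AWAITING_DESTRUCTION = "awaiting"    # boxed, waiting for degauss + shred
    DEGAUSSED = "degaussed"
    DESTROYED = "destroyed"              # shredded by an approved shredder


# Allowed transitions. Disposal is forced through degauss -> shred; a drive
# cannot jump straight from "awaiting" to "destroyed", so the register itself
# rejects an unapproved local disposal method.
ALLOWED = {
    State.CREATED: {State.IN_USE, State.AWAITING_DESTRUCTION},
    State.IN_USE: {State.AWAITING_DESTRUCTION},
    State.AWAITING_DESTRUCTION: {State.DEGAUSSED},
    State.DEGAUSSED: {State.DESTROYED},
    State.DESTROYED: set(),
}


@dataclass
class Asset:
    asset_id: str
    media_type: str          # "hdd", "usb", "cd"
    classification: str      # e.g. "SECRET"
    custodian: str
    state: State = State.CREATED
    history: list = field(default_factory=list)   # (date, State, actor) entries


class Register:
    """Constructed, in-memory chain-of-custody register (assumption: one per unit)."""

    def __init__(self):
        self.assets: dict[str, Asset] = {}

    def create(self, asset_id: str, media_type: str, classification: str,
               custodian: str, on: date) -> Asset:
        if asset_id in self.assets:
            raise ValueError(f"duplicate asset id {asset_id}")
        asset = Asset(asset_id, media_type, classification, custodian)
        asset.history.append((on, State.CREATED, custodian))
        self.assets[asset_id] = asset
        return asset

    def transition(self, asset_id: str, new_state: State, actor: str, on: date) -> Asset:
        asset = self.assets[asset_id]
        if new_state not in ALLOWED[asset.state]:
            raise ValueError(
                f"{asset_id}: {asset.state.value} -> {new_state.value} is not an approved step")
        asset.state = new_state
        asset.custodian = actor
        asset.history.append((on, new_state, actor))
        return asset

    def stockpiled(self, today: date, max_days: int = 30) -> list[str]:
        """IDs that have sat in AWAITING_DESTRUCTION longer than max_days.

        The audit found no time limit at all; max_days is a constructed threshold.
        """
        late = []
        for asset in self.assets.values():
            if asset.state is State.AWAITING_DESTRUCTION:
                entered = max(d for d, s, _ in asset.history
                              if s is State.AWAITING_DESTRUCTION)
                if (today - entered).days > max_days:
                    late.append(asset.asset_id)
        return sorted(late)


def demo() -> dict:
    """Walk one drive and one CD through the register; all values are constructed."""
    reg = Register()
    reg.create("HDD-0001", "hdd", "SECRET", "Cpl Bloggins", date(2013, 1, 10))
    reg.transition("HDD-0001", State.IN_USE, "Cpl Bloggins", date(2013, 1, 10))
    reg.transition("HDD-0001", State.AWAITING_DESTRUCTION, "Help Desk", date(2013, 3, 1))

    reg.create("CD-0042", "cd", "SECRET", "Cpl Bloggins", date(2013, 12, 20))
    reg.transition("CD-0042", State.AWAITING_DESTRUCTION, "Help Desk", date(2013, 12, 28))

    # Attempting to skip degaussing is refused by the register.
    try:
        reg.transition("HDD-0001", State.DESTROYED, "Help Desk", date(2014, 1, 9))
        skip_allowed = True
    except ValueError:
        skip_allowed = False

    # Report as of the article date: the drive has been stockpiled ten months.
    late = reg.stockpiled(date(2014, 1, 9))

    # Proper two-step disposal succeeds and closes the record.
    reg.transition("HDD-0001", State.DEGAUSSED, "ASU IT", date(2014, 1, 15))
    reg.transition("HDD-0001", State.DESTROYED, "7 CFSD", date(2014, 1, 16))
    return {
        "skip_allowed": skip_allowed,
        "stockpiled": late,
        "hdd_final": reg.assets["HDD-0001"].state,
        "hdd_steps": len(reg.assets["HDD-0001"].history),
    }
```

The point of putting the allowed-transition table in the register rather than in a procedure document is that an unapproved disposal path is rejected at data-entry time instead of being discovered in an audit; the stockpile report turns the "no time restriction" finding into something a unit can run weekly.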
 
RADOPSIGOPACISSOP said:
Other than that, the biggest problem we have in the CF is keeping track of our IT data storage. We ought to have an enterprise solution to track classified HD, USB sticks, CDs and everything else. Then we could follow them from creation to disposal.

That's an amazing idea.  We could call it "assyst".  ;)
 
Occam said:
That's an amazing idea.  We could call it "assyst".  ;)

Which is a dismal failure for tracking. It's nothing more than a glorified work ticket program and it's a badly designed one at that.

A web client where users could log things would have much more use than one where they have to go through the help desk every time they burn a CD.
 
Using a more complex tool will simply increase the likelihood that CFNOC will send a work ticket to the wrong desk.  ;D

Maybe we could get the SAP programmers to do something in DRMIS for us?  (Yes, I'm being sarcastic.)

You could have the best asset tracking tool on the face of the earth, but a huge part of the problem is getting people to use it.  Bloggins has to realize that there are consequences if he doesn't properly label that classified CD he just burned, and those consequences have to be carried out if he doesn't.
 
Occam said:
You could have the best asset tracking tool on the face of the earth, but a huge part of the problem is getting people to use it.

Not that it's the best asset tracker, but TACIS is a prime example of a good tool not utilized properly.
 
Occam said:
Using a more complex tool will simply increase the likelihood that CFNOC will send a work ticket to the wrong desk.  ;D

Maybe we could get the SAP programmers to do something in DRMIS for us?  (Yes, I'm being sarcastic.)

You could have the best asset tracking tool on the face of the earth, but a huge part of the problem is getting people to use it.  Bloggins has to realize that there are consequences if he doesn't properly label that classified CD he just burned, and those consequences have to be carried out if he doesn't.

In my experience, more important than consequences is to make it as easy as possible for someone to do their job the proper way. If you make it a hassle, they won't do it, and will hide it to dodge the consequences.
 
PuckChaser said:
Not that it's the best asset tracker, but TACIS is a prime example of a good tool not utilized properly.

Never used TACIS. DRMIS would have been the best solution if the whole thing hadn't turned into a dog's breakfast.

IMHO they really need to just toss out these one-purpose application clients and make a single web portal where user/client personnel can put everything in, from supply to admin to IT, everything. Link the web client to the databases and then provide the administrators/managers (Sup Techs, RMS Clerks, ACISS Ops) access to the more complicated and powerful application clients they need to manage the databases.

You want a simplified and customized interface for the average soldier that covers all his data inputting. One website, and attach login credentials to his DWAN user account. Make it as simple as possible.
 
RADOPSIGOPACISSOP said:
In my experience, more important than consequences is to make it as easy as possible for someone to do their job the proper way. If you make it a hassle, they won't do it, and will hide it to dodge the consequences.

In my experience carelessness is the biggest threat to security, including management of data storage.

"Consequences," like HUGE fines, reductions in rank and time in cells, are a good remedy for carelessness, in my experience.

But: YMMV
 
E.R. Campbell said:
In my experience carelessness is the biggest threat to security, including management of data storage.

"Consequences," like HUGE fines, reductions in rank and time in cells, are a good remedy for carelessness, in my experience.

But: YMMV

Consequences rarely fix carelessness. Consequences only work when there is a decision not to do something, i.e. non-compliance. Only when a person is willfully negligent does the idea of consequences factor into their reasoning. Otherwise it's incompetence, a training issue.

Don't add unnecessary additional administrative burden to already overworked troops. Make it EASY for them to do their job correctly.
 
RADOPSIGOPACISSOP said:
Consequences rarely fix carelessness. Consequences only work when there is a decision not to do something, i.e. non-compliance. Only when a person is willfully negligent does the idea of consequences factor into their reasoning. Otherwise it's incompetence, a training issue.

Don't add unnecessary additional administrative burden to already overworked troops. Make it EASY for them to do their job correctly.

You, obviously, have no idea who you're responding to with this post.
 
RADOPSIGOPACISSOP said:
Consequences rarely fix carelessness. Consequences only work when there is a decision not to do something, i.e. non-compliance. Only when a person is willfully negligent does the idea of consequences factor into their reasoning. Otherwise it's incompetence, a training issue.

Don't add unnecessary additional administrative burden to already overworked troops. Make it EASY for them to do their job correctly.


Not so.

Willful negligence is, thankfully, quite rare. Poor training is more common, but still not the norm. Carelessness is rampant, but it can be trained out of people.
.
.
.
.
.
In my experience, anyway.
 
E.R. Campbell said:
Not so.

Willful negligence is, thankfully, quite rare. Poor training is more common, but still not the norm. Carelessness is rampant, but it can be trained out of people.
.
.
.
.
.
In my experience, anyway.

Doesn't matter how well you train a juggler, if you keep throwing balls at him eventually they'll start dropping.

Streamline the tasks and make it easy to do the job properly, then you'll see your troops perform better and perform things correctly.
 
RADOPSIGOPACISSOP said:
Doesn't matter how well you train a juggler, if you keep throwing balls at him eventually they'll start dropping.

Streamline the tasks and make it easy to do the job properly, then you'll see your troops perform better and perform things correctly.


I certainly agree with the highlighted bit, but you must, also, address the carelessness issue, which does exist and is a result of less than adequate discipline ~ at home, in schools, and in the CF. My guess, based on my experience, is that solving a good part of the carelessness issue will pay early, big dividends. It's cheaper, too, and has add-on benefits in every area of a soldier's life. A well-disciplined soldier is happy, healthy and productive.
 
E.R. Campbell said:
In my experience carelessness is the biggest threat to security, including management of data storage.

"Consequences," like HUGE fines, reductions in rank and time in cells, are a good remedy for carelessness, in my experience.

But: YMMV

Being the only one trained on Nestor resulted in me signing for the whole lot for our unit, so I was very aware of the consequences to me personally if someone else lost some of it. Must say it sharpened the mind greatly.

Still saying you're making the simple difficult: privates can destroy anything; making sure you record what, where and when is the important bit, and that's where the junior officer comes in. The young officer is given the task to directly supervise the destruction and records the particulars of what's to be destroyed. Everything is wiped, pounded with a sledge and then melted with a torch. A good job for the extra duty detail.
 