


Importance of Governance and Oversight

Jan 31, 2011 | 7 mins
Business Continuity | Careers | Data and Information Security

Access to information is the key attribute that drives all organizations.  It is the one variable that enables work to get done: it ensures that the right people have access to the right information at the right time.  Left ungoverned, access to information can and will lead to the continuous leakage of sensitive information.  Let us take the case of Private Bradley Manning of the United States Army and WikiLeaks.

Private Bradley Manning, 22, a United States Army intelligence analyst, was arrested in May 2010 after boasting in instant messages and emails to a high-profile former hacker that he had passed material to WikiLeaks. Manning faces two charges under military law: illegally transferring a video of a U.S. helicopter attack in Iraq and copies of classified documents to his personal computer, and passing “national defense information to an unauthorized source”. The charge sheet says Manning leaked the material to “bring discredit upon the armed forces”.  All it took was one disgruntled employee with access to sensitive information. Manning claimed to have sent some 260,000 classified diplomatic cables to WikiLeaks, and the world now waits for the release of new information with each opening of the WikiLeaks spigot.

Manning was charged under the Uniform Code of Military Justice (UCMJ) with violations of UCMJ Articles 92 and 134 for “transferring classified data onto his personal computer and adding unauthorized software to a classified computer system,” and “communicating, transmitting and delivering national defense information to an unauthorized source.”  Those articles are the military’s policy, with teeth, against inappropriate use of systems and information.

According to chat logs, Manning brought in rewritable CDs (CD-RWs) labeled as music, erased them, and rewrote them with the leaked documents.

So how does this situation relate to activities at your organization?  Are there direct parallels in how we do our business?  Yes: the case correlates directly with our work, and the parallels hold across every aspect of the situation.

Your Identity, Credential, and Access Management (ICAM) program is a critical project directly tied to the types of issues the United States Army faced with Private Manning.  Private Manning had secured a top secret clearance.  That means his background had to be investigated to ensure his stability and suitability to access and handle information classified at the top secret level.  That access is granted on a need-to-know basis and was required to perform his job.  At your organization, certain staff are cleared beyond standard public trust, or beyond a first level of clearance, so they can perform jobs that involve accessing and manipulating sensitive information.  Your ICAM program ensures a strong credentialing process that delves into the backgrounds of those needing access to sensitive information. That information is coupled with fingerprints to complete the process before an individual is given access to your physical boundaries.   This paperwork is the precursor to gaining virtual access to systems and sensitive information, as identities are then created in your systems.  Those identities need the access attributes applied to them that allow each individual to perform his or her assigned duties, and no more.

It sounds pretty simple, but it is in fact quite a detailed process. It requires significant oversight in the form of proper governance, periodic entitlements (access) reviews for compliance, certification and accreditation actions, plan of action and milestone (POA&M) remediation activities, and continuous monitoring of systems and system access based upon risk.   Your CIO and CISO have most likely established rules for managing the rights and obligations that come with granting access to accounts, and with the permissions tied to the job functions that your identity is authorized to perform on any organization asset (hereafter referred to as “your account”), in compliance with applicable laws and regulations and in conformity with effective policies and standards.  It is essential that access to and use of these assets, or any other information, are properly safeguarded against security-related threats and dangers, including those posed by employees and contractor staff. This is true for all information within your organization, regardless of how it is created, distributed, or stored, and whether it is typed, handwritten, printed, filmed, computer generated, or spoken.

Access rights to assets are based on the principles of least privilege and segregation of duties, and are restricted on a need-to-know or need-to-use basis.  Such access is securely maintained and controlled based on the classification of the asset, as assigned by the asset owner per policy and per the security categorization process associated with certification and accreditation or your organization’s risk assessment process. This ensures compliance with applicable regulations and statutes, and conformity with applicable and effective policies and standards.

Access standards are developed to maintain secure access to assets, consistency in how access is managed, accountability for who accesses the assets, and auditability, so that events significant and relevant to the security of systems, applications, and data can be identified.  Account management includes the identification of account types (e.g., individual, group, and system), establishment of conditions for group membership, and assignment of associated authorizations.  Information system accounts are managed throughout their lifecycle: establishing, activating, modifying, reviewing, disabling, and removing accounts. These are the ‘add, change and delete’ activities required as people come and go at your organization. Proper identification of the requester for any new information system account, and documented approval of the request, are required.
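The periodic entitlements review described above is where least privilege, segregation of duties and the ‘add, change and delete’ lifecycle meet.  The following script is an added illustration, not code from the original article or from any particular ICAM product: it compares each account’s actual grants against a role baseline, flags grants outside the role’s need-to-know, flags orphaned and dormant accounts, and flags toxic combinations of privileges.  The role names, permission strings, conflict pairs and sample accounts are all constructed for the example.

```python
"""Entitlement (access) review against a least-privilege role baseline.

Added example; the roles, permissions and accounts below are constructed
for illustration and do not describe any real system.
"""
from dataclasses import dataclass

# Hypothetical role baseline: the only grants a role needs to do its job.
ROLE_BASELINE = {
    "intel_analyst": {"read:unit_intel", "read:sipr_reports"},
    "sysadmin": {"admin:workstations", "create:account"},
    "auditor": {"read:audit_logs"},
}

# Segregation-of-duties conflicts: no single account may hold both grants.
SOD_CONFLICTS = [
    {"create:account", "approve:access_request"},   # creator must not approve
    {"admin:workstations", "read:audit_logs"},      # admin must not review own logs
]


@dataclass
class Account:
    user: str
    role: str
    grants: set
    active_employee: bool = True   # False once HR off-boards the person
    last_login_days: int = 0       # days since the account was last used


# Constructed sample of what an HR/directory export might look like.
SAMPLE_ACCOUNTS = [
    Account("analyst1", "intel_analyst",
            {"read:unit_intel", "read:sipr_reports", "export:cable_db"}, True, 3),
    Account("analyst2", "intel_analyst", {"read:unit_intel"}, True, 5),
    Account("admin1", "sysadmin",
            {"admin:workstations", "create:account",
             "read:audit_logs", "approve:access_request"}, True, 1),
    Account("former1", "intel_analyst", {"read:unit_intel"}, False, 200),
    Account("contractor1", "vendor", {"read:unit_intel"}, True, 120),
]


def review_entitlements(accounts, baseline=ROLE_BASELINE,
                        sod=SOD_CONFLICTS, dormant_after=90):
    """Return (user, finding_kind, details) tuples for every account that
    fails the review. An empty list means the population is clean."""
    findings = []
    for a in accounts:
        # A role nobody defined a baseline for cannot be justified at all.
        if a.role not in baseline:
            findings.append((a.user, "unknown_role", [a.role]))
        # Least privilege / need-to-know: anything beyond the role baseline.
        excess = sorted(a.grants - baseline.get(a.role, set()))
        if excess:
            findings.append((a.user, "excess_privilege", excess))
        # Lifecycle: the 'delete' step was missed, or the account is unused.
        if not a.active_employee:
            findings.append((a.user, "orphaned_account", []))
        elif a.last_login_days > dormant_after:
            findings.append((a.user, "dormant_account", []))
        # Segregation of duties: toxic combinations held by one identity.
        for pair in sod:
            if pair <= a.grants:
                findings.append((a.user, "sod_conflict", sorted(pair)))
    return findings


def users_with_finding(findings, kind):
    """Sorted list of distinct users that have a finding of the given kind."""
    return sorted({user for user, k, _ in findings if k == kind})


if __name__ == "__main__":
    for user, kind, details in review_entitlements(SAMPLE_ACCOUNTS):
        print(f"{user:12} {kind:18} {details}")
```

Run as a script, the review reports analyst1’s export grant as excess privilege, admin1’s two segregation-of-duties conflicts, former1 as an orphaned account, and contractor1 as both dormant and holding an undefined role.  Findings of kind excess_privilege and sod_conflict are the ones that would have mattered in the Manning case; the orphaned and dormant checks are the ‘delete’ half of the lifecycle that most reviews forget.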

It is possible that a more in-depth credentialing process could have picked up on the instability in Private Manning’s life, including the trouble he had in high school, and that this information could have disqualified him from access to sensitive information.

It is also true that Private Manning had too much access: even though his clearance entitled him to very sensitive information, he had access to information that was not required to perform his duties. That access was outside his ‘need to know’ and was not based upon the principle of least privilege.

It is true that the United States Army allowed removable media to be attached to devices accessing classified information. It is also true that the United States Army did not have anomaly detection and prevention software enabled that would have detected accessing and copying of information well beyond the norm for any individual on those sensitive networks and systems.
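The two missing controls in the paragraph above, bulk access far beyond a user’s own norm and writes to removable media, are both detectable from ordinary access logs.  The script below is an added example, not code from the original article or from any military system: it parses a constructed audit log, builds a per-user daily baseline from the user’s other days, and raises an alert when one day’s document reads exceed both an absolute floor and a multiple of that baseline, plus an alert for every write to removable media.  The log format, user names and thresholds are assumptions made for the example.

```python
"""Bulk-access and removable-media detection over an access log.

Added example. The log format "<date> <user> <action> <object>" and all
entries are constructed for illustration; real audit logs differ.
"""
import re
import statistics
from collections import defaultdict

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def build_sample_log():
    """Constructed log: two analysts with a quiet routine, then analyst1
    reads 150 documents in one day and burns a CD-RW."""
    lines, n = [], 0
    for day in ("2010-04-01", "2010-04-02"):
        for user, reads in (("analyst1", 2), ("analyst2", 3)):
            for _ in range(reads):
                n += 1
                lines.append(f"{day} {user} READ doc-{n:04d}")
    for _ in range(150):
        n += 1
        lines.append(f"2010-04-03 analyst1 READ doc-{n:04d}")
    for _ in range(3):
        n += 1
        lines.append(f"2010-04-03 analyst2 READ doc-{n:04d}")
    lines.append("2010-04-03 analyst1 WRITE_REMOVABLE cdrw-1")
    return "\n".join(lines)


def parse_log(text):
    """Return (day, user, action, object) tuples; malformed lines are
    skipped here, but a production collector should count them."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def daily_read_counts(events):
    """user -> day -> number of READ events."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, action, _obj in events:
        if action == "READ":
            counts[user][day] += 1
    return counts


def detect_anomalies(events, factor=5.0, floor=20):
    """Alert when a user's reads on one day are at least `floor` and at
    least `factor` times the median of that user's other days, and on
    every write to removable media regardless of volume."""
    alerts = []
    for user, per_day in daily_read_counts(events).items():
        for day, n in per_day.items():
            others = [c for d, c in per_day.items() if d != day]
            # A user seen on only one day has no history: baseline 0, so
            # only the absolute floor applies (a peer-group baseline would
            # be the better reference for brand-new accounts).
            baseline = statistics.median(others) if others else 0
            if n >= floor and n >= factor * max(baseline, 1):
                alerts.append({"kind": "bulk_read", "user": user, "day": day,
                               "count": n, "baseline": baseline})
    for day, user, action, obj in events:
        if action == "WRITE_REMOVABLE":
            alerts.append({"kind": "removable_media_write", "user": user,
                           "day": day, "object": obj})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(build_sample_log())):
        print(alert)
```

On the constructed log the detector raises exactly two alerts, both for analyst1 on 2010-04-03: a bulk_read of 150 documents against a baseline of 2, and the write to cdrw-1.  analyst2’s steady three reads a day never crosses the floor.  The removable-media alert deliberately ignores volume, because a single burned disc is the exfiltration channel whatever the count; the bulk-read rule is the detective control, and blocking the media write in the first place is the preventive one.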

Private Manning had elevated privileges to sensitive information, had a history of personal instability, and had openly voiced his displeasure with his employer. These were all red flags missed by the proper authorities, including his management and his peers.  The required controls were not applied, and Private Manning was able to download and disseminate gigabytes of information that now adorn the front pages of every major newspaper worldwide.

The case of Private Manning demonstrates the need for continuous oversight and review of access privileges, and for strong integration of technical controls with managerial governance.  It clearly shows that policies and procedures must be communicated to all employees and contractors, and that your organization must apply a robust risk management framework throughout the systems development lifecycle, so that all managerial, operational and technical controls relating to identity and access management are implemented and tailored to system and information risk.  This case should serve as a warning to all organizations, and as a catalyst for the implementation of strong ICAM oversight.