The Not-So-Secret Service: What Your Company Can Learn From the Rep. Chaffetz Scandal

Of all the scandals that have struck the U.S. Secret Service over the past few years, I can't think of any more damaging than the current controversy involving Congressman Jason Chaffetz (R-Utah), House Oversight and Government Reform Committee Chairman.

While it's probably safe to assume the U.S. Secret Service (like most government agencies) has established policies, procedures, practices and standards to prevent events like this from happening, it shocks and amazes me (in a bad way) how they have managed to internally disrupt so many basic security principles over the confidentiality, integrity and availability of such sensitive data. Yet, on the upside, the risk management professional in me sees this salacious incident as a learning opportunity for business owners and security professionals everywhere, because if it can happen in the Secret Service, it can happen in any organization.

The scurrilous events began earlier this year after Chaffetz's committee admonished the Secret Service and assistant director, Edward Lowery, for numerous instances of misconduct and security mistakes. Chaffetz's accusations angered numerous agents who felt compelled to retaliate against the Congressman.

A recent investigation by the Department of Homeland Security's Inspector General found that Lowery emailed a colleague in March, commenting on Chaffetz's personal file that was being widely circulated inside the Secret Service, writing, "...some information that [Rep. Chaffetz] might find embarrassing needs to get out. Just to be fair."

Two days later, the news website, The Daily Beast, reported that Rep. Chaffetz had applied to be a Secret Service agent in 2003, ultimately being rejected for the position.

In an attempt to embarrass Chaffetz publicly, his personnel file from his 2003 application - located in a "restricted database" - was accessed by about 45 Secret Service agents, some of whom reportedly shared it throughout the agency.

Further review from the Inspector General's office found that Chaffetz's file was spread to nearly "every layer" of The Service, from administrative staff to top directors. The report further indicated that 18 supervisors (including assistant directors), the deputy director and director's chief of staff knew the information was being widely shared through agency offices. A Secret Service agent also reported that at a briefing for the visit of the Afghan president, nearly all 70 agents who attended the briefing were discussing it.

So how can your company learn from the U.S. Secret Service's mistakes? Start by developing (or confirming that you have) basic information security guidelines with respect to who can access sensitive data (such as personnel files or other confidential data) within your organization. Here are some key tips:

  • Start by following time-tested industry security best practices to periodically review (i.e., at least annually) the policies, procedures, practices and standards that protect sensitive data, files and records within your organization. Controls should cover both logical (electronic) and physical access to data.
  • Have a discussion with appropriate IT security management staff within your organization to understand what processes are in place and gauge whether they have employed adequate preventive controls to thwart access to confidential files, particularly those in a "restricted database." Additional discussions should cover the entire enterprise architecture including the network, the operating system and the application itself. Also ask which detective controls (e.g., audit logs) are being utilized to monitor access to these critical systems and question who (if anyone) is reviewing these reports and at what intervals.
  • Inquire if the organization is using role-based access control (RBAC) - a common method of regulating access to data resources according to the roles of individual users, which reflect their job competency, authority and responsibility within the company - when assigning access to data files or systems.
  • Ask what software is being utilized to monitor or prevent confidential data from leaving the workplace. There are many data loss prevention (DLP) solutions that can monitor your network to prevent data exfiltration and inspect and/or block egress traffic carrying unauthorized content beyond the perimeter of the enterprise.
  • Lastly, gauge the adequacy of any privacy or human resource training that teaches employees what to do - and what not to do - if they come across confidential, internal information. This training should also cover topics such as not sharing user IDs or passwords and how to handle situations in which management or colleagues encourage them to engage in unethical behavior (such as email threats or lying to or concealing information from management, compliance, or audit personnel).
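
The audit-log review and the role check from the tips above, as an added example (not part of the original article): it flags reads of a restricted record by roles outside the policy, and any single record read by an unusual number of distinct users. The log format, role names and threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Hypothetical RBAC policy: roles with a need to know for each record class.
ALLOWED_ROLES = {"applicant": {"hr_specialist", "background_investigator"}}
MAX_DISTINCT_READERS = 3  # assumed review threshold per record

# Constructed audit log lines (format is an assumption for this example).
SAMPLE_LOG = """\
2024-03-04T09:01:12Z user=hr01 role=hr_specialist action=READ record=applicant/1001
2024-03-04T09:15:40Z user=agent07 role=field_agent action=READ record=applicant/1001
2024-03-04T09:16:02Z user=agent12 role=field_agent action=READ record=applicant/1001
2024-03-04T09:20:55Z user=sup03 role=supervisor action=READ record=applicant/1001
2024-03-04T09:21:30Z user=agent07 role=field_agent action=READ record=applicant/1001
2024-03-04T10:02:11Z user=bi02 role=background_investigator action=READ record=applicant/2002
this line is malformed and must not crash the review
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) record=(?P<cls>[^/\s]+)/(?P<rid>\S+)$"
)

def review(log_text, allowed=ALLOWED_ROLES, max_readers=MAX_DISTINCT_READERS):
    """Return (out_of_role, hot_records, unparsed) for a reviewer to triage."""
    out_of_role = []               # reads by roles the policy does not list
    readers = defaultdict(set)     # record -> distinct users who read it
    unparsed = []                  # lines a human must look at
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        record = f"{m['cls']}/{m['rid']}"
        if m["action"] == "READ":
            readers[record].add(m["user"])
            # Deny by default: an unknown record class has no allowed roles.
            if m["role"] not in allowed.get(m["cls"], set()):
                out_of_role.append((m["ts"], m["user"], m["role"], record))
    hot = {r: sorted(u) for r, u in readers.items() if len(u) > max_readers}
    return out_of_role, hot, unparsed

if __name__ == "__main__":
    violations, hot, bad = review(SAMPLE_LOG)
    for v in violations:
        print("out-of-role read:", *v)
    for rec, users in hot.items():
        print(f"{rec} read by {len(users)} distinct users: {users}")
    print(f"{len(bad)} unparsed line(s)")
```

A report like this is only a detective control if someone is assigned to read it on a fixed schedule, which is the question the second tip asks.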

We can speculate that the Secret Service, like most government agencies and mature organizations, has data security policies, procedures and practices in place, but the questions are whether or not they were truly following them and whether so many employees need such pervasive access to data like Chaffetz's file.

Sadly, this is one of many incidents that can be reviewed as a case study in non-compliance with Information Security 101 principles. Your task - if you are unsure of the answers presented above - is to inquire if your company, and any third parties accessing such data, have implemented proper controls so you don't fall into the same trap.