by Mike Gentile, Ron Collette, and the CISOHandbook.com Team

Preface:

Recent regulations such as the Freedom Of Information Act (FOIA) are putting pressure on government agencies within the United States to disclose more and more information to an ever growing number of people. This article will explore some of the challenges this is presenting to security officers within the government sector.

Article:

FOIA is not a bad thing. In fact, it is based on many of the core principles which have made the United States such a great country. With that said, in a current security landscape where there is so much information available, as well as so many people who want to do bad things with it, the appropriate disclosure of information has definitely become an issue worth investigating. This article will look at how most government agencies decide what information should be released, the current challenges that are impacting these decisions, and some recommendations we believe will help the situation.  We will begin by looking at how many agencies approach the release of information to the public.

There are many different ways in which a request for information by the public can occur at a government agency. It could be by a person off the street walking into an agency clerk’s office, through a legal proceeding, or even something as simple as an email to a government agency employee. Regardless of the method, it all comes down to a decision, one that can often be made very quickly, as to whether the request should be released. This decision and the thought process that goes into it is what lawyers like to call a “balance test”. FOIA requires that each request must be evaluated to determine if the disclosure of the requested information will cause "harm" to the security of the organization versus the public's right to know.

So, if someone walks into an agency and just for kicks says “Can I get the designs for that nuclear reactor?” this request should go through a balance test within the agency and in many instances it should fail. We say “in many instances” here because there are definitely challenges within many US government agencies that are hindering the ability to make correct decisions. The first issue is the qualifications of the person whom is being asked to make the decision.

If the decision maker regarding such disclosures is the security officer or other security professional within an agency, it is fairly clear what the end result will be: “No Way, Not a Chance!” In fact, this request would probably be investigated further to identify the reason that such information was requested in the first place. The problem is that these requests are not always landing on a security officer’s desk.  Instead, since there are so many ways in which people can request information, these decisions seem to be made by many different types of agency employees with varying levels of security skill set.  This situation is exacerbated by the fact that, they also often have limited tools to support them in the decision making process.

The first tool that is often lacking is the existence of formal processes for handling such requests; they are generally ad-hoc and not documented. This adds complexity for anyone that is being asked to make a decision about this type of request, let alone someone without a security background.  Another issue is that in many situations the information that is being requested is more difficult to identify as something that could be harmful from a security perspective.

The example we used earlier about nuclear reactor designs is very clear cut, but many requests can still have a great impact on the security profile of an agency, or the communities they serve and are much more discreet. For example, what about a request from someone for the location of an agency’s datacenter(s), or documentation on their design? Again, to a security professional this would be straight forward, but to a clerk with no security experience this might seem like a harmless request. Now you may be asking yourself, wouldn’t this clerk just see that the documentation is labeled “Confidential” or “Do not disclose” and use that in their decision? This brings us to the next tool that is often lacking: Data Classification.

In many of the government agencies that we perform work, data classification still has a long way to go. Now at the federal level in agencies such as the FBI, NSA, or CIA they have had compartmentalized data classification for decades. However, as you move away from the intelligence community, particularly agencies at the state and municipal level, you begin to see gaps or omissions rather quickly. These agencies tend to have an ad-hoc approach to how they classify data, and often there are also big gaps between what they are supposed to be doing and what is implemented. We still even see agencies that have no approach to data classification and almost nothing implemented (scary but true). In these situations, agency employees have very little guidance as to what information should be withheld and what should be disclosed, other than what they can determine on their own.

So we have identified a couple of issues we believe to be fairly important, what can an agency do about these situations?

One of the most important things that can be done is to assess the current situation at your agency. To do this, you will want to begin by identifying all of the areas in which requests for information by the public are occurring. Do you have these processes documented and are the right people making the decisions as to what is being released?  If the processes are not documented, initiating a project to formalize these processes and documenting them will be powerful. This will make it easier to train agency personnel, as well as ensure everyone involved understands their role.

If your agency does possess formal processes, you will want to evaluate whether they are appropriate for your situation.  The use of legal counsel, if you have access to them, can be invaluable in determining the efficiency of your existing processes and/or your compliance with applicable regulations.  After reviewing your processes, the next place to spend some energy is evaluating the tools that are implemented to help support your employees who are making these decisions.

The easiest and most effective tool for closing any gaps is a strong security training program. It should be obvious that knowledge is the best tool we can provide anyone when attempting to understand the impact of data release to the public. In addition, training is also a very effective option because it is one of the most affordable tools that we can use.

The next tool that should be engaged to help with these decisions is a strong data classification model. Not only is having a documented data classification strategy critical, it also needs to be effectively implemented within the environment. We wrote another article through Computer Economics, titled Overcoming Obstacles to Data Classification , that may help with some data classification ideas. Please check it out.

Lastly, compartmentalize the truly sensitive information so that it requires additional levels of approval prior to its release.  This is the one of the few places where we feel that the addition of bureaucracy is a good thing.
Hopefully, this article has helped identify some ideas on something that we believe is very important.  Though we believe firmly in the freedom of information, our current world forces us to move forward with caution. As always, we are very interested in what you think. Please click here to leave us your ideas and feedback.