Talk about a teaching moment! The theft of highly classified information from the National Security Agency by Booz Allen Hamilton employee Edward Snowden brings front and center issues that outsourcers and their service providers face every day:
- Do I have in place policies, procedures, and systems that adequately protect my customers’ information and my organization’s proprietary information?
- Do my service providers have in place policies, procedures, and systems that adequately protect my customers’ information and my organization’s proprietary information?
- And how do I find out what those protections are and how well they are managed?
NSA’s mandate for producing and analyzing signal intelligence requires it to protect its sources and methods. When I worked for the agency more than 40 years ago, compartmentalization and need-to-know were the words of the day … every day. I suspect they still are, though both tenets seem to have broken down in this instance.
I obviously don’t know what services Booz Allen Hamilton was contracted to provide the NSA. I also obviously don’t know if the NSA has systems in place to conduct assessments of its service providers’ information security policies, procedures, and practices. But I do know that the agency’s failure to prevent Snowden from accessing and removing the information he is now disclosing is likely resulting in the degradation of its intelligence gathering methods and presenting the United States with a diplomatic brouhaha, the extent of which is difficult to predict.
One can argue that the NSA’s breach is an order of magnitude more damaging to the nation than a breach suffered by a commercial organization. However, many Shared Assessments members and non-member users of the Program’s Tools present systemic threats because they are part of critical infrastructure segments, including financial services, electric power generation and transmission, and telecommunications. And every organization has the same need to protect its customers’ information and its proprietary information. And, while damage to brand, loss of market share, and loss of market capitalization aren’t issues for intelligence agencies, they are of significant importance to private sector organizations. Thus, a formal third-party assessment program is a key component of effective governance.
So, with apologies to John Donne, “… never send to know for whom the bell tolls …”.
Santa Fe Group Consultant Bob Jones has led financial institution fraud risk management programs for more than 40 years. A well-known thought leader in the financial services industry and a sought-after expert in risk management strategy, Bob has devoted his career to innovative financial services fraud reduction and risk management. Today, Bob is a consultant, educator and expert witness, and serves as the principal of RW Jones Associates LLC.