# Information Management - DND Security Risk Related to Information Disposal



## McG (10 Jan 2014)

> *Security gaps found in destruction of top-secret military data*
> Defence department overhauling policy on disposal of sensitive information after troubling audit
> Kathleen Harris, CBC News
> 09 January 2014
> ...


http://www.cbc.ca/news/politics/security-gaps-found-in-destruction-of-top-secret-military-data-1.2490752


----------



## Colin Parkinson (10 Jan 2014)

10 privates with sledge hammers and cutting torches would make short work of those hard drives and would have fun doing it.


----------



## Occam (10 Jan 2014)

The industrial shredders located at 7 CFSD in Edmonton and 25 CFSD in Montreal would be well-suited to mass destruction of hard drives.  You can feed them anything up to the size of an oil drum, and nothing comes out the other side larger than 1" by 1".


----------



## George Wallace (10 Jan 2014)

Occam said:
			
		

> ...... and nothing comes out the other side larger than 1" by 1".



I don't think 1" by 1" will meet the specs.  It has to be much smaller.


----------



## Occam (10 Jan 2014)

George Wallace said:
			
		

> I don't think 1" by 1" will meet the specs.  It has to be much smaller.



How small?  If we need something smaller than 1 x 1, we just tell them to send it through multiple times until it's suitably pulverized.


----------



## q_1966 (10 Jan 2014)

Couldn't find a hard drive in a blender video so here's an iPad.

Will it Blend? by Blendtec
http://www.youtube.com/watch?v=lAl28d6tbko&list=PL5B2372870FCE5A72&feature=c4-overview-vl


----------



## RADOPSIGOPACCISOP (12 Jan 2014)

There are industrial shredders used for HD disposal at most ASU and major bases.

The problem is local IT Help Desks are unaware and either try their own, unapproved, methods of disposal or they don't know what to do and just pile them into growing farms of secure cabinets hoping that someone someday will know what to do with them.

The proper process involves a degaussing and industrial shredding (by an RCMP approved shredder).

If you are on a base without them, I suggest getting in touch with ASU IT support and getting the information on where to send them. Box them up, and either courier them (preferred for classified material) or have them sent through proper Canada Post channels.

Other than that, the biggest problem we have in the CF is keeping track of our IT data storage. We ought to have an enterprise solution to track classified HD, USB sticks, CDs and everything else. Then we could follow them from creation to disposal.

Otherwise every time someone burns classified documents to a CD, they've created an espionage treasure trove that looks like every other silver disc lying around. It's horrifyingly concerning.


----------



## Occam (12 Jan 2014)

RADOPSIGOPACISSOP said:
			
		

> Other than that, the biggest problem we have in the CF is keeping track of our IT data storage. We ought to have an enterprise solution to track classified HD, USB sticks, CDs and everything else. Then we could follow them from creation to disposal.



That's an amazing idea.  We could call it "assyst".


----------



## RADOPSIGOPACCISOP (12 Jan 2014)

Occam said:
			
		

> That's an amazing idea.  We could call it "assyst".



Which is a dismal failure for tracking. It's nothing more than a glorified work ticket program and it's a badly designed one at that.

A web client where users could log things would have much more use than one where they have to go through the help desk every time they burn a CD.


----------



## Occam (12 Jan 2014)

Using a more complex tool will simply increase the likelihood that CFNOC will send a work ticket to the wrong desk.   ;D

Maybe we could get the SAP programmers to do something in DRMIS for us?  (Yes, I'm being sarcastic.)

You could have the best asset tracking tool on the face of the earth, but a huge part of the problem is getting people to use it.  Bloggins has to realize that there are consequences if he doesn't properly label that classified CD he just burned, and those consequences have to be carried out if he doesn't.


----------



## PuckChaser (12 Jan 2014)

Occam said:
			
		

> You could have the best asset tracking tool on the face of the earth, but a huge part of the problem is getting people to use it.



Not that it's the best asset tracker, but TACIS is a prime example of a good tool, not utilized properly.


----------



## RADOPSIGOPACCISOP (12 Jan 2014)

Occam said:
			
		

> Using a more complex tool will simply increase the likelihood that CFNOC will send a work ticket to the wrong desk.   ;D
> 
> Maybe we could get the SAP programmers to do something in DRMIS for us?  (Yes, I'm being sarcastic.)
> 
> You could have the best asset tracking tool on the face of the earth, but a huge part of the problem is getting people to use it.  Bloggins has to realize that there are consequences if he doesn't properly label that classified CD he just burned, and those consequences have to be carried out if he doesn't.



In my experience, more important than consequences, is to make it as easy as possible for someone to do their job the proper way. If you make it a hassle, they won't do it, and will hide it to dodge the consequences.


----------



## RADOPSIGOPACCISOP (12 Jan 2014)

PuckChaser said:
			
		

> Not that it's the best asset tracker, but TACIS is a prime example of a good tool, not utilized properly.



Never used TACIS. DRMIS would have been the best solution if the whole thing hadn't turned into a dog's breakfast.

IMHO they really need to just toss out these 1 purpose application clients and make a single web portal where user/client personnel can put everything in from supply, to admin, to IT everything. Link the web client to the databases and then provide the administrator/managers (Sup Techs, RMS Clerks, ACISS Ops) access to the more complicated and powerful application clients they need to manage the databases.

You want a simplified and customized interface for the average soldier that covers all his data inputting. One website, and attach login credentials to his DWAN user account. Make it as simple as possible.


----------



## Edward Campbell (12 Jan 2014)

RADOPSIGOPACISSOP said:
			
		

> In my experience, more important than consequences, is to make it as easy as possible for someone to do their job the proper way. If you make it a hassle, they won't do it, and will hide it to dodge the consequences.




In _my_ experience carelessness is the biggest threat to security, including management of data storage.

"Consequences," like HUGE fines, reductions in rank and time in cells, are a good remedy for carelessness, in _my_ experience.

But: YMMV


----------



## RADOPSIGOPACCISOP (12 Jan 2014)

E.R. Campbell said:
			
		

> In _my_ experience carelessness is the biggest threat to security, including management of data storage.
> 
> "Consequences," like HUGE fines, reductions in rank and time in cells, are a good remedy for carelessness, in _my_ experience.
> 
> But: YMMV



Consequences rarely fix carelessness. Consequences only work when there is a decision not to do something, i.e. non-compliance. Only when a person is willfully negligent does the idea of consequences factor into their reasoning. Otherwise it's incompetence, a training issue.

Don't add unnecessary additional administrative burden to already overworked troops. Make it EASY for them to do their job correctly.


----------



## Fishbone Jones (12 Jan 2014)

RADOPSIGOPACISSOP said:
			
		

> Consequences rarely fix carelessness. Consequences only work when there is a decision not to do something, i.e. non-compliance. Only when a person is willfully negligent does the idea of consequences factor into their reasoning. Otherwise it's incompetence, a training issue.
> 
> Don't add unnecessary additional administrative burden to already overworked troops. Make it EASY for them to do their job correctly.



You, obviously, have no idea who you're responding to with this post.


----------



## Edward Campbell (12 Jan 2014)

RADOPSIGOPACISSOP said:
			
		

> Consequences rarely fix carelessness. Consequences only work when there is a decision not to do something, i.e. non-compliance. Only when a person is willfully negligent does the idea of consequences factor into their reasoning. Otherwise it's incompetence, a training issue.
> 
> Don't add unnecessary additional administrative burden to already overworked troops. Make it EASY for them to do their job correctly.




Not so.

Willful negligence is, thankfully, quite rare. Poor training is more common, but still not the norm. Carelessness is rampant, but it can be _trained_ out of people.
.
.
.
.
.
In _my_ experience, anyway.


----------



## RADOPSIGOPACCISOP (12 Jan 2014)

E.R. Campbell said:
			
		

> Not so.
> 
> Willful negligence is, thankfully, quite rare. Poor training is more common, but still not the norm. Carelessness is rampant, but it can be _trained_ out of people.
> .
> ...



Doesn't matter how good you train a juggler, if you keep throwing balls at him eventually they'll start dropping.

Streamline the tasks and make it easy to do the job properly, then you'll see your troops perform better and perform things correctly.


----------



## Edward Campbell (12 Jan 2014)

RADOPSIGOPACISSOP said:
			
		

> Doesn't matter how good you train a juggler, if you keep throwing balls at him eventually they'll start dropping.
> 
> Streamline the tasks and make it easy to do the job properly, then you'll see your troops perform better and perform things correctly.




I certainly agree with the highlighted bit, *but* you must, also, address the carelessness issue, which does exist and is a result of less than adequate discipline ~ at home, in schools, and in the CF. My _guess_, based on _my_ experience, is that solving a good part of the carelessness issue will pay early, big dividends. It's cheaper, too, and has add on benefits in every area of a soldier's life. A well disciplined soldier is happy, healthy and productive.


----------



## Colin Parkinson (16 Jan 2014)

E.R. Campbell said:
			
		

> In _my_ experience carelessness is the biggest threat to security, including management of data storage.
> 
> "Consequences," like HUGE fines, reductions in rank and time in cells, are a good remedy for carelessness, in _my_ experience.
> 
> But: YMMV



Being the only one trained on Nestor, resulted in me signing for the whole lot for our unit, I was very aware of the consequences to me personally if someone else lost some of it. Must say it sharpened the mind greatly.

Still saying you're making the simple difficult, privates can destroy anything, making sure you record what, where and when is the important bit and that's where the Junior officer comes in. The Young officer is given the task to directly supervise the destruction, records the particulars of what's to be destroyed. Everything is wiped, pounded with a sledge and then melted with a torch. A good job for the Extra duty detail.


----------



## Occam (16 Jan 2014)

Colin P said:
			
		

> Being the only one trained on Nestor



As in the speech encryption Nestor?  If so - I haven't heard that term in 20+ years...when we got rid of them.


----------



## Colin Parkinson (16 Jan 2014)

That would be the one, certainly an improvement on one time pads.


----------



## JesseWZ (16 Jan 2014)

E.R. Campbell said:
			
		

> I certainly agree with the highlighted bit, *but* you must, also, address the carelessness issue, which does exist and is a result of less than adequate discipline ~ at home, in schools, and in the CF. My _guess_, based on _my_ experience, is that solving a good part of the carelessness issue will pay early, big dividends. It's cheaper, too, and has add on benefits in every area of a soldier's life. A well disciplined soldier is happy, healthy and productive.



One of my current tasks is investigating these sorts of incidents. 99% of all files that cross my path are the direct result of one of two things: 1. "I didn't know" and 2. "I didn't think." The unfortunate reality is carelessness is a huge, huge, huge factor in the loss or compromise of classified data. IMHO, we do not treat _security *violations*_ as significantly as we should, if we did, we would have less _security *breaches*_. This goes hand in hand with carelessness being "trained" out of people.


----------



## dapaterson (16 Jan 2014)

It also goes hand in hand with being extremely conservative in designating and classifying information.  "This will make us look stupid" should not be grounds for designation or classification.

When obviously useless fluff is designated or classified, it becomes more difficult to enforce the rules for material that genuinely needs protection.


----------



## DAA (16 Jan 2014)

JesseWZ said:
			
		

> One of my current tasks is investigating these sorts of incidents. 99% of all files that cross my path are the direct result of one of two things: 1. "I didn't know" and 2. "I didn't think." The unfortunate reality is carelessness is a huge, huge, huge factor in the loss or compromise of classified data. IMHO, we do not treat _security *violations*_ as significantly as we should, if we did, we would have less _security *breaches*_. This goes hand in hand with carelessness being "trained" out of people.



Out of curiosity, out of said indiscretions, what rank levels are we talking about?

In other words, is this people being "tasked" to dispose of things or people just being complacent?


----------



## JesseWZ (16 Jan 2014)

Pte/OS through LCol/Commanders... Complacency knows no rank distinction. Even those that are "tasked," the taskers still typically fall into those two categories.


----------

