Web Portals and Shared Drives Must Be Continually Monitored
By Steve Muck - Published June 9, 2010
The following is a recently reported data breach involving the disclosure of personally identifiable information (PII) on the Navy Knowledge Online (NKO) website. Names have been changed or omitted but details are factual and based on reports sent to the DON CIO Privacy Office.
When used properly, web portals and shared network drives do a great job of facilitating information sharing and collaboration. They are indispensable to commands that are forward deployed, and for drilling Reservists and other communities that rely on virtual access to information. However, PII breach incidents have been reported with increasing frequency in this area and must be given command attention to ensure strict access controls are in place.
In December 2009, a DON command received a heads up that PII data had been discovered in a file on the NKO website without security controls. The data was displayed on two spreadsheets containing names, addresses and other PII. While the site requires users to log on or use a CAC to access it, it should also have required the user to have file access permission. In the past, NKO was used extensively by the command as a staging area where mobilization information was posted so that Navy entities could access this information to use in the mobilization process.
More recently, and due to heightened PII awareness from annual refresher training, the command removed this type of information from the site, and it was used for general information purposes only. It appeared that the two spreadsheets inadvertently remained on NKO since their original posting in September 2008. Both spreadsheets were removed from the NKO website immediately after discovery.
The most valuable lesson learned from this incident was the importance of placing controls on documents that contain PII, even when those documents are protected behind CAC-enabled websites. Similar to dealing with classified information, one must analyze who should have access to PII. Only those with a need to know should have access to PII.
Positive controls (e.g., password, encryption) must be placed on documents containing PII to ensure that only approved personnel have access. Lastly, spot checks must be performed on a routine basis to ensure that the controls that were put in place remain in place.
Of special note, numerous incidents regarding lack of access controls have been reported after network maintenance has been performed. Software tools are commercially available to run periodic checks on shared drives and portals that key in on PII elements such as a Social Security number. Aggressive use of the DON PII compliance spot checklist also has been a useful tool.
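The kind of periodic check described above can be sketched as follows. This is an added example, not a DON tool or any commercial product: it walks a shared-drive directory, counts Social Security number patterns in text files such as CSV exports, and reports whether each flagged file is readable beyond its owner. The function names are hypothetical, and POSIX mode bits stand in for the share's or portal's real access controls; binary spreadsheet formats would need text extraction first.

```python
import os
import re
import stat
import sys

# SSN-shaped token (3-2-4 digits, hyphen or space separated) that is not
# part of a longer digit/hyphen run such as a phone or account number.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ](\d{2})[- ](\d{4})(?![\d-])")

def plausible_ssn(area, group, serial):
    """Reject ranges that are never issued, to cut false positives."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def scan_file(path):
    """Count plausible SSNs in a file read as text."""
    hits = 0
    with open(path, "r", errors="ignore") as fh:
        for line in fh:
            hits += sum(plausible_ssn(*m.groups())
                        for m in SSN_RE.finditer(line))
    return hits

def scan_tree(root):
    """Return [(relative path, hit count, broadly_readable)] for flagged files."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                hits = scan_file(path)
                mode = os.stat(path).st_mode
            except OSError:
                continue  # unreadable here; a real run should log this
            if hits:
                # Assumption: group/other read bits approximate "no file
                # access permission required"; swap in an ACL check on
                # Windows shares or portals.
                broad = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
                findings.append((os.path.relpath(path, root), hits, broad))
    return findings

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, hits, broad in scan_tree(root):
        status = "BROADLY READABLE" if broad else "restricted"
        print(f"{rel}: {hits} SSN-like value(s), {status}")
```

Running it on a schedule, and again after network maintenance, turns the spot check into a repeatable comparison: any file that newly appears as broadly readable is a control that did not survive.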
Steve Muck is the DON CIO privacy team lead.