Wednesday, August 12, 2015

IPO helps keep data secure

by Tech Sgt Vernon Cunningham
JBER Public Affairs


8/12/2015 - JOINT BASE ELMENDORF-RICHARDSON, Alaska -- "Our job is to prevent the compromise, loss, or unauthorized access of information regardless of physical form or characteristics over its life cycle," said Mark Meyer, 673rd Air Base Wing Information Protection Office chief.  "Social security numbers, passwords and personal information ... those are the things the bad guys want so they can break into your bank accounts and personal affairs to ruin your credit history."

The 673d ABW IPO serves to integrate, maintain and improve Joint Base Elmendorf-Richardson's Air Force collective policies, processes and implementation of risk management to protect information, said Meyer.

"[Information protection] starts with information and industrial security," said Richard Smith, 673d IPO security specialist.  "Guidelines for protection and access to information are created by establishing protection measures so people can't get to the information."

Smith said the concept of physical protection is established by putting the information in appropriate containers.  Then the procedures for protecting that particular container are followed.

Myers said an example would be if an evaluation report had social a security number typed on it.  That document would be secured in a folder labeled as privacy act material.  Then the procedures for securing privacy act material would be followed, which means it needs to be locked in a drawer or an individual needs to secure it and control access to the document, he said.

In addition to physical protection, access to the information is restricted by IPO's strict security clearance procedures.  Security clearances are initiated after determining the level of access personnel in each position will need to have in varying degrees from non-sensitive, to sensitive and critical.

"Not only do we initiate clearances, but we have a continual evaluation program," said Meyers.  "There is a periodic review every 10 years or 5 years. That's when we check them again.  Then there is a continuous evaluation; if somebody has an incident or an event that warrants looking at, we look and take it into consideration.  It could be unexplained finances, a warrant, an affair or something that just doesn't seem right.  We continuously evaluate all the time."

Meyers said once the protection is established, IPO still has to make sure everyone complies.

Personnel at JBER are given constant reminders on how to secure their information.  Because of the scope of their responsibility, IPO uses activity security managers to serve as liaisons and help reach each individual within a unit.

"We offer ASM training at least every 90 days per AFI," said Meyers.  "However, we give one-on-one training for area security managers all the time, since we get daily updates from Secretary of the Air Force and PACAF."

Once the ASMs are trained, IPO sends continual requirements to the units to reinforce information safety.

"There is initial training that happens when they first get to their unit," said Smith.  "There is also refresher training conducted annually.  Right now, they get most of their refresher training through the Advanced Distance Learning System.  But we routinely provide security managers with up-to-date training tools and information for them to distribute to their unit personnel.  Plus we send out messages to the units.  So, it's kind of routinely funneled down and [peer-to-peer] in addition to the required refresher training."

Meyers said they do, however, still process security incidents that could have been prevented.

"The biggest cause of our security incidents is people who walk into classified areas with cell phones," said Meyers.  "You can't have any personal electronic device in that environment.  That includes Fit Bit, phone, Wi-Fi or Bluetooth device of any kind, etc...you can't have it."

Meyers said IPO sees a common factor present in many of their security incidents.

"Attention to detail," said Meyers.  "Ensure all classified is accounted for and secure before closing and locking containers.  Spin the dial [on your container] and verify that handles are locked.  Those two and cell phones are our biggest challenges.  Everyone has to pay attention."

A common type of information that needs protecting is personally identifiable information, usually referred to as PII.  Typically this type of data is shredded and, according to 673rd Communications Squadron, strip shredders are no longer allowed, Myers said.

This is data which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, or any other information which is linked or linkable to a specified individual, Meyers said.

Myers suggested people be careful where they leave their personal cell phones.  There is typically so much personal information on a phone that if it doesn't have a firewall or adequate protection built in, people can get access to sensitive information, he said.

IPO serves as one of the leaders in securing all our data and avoiding unwanted distribution of personal information for JBER personnel.  This is the IPO mission and they take it seriously.

"38 years ago when I started my career, it was said that information is power," said Meyer.  "It still holds true today!"

No comments:

Post a Comment