PERSONAL DATA RISK ASSESSMENT

The first step toward improving a system's security is to determine its security risks using the criteria discussed earlier in this chapter. A personal data security risk assessment benefits a command in three ways:

It provides a basis for deciding whether additional security safeguards are needed for personal data.
It ensures that additional security safeguards help to counter all the serious personal data security risks.
It saves money that might have been wasted on safeguards that do not significantly lower the overall data risks and exposures.

The goal of a risk assessment is to identify and prioritize those events that would compromise the integrity and confidentiality of personal data. The seriousness of a risk depends on both the potential impact of the event and its probability of occurrence. In general, the risk assessment should consider all risks, not just risks to personal data. While this section of the chapter emphasizes the security of personal data, it is best, wherever possible, to develop an integrated set of security safeguards and requirements that protect all classified and other valuable data in the system.

The risk assessment should be conducted by a team that is fully familiar with the problems that occur in the daily handling and processing of the personal information. The participants on the risk assessment team should include:

A representative of the operating facility supported by or having jurisdiction over the data under consideration;
The programmer responsible for support of the operation or function under consideration;
A representative from the facility responsible for managing AIS operations;
A system programmer (if the command has system programmers in a separate functional area);
A computer specialist assigned the responsibility for overseeing or inspecting system security; and
The individual responsible for security.
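The following is an added illustration of the prioritization described above; it is not part of the original manual. It scores each risk as impact multiplied by probability of occurrence (annual expected loss), ranks the risks, and screens candidate safeguards by whether the loss they avoid exceeds their cost, which is the "wasted money" case the assessment is meant to catch. The risk names, dollar figures, probabilities and reduction fractions are constructed sample values, not Navy data.

```python
"""Risk register scoring and safeguard cost/benefit screening.

Added illustration; not part of the original manual.  All figures below
are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    impact: float       # estimated loss per occurrence, in dollars
    probability: float  # expected occurrences per year

    @property
    def expected_loss(self) -> float:
        # Seriousness = impact x probability of occurrence (annual expected loss).
        return self.impact * self.probability


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    # Fraction by which the safeguard lowers the probability of each named risk.
    reductions: dict = field(default_factory=dict)


def rank_risks(risks: list) -> list:
    """Order risks by annual expected loss, most serious first."""
    return sorted(risks, key=lambda r: r.expected_loss, reverse=True)


def annual_benefit(safeguard: Safeguard, risks: list) -> float:
    """Expected loss avoided per year if this safeguard is adopted."""
    return sum(r.expected_loss * safeguard.reductions.get(r.name, 0.0) for r in risks)


def screen_safeguards(safeguards: list, risks: list) -> list:
    """Return (name, net annual benefit) for safeguards that pay for themselves,
    best first.  A safeguard whose cost exceeds the loss it avoids is dropped."""
    kept = []
    for s in safeguards:
        net = annual_benefit(s, risks) - s.annual_cost
        if net > 0:
            kept.append((s.name, round(net, 2)))
    return sorted(kept, key=lambda t: t[1], reverse=True)


# Constructed sample register (assumed values for the illustration).
RISKS = [
    Risk("Input error", impact=2_000, probability=12),
    Risk("Data loss", impact=50_000, probability=0.2),
    Risk("Careless disposal", impact=10_000, probability=0.5),
    Risk("Dial-in penetration", impact=200_000, probability=0.02),
]

SAFEGUARDS = [
    Safeguard("Input edit checks", 8_000, {"Input error": 0.6}),
    Safeguard("Off-site tape backup", 4_000, {"Data loss": 0.8}),
    Safeguard("Shredding of discarded output", 1_500, {"Careless disposal": 0.9}),
    Safeguard("Dial-back modems", 9_000, {"Dial-in penetration": 0.7}),
]

if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.name:22s} expected loss/yr ${r.expected_loss:>10,.2f}")
    for name, net in screen_safeguards(SAFEGUARDS, RISKS):
        print(f"adopt: {name:32s} net benefit/yr ${net:,.2f}")
```

A caveat a command should keep in mind: expected value alone underrates rare but severe events. In the sample register the dial-in control fails the arithmetic because the assumed probability is low, yet a deliberate penetration of the kind described later in this section can expose every record on the system, so a safeguard rejected by this screen may still be justified by the worst case.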
PERSONAL DATA SECURITY RISKS

Each command should identify its specific risks and evaluate the impact of those risks in terms of its information files. Experience indicates that the most commonly encountered security risks are accidents, errors, and omissions. The damage from these accidental events far exceeds the damage from all other personal data security risks. Good information management practices are necessary to reduce the damage that can result from these occurrences. Personal data security risks include:

Input error. Data may not be checked for consistency and reasonableness at the time they are entered into the system, or data may be disclosed, modified, lost, or misidentified during input processing.
Program errors. Programs can contain many undetected errors, especially if they were written using poor programming practices or were not extensively tested. A program error may result in undesirable modification, disclosure, or destruction of sensitive information.
Mistaken processing of data. Processing requests may update the wrong data; for example, when a tape is mounted at the wrong time.
Data loss. Personal data on paper printouts, magnetic tapes, or other removable storage media may be lost, misplaced, or destroyed.
Improper data dissemination. Disseminated data may be misrouted or mislabeled, or it may contain unexpected personal information.
Careless disposal of data. Personal data can be retrieved from wastepaper baskets, magnetic tapes, or discarded files.

Every AIS facility's technical manager and upper management should establish strict controls and procedures over the individuals authorized to access the personal data files. If everyone at the facility needs authority to access personal data files, the security measures should adequately control access to the system as a whole. If there are persons working on the system whose access should be limited, the following risks should be considered:

Open system access. There may be no control over who can use the AIS or enter the computer room.
Theft of data. Personal data may be stolen from the computer room or other places where it is stored.
Unprotected files. Personal data files may not be protected from unauthorized access by other users of the AIS. This applies to online files and also to offline files, such as files on magnetic tapes; offline files are sometimes accessible simply by requesting that a tape be mounted.
Dial-in access. There is serious danger that unauthorized persons can access the system when remote, dial-in access is allowed.
Open access during abnormal circumstances. Personal data that is adequately protected during normal operations may not be adequately protected under abnormal circumstances, such as power failures, bomb threats, and natural disasters such as fire or flood.

The physical destruction or disabling of the AIS is not normally a primary risk to privacy. However, all computer systems presently in use are vulnerable to deliberate penetrations that can bypass security controls. These penetrations require extensive technical knowledge, and at present the Navy has experienced very few of them. Commands designing large computer networks should consider the following risks early in the planning stage:

Misidentified access. Passwords are often used to control access to a computer or to data, but they are notoriously easy to obtain if their use is not carefully controlled. Furthermore, a person may use an already logged-in terminal that the authorized user has left unattended, or may capture a communications port as an authorized user attempts to disconnect from it.
Operating system flaws. Design and implementation errors in operating systems can allow a user to gain control of the system. Once the user is in control, the auditing controls can be disabled, the audit trails erased, and any information on the system accessed.
Subverting programs. Programs containing hidden subprograms that disable security protections can be submitted. Other programs can copy personal files into existing or misidentified files for use when protection is relaxed.
Spoofing. Actions can be taken to mislead system personnel or the system software into performing an operation that appears normal but actually results in unauthorized access.
Eavesdropping. Communications lines can be monitored from unauthorized terminals to obtain or modify information or to gain unauthorized access to an AIS.
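For the "Input error" risk listed above, the following added example (not from the original manual) shows the consistency and reasonableness checks an input program can apply before a record is accepted, together with a check digit on the record key that catches the mistyped or transposed identifiers that misidentify a record. The record layout (record_id, date_of_birth, date_of_entry, pay_grade), the pay-grade set, the age limits and the sample records are assumptions constructed for the illustration; a command would substitute its own formats and limits.

```python
"""Input edit checks for a personal data record.

Added illustration, not part of the original manual.  The record layout,
limits and sample records are constructed assumptions.
"""
import re
from datetime import date

# Fixed "today" so the example behaves the same whenever it is run.
TODAY = date(2024, 1, 15)
# Constructed set of acceptable pay grades and entry-age limits.
PAY_GRADES = {f"E-{i}" for i in range(1, 10)} | {f"O-{i}" for i in range(1, 11)}
MIN_ENTRY_AGE, MAX_ENTRY_AGE = 17, 42


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test on a string of decimal digits.  Detects any single
    wrong digit and almost every transposition of two adjacent digits, the
    usual ways a record key is misidentified at input."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_date(value, field_name: str, errors: list):
    """Parse YYYY-MM-DD; record an edit failure and return None on bad input."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        errors.append(f"{field_name}: not a valid YYYY-MM-DD date")
        return None


def validate_record(rec: dict, today: date = TODAY) -> list:
    """Return a list of edit failures; an empty list means the record passed."""
    errors = []

    # Format and identification checks on the record key.
    rid = rec.get("record_id") or ""
    if not re.fullmatch(r"[0-9]{8}", rid):
        errors.append("record_id: must be exactly 8 digits")
    elif not luhn_valid(rid):
        errors.append("record_id: check digit mismatch (possible misidentified record)")

    dob = parse_date(rec.get("date_of_birth"), "date_of_birth", errors)
    doe = parse_date(rec.get("date_of_entry"), "date_of_entry", errors)

    # Reasonableness and consistency checks between fields.
    if doe and doe > today:
        errors.append("date_of_entry: is in the future")
    if dob and doe:
        if doe < dob:
            errors.append("date_of_entry: precedes date_of_birth")
        else:
            age = (doe - dob).days / 365.25
            if not MIN_ENTRY_AGE <= age <= MAX_ENTRY_AGE:
                errors.append(f"age at entry {age:.1f} outside reasonable range "
                              f"{MIN_ENTRY_AGE}-{MAX_ENTRY_AGE}")

    if rec.get("pay_grade") not in PAY_GRADES:
        errors.append("pay_grade: not a recognized grade")
    return errors


# Constructed sample records.  "12345674" carries a valid Luhn check digit.
GOOD_RECORD = {"record_id": "12345674", "date_of_birth": "1988-06-14",
               "date_of_entry": "2007-09-01", "pay_grade": "E-5"}
# Same record with two key digits transposed, the dates swapped and a bad grade.
BAD_RECORD = {"record_id": "12345764", "date_of_birth": "2007-09-01",
              "date_of_entry": "1988-06-14", "pay_grade": "E-12"}
# An impossible date and an entry date that has not happened yet.
UNREASONABLE_RECORD = {"record_id": "12345674", "date_of_birth": "1988-02-30",
                       "date_of_entry": "2030-01-01", "pay_grade": "O-3"}

if __name__ == "__main__":
    for label, rec in [("good", GOOD_RECORD), ("bad", BAD_RECORD),
                       ("unreasonable", UNREASONABLE_RECORD)]:
        print(label, validate_record(rec) or "accepted")
```

The edits run in a fixed order and report every failure at once rather than stopping at the first, so the operator can correct the whole record in one pass; the check digit only proves the key was keyed consistently, not that it belongs to the person on the source document.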
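For the "Unprotected files" risk listed above, and the copying of personal files "when protection is relaxed" mentioned under subverting programs, the following added example (not from the original manual) audits a directory of personal data files on a Unix-type system for files that users other than the owner can read or write, and resets them to owner-only access. The directory layout and file modes are constructed for the illustration.

```python
"""Audit of file protection on a personal data directory.

Added illustration, not part of the original manual.  Builds a constructed
sample tree in a temporary directory, reports every file whose mode lets
users other than the owner read or write it, and tightens flagged files.
"""
import os
import stat
import tempfile
from pathlib import Path

OTHER_READ = stat.S_IRGRP | stat.S_IROTH
OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_tree(root: Path) -> list:
    """Return (relative path, octal mode, problem) for each exposed file."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        problems = []
        if mode & OTHER_READ:
            problems.append("readable by other users")
        if mode & OTHER_WRITE:
            problems.append("writable by other users")
        if problems:
            findings.append((path.relative_to(root).as_posix(),
                             f"{mode:04o}", "; ".join(problems)))
    return findings


def tighten(root: Path) -> int:
    """Reset every flagged file to owner read/write only; return the count changed."""
    changed = 0
    for rel, _mode, _problem in audit_tree(root):
        os.chmod(root / rel, stat.S_IRUSR | stat.S_IWUSR)
        changed += 1
    return changed


def build_sample_tree() -> Path:
    """Constructed sample: one properly protected file and three exposed ones."""
    root = Path(tempfile.mkdtemp(prefix="pdata_"))
    samples = {
        "personnel/roster.dat": 0o600,       # owner only: correct
        "personnel/README": 0o640,           # group can read
        "personnel/pay_history.dat": 0o644,  # everyone can read
        "scratch/export.tmp": 0o666,         # everyone can read and write
    }
    for rel, mode in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content\n")
        os.chmod(p, mode)  # explicit chmod so the process umask does not matter
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, mode, problem in audit_tree(root):
        print(f"{mode} {rel}: {problem}")
    print(f"tightened {tighten(root)} file(s); remaining findings: {audit_tree(root)}")
```

The audit reads mode bits only, so it is cheap enough to run on a schedule; it does not examine the directories themselves, and a world-writable directory would let another user replace a protected file, so a production check should test directory modes the same way.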