Houston, we have a problem. NASA may have put men on the moon, but its privacy program is in need of some rocket fuel.
That’s according to the aerospace agency’s Office of Inspector General (OIG), who recently reviewed NASA’s privacy program and found its data loss prevention (DLP) approach to be astronomically lacking.
In an audit published at the end of 2023, the OIG concluded that while NASA’s privacy program is “comprehensive,” it “needs to take additional steps to protect individuals’ personal information that it collects, uses, and maintains,” especially when it comes to DLP.
DLP can feel like rocket science
The issues plaguing NASA’s digital solar system are by no means unique. DLP tools have earned quite the reputation for being difficult to implement and manage. Often they are noisy, inaccurate, and fail to capture unstructured data.
Every organization can relate to, and learn from, the recommendations in the NASA audit.
DLP troubles
According to the audit, NASA relies on the Microsoft 365 platform for DLP. However, the data loss reporting process is manual and cumbersome. The agency doesn’t make use of any artificial intelligence or automation, meaning users have to self-report data loss incidents.
There’s a lot wrong with this. For one, data loss incidents are mostly the result of human error. People don’t tend to realize that they’ve shared sensitive information with the wrong recipient or made a confidential document publicly accessible. That means self-reporting inevitably leads to data exposures that are never discovered.
On top of that, as the report notes, when people do report data loss incidents, the data collected doesn’t “consistently identify the number of affected accounts, how the PII was disclosed, and root causes, nor was a risk rating assigned or lessons learned captured.”
In essence, NASA doesn’t have the means to effectively track, monitor, and mitigate PII leaks.
Poor processes
On top of that, in the event that a data leak is reported, NASA doesn’t have the processes in place to respond effectively. The report states that NASA’s incident response process is “dispersed among several documents that conflict with each other,” making it difficult for the agency’s incident response team to know what to do and when.
It’s a similar picture when it comes to privacy reporting, with the report noting that NASA again has conflicting rules that put it at risk of failing to “notify the public about the information the agency is collecting and storing on their behalf and the safeguards that exist to protect their personal information.”
Incomplete training
Last but certainly not least, the OIG noted that NASA’s security and privacy training program needs some work. As many as 2,000 individuals with security roles within the organization don’t receive the required annual training on breach response processes.
Plus, for frontline employees who must self-report breaches, the only training regime is an annual one, which, as extensive research on security awareness shows, isn’t effective for long-term behavior change.
Privacy program recommendations
The OIG has given NASA the following recommendations to propel its privacy program forward:
- Establish DLP roles and responsibilities related to the oversight of and response to potential PII incidents.
- Clearly identify roles and responsibilities for tracking and documenting incident response from detection to final resolution for incidents that involve or potentially involve PII.
- Update the breach response plan to clearly identify who is involved during breach responses of varying levels of severity.
- Require those with specific security and privacy roles to take privacy role-based training.
It sounds like a lot of work for any security team, but solutions like Polymer DLP make protecting sensitive data and training employees on security policies easy and effective. Want to learn more? Request a Polymer DLP demo today.