One of the top headlines in the current news cycle is that the Secret Service has deleted all their text messages from January 5th and 6th 2021. As an IT professional I was shocked that one of the most important security organizations of the United States Government may have blatantly violated the Federal Records-Keeping law. Then I started thinking about how were they even allowed to delete those important messages? It occurs to me that these agents were asked to comply with a policy without any controls. The system was preventing them from violating the law.
Policies are great, but without controls, they seem destined to fail. An example of a policy that is destined to fail that everyone can relate to, is the speed limit on a road. The best drivers with the best intentions are destined to violate the speed limit because it’s almost impossible comply one hundred percent of the time. The speed limit will change randomly, or the sign will be obfuscated by trees, or the driver started daydreaming, or countless other real-world things will happen that will cause the speed limit to be broken knowingly or unknowingly. If you are lucky driver that just violated the speed limit, there won’t be a police presence ready to pull you over when you accidentally go too fast. But with just a policy, that’s all you can do, come up with ways to police people after the fact. In the world of corporate and government information technology, policing laws and policies after the fact isn’t good enough. What if the policy is vitally important? What if the Secret Service intentionally destroyed evidence vital to national security?
This is where controls come in. Controls are used by systems to prevent the violation of a policy or law. Policies are written and then controls are created to enforce them. The most basic policy with matching control is when a system requires authentication. A policy is written that a person must authenticate before they gain access to the system. The control is implemented that forces an authentication window for the user to enter their credentials. The policy may state that users must have a certain complex password or use Multi-Factor Authentication. In this case, the control must be configured to meet the policy requirements or users will be denied access.
When the speed limit sign is present the driver must drive at the indicated speed. The sign is the policy. But how can I implement a control? Newer cars are equipped with features like automatic cruise control or eyesight. These cars can read the sign and adjust the speed of the car. As a driver, I can implement a personal control by enabling this feature. As for the Government though, there is still no control in place. The Government is still leaving it up for me to self-regulate. Speeding policies are probably designed to fail for revenue generation, but that is a different blog post.
In regard to the Secret Service deleting text messages there is a law in place meant to prevent that:
Guidelines and Laws. According to the Records Management by Federal Agencies law (44 U.S.C Chapter 31) The head of each Federal agency shall make and preserve records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency and designed to furnish the information necessary to protect the legal and financial rights of the Government and of persons directly affected by the agency’s activities.
The law further asserts:
The head of each Federal agency shall establish and maintain an active, continuing program for the economical and efficient management of the records of the agency. The program, among other things, shall provide for (1) effective controls over the creation and over the maintenance and use of records in the conduct of current business; (2) procedures for identifying records of general interest or use to the public that are appropriate for public disclosure, and for posting such records in a publicly accessible electronic format; (3) cooperation with the Archivist in applying standards, procedures, and techniques designed to improve the management of records, promote the maintenance and security of records deemed appropriate for preservation, and facilitate the segregation and disposal of records of temporary value;
Assuming that Secret Service text messages are deemed “…records in the conduct of current business”, the law indicates that these records should be preserved, but it doesn’t tell you how, except that it indicates that there should be “effective controls”. There is a lot to unpack here regarding what the Secret Service did and why the text messages in question are missing and I don’t have those answers. For all, we know the missing text messages could be a red-herring and they used non-approved applications or devices for communicating that day.
In the world of corporate and government-issued devices, however, systems exist that will enforce the controls of the written policies and laws. Phones can be locked down so that only approved applications are installed. Programs exist to archive text messages in real-time. There are also control systems in place that force the backup of devices on a schedule. At best, the Secret Service text message incident demonstrates how having policies without controls is a bad idea when dealing with critically important laws and guidelines. At worse, the incident was an intentional breach of the law by the Secret Service.
I would also like to discuss Guidelines. IT Guidelines are sets of recommendations that help an organization meet its IT goals. They may be specific to a certain area of IT, such as security or networks, or they may be general best practices. Guidelines are not mandatory like policies or laws, but they can provide valuable guidance for meeting IT objectives.
Laws and IT policies are mandatory, meaning that organizations must comply with them or face penalties. IT guidelines, on the other hand, are simply recommendations. This means that while following IT guidelines can help an organization meet its IT goals, there is no legal consequence for failing to do so. Guidelines can be created by various sources, such as IT professionals, trade associations, or government agencies. Many times, IT guidelines are based on industry best practices.
So, while laws and IT policies are mandatory, IT guidelines are simply suggestions. But because they can be based on best practices, following them can help your organization meet its IT goals. In the case of the Secret Service, I believe they were required by law to archive those text messages. In the case of driving down the road, you are required by law to follow the speed limit. In the case of password complexities IT Guidelines provided by agencies such as NIST exist to help companies write their own policies. Companies can choose to accept the guideline as is, ignore it, or expand it to something more complete as part of their company policies.
The Policy, Controls, Laws and Guidelines landscape is always changing as technology advances and new threats emerge. Staying current with the laws and guidelines can help your organization stay compliant and secure.
GLM West offers consulting services that can help you with this and other IT outsourcing services, check out our website for more info! https://www.glmwest.com
Comments