The BECCA Journal is being restructured.
* A book review by Jonathan Todd, CCO, is posted below.
Beirut Rules: The Murder of a CIA Station Chief and Hezbollah's War Against America
Authors: Fred Burton and Samuel M. Katz
Published October 23, 2018
I recently finished reading Beirut Rules: The Murder of a CIA Station Chief and Hezbollah's War Against America by Fred Burton and Samuel M. Katz. The informative book discusses the US hostage crises, embassy and barracks bombings in Lebanon, and the murder of LtCol Higgins (USMC) and William Buckley (CIA) during the 1980s.
An insight which I found informative was the claim that William Buckley traveled the same route from home to work each day. The authors propose that the United States did not see the terrorist groups in Lebanon as being so bold as to go after a Station Chief. When implementing a program for maintaining security for personnel and information, often people will not see protocols as being applicable to them, either because they see themselves as too low on the list of potential targets or too high on the list of potential targets. High-profile individuals can't be inconvenienced by protocols, and individuals who believe they are low value don't want to adopt "paranoid" mitigation plans.
All the best,
Jonathan Todd, CCO
An excellent book review, well written with sound conclusions based on a real-life situation. We all need reminding from time to time not to become complacent.
* A Mandate
Develop Actionable, Full-Spectrum Information Protection Plans
by Matthew Wilson, CCO, PMP
More than ever, the assault on critical organizational information and personal privacy requires awareness and defense across multiple domains and security disciplines. The explosive growth of information technology in past decades has proliferated and scattered government, corporate, and private information, much of it landing in vulnerable locations. The protection of information being transported on, and residing on, information technology systems is the focus of much of the information security profession. However, the volume of critically private information resting in unanticipated places is significant. Think of (or imagine) a time before computers were so prolific. The vulnerabilities to information that existed then included a lack of adequate physical cover and access control, improper use of transmission systems, and loose talk, to name just a few. The fact is, all of these vulnerabilities continue to exist today. These often-forgotten vulnerabilities require the same aggressive application of protective measures that many of today's information security professionals bring to their own domain. While system patches and password protocols are vitally important, only full-spectrum information protection plans can achieve the necessary level of protection for an organization's critical information.
Development of specific and actionable information protection plans is as important as applying information security measures across the entire spectrum. Successful plans adequately inform an enterprise as to the Who, What, When, Where, and Why (5Ws) of the plan as a whole and of each protective measure individually. In too many historical examples, an organization's plan to protect information has gone no deeper than the handful of PowerPoint slides used to inform leadership or gain their approval on a way ahead. These products lack the detail and fidelity required for translation into distinct and accountable actions across the enterprise.
In a general sense, Information Security professionals identify information requiring protection, assess the capabilities of competitors and wrongdoers to obtain that information, and develop measures to protect it. Organizations need to look closely at these measures and assess how actionable they are. Many measures are near the mark with respect to the "What," but lack enough detail on the remaining 4Ws to ensure the successful protection of the information. For example, a measure that states "Reduce visibility of sensitive events" is a solid step in the correct direction to protect critical information: the "What" is being addressed. However, too much detail is left to chance and interpretation. Who specifically will conduct the measure? When is the exact period during which the measure will be conducted? Where exactly are the locations of the events? Why ultimately are we executing this measure, and which specific piece of information does it protect? The most likely outcome of failing to plan at this level of detail is non-execution of the desired measure. It could be as simple as everyone assuming someone else is responsible for carrying out the measure. More damaging, unintended consequences of poor information protection planning include inadvertently placing other information at increased risk, or misallocating the time and money spent implementing misinterpreted measures.
More than most, the Certified Confidentiality Officer (CCO) community can contribute to the successful development and execution of actionable, full-spectrum information protection plans. The integration of our Information Security, Counterintelligence, and Business Espionage skillsets is a force multiplier in all planning evolutions.