The FBI is currently addressing significant weaknesses in its sensitive data management [1], as highlighted in a recent audit by the DOJ’s OIG [1].
Description
Concerns raised by the OIG include flaws in inventory management and disposal of electronic storage media [1], such as hard drives [4], thumb drives [4] [7], and floppy disks [7], containing sensitive and classified data [1] [2] [3] [4] [6] [7]. The audit found a lack of policies and controls for tracking media [1], labeling with appropriate security classifications [1] [6], and confirming proper destruction of sensitive data. The OIG also identified issues with physical access and security controls within the FBI’s premises [1]. Recommendations from the OIG include developing a new policy for secure handling and destruction of sensitive data [1], as well as revising procedures to ensure proper tracking and disposal of all electronic storage media containing sensitive or classified information [1].

The FBI was found to have significant security gaps in how it labels [5], stores [1] [2] [3] [4] [5] [6] [7], and disposes of decommissioned electronic storage media [5], according to a report by the Department of Justice’s Office of the Inspector General [5] [6]. The OIG noted that appropriate classification labels were only applied on servers and computers [5], not on extracted media like flash drives [5], and there was a lack of proper tracking for internal hard drive devices [5]. The lack of inventory controls increases the risk of lost or stolen storage media [5], prompting the OIG to recommend that the FBI bolster its inventory management for destruction [5].

The FBI has created a new policy directive to address these concerns and expects to implement it soon. The agency is revising protocols and making facility improvements [3], including installing steel cages for storage and upgrading surveillance cameras to better secure and track devices [3]. Updates on corrective actions are expected within 90 days [2].
Conclusion
The FBI’s efforts to address the weaknesses in its sensitive data management are crucial for ensuring the security and protection of classified information. By implementing the recommendations from the OIG and improving inventory controls and security measures, the FBI can mitigate the risks of data breaches and unauthorized access. Moving forward, continued vigilance and adherence to policies and procedures will be essential to safeguarding sensitive data and maintaining the integrity of the FBI’s operations.
References
[1] https://www.infosecurity-magazine.com/news/fbi-flawed-data-security-concerns/
[2] https://thecyberwire.com/podcasts/daily-podcast/2137/transcript
[3] https://www.inkl.com/news/inspector-general-points-out-serious-security-gaps-in-how-fbi-manages-storage-media
[4] https://thereviewhive.blog/8-latest-data-breaches-and-cyber-attacks/
[5] https://www.scmagazine.com/brief/audit-decommissioned-fbi-electronic-storage-media-plagued-with-security-flaws
[6] https://www.techradar.com/pro/security/the-fbi-is-not-great-at-keeping-its-own-memory-systems-secure
[7] https://www.meritalk.com/articles/fbi-tightening-sensitive-data-procedures-after-critical-ig-report/