Data security in the supply chain is a long-standing concern for Defence. It is the responsibility of the Australian company in possession of controlled technology to safeguard data.
The protection of technical data has been highlighted as the greatest priority by the US Departments of State and Commerce, and they are likely to treat any breach very seriously. Whilst governments and primes continue to stress the need for cyber improvements, actual adoption of data security in the Defence supply chain remains poor.
In September 2018 we wrote an article explaining the ITAR and EAR regulation to readers. This was followed in February 2019 with an article that detailed the specifics around controlled technical data and what the Australian and US governments alike are introducing in order to protect this data. In June, we followed these articles with an outline of initial procedural steps Australian companies can take to ensure compliance in this area. We now conclude this series by focusing on safeguards and security controls Defence suppliers can apply to ensure compliance in cyber and secure controlled technical data.
The following are some of the key initial steps Defence suppliers can take to secure controlled technical data:
Establish data owners and users. One of the first steps is to establish the roles and responsibilities of users involved in the day to day operations of controlled data. It is important to identify who the data owners are. Data owners should be made responsible and accountable for the security of controlled data.
Identify and classify controlled data. Companies should identify and establish the type of controlled data they hold and the applicable regulations. This should include the source of the item or article, where it is stored, who has access to it and how it is being used, transferred or exported.
Protect controlled data using encryption. All controlled data should remain segregated and encrypted when in use (e.g. access of design files), when being stored (e.g. in network or cloud drives) and when being moved (e.g. in USBs or email attachments). At no point during its lifecycle should data be available in an unencrypted form, even to authorised users. This protects against malicious or accidental loss of data.
Limit access of controlled data. Inadvertent access of controlled data by unauthorised internal users is a common way to expose sensitive data. Access controls should be applied to controlled data and should be reviewed and updated periodically. These controls should cover both databases and file-based sources.
Monitor controlled data. Companies should establish strong data monitoring and auditing controls to the extent needed to enable alerting, analysis, investigation, and reporting of unlawful or unauthorised activity.
Dispose of controlled data. Periodic disposal of controlled data that is no longer required is an essential step in reducing a company’s risk and ensuring compliance. Companies should establish proper procedures to destroy/delete all physical and electronic controlled data at the end of its useful life.
Conduct regular audits and risk assessments. An effective audit and risk assessment program is essential to ensure what should happen, does happen, and that what should not happen, does not. Companies should periodically audit and assess the risks to controlled data and take corrective action based on the findings.
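The steps above form one procedure: a register of controlled items with owners and classifications, an authorised-user list per item, monitoring of access and movement, and a disposal review. As an added example that is not part of the original article, the following Python script ties those steps together for a small supplier. The register entries, user names, file paths, regulatory labels and log lines are all constructed for illustration; the key=value log format is an assumption, not any particular product's output.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ControlledItem:
    """One entry in the controlled-data register (constructed example fields)."""
    path: str                 # where the item is stored
    regime: str               # applicable regulation label, e.g. "ITAR" or "EAR"
    source: str               # origin of the item or article
    owner: str                # accountable data owner
    authorised: frozenset     # users permitted to access the item
    encrypted_at_rest: bool   # whether the stored copy is encrypted
    retain_until: date        # end of useful life, after which disposal is due


# Constructed register: two items, one deliberately stored unencrypted.
REGISTER = [
    ControlledItem("/vault/itar/design_a.dwg", "ITAR", "US prime", "alice",
                   frozenset({"alice", "bob"}), True, date(2021, 12, 31)),
    ControlledItem("/vault/ear/firmware_b.bin", "EAR", "US vendor", "carol",
                   frozenset({"carol"}), False, date(2019, 6, 30)),
]

# Constructed access log lines (assumed key=value format, not a real product's log).
ACCESS_LOG = [
    "2019-08-01T09:12:03Z user=alice action=read path=/vault/itar/design_a.dwg",
    "2019-08-01T09:15:44Z user=dave action=read path=/vault/itar/design_a.dwg",
    "2019-08-01T10:02:10Z user=carol action=copy path=/vault/ear/firmware_b.bin dest=usb",
    "2019-08-01T10:30:00Z user=bob action=read path=/shared/brochure.pdf",
]

# Date on which the audit below is run (constructed).
AUDIT_DATE = date(2019, 8, 1)

# Actions that move data rather than merely read it; all such movements are reported.
TRANSFER_ACTIONS = {"copy", "email", "upload"}


def parse_log_line(line):
    """Split one log line into its timestamp and key=value fields."""
    timestamp, *fields = line.split()
    record = {"timestamp": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def audit_access(register, log_lines):
    """Alerts for access to controlled items by users not on the item's authorised list."""
    by_path = {item.path: item for item in register}
    alerts = []
    for line in log_lines:
        rec = parse_log_line(line)
        item = by_path.get(rec.get("path"))
        if item is None:
            continue  # not a controlled item, so nothing to enforce
        if rec["user"] not in item.authorised:
            alerts.append(f"{rec['timestamp']} unauthorised {rec['action']} of {item.path} "
                          f"({item.regime}) by {rec['user']}; notify owner {item.owner}")
    return alerts


def transfer_events(register, log_lines):
    """Every movement of a controlled item, authorised or not, for the transfer record."""
    controlled = {item.path for item in register}
    events = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec.get("path") in controlled and rec.get("action") in TRANSFER_ACTIONS:
            events.append((rec["timestamp"], rec["user"], rec["path"], rec.get("dest", "?")))
    return events


def unencrypted_items(register):
    """Items whose stored copy is not encrypted, which breaches the encrypt-at-rest rule."""
    return [item.path for item in register if not item.encrypted_at_rest]


def due_for_disposal(register, today):
    """Items past their retention date that should be scheduled for destruction."""
    return [item.path for item in register if item.retain_until < today]


def access_review(register):
    """Group items by owner so each owner can periodically confirm the authorised list."""
    review = {}
    for item in register:
        review.setdefault(item.owner, []).append((item.path, sorted(item.authorised)))
    return review


if __name__ == "__main__":
    for alert in audit_access(REGISTER, ACCESS_LOG):
        print("ALERT:", alert)
    for event in transfer_events(REGISTER, ACCESS_LOG):
        print("TRANSFER:", event)
    print("Unencrypted at rest:", unencrypted_items(REGISTER))
    print("Due for disposal:", due_for_disposal(REGISTER, AUDIT_DATE))
    for owner, items in access_review(REGISTER).items():
        print(f"Review for {owner}:", items)
```

Running the script flags the read by a user who is not on the item's authorised list, records the copy to removable media as a transfer event even though the user was authorised, lists the item held unencrypted, and lists the item past its retention date for disposal. The per-owner review output is what a data owner would sign off on during the periodic access review.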
Having an effective data security and compliance programme can no longer be treated as a luxury item and is a must for Defence suppliers irrespective of their size. Suppliers need to have a clear understanding of their data security and compliance requirements and should take steps to ensure that controlled data is protected.
Note: Rizwan Mahmood is Director Projects, e-Safe Systems Australia. Kevin Chenney is a Senior Consultant with Goal Professional Services.