On Sunday, June 23, 2013, General Keith B. Alexander, Director of the U.S. NSA, publicly announced the implementation of a new control to manage the risk of another Edward Snowden emerging and absconding with classified information — a “two man rule”. We found a definition of this operational risk management concept on Glenn Brunette’s Event Horizon blog on Oracle.com.
Popular technology product themes, including big data and Software as a Service (SaaS) cloud computing offerings, will lose much of their attractiveness for larger organizations if a reliable method can’t be found to control the risk of a new Edward Snowden compromising yet another set of operational risk management controls and getting away with a lot of classified information. So we maintain a keen interest in this story.
We don’t think the “two man rule” will be a long term solution to this problem, for a few reasons:
- IT systems administrators have to move quickly to fix problems. Slowing them down by requiring a sign-off from another systems administrator before a fix can be implemented will likely lead to dissatisfied users and organization-wide impatience with risk controls.
- What’s to stop two systems administrators from teaming up in an effort to subvert data security?
A better idea is to analyze the current process of granting security clearances to make it substantially more difficult to obtain top security clearances. If these clearance procedures can be hardened, the problem will be controlled simply by denying admission to individuals capable of subverting data security measures. Why let these people into secure environments in the first place?
The “two man rule” is a reactive control, the type implemented in response to a problem that has already occurred. But we need proactive controls, capable of eliminating the possibility of problems arising at all. These controls should be available, and used, within staff selection procedures for IT roles requiring security clearances.
© IMB Enterprises, Inc. & Ira Michael Blonder, 2013 All Rights Reserved