Data loss prevention isn't rocket science, but NASA hasn't made it work in Microsoft 365
In an audit [PDF] published Tuesday, the OIG found NASA has a "comprehensive privacy program that includes processes for determining whether information systems collect, store, and transmit PII; publishing System of Records Notices; and providing general privacy training to its workforce."
That's a welcome assessment, given NASA employs around 16,000 people and - as with all government agencies - collects PII about them and the contractors, partners, and members of the public it engages.
NASA uses Microsoft's suite and is implementing its DLP capabilities.
NASA therefore lacks the data to track and monitor PII leaks.
Even if NASA did know when to assemble a BRT, some of its members don't receive required annual training - such as participation in a tabletop exercise that simulates a breach response.
Another issue is that NASA has overlapping rules on privacy reporting, so "information on whether collections of data are compliant with applicable laws and policies may be incomplete." That means the agency "could fail to notify the public about the information the agency is collecting and storing on their behalf and the safeguards that exist to protect their personal information."
News URL
https://go.theregister.com/feed/www.theregister.com/2023/12/21/nasa_oig_privacy_review/