Data loss prevention isn't rocket science, but NASA hasn't made it work in Microsoft 365
2023-12-21 04:31

In an audit [PDF] published Tuesday, the OIG found NASA has a "comprehensive privacy program that includes processes for determining whether information systems collect, store, and transmit PII; publishing System of Records Notices; and providing general privacy training to its workforce."

That's a welcome assessment, given NASA employs around 16,000 people and, as with all government agencies, collects PII about them and the contractors, partners, and members of the public it engages.

NASA uses Microsoft's suite and is implementing its DLP capabilities.

NASA therefore lacks the data to track and monitor PII leaks.

Even if NASA did know when to assemble a BRT, some of its members don't receive required annual training - such as participation in a tabletop exercise that simulates a breach response.

Another issue is that NASA has overlapping rules on privacy reporting, so "information on whether collections of data are compliant with applicable laws and policies may be incomplete." That means the agency "could fail to notify the public about the information the agency is collecting and storing on their behalf and the safeguards that exist to protect their personal information."


News URL

https://go.theregister.com/feed/www.theregister.com/2023/12/21/nasa_oig_privacy_review/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 50 1369 2820 161 4400
Nasa 7 0 5 12 1 18