Data loss prevention isn't rocket science, but NASA hasn't made it work in Microsoft 365

In an audit [PDF] published Tuesday, NASA's Office of Inspector General (OIG) found NASA has a "comprehensive privacy program that includes processes for determining whether information systems collect, store, and transmit PII; publishing System of Records Notices; and providing general privacy training to its workforce."
That's a welcome assessment, given NASA employs around 16,000 people and, as with all government agencies, collects PII about them and the contractors, partners, and members of the public it engages.
NASA uses Microsoft's suite and is implementing its DLP capabilities.
NASA therefore lacks the data to track and monitor PII leaks.
Even if NASA did know when to assemble a BRT, some of its members don't receive required annual training - such as participation in a tabletop exercise that simulates a breach response.
Another issue is that NASA has overlapping rules on privacy reporting, so "information on whether collections of data are compliant with applicable laws and policies may be incomplete." That means the agency "could fail to notify the public about the information the agency is collecting and storing on their behalf and the safeguards that exist to protect their personal information."
News URL
https://go.theregister.com/feed/www.theregister.com/2023/12/21/nasa_oig_privacy_review/