State/OIG Reviews @StateDept Policies and Controls Protecting PII and National Security Data

Posted: 2:03 am ET

State/OIG recently posted online its review of the State Department’s policies and controls protecting personally identifiable information (PII) data and national security data. Below is an excerpt:

The Consolidated Appropriations Act, 2016, Section 406, Federal Computer Security, requires the Inspector General of each covered agency to submit a report that contains a description of controls utilized by covered agencies to protect sensitive information maintained, processed, and transmitted by a covered system. Specifically, the Consolidated Appropriations Act requires a description of controls utilized by covered agencies to protect two types of data contained within covered systems: personally identifiable information (PII) data and national security data. Information related to national security data is covered in a classified annex to this information report.
[…]
Specifically, Williams Adley selected and reviewed 4 systems from a Department-provided listing of 216 systems (Electronic Medical Records System (eMED), Integrated Personnel Management System (IPMS), Consular Consolidated Database (CCD), and Consular Lookout and Support System (CLASS)) that provide access to PII. In addition, Williams Adley reviewed 2 National Security Systems (NSS) from a Department-provided listing of 60 systems (Chief of Mission and Special Embassy Programs Database (NSDD 38), and Principal Officers Executive Management System (POEMS)).

This report describes the policies and controls used by the Department for five specific topics identified in the Act:

(1) logical access policies and practices;

The review found only two of the six systems reviewed (eMED and IPMS) had system-specific logical access control policies.

(2) logical access controls and multi-factor authentication used;

With respect to access and multi-factor authentication, Williams Adley found the Department has not fully implemented multi-factor authentication at the entity level; however, it had implemented other logical access compensating controls to govern privileged user access. Four of the six systems reviewed (eMED, CCD, CLASS, and one NSS) had either fully or partially implemented multi-factor authentication to govern system-level privileged user logical access. The two systems that did not utilize multi-factor authentication to govern logical access of privileged users (IPMS and one NSS) relied on username and password combinations. Nevertheless, all six systems had some type of logical access controls in place.

(3) the reasons logical access controls or multi-factor authentication have not been used;

With respect to why logical access controls or multi-factor authentication are not being used, according to Department officials, two of the six systems (IPMS and one NSS) did not implement multi-factor authentication to govern system-level privileged user access because functional capabilities are not available. According to Department officials, IPMS is currently planning multi-factor implementation, while the one NSS is waiting for the Department to provide the functional capabilities necessary to implement multi-factor authentication to govern privileged user logical access.

(4) information security management practices used for covered systems;

With respect to information security management practices used for covered systems, Williams Adley found the Department uses a federated model to manage software inventory. In addition, the Department has implemented a defense-in-depth information system program. Further, the Department monitors network traffic, detects and responds to incidents, and scans for security compliance and vulnerabilities. However, the Department has only partially implemented a data loss prevention system and has not implemented digital rights management technology.

(5) policies and procedures that ensure information security management practices are effectively implemented by other entities such as contractors.

With respect to policies and procedures that ensure information security management practices are effectively implemented by other entities such as contractors, Williams Adley found the Department has a number of policies related to this topic. The relevant Department policies and procedures are established within the Department’s Foreign Affairs Manual (FAM).

The report notes that the Bureau of Information Resource Management, the Executive Secretariat’s Office of Information Resource Management, and the Bureau of Diplomatic Security, provided comments to a draft of the report. Because the comments were marked sensitive, the comments have been reprinted, in their entirety, in the classified annex of the report (AUD-IT-16-45A).

The publicly available report is available here: https://oig.state.gov/system/files/aud-it-16-45.pdf

#

 

J. Kael Weston’s The Mirror Test: America at War in Iraq and Afghanistan (Excerpt)

Posted: 1:45 am ET

“When we look into that mirror, let’s not turn away.”
-J. Kael Weston

Richard Holbrooke in The Longest War called John Kael Weston “a remarkable young Foreign Service officer” after he established a direct dialogue with tribal leaders, university students, mullahs, madrassa students and even Taliban defectors in 2008.

Dexter Filkins, the author of The Forever War wrote that “As a front-line political officer for the State Department, Weston has perhaps seen more of Iraq and Afghanistan than any single American. But what makes this book special–what makes Weston special–is his ability to transcend his own experience and bring it all home, and force us, as Americans, to ask ourselves the larger questions that these wars demand. This is a necessary book, and one that will last.” 

Phil Klay, the author of Redeployment and winner of the 2014 National Book Award for Fiction and the John Leonard First Book Prize, wrote that the book is “a riveting, on-the-ground look at American policy and its aftermath” and “is essential reading for anyone seeking to come to terms with our endless wars.”

John Kael Weston joined the State Department in 2001. He served in Iraq and Afghanistan as the State Department representative in Anbar Province, Iraq, and Helmand and Khost Provinces in Afghanistan (http://www.jkweston.com). He has a twin brother, Kyle Weston, who works for a Utah-based outsourcing company and wrote about experiencing war through a twin. Prior to serving in the war zones of Iraq and Afghanistan, he served at USUN in 2003. He is the recipient of the Secretary of State’s Medal for Heroism. He left government service in 2010. Read an excerpt below courtesy of Amazon Kindle/Preview:

[Screen shot, 2016-05-31: image linking to the Amazon Kindle preview excerpt; click on the image in the original post to read the excerpt]

#

Fraudsters in Costa Rica VOIP Scheme Plead Guilty to $9 million “Sweepstakes Fraud”

Posted: 1:29 am ET

Via USDOJ: Owner of Costa Rican Call Center and Two Others Plead Guilty to Defrauding Elderly through Offshore Sweepstakes Scheme

Two U.S. citizens and a Canadian citizen have pleaded guilty for their roles in a $9 million “sweepstakes fraud” scheme to defraud hundreds of U.S. residents, many of them elderly, announced Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division and U.S. Attorney Jill Westmoreland Rose of the Western District of North Carolina.

Jeffrey Robert Bonner, 37, of Sacramento, California; Cody Trevor Burgsteiner, 33, of Houston; and Darra Lee Shephard, 57, of Calgary, Alberta, pleaded guilty this week before U.S. Magistrate Judge David Keesler of the Western District of North Carolina to various counts of conspiracy to commit wire fraud and mail fraud, wire fraud, conspiracy to commit money laundering and international money laundering, all in connection with a Costa Rican telemarketing fraud scheme.  Sentencing dates have not been set.

As part of their guilty pleas, Bonner, Burgsteiner and Shephard each admitted that from approximately 2007 through November 2012, they worked in a call center located in Costa Rica, which Bonner owned, where they placed telephone calls to U.S. residents, falsely informing them that they had won a substantial cash prize in a “sweepstakes.” The victims, many of whom were elderly, were told that in order to receive the prize, they had to pay for a purported “refundable insurance fee,” the defendants admitted. Bonner, Burgsteiner and Shephard admitted that once they received the money, they contacted the victims again to tell them that their prize amount had increased, due to either a clerical error or because other winners had been disqualified. The victims were then told to send additional money to pay for new purported fees, duties and insurance to receive the now larger sweepstakes prize, the defendants admitted. The defendants further admitted that they and their co-conspirators continued their attempts to collect additional money from the victims until an individual either ran out of money or discovered the fraudulent nature of the scheme. To mask that they were calling from Costa Rica, the conspirators utilized voice over internet protocol (VoIP) phones that displayed a 202 area code, giving the false impression that they were calling from Washington, D.C., they admitted. According to admissions made in connection with their pleas, the defendants and their co-conspirators often falsely claimed that they were calling on behalf of a U.S. federal agency to lure victims into a false sense of security.

Bonner, Burgsteiner, Shephard and their co-conspirators were responsible for causing approximately $9 million in losses to hundreds of U.S. citizens.

The U.S. Postal Inspection Service, FBI, Internal Revenue Service-Criminal Investigation, Federal Trade Commission and Department of Homeland Security investigated the case, and the Criminal Division’s Fraud Section supervised the investigation.  Senior Litigation Counsel Patrick Donley and Trial Attorneys William Bowne and Gustav Eyler of the Fraud Section are prosecuting the case.

#
