Protecting our information: An achievable resolution for a New Year Published Jan. 6, 2011 By Jeff Jeghers and Marianne Porter Installation Information Protection Office HANSCOM AIR FORCE BASE, Mass. -- Last year certainly provided everyone an opportunity to be educated on the global attention we receive and the serious impact that occurs when our information is not handled correctly. There is complexity created with all the various kinds of information available and all the handling categories you may see in your career. However, handling information properly is not that difficult if you understand and follow some helpful concepts before applying the specific, detailed protection requirements. Below are personal and work-related concepts tied together to further your basic understanding on how to properly protect information: Need to Pay (Need to Know): We hear of "need to know" all the time but what does that really mean? The bottom line meaning is that if someone doesn't need to know something and is kept from knowing that particular information, they can't do harm with it. Would you share your credit card number with a co-worker or a stranger? If you do, there is an unfortunate chance you may need to pay for fraudulent charges incurred. When you share information at work with those who don't have a valid need to know and those members do wrong, who will need to pay then for any possible losses and what "currency" will they pay with? Something's Not Right (CEP): You're educated on continuous evaluation programs for not only yourself but your co-workers, as well. If a bank or a doctor's office handles your personal information incorrectly, wouldn't you challenge that practice or perhaps take your business elsewhere? If someone is not safeguarding our information here correctly, wouldn't you handle that situation in a similar fashion? People who maliciously handle our information incorrectly tend to show signs of concern in other ways before the mishandling occurs. Even those with no malicious motives may be handling information incorrectly and they need your intervention. Be a good Wingman and help them now to avoid bigger problems later. It's tough to do, but it is the right thing to do and what is expected of each of us. Total Protection (Depth): You may own a personal shredder or use the privacy settings on your Facebook account, but do you talk aloud on your cell phone in public about your personal issues? Why do anything securely if you're not going to protect an asset from all angles? In security we protect in layers, utilizing different but complimenting procedures and mechanisms and we call this security in-depth. For those that are required to adhere to security procedures, it is better perhaps to think in terms of totality vice depth and follow a logical path for protection. When you're safeguarding information, consider all the avenues you convey, retain and destroy this information and extend protection standards out to each avenue. Would you place information openly on your personal web page, like your social security number, and then not place it in your home trash for fear of theft? Most likely not, and it's important you understand and practice this concept of consistency while at work, as well. Inequality (Handling): Information is not created equal nor is it treated as such from a protection standpoint. Your social security number and your favorite TV program are both technically types of personal information, but would you protect them in the same fashion? You probably wouldn't protect your taste in TV shows too zealously, and there is a good chance if that information were to be revealed, you would survive. This is unlike your SSN, which could cause you harm if compromised. Know what you are handling and know, absolutely, the protection standards in how to handle that particular piece of information. Don't assume it's all the same. Situational Being (Awareness): Most members are quite in tune to when their cell phone batteries need a charge or where not to stray because of poor lighting in their neighborhoods, but they conversely rush into handling information when they are completely in the dark or armed without the proper tools to handle the task. Before you start out handling information, ask yourself some questions first: Am I prepared? Are my thoughts focused? Am I allowed to do this? Does it all make sense? If you answer no to any of these questions then stop what you are doing and ask for help. Do you hesitate when filling out forms that compile lots of personal information outside of work? Why would you then glide through handling government information without first considering the ramifications of doing it wrong? Perspective (OPSEC): When most of you think about your home in terms of securing it, do you start inside or outside? Do you safeguard via commercial promotion or actual threat calculation? Do you take a holistic approach? How you view security is vital because of what you are actually securing something from. The classic accumulation of newspapers on a driveway may seem like a mess to some, but to a criminal it means you're not home. Don't think outside the box, stand outside the box and see what you notice, or even better, what your adversary would notice. If information and observation come together, you may have a vulnerability that needs to be addressed. Try it at home or try it at work, but decide to try it at some point so you understand what is meant when we say to take the adversaries point of view. It is better to see potential vulnerabilities now rather than later. Although we still predominately think of warfare as a distant event, you should make no mistake about the fact that when it comes to protecting information you are always on the front line. Make the resolution this year to improve your understanding in how to protect our information, as it is both obtainable and rewarding. Don't make it more complicated than it needs to be, but don't assume you know all the proper angles either. None of us do. We work together and when in doubt, we ask for help.