While many businesses are closing their doors for the holidays, NASA's Office of Inspector General (OIG) has issued a report on an audit of the space agency's data processing.
The OIG noted that NASA handles a lot of personally identifiable information. Because it deals with the public and other outside organizations, it is highly susceptible to data breaches that can seriously harm affected individuals.
NASA privacy and cybersecurity officials, among others, were interviewed and privacy questionnaires were reviewed to provide a picture of cybersecurity performance to date.
NASA has audited its cybersecurity
The OIG said NASA's approach to privacy was “comprehensive” and there is plenty to like, but the report also highlights some additional steps to protect individuals' personal information.
The space agency has been criticized for relying on users to self-report potential breaches rather than taking full advantage of the data loss prevention (DLP) built into the Microsoft 365 platform it uses, which is designed to automatically detect incidents.
Between October 2021 and March 2023, NASA's Security Operations Center was found to have recorded 118 self-reported incidents suspected of involving personally identifiable information.
NASA was also criticized for having too many documents and policies that seemed to conflict with each other, making directions “unclear.” The OIG called for a common understanding of what constitutes a breach and when to activate a breach response team.
A total of six recommendations have been made, leaving much room for improvement. They include improved documentation of some processes, establishing DLP roles and responsibilities, more guidance on tracking and documenting incident response, updated policies, regular round-the-clock discussions and more training.
For the sake of brevity, this article will not delve into the things that NASA is credited with doing well, but the agency has followed numerous best practices in an effort to protect individuals. However, it is clear that an evolving cybersecurity landscape requires constant adjustments to each company or organization's measures.
Via The Register