

NSA Reports to the President's Intelligence Oversight Board - tephra
https://www.nsa.gov/public_info/declass/IntelligenceOversightBoard.shtml

======
koops
Date posted: December 23rd. Enough to tell you the NSA would love this, as
pathetically obfuscated and incomplete as it is, to be ignored.

~~~
doe88
That only tells how much their mentality is despicable. That a private company
releases things they don't like on Friday is one thing. But that an
administration whose stated goal is to work for its citizens uses this kind of
tactic is really low. And obviously just imagine for two seconds if they could
also hide stuff, lie, censor... ohh wait...

------
meowface
From the most recent report
(https://www.nsa.gov/public_info/_files/IOB/FY2013_2Q_IOB_Report.pdf)

> NSA/CSS is developing a tool to automate submission of mission compliance
incident reports across the NSA/CSS enterprise. The [REDACTED] will become the
Agency's central tool for reporting potential mission compliance incidents and
will provide a streamlined management process, a central repository, and
metrics data to support root cause identification and trend analysis.

I'm rather surprised they've been in existence for this long but apparently do
not yet have a centralized way of submitting and tracking misuse and leakage
incidents. Even small organizations dealing with data that's not nearly as
sensitive usually have systems in place to do this.

I interpreted this to mean they don't even seem to have a centralized internal
incident response team at all? Or if so, perhaps a very small one. It almost
sounds like they're just relying on managers and analysts to report incidents
to their Office of the Inspector General by "good faith".

It's possible I'm wrong and they do have an existing system for this, but it's
just mostly restricted to pen and paper instead of a database.

Either way, that doesn't sound like a good thing to me. An organization like
the NSA should have some of the strictest oversight and compliance
requirements imaginable, not this ad hoc "whoops one of my subordinates
emailed TS data to some random people, sorry about that" via a phone call.

~~~
zrail
> mostly restricted to pen and paper

This is almost certainly correct. Paper and fax-based processes form the
backbone of government agencies, compliance-wise. They've been trying to fix
this for a _long_ time but the quality of the big, default government software
contractors leaves much to be desired. Imagine the healthcare.gov debacle,
except by definition outside of the public's eye and much smaller in scope.

~~~
meowface
That's what I figured.

For an organization dedicated almost entirely to computer systems, though,
you'd think it would make sense to track system misusage incidents with... a
computer system. At least if you want to be efficient.

~~~
danielsamuels
Unfortunately 'governments' and 'efficiency' don't seem to go well together.

~~~
minot
I've only worked at four different corporations and even I know that 'private
corporations' and 'efficiency' don't necessarily go any better.

