The DoD Standard: Certifiable Zero Accountability
My level of disgust for the U.S. Department of Defense is at a new high. Being in the data security business where “DoD compliant” is good currency, I recoil at the mention of the DoD standard for anything. One thing I know - their standards are low.
In my mind, a “standard” is something akin to a best-practice, a formula for desired outcomes, which is only meaningful and effective if made into policy, tracked, audited, and enforced. It appears that the DoD has trouble with tracking, and as every security professional knows, tracking is the foundation of good security - the physical and electronic kind.
Not only has the DoD misplaced $2 billion in arms (Weapons given to Iraq), but data breaches are pretty common too, according to the Government Reform Committee Report on data breaches (Reform Report). In the report, the DoD reports a total of 43 breaches since 2003, and the U.S. Army reports “none,” in keeping with what I imagine is the “don’t tell” policy. The number seems reasonable considering what they know about their assets.
To make matters worse for the private sector, which must face the news that our tax dollars may have armed the enemy, the DoD has led the commercial data security marketplace into a false sense of security by allowing the legend to persist that it has a certification process for data destruction: NISPOM 5220.22M. Every commercial data destruction tool claims to meet the golden DoD standard; some even claim to be certified by what must be the very busy certification board at the DoD. Here’s the news: DoD certification does not exist and not one software tool or service provider has been certified to be compliant.
When so much evidence exists that the U.S. Department of Defense lacks the fiduciary discipline and process maturity to manage physical and data assets, why does the marketplace put so much value on this federal agency’s standard for data sanitization? One guess is that we want to believe that our government knows best and can lead us to the answers with its vast resources. Or, it could be that no one was ever fired for buying DoD.
Redemtech has always been a leader in defining data sanitization best practices. Thanks to the ISO standards organization, there is a credible means for certifying conformance with those best practices, and Redemtech will follow that path.