MARINE CORPS BASE CAMP LEJEUNE, N.C. - More than 60 Marines with the 2nd Marine Logistics Group gathered for a class on information security held at the Marston Pavilion here, March 18.
The class prepared the Marines to tackle current threats to sensitive information and trained them to spread their new knowledge to other servicemembers within the 2nd MLG.
“We’re the people whose primary duties or collateral duties [bring us] into contact with this kind of information,” said Maj. LeRon E. Lane, the communications officer with 2nd MLG, as he discussed the importance of protecting personally identifiable information, or PII. “No one here is immune to it.”
Recent changes in the military’s policy toward PII have increased restrictions on what information can be collected and how it must be handled. For instance, the last four digits of a servicemenber’s Social Security number, previously used throughout the Marine Corps for identification purposes, is now considered PII and must be protected.
“This is what the Marine Corps has been using forever,” said Gunnery Sgt. John H. Scanlan, an information assurance technician with 2nd MLG. “Now, because of identity theft and fraud, we’re getting away from Social Security numbers.”
On its own, an individual’s Social Security number is not necessarily a threat, noted Scanlan. When linked, data such as names, Social Security numbers, addresses, and places or dates of birth provide enough information to personally impact a Marine’s life.
“If you work in a position where you need PII, you have to ask yourself, ‘Why am I collecting this information?’” said Scanlan. “Your answer should not be, ‘We’ve always done it this way.’”
The unnecessary collection of PII such as Social Security numbers or phone numbers creates an increased chance of an information leak. This is particularly true when Marines use emails to send rosters and other unit information between personnel.
“It’s usually people who want to work hard or who want to continue their working after hours,” said Lane. “There’s not a single unit in the [2nd] MLG that’s been immune.”
PII is only allowed on approved government devices. Marines cannot sent such information to personal accounts to continue their work after hours.
Furthermore, without careful screening, an email can quickly circulate throughout a unit and pass personal information to people without the “need to know.”
Auto forward settings on government emails are a particular threat, said Scanlan. If an email with PII goes to a person with auto forward on their secured email account, it will make them an automatic violator when the message is forwarded to an unsecured email address or personal electronic device.
The ability to sweep these types of violations under the rug is a thing of the past, Scanlan added. New insider threat technology can show exactly who is sending what information through the networks.
“If you don’t report it, we’re going to come find you,” said Scanlan, who stressed the importance of collecting and sending information only on a need-to-know basis.
“If you need to email PII, you can email it,” he said. “You have to encrypt it, and you have to put the statement, ‘For Official Use Only,’ in the email, and put FOUO in the subject line.”
Only approved scanning devices are allowed with PII, and faxing documents is strictly forbidden.
“Don’t let the punishments prevent you from reporting it correctly,” cautioned Lane. “The punishments come when you don’t follow procedures ... you don’t want to be the person who knows and doesn’t report.”
Screening emails, limiting collection processes, properly storing gathered information and immediately reporting breaches is a start. Changing the way Marines conduct their daily business is an ongoing effort.