Category Archives: Practices

Generally Accepted Practices

NSA contractor Harold Thomas Martin’s arrest

On August 27th, two dozen camouflage-clad law enforcement officers raided the home, 2 storage sheds, and vehicle of a man who, 3 years ago, worked at the same consulting firm (Booz Allen Hamilton) as Edward Snowden. Top Secret classified material, including six documents of code developed in 2014 to hack foreign governments, is alleged to have been removed and retained by the contractor.

The charges by the Justice Department are described as follows:

“A criminal complaint has been filed charging Harold (Hal) Thomas Martin III, 51, of Glen Burnie, Maryland, with theft of government property and unauthorized removal and retention of classified materials by a government employee or contractor….” “…A large percentage of the materials recovered from Martin’s residence and vehicle bore markings indicating that they were property of the US government and contained highly classified information, including Top Secret and Sensitive Compartmented Information (SCI)…”

The charges could bring 1 year in prison for the unauthorized removal and retention of the top secret material and 10 years in prison for the theft of government property.

Hal Martin’s attorneys have stated that he was a US Navy lieutenant and has devoted his entire career to protecting his country. The charges are allegations at this point.

87 weaknesses in 7 FDA systems

The Government Accounting Office (GAO) was asked to examine and assess seven key Food and Drug Administration (FDA) information systems. The assessment evaluated how effectively the FDA had implemented the information security controls intended to protect the confidentiality, integrity, and availability of its information. In the assessment, security policies, procedures, reports, and other documents were reviewed, the FDA network infrastructure was examined, and FDA personnel were interviewed.

The findings by GAO specifically state that the FDA did not always:

  1. adequately protect the boundaries of its network
  2. consistently identify and authenticate system users
  3. limit users’ access to only what was required to perform their duties
  4. encrypt sensitive data
  5. consistently audit and monitor system activity
  6. conduct physical security reviews of its facilities

Number of GAO-identified weaknesses at FDA

Control Area              # of weaknesses   # of recommendations
Access Controls                  58                  122
Configuration Management         23                   37
Contingency Planning              5                    6
Media Protection                  1                    1
Total                            87                  166


105 busted in global credit card fraud

What do the UK, Netherlands, Germany, Belgium, and Malaysia all have in common?
If you answered "a Credit Card syndicate which was disrupted by Europol's European Cybercrime Centre (EC3)" then you are correct.

The Organized Criminal Group (OCG), which had been creating and abusing counterfeit credit cards across Europe and in Malaysia, recently had 3,000 counterfeit cards confiscated along with jewelry, cash, and fake passports.

The OCG originated in Malaysia and ran its credit card fraud schemes by abusing less secure points of sale, such as duty-free shops in airports and electronics stores, to buy high-priced items. Through cooperation between American Express, EC3 and local law enforcement around the globe, the investigation, which had been running since the end of 2015, led to the capture of 105 suspects.

Obama administration modifies HIPAA to strengthen the firearm background check system

The following e-mail was sent Tuesday, January 5, 2016 from the OCR-Privacy-List listserv, operated by the Office for Civil Rights (OCR) in the US Department of Health and Human Services:

On January 4, 2016, the Department of Health and Human Services (HHS) moved forward on the Administration’s commitment to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to expressly permit certain covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of those individuals who, for mental health reasons, already are prohibited by Federal law from having a firearm.

This modification better enables the reporting of the identities of prohibited individuals to the background check system and is an important step toward improving the public’s safety while continuing to strongly protect individuals’ privacy interests.

The final rule gives States improved flexibility to ensure accurate but limited information is reported to the NICS.  This rulemaking makes clear that, under the Privacy Rule, certain covered entities are permitted to disclose limited information to the NICS.  The information that can be disclosed is the limited identifying information about individuals who have been involuntarily committed to a mental institution or otherwise have been determined by a lawful authority to be a danger to themselves or others or to lack the mental capacity to manage their own affairs – that is, only about those who are covered under the pre-existing mental health prohibitor. 

The new modification is carefully and narrowly tailored to preserve the patient-provider relationship and ensure that individuals are not discouraged from seeking voluntary treatment. This rule applies only to a small subset of HIPAA covered entities that either make the mental health determinations that disqualify individuals from having a firearm or are designated by their States to report this information to NICS.

The rule does not apply to most treating providers. 

It is important to note that the vast majority of Americans with mental health conditions are not violent and that those with mental illness are in fact more likely to be victims than perpetrators.  An individual who seeks help for mental health problems or receives mental health treatment is not automatically legally prohibited from having a firearm; nothing in this final rule changes that.  HHS continues to support efforts by the Administration to dispel negative attitudes and misconceptions relating to mental illness and to encourage individuals to seek voluntary mental health treatment.  And the Department remains committed to robust enforcement of the civil rights laws that bar discrimination based on disability by entities that receive funding from the Department.  

The Final Rule is available for review at:

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at

To learn more about mental health resources and recovery, visit


Improper secret docs stored at HMC Dockyard

Canadian Forces Base Halifax also known as HMC Dockyard is Canada's east coast navy base and home port to the Atlantic fleet, known as Maritime Forces Atlantic.

A website designer, a Mr. Zawidski, at HMC Dockyard’s intelligence facility HMC Trinity, is currently under investigation after a Canadian Defence information security officer conducted a routine scan of one of the systems. The scan found sensitive documents with date-stamps between 2004 and 2009, consisting of 1,086 secret documents and eleven confidential documents (“Canada Eyes Only”).

A military police officer seized from Mr. Zawidski’s cubicle and file cabinet at least 4 hard disk drives, 21 CDs, a 4 GB USB drive, and 19 floppy disks.

The website designer’s accounts were then frozen and his physical access was revoked from the HMC Dockyard building where he worked.

The person under investigation is now assigned to work on unclassified documents while the investigation continues.

The Security of Information Act, passed after the attacks in the United States on Sept. 11, 2001, may have been violated. Among other things, the Act prohibits "endangering the safety of the secret official code word, password, sketch, plan, model, article, note, document or information." The person in question allegedly improperly stored over 1,000 classified files on their personal network storage.
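The Dockyard discovery came from a routine scan that found marked documents on a system where they did not belong. As an added example that is not part of the original post and is not the Canadian Forces' own tooling, the Python below walks a directory tree, flags any file whose text carries a classification marking, and tallies hits by level and modification year, so an information security officer can spot a cache like the one described. The marking strings (TOP SECRET, SECRET, CONFIDENTIAL, CANADA EYES ONLY), the size limit, and the sample files it builds in a temporary directory are all assumptions constructed for the example.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Classification markings to flag. The list and its spelling are assumptions
# made for this example; real marking schemes differ between organisations.
LEVELS = ("TOP SECRET", "SECRET", "CONFIDENTIAL")
CAVEATS = ("CANADA EYES ONLY",)
MARKING_RE = re.compile(
    r"\b(" + "|".join(re.escape(m) for m in LEVELS + CAVEATS) + r")\b",
    re.IGNORECASE,
)
MAX_BYTES = 1_000_000  # skip very large files so the routine scan stays cheap


def classify(text):
    """Return (level, caveats) for a text, e.g. ('SECRET', ['CANADA EYES ONLY']),
    or (None, []) when no marking is present. The highest level found wins."""
    found = {m.upper() for m in MARKING_RE.findall(text)}
    level = next((lvl for lvl in LEVELS if lvl in found), None)
    caveats = sorted(c for c in CAVEATS if c in found)
    return level, caveats


def scan_tree(root):
    """Walk root and return one dict per marked file: path relative to root,
    level, caveats, and the file's modification year (for date-range reporting)."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            level, caveats = classify(text)
            if level is None and not caveats:
                continue
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            hits.append({
                "path": os.path.relpath(path, root),
                "level": level,
                "caveats": caveats,
                "year": mtime.year,
            })
    return sorted(hits, key=lambda h: h["path"])


def summarize(hits):
    """Count hits per level, the way the Dockyard report tallied secret vs. confidential."""
    counts = {}
    for h in hits:
        key = h["level"] or "CAVEAT ONLY"
        counts[key] = counts.get(key, 0) + 1
    return counts


def build_sample_tree():
    """Create a throwaway directory of constructed sample files (not real documents)."""
    root = tempfile.mkdtemp(prefix="marking-scan-")
    samples = {
        "notes/plan.txt": "SECRET // CANADA EYES ONLY\nFleet maintenance plan (constructed sample).",
        "notes/memo.txt": "CONFIDENTIAL\nSample memo text (constructed).",
        "web/index.html": "<html><body>Unclassified public page.</body></html>",
        "web/brief.txt": "TOP SECRET\nConstructed sample briefing note.",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = scan_tree(root)
    for hit in hits:
        print(f"{hit['level'] or 'caveat':<12} {hit['year']}  {hit['path']}  {hit['caveats']}")
    print(summarize(hits))
```

Run it against a real share by replacing `build_sample_tree()` with the mount point; the `year` field lets you filter for the 2004 to 2009 window the article mentions, and the per-level summary is what an incident record would carry rather than the file contents themselves.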