Eng-Tips is the largest engineering community on the Internet

Experiences w/ Secure Worker Access Consortium (SWAC)?


DrZoidberWoop

Structural
Oct 17, 2018
Does anyone have any experiences/tips for running a successful operation w/ Secure Worker Access Consortium (SWAC) and data confidentiality requirements?

I work for a steel company, which is going to have to set up secure document processes/procedures in a remote setting. Meaning, we will be coordinating shop-drawings & fabricating the steel here and then shipping it hundreds of miles to NYC, all under VERY strict constraints.

I'm mostly looking for general tips on potential pitfalls or situations that could cause my organization to fail a future audit of our document control system, which would be unacceptably damaging to the company's reputation.

What security measures for file access are appropriate for the file sharing? Do we set up a single off-network PC w/ protected flash drives only? Things like that are what I'm after.

Sorry for being very general, I can't share much.
 
Companies I worked with that have similar strict file confidentiality rules used secured databases to house all the documents. No uncontrolled files allowed and all staff had to be trained and sign that they would follow the rules.
 
Seems like a gimmick to me, but I'm not sure I'm understanding their website. Does SWAC provide companies a background check on applicants/employees to review and approve, or is SWAC reviewing and approving applicants/employees on behalf of companies? The first possibility seems no different from how background checks are performed now. The second seems silly because obviously companies have different opinions of risk factors in background checks, and ultimately employers need to fully understand and own that risk because it may affect their profit, reputation, etc.

Regardless, as a consultant I've done classified design work for govt agencies that required a security clearance. I've also done work for private sector companies that ranged from borderline paranoid to lackadaisical about security. At both ends of the spectrum, the customer dictates security requirements. Both ends use the same commercial tools for PLM, PM, file-sharing, etc.; they just restrict access and spy on employees differently. More secure govt/corps don't allow local copies (your PC) of CAD or prints, requiring you to be onsite to access CAD and other data servers. They severely restrict file/data sharing and don't allow emailing of screenshots/pics or technical details, never mind CAD/print files themselves. You might be able to access email from home via an intentionally slow VPN (limits data theft before discovery) for corporate news, meeting invites, personnel issues, etc., but you have to be in-office to do anything worthwhile. It's also not uncommon to have restrictions on carrying personal cell phones or other devices onsite.

My suggestion is to simply have honest conversations with the customer about their security requirements, including specifics of how to implement them and the cost to do so. Some are relatively easy if you have a good IT guy: limiting the size of emails (restricts content), speed of VPN, locking down file saving/sharing within individual programs, use of encryption, etc. Some may be cheaper/easier to manage physically rather than electronically; for offsite work it may be cheaper and easier to simply have an employee carry a laptop or thumb drive back and forth rather than electronically transferring data. Designate an internal security lead and have them set up a monthly security review with internal and external stakeholders. If your lead needs a starting point, I'd recommend they google/YouTube "ITAR Training" or similar for familiarization.