Recommendations for Improving Protection of Sensitive Information in Defence Material Procurement
Norwegian Defence Material Agency (NDMA) is the Norwegian Ministry of Defence's commercial and technical designated procurement and divestment authority. When NDMA conducts procurements on behalf of the defence sector, it shares sensitive information regarding capabilities of the Armed Forces with commercial partners. Protecting information once it leaves organizational borders is a major challenge. The large amount of sensitive information contained within supply chains, coupled with the opportunity of targeting the weakest organization, makes them attractive targets for attackers. NDMA will manage several complex and important material projects in the next decade. A failure to protect the confidentiality of sensitive information relating to the material and systems acquired will reduce the value of these systems. This can have a negative impact on strategic and tactical positions for years, or even decades, into the future. The thesis investigates current challenges and proposes improvements for defence material procurement, to answer the following research questions: (1) For defence material procurement projects, what challenges exist in current legislation and practice for protecting sensitive information that is shared in the supply chain? (2) What measures should be implemented to counter these challenges? The study applies a qualitative research approach, using semi-structured interviews with 15 representatives from NDMA and its suppliers to draw on their knowledge and experience in the field. It is found that a lot of effort is made in the field by the organizations and their staff. Protecting sensitive information in rapidly changing environments does, however, require continuous improvement of the security program. Eight challenges with corresponding recommendations for improvements are presented.
The recommendations are to (1) increase dissemination of threat intelligence, (2) improve accuracy of information classification, (3) align protective security legislation with close allies and trading partners, (4) improve practice for orderly management of security requirements in supplier relationships, (5) expand efforts to build security competency, (6) advance collaboration between stakeholders, (7) establish information security knowledge management and (8) develop technological means for efficient and secure exchange of sensitive information between NDMA and suppliers.