The Challenge
Like many Defense industry companies, QinetiQ Australia has special project-by-project exemptions from the U.S. Government to handle information protected by the International Traffic in Arms Regulations (ITAR). This exemption carries an obligation not to release such material to non-US or non-exempted individuals.
Non-compliance will result in a fine and a mandatory compliance component, requiring the entity to spend funds on compliance measures. In 2011, a multinational defense, security and aerospace company was fined $79m for ITAR violations, and even if the fine is nearer $10m, the remedial action can take years.
QinetiQ Australia wished to proactively avoid such penalties and to tighten up their procedures, but also to raise their users’ awareness of the sensitivity of ITAR information. Whilst users are well trained in protocols for handling Australian Government classified material (including classified ITAR material), unclassified ITAR marking and handling protocol was less familiar.
The Solution
The QinetiQ Australia security team chose Fortra's Classifier Suite Email Classifier and Office Classifier to help them enforce ITAR requirements for information handling, whilst raising user awareness of their obligations.
By empowering users to label Office documents and emails as ‘Not ITAR Controlled’ or ‘ITAR Controlled’, QinetiQ Australia can enforce security measures which can prevent ITAR material being sent by email to unauthorized recipients, both internal (employees) and external.
Also, users are required to make a mandatory labelling decision on sending an email, which encourages them to consider the sensitivity of the information they are sending, increasing their awareness of ITAR.
“As we elected to use a very obvious and mandatory marking system, the ITAR consideration is front and center for our staff every day,” commented Lachlan Burg. “ITAR is now part of our minute-to-minute considerations and decision making, significantly reducing the opportunity for inadvertent or unconsidered non-compliance.”
In common with much security regulation, breaches of ITAR often occur accidentally, rather than deliberately. Classifier prevents accidental data loss where an ITAR Controlled document is attached to a non-ITAR Controlled email: it automatically compares the label of the email with the label of any attachments, and blocks the message send if the sensitivity of an attachment label is higher than the email label.
Conclusion
Fortra's Classifier Suite application has added a technological aid to the management and control of unclassified ITAR information for QinetiQ Australia, allowing them to further improve on the delivery of confidentiality to their customers, something upon which they pride themselves. The labelling policy may be extended in the future to include the ITAR Technical Assistance Agreement (TAA) or alternative licensing information which will add even greater compartmentalization, fidelity and control options.