5.3 Explain the importance of policies to organizational security

  • Personnel
    • Acceptable Use Policy
    • Job Rotation
    • Mandatory Vacation
    • Separation of Duties
    • Least Privilege
    • Clean Desk Space
    • Background Checks
    • Non-Disclosure Agreement (NDA)
    • Social Media Analysis
    • Onboarding
    • Offboarding
    • User Training
      • Gamification
      • Capture the Flag
      • Phishing Campaigns
        • Phishing Simulations
        • Computer-Based Training (CBT)
        • Role-Based Training
  • Diversity of Training Techniques
  • Third-Party Risk Management
    • Vendors
    • Supply Chain
    • Business Partners
    • Service Level Agreements (SLA)
    • Memorandum of Understanding (MOU)
    • Measurement Systems Analysis (MSA)
    • Business Partnership Agreement (BPA)
    • End of Life (EOL)
    • End of Service Life (EOSL)
    • NDA
  • Data
    • Classification
    • Governance
    • Retention
  • Credential Policies
    • Personnel
    • Third-Party
    • Devices
    • Service Accounts
    • Administrator / Root Accounts
  • Organizational Policies
    • Change Management
    • Change Control
    • Asset Management

Personnel Management

The biggest threat that an organization faces is internal. It is impossible to prevent every internal attack.  It is impossible to identify all the employees who are crooks or rogue agents, especially when given an opportunity to steal.  It is better to trust nobody.

Some ways to prevent internal theft

  • Background Check.  A Background Check can consist of

    • A criminal record check.  In some states, a candidate with a criminal record cannot legally be excluded from a job just because of their criminal record.  There must be a threat to the employer or the employer’s customers.  For example, an applicant convicted of fraud may not work at a bank.  The employer should verify if the applicant has been rehabilitated and determine how long it has been since the crime took place. .  In some states, a candidate with a criminal record cannot legally be excluded from a job just because of their criminal record.  There must be a threat to the employer or the employer’s customers.  For example, an applicant convicted of fraud may not work at a bank.  The employer should verify if the applicant has been rehabilitated and determine how long it has been since the crime took place.  In some states, an employer may not consider criminal records that are more than seven or ten years old. 

      A person with a clean record may actually be a hardened criminal, but hasn’t been caught yet.

      A criminal record check may span multiple countries depending on where the person lived (or claimed to have lived).

      Due to many different court systems across the United States and other countries, criminal record information is not centralized or may be incomplete.

      An advanced criminal record check may query local court records in every jurisdiction that the candidate lived in, but it can be very expensive.  If a person lies about where he lived, then it might not be possible to uncover his criminal record.

    • A Credit Check.  A candidate with poor credit can be susceptible to bribes or may be tempted to steal.  Under Federal Law and under state law, the credit check cannot be used to exclude an applicant unless there is a legitimate reason.  A person with excellent credit can also be greedy and susceptible to bribes or may cause problems because he hates his employer.

    • Immigration.  Verify that the candidate has the legal right to work in the country that they are in.

    • License verification.  Verify that the candidate has the legal right to work in the occupation that they are applying for (doctor, nurse, lawyer, pharmacist, accountant, etc. all require licensing from a relevant board).

    • Drivers abstract.  For a candidate who will be required to operate a motor vehicle on behalf of the employer as a main part of their job or even casually, the employer must verify that the candidate has a clean driving record.  This may be a legal requirement on behalf of the employer’s insurance company.

    • Education verification.  Verify that the candidate’s degrees, diplomas, and certifications are valid.  It is easy to generate a fake degree parchment from a legitimate school.  It is easy to pay a diploma mill to provide a legitimate looking degree or attend an online university that is not accredited (a school where the student learned absolutely nothing). 

      There are thousands of universities and colleges in the United States, and even if an educational institution is licensed, it does not mean that it is producing good graduates.  The employer may be more concerned with the candidate’s knowledge, experience, or practical skills than with what the employee learned in school.

    • Employment verification.  Verify that the candidate worked at the places he said he worked.  A former employer will confirm the dates that an employee was employed but may not be able to any further details, due to the risk of defamation lawsuits.  In industries where “everybody knows everybody”, such as on Wall Street, a former employer may provide negative information “off the record”.

    • Reference check.  The candidate may be required to provide references – people they have known personally or professionally.  These references may be contacted, but it is likely that the candidate will provide names of people who are likely to provide a positive reference.

    • Social media check.  Some people do stupid things on their days off.  They must remember that they continue to represent the company when they go home for the day, especially if they are managers or executives.  They will be seen by other employees, customers, regulators, and the public, and must portray the company positively.  If they make poor choices and post inappropriate photos/videos online (drinking, committing crimes, etc.) they should be excluded.  If an employee makes bad decisions in his personal life, he will probably make bad decisions at work too.

    • Background investigation.  A background investigation for a government position may be more in depth and would include interviews with neighbors, teachers, former employers, friends, and family members.  It will go back at least ten years and identify every place that the candidate lived, worked, or studied.
  • It is important to

    • Obtain the candidate’s written consent before conducting any background check

    • Follow all relevant laws regarding obtaining and storing the data

    • Obtain additional consent from the different organizations that hold the data

    • Disclose to the candidate all information received, except where prohibited by law

    • Provide the candidate with the opportunity to contest or correct any negative information obtained, and to not make adverse employment decisions unless required to do so
    • Thoroughly vet the accuracy of any data obtained.

A background check can be conducted when an individual is first hired and during regular intervals or when an incident occurs.  An employer may choose to hire an employee and conduct the background check later, if they need to fill a position quickly, or if a full background check will take a long time.  In the United States, criminal record checks can be obtained online in a matter of hours.

  • Onboarding.  Onboarding is the process when the employee is first hired.  The employee is introduced to the policies of the organization and the consequences of not following those policies.

  • NDA.  An NDA is a Non-Disclosure Agreement.  Each employee, contractor, or vendor with access to any sensitive data must read and sign the Non-Disclosure Agreement prior to being provided with access to any data.  The NDA may be revised from time to time.  The NDA contains the following features

  • Acceptable Use Policy/Rules of Behavior.  The Acceptable Use Policy describes what the employee may do and what they may not do while on a company’s system.  In general, the employee should

  • Least Privilege  We should assign the employee only the minimum privileges that he requires to do his job.  That could include

  • Mandatory Vacations.  An employee who is a weasel will be able to cover his tracks if he is always at work.  For example, a crooked bank manager who is writing bad loans to himself and then writing them off can cover up if he is at work.  But if the manager is forced to take a vacation, then another employee can come in to review his work.

    The mandatory vacation policy is great because does not create an environment of mistrust or singles out a specific employee.  When we give somebody a mandatory vacation, we must make sure that their duties are assigned to somebody else during the time that they are gone.  If we give somebody a vacation but put his duties on hold until he comes back, then we have done nothing.

  • Job Rotation.  Employees are forced to rotate through different positions at the organization.  For example, an employee who is responsible for procurement or signing checks is forced to rotate with another employee.  Each employee spends only a small amount of time at each role. 

    This system allows the organization to train multiple employees in each role.  If one is fired or quits, another employee can step in to perform his job.

    This system can be inefficient because

  • Separation of Duties.  No single employee can or should do everything.  For example, an employee who approves invoices should not also be the one to create/sign the checks.  If the employee who approves invoices submits a fraudulent invoice and attempts to pay themselves, they would be caught.

  • Clean Desk.  Each employee is literally required to have a clean desk when they leave work for the day.  In some organizations, sensitive information should be locked, and only specific people can have access.  The clean desk policy is in place at many organizations, but many employees do not respect it.  Be wary of janitors and other contractors who may come into the building after hours and steal or copy anything that is not hidden.

  • Exit Interview.  An exit interview is an interview that is conducted when the employee or contractor is terminated.  It is important to embody the obligations that remain after termination into the employment contract.  At the exit interview, the employee is advised

  • Role-Based Awareness Training
    • Each user must be trained to protect the organization’s data.  The type of training depends on the user’s role.  All training must be documented.
    • Data Owner.  The data owner is the person who created the data, or who oversees the people who created the data.  In general, the data owner always has full access to the data (to read the data).  An organization may choose to prohibit a data owner from modifying or deleting the data after it has been created.

    • System Administrator.  The system administrator manages the system that holds the data.  The system administrator has full access to the data (to read, modify, and delete the data).  There must be safeguards in place to prevent a malicious system administrator from deleting data and causing harm to the organization.  There must also be safeguards in place to monitor what a system administrator can access and ensure that the system administrator has appropriate security clearance. 

      Consider the case of Edward Snowden, and more recently Joshua Schulte, both of whom stole classified government data.  A system administrator should not be able to remove data from a system, certainly not without authorization from another person.  This goes back to having separation of duties.

    • User.  A user is a person with access to some data.  The user may be able to read or modify the data.  The user is granted access based on his role in the organization, which can be controlled by group policy.  The user must not be provided with more access than required.

    • Privileged User.  A privileged user has additional rights above normal users.  The privileged user may be able to grant other users with access.

    • Executive User.  An executive user is a person like a CEO, COO, CFO, or CIO.  This person may require access to all organizational data so that he can properly perform his job.  In theory, this person has access to everything, but, he will not need access to everything.  The executive is a high-value target, and his account should be tightly controlled so that it is not compromised.  The executive may be a target of spear phishing or whaling.

  • Continuing Education.  Employees should be educated about new security threats as they arise.  Education can take place through webinars, in person, newsletters, posters, or meetings.  The education can be tailored to each individual employee based on his role.

  • Adverse Action.  An adverse action is one that is taken when an employee violates a policy

    • Zero Tolerance.  A Zero Tolerance policy means that an employee is terminated for his first violation, regardless of his position or performance.

    • Discretionary Action.  The HR department will decide what kind of action to take, which could include a written warning, a suspension, or termination. 
  • General Security Policies

    • The General Security Policies outline the security goals of the organization.  These goals are implemented through more detailed security policies.

    • Social Media Networks/Applications.  Social media policy is important to prevent people from posting inappropriate content on social media, such as

      • Trade secrets

      • An employee’s personal opinions about the organization that do not reflect the views of the organization

      • Inappropriate content that could portray the organization negatively (employees represent the organization even when they are not at work)

Amplify is an application that allows employees to post (or repost) pre-approved content about their employer.

  • Personal Email

    • An employee must not use personal email to communicate with customers

    • Personal email service providers such as Hotmail and Gmail may store e-mail in other countries, and may not provide an acceptable level of security

    • Customers have the right to know where their data is stored and what kind of data is stored about them.  The organization will not be able to fulfill this obligation if personal e-mail accounts are utilized.

    • In litigation, the organization may be required to disclose electronic documents including e-mails.  E-mails stored at a personal service provider will not be disclosed, since the organization is unaware of their existence.  This could violate the organization’s discovery obligations and subject them to sanctions if the breach is later discovered.

    • Sending e-mails to a customer from a personal account appears unprofessional.  A customer may suspect that e-mails from personal accounts are illegitimate.

    • When an employee uses a personal device to access corporate e-mail, they may see personal and corporate email on the same phone.  They should be careful to make sure that they do not use the wrong e-mail address when corresponding with a client.  Compartmentalization can prevent this.

    • An employee should not use a corporate e-mail for personal use.  The employee should not expect to have any privacy with respect to their corporate e-mail account, which can be monitored or disclosed to third parties.

    • The employer may be able to read an employee’s personal e-mail if it is accessed from a work device.

Untrained Users

Untrained users and users who are computer-illiterate can cause damage to different systems.  Ways in which users can cause damage

  • Users are vulnerable to phishing scams and solicitations

  • Users download and install malware onto their own computers and onto servers (or allow malware to spread across the network)

  • Users misconfigure applications and systems without realizing it

  • Users unplug power and network cables from switches, routers, and computers and then insert them into the wrong ports when the internet isn’t working for them

Some users are well-educated (engineers, CEOs, etc.) and even highly-technical, but may be untrained with more complicated systems (such as routers and storage appliances).

User Training

How can we make the users respect the security environment?  We can train them.  But how can we make training interesting so that users pay attention and remember the message?

  • Gamification – we can add games to the training videos so that there is a higher level of interaction.  We might give users different scenarios and have them select the ones that are malicious.

  • Capture the Flag – in a Capture the Flag game, we divide the users into two teams.  One team is tasked with defending the flag and the other team is tasked with trying to capture it.  A Capture the Flag game can test forensics, cryptography, or other skills.

  • Phishing Campaigns

    • Simulation – we send fake phishing e-mails to the users and see whether they click on them.  If a user clicks on a fake phishing e-mail, then they are warned and have to take another training session.

    • Computer-Based Training (CBT) – we show people different types of messages and have them try to identify whether they are legitimate or fake.  If they are fake, then the users should be able to identify why.

    • Role-Based Training – each user should be given training commensurate with his role in the organization.

We must use a wide variety of training techniques to reinforce our message.  Users have different ways of learning and might get bored.

Third-Party Risk Management

In any business plan, operation, or agreement, a business must evaluate all risks that could occur.  A risk could be positive or negative.  The business must ask

  • What are all the risks?

  • For each risk, how likely is it to occur?

  • If a risk occurs, what is the impact (on revenue, on health & safety, and on reputation)?

  • What risks can the business tolerate and for how long?

  • What risks is the business unable or unwilling to accept?

  • How can the business mitigate or eliminate each risk?  Can a risk’s impact or likelihood be reduced?

Ways that we can manage risks

  • Vendors.  We can reduce the vendor risk by doing the following

    • Having several vendors for each critical function.  This ensures that at least one vendor is always available.

    • Ensuring that each vendor follows the same security standards we do.

    • Providing vendors with only the data that they need to do their job.

  • Supply Chain.  We can reduce supply chain risk by doing the following

    • Having several vendors for each critical function or product.

    • Ensuring that the transportation of critical goods is secure.  That might include tamperproof packaging or GPS tracking of products.

  • Business Partners.  We can reduce the risk through our business partners by doing the following

    • Providing business partners with only the data that they need to do their job.  We should be able to identify each person at the business partner’s office who accesses our data, and when.  We should restrict the number of people with access to our data to only those that absolutely require it.

    • If we have a direct connection between our network and that of our business partner, we should ensure that it is secure.

  • Service Level Agreements (SLA).  SLA – Service Level Agreement.  A Service Level Agreement details the required level of performance and penalties for not meeting those levels. 

    If we are buying a service such as internet, WAN, web hosting, or telecommunications, then the SLA might tell us how reliable we can expect the service to be.  For example, if an organization purchases web hosting services, the hosting company may guarantee that services will operate 99.99% of the time.  If the web hosting is available less than 99.99% of the time, the organization may be entitled to a refund.  The SLA holds the service provider accountable because downtime costs the organization money. 

    If we are buying a service such as a repair of network hardware, or other type of break/fix service, then the SLA might tell us how quickly we can expect a response to an incident.

    The SLA terms could include

    • Uptime guarantee for web hosting, servers, internet connections, and other services

    • Response time for different issues, depending on their impact and priority.  For example, two business day response for non-critical issues, one-hour response time for critical issues

    • Geographical location where the SLA applies.  For example, urban locations may have a two-hour response time, while rural/remote locations could have a two-day response time

    • Penalty for not meeting the response time or uptime guarantee.  The penalty could be structured as

      • A refund of 10%, 25%, or 100% of the monthly fee paid for a service outage exceeding 1%, 2%, or 5%.  This structure is common for web hosting and cloud compute service providers.

      • A penalty for each violation.  The service provider could be required to pay a penalty for each violation.

    • The service provider could be required to reimburse the customer for actual damages caused by the outage.  This not a typical structure because most agreements prohibit indirect or consequential damages.  The service provider’s liability is typically limited to the fees paid by the customer.

    • When we enforce a break/fix SLA, the service provider will be expected to stock replacement parts for any device that they cover.  This will ensure that spare components are always available.

  • Memorandum of Understanding (MOU).  MOU/MOA – Memorandum of Understanding/Memorandum of Association

    • An MOU is a general document that outlines the reasons that two parties have for pursuing an agreement (i.e. how each party will benefit from the agreement). 

    • The MOU provides a framework for further negotiations

    • Once the MOU is in place, then the parties can negotiate more detailed terms.

    • In the event of a dispute in a formal agreement, a court may look at the original purpose outlined by the MOU/MOA, but an MOU is generally not legally binding

  • Measurement Systems Analysis (MSA).  An MSA is a tool for evaluating whether our measurement system is precise and accurate.  In other words, how do we know that a ruler is one foot long? 

    Every organization measures things, and they use the measurements to make decisions.  Some things we might measure

    • How many customers walk into the door each day.  We can use this to decide whether our store has enough traffic to justify staying open.

    • The percentage of products that have defects.  We can use this to decide whether our manufacturing process needs improvement.

    • Our customer satisfaction rate.  We can use this to decide whether our call center requires improvement.

  • Business Partnership Agreement (BPA).  BPA – Business Partners Agreement or Business Partnership Agreement.  This agreement outlines the relationship between two organizations or individuals.  The organizations may be engaging in a joint venture or may have a vendor/purchaser relationship.  The agreement could include

    • The responsibilities of each party

    • The revenue share in the event of a joint venture

    • The cost that one partner may pay to the other

    • The cost of goods or services being acquired

    • The payment terms

    • The type of goods and services being acquired

    • The length of time that the agreement will last

    • How the agreement will be enforced (which jurisdiction is the agreement subject to).  For greater certainty, the parties may choose to have disputes heard in a court of law local to them or may choose to have disputes enforced by an arbitrator. 

  • End of Life (EOL).  A product’s End of Life is when the manufacturer stops manufacturing the product.  The manufacturer might announce the EOL well in advance or might do so abruptly.  We do not want to buy a product that will become obsolete.

    • What is the EOL date, if announced, or when do we anticipate an EOL?

    • Will the manufacturer replace the product with a similar product?

    • Do other vendors make a similar product?

    • Will the manufacturer continue to support the product (warranty, repairs, patches, support, etc.)?

    • Can we still purchase OEM or aftermarket parts for the product?

    • Is it cost-effective to stockpile the product for further use?

For example, if you were buying a specific model of Cisco switch and Cisco decided that they were going to stop manufacturing it, you would expect the following

  • Cisco will announce the EOL data a year in advance

    • Cisco will continue to make patches / IOS updates for the switch

    • You can still obtain a replacement switch if yours fails under warranty

    • Cisco will make a newer model switch to replace the one that has reached the EOL

    • You can buy switches from other vendors such as HP, Juniper, etc., which might work well as replacements for the Cisco switches.  But you probably don’t want to mix and match switch vendors.

  • End of Service Life (EOSL).  A product’s End of Service Life is when the manufacturer stops supporting it.  This is generally a few years after the EOL, and no earlier than when the warranty on the last device sold has expired.

    That means that we don’t have any more support from the manufacturer, warranty repairs, or patches.  We don’t want to buy a product that has reached its EOSL. 

    If we have a device in use that is approaching its EOSL then we want to create a plan for replacing it before the EOSL has arrived.  We want to have enough time to evaluate the available replacement devices, install them, configure them, test them, and work out any issues so that we are not stuck.

    In some cases, we might not have an available replacement device, such as in the case of a legacy system.  We might not have any choice but to keep using it.  We might try to obtain service from an independent repair shop, or we might try to obtain maintenance documentation from the manufacturer.

    One question we should ask is whether the software we use will run on the replacement hardware, or whether the hardware we use will run the replacement software. 

  • NDA.  An NDA is a Non-Disclosure Agreement.  Each employee, contractor, or vendor with access to any sensitive data must read and sign the Non-Disclosure Agreement prior to being provided with access to any data.  The NDA may be revised from time to time.  The NDA contains the following features

    • Prohibits employees from disclosing any sensitive data to any person outside the organization

    • Identify how the organization marks sensitive data

    • Describes how the employee should store sensitive data (encrypted USB, laptop, not taking data home, use of personal mobile devices)

    • The NDA may have exceptions for legal reasons such as in response to a court order or other legal process

    • Describes how an employee should report the inadvertent disclosure of sensitive data

    • The obligations under the NDA do not stop when the employee leaves the organization

  • ISA – Interconnection Security Agreement.  The ISA details how two IT systems will connect to each other.  Two organizations may connect their systems to share data.  For example, two banks may connect their systems so that they can engage in financial transactions with each other.  The ISA might include

    • The types of systems that will connect

    • Specific technical details about how the systems will connect

    • The purpose of the connection

    • The type of data that will be shared

    • The obligations that each party must undertake to keep their data confidential

    • The cost of connecting the systems and how the costs will be shared

Data Roles

Next, we must put in place some controls for keeping our data secure.  Each person who interacts with data must be given a role.  There are different roles for managing the data.

  • Owner – The owner is the person who created the data or is the subject of the data.  The owner may create policies regarding the use of the data. 

    The owner may not necessarily have the right to delete the data.  For example, if you write an e-mail at work, then you might own the e-mail, but if there are data retention laws, then you don’t necessarily have the right to delete it.  You can delete the e-mail from your inbox, but it might continue to be archived by the organization.

  • Steward/Custodian – The custodian manages the data and maintains custody of the data and released data.  The custodian enforces policies set by the owner and by the privacy officer.

  • Privacy Officer – The privacy officer creates policies in accordance with applicable law.  The privacy officer must be familiar with the privacy laws in each jurisdiction where the organization operates. 

    The privacy officer must also be familiar with the different agreements that the organization has entered into.  We might have custody of data that belongs to other organizations, and the release of such data will be subject to specific agreements.  The privacy officer may respond to subpoenas and Freedom of Information Act requests.

Data Retention

How long should an organization store data for?  The short answer is for as long as necessary, and no longer.  Storing more data than necessary can increase the risk that data is inadvertently disclosed.

  • When an organization collects personal information from a customer it should tell the customer how long it will store the data for.  It should also tell that customer why it is collecting the data, how it will be used, and who it will be provided to.

  • An organization may be required by law to retain data for a minimum period.  For example, SOX requires an organization that is publicly traded to keep data for at least seven years.

  • Some jurisdictions have laws prohibit an organization from storing data for a long time.

  • Some professional organizations (engineers, lawyers, pharmacists) may require their members to store client records for many years or decades.  For example, if an engineer designed a bridge, the records may need to be stored for the lifetime of the bridge (100 years).  A doctor or lawyer may need to store data for at least ten years.

  • When a professional (doctor, lawyer, engineer, accountant, pharmacist) stops practicing, there is a procedure for the disposition of those records.  The guidelines are issued by the professional’s organization.  The clients have a right to those records.

Legal and Compliance are important consideration when storing data.  The organization must ask

  • What data does the organization need to collect and from where?

    • Data that is a matter of public record, such as social media. 

      • This data may not be accurate because on the internet, anybody can write anything about anyone.  The source of the data may not permit aggregate collection of the data, or any collection of the data.  The organization should not make decisions based solely on public data.

    • Data voluntarily provided by customers.

      • Have the customers consented to the data collection?

      • Are the customers informed about the type of data collected, how it will be used, how long it will be stored, and who will have access to it?

      • Is there a mechanism for the customers to view and correct the data stored by the organization?

    • Data provided by third parties

      • This could include criminal record checks and credit checks

      • The organization should obtain consent from the customer before accessing this data

  • Is the organization permitted by law to collect the data?

    • Which laws apply?

    • Do multiple overlapping laws apply?  Such as state and federal law?  Or regulations by multiple state and federal agencies?

    • If the data is collected in one country or state and stored in another country or state, do the laws of multiple jurisdictions apply?

  • How should the data be stored? 

    • Are specific types of equipment required?

    • Does the equipment or storage medium need to be labelled?

    • Does the storage medium need to have encryption, and if so, what type?

    • Does the storage medium need to be physically secured, and if so, what type of physical security is required?

    • Who can access the data?  Do they require a security clearance?

    • Does the organization need to maintain an access log and record each time that the data is accessed?

    • How long can the data be stored (minimum and maximum)?

    • What rights do customers have over their own data?

The organization may need to disclose the data to a court, government agency, or third party, without the consent of the customer.  The circumstances:

  • Disclosure to a third party without the consent of the customer is rare.  It may be provided if

    • The third party is engaged in litigation against the customer

    • The third party has obtained a valid subpoena or court order (such as an Anton Pillar order) that permits the disclosure of the data

    • The data custodian should still verify that the subpoena or court order is valid (and not a forgery), and that the court that issued the order has jurisdiction over the custodian.  For example, if the data is stored in California and a court in New York issued the order, the custodian should deny the request.

    • The custodian should still not disclose the data even after confirming that the order is valid and that the court has jurisdiction.  The custodian should provide the details of the order to the customer (unless prohibited by the order – and this is extremely rare) and provide the customer with an opportunity to contest the order or quash the subpoena.

  • Disclosure to a government agency

    • The organization may be required by law to disclose information to a government agency.

    • Examples include

      • An employer must disclose tax/income information to Revenue Canada or the IRS
      • A hospital or doctor must disclose diagnosis of a communicable disease to a public health authority

      • An organization may disclose cases of fraud to law enforcement

      • Disclosure of limited information to a law enforcement agency where there is a risk of physical harm or death to a person.  The organization must verify that the threat is credible, and that the law enforcement agency is legitimate.

    • The organization must be sure that it is disclosing the minimum amount of information to the agency, and that the information is disclosed securely.

    • The organization must advise the customer of the disclosure (if there is a customer affected), unless prohibited by law.

    • The organization should include in its terms of service language that permits it to disclose cases of fraud to the law enforcement agencies without prior consent.  The organization should be able to protect itself from legal liability and fraud at the same time.

  • Disclosure to a court

    • The organization must provide information to a court in a criminal case, if

      • Required by lawful order of that court

      • The court has jurisdiction over the custodian of the data

    • The organization should provide the customer with an opportunity to contest the order if legally able to do so

    • Examples of court disclosure

      • Criminal subpoena from a state or federal court.  The criminal subpoena is typically issued by a prosecutor or grand jury, is not signed by a judge and is in response to an ongoing criminal investigation.  Many criminal subpoenas contain language that advise the recipient not to disclose the contents of the subpoena to the defendant, although adhering to this is not generally required.  Disclosure may compromise the investigation.

        A Defendant on trial may also issue a subpoena to obtain information from a third party that is relevant to his defense.

        If an organization does not respond to a subpoena, the prosecutor may obtain a motion to compel production of the data from the judge.

        The organization should not respond to the subpoena if it is issued by a court that does not have jurisdiction over it.  But the issuer may take the subpoena to another court (one that does have jurisdiction) and ask them to enforce it.

        When the court is located in a foreign country, then the government of the foreign country asks the host country to obtain the evidence on its behalf. 

        • This can be completed informally in that a local police department in one country can ask a local police department in another country for assistance.

          For example, the LAPD can ask the police department in Mexico City to gather some evidence for them. 

          The defence will later argue that the evidence is not admissible in a USA court, because Mexico does not have the same legal protections as the United States.  The police in other countries have less respect for the law, and sometimes they do not have rules against “unreasonable search and seizure”.

          US Courts have generally ruled that evidence collected illegally in other countries is admissible if the foreign police were not acting as agents of the US police.

        • MLAT.  MLAT or a Mutual Legal Assistance Treaty is a more formal method of obtaining the data.  Two countries may negotiate a treaty that allow one country to ask the other to do some of the following

          • Execute a search warrant

          • Gather evidence

          • Interview witnesses

          • Enforce a fine

          • Enforce a forfeiture order

In general, the procedure is as follows

  • The federal government of one country is investigating a crime

    • They ask the federal government of the other country for assistance.  This request is sent through a diplomatic channel.

      • The federal department of justice for the assisting country goes to court and obtains an order on behalf of the first country.  They then execute the order and transfer the evidence.

      • The order is subject to the legal standards of the country that is issuing the order.  A court will not issue an order unless it is satisfied that a crime was committed (and it must be a crime under the laws of the country that is issuing the order).

    • Letters Rogatory.  When the two countries do not have a treaty, one country can still ask another country for assistance.  Less assistance is available, but the foreign country can still usually gather publicly available evidence and interview witnesses.

    • Search warrant.  The organization will not have an opportunity to respond to a search warrant because they are obtained ex parte and mandatorily enforced.  The exception is for a search warrant obtained under the Electronic Communications Privacy Act.

    • FISA.  Orders issued by the FISA Court (Foreign Intelligence Surveillance Court) and must typically be complied with.  The orders are obtained in secret and are considered classified, and therefore cannot be provided to the customers.

      The organization can choose to contest an order issued by the FISA court but will not have access to the underlying classified data used to obtain it.  As a result, it will be practically impossible to quash.

      An organization will not be able to disclose the fact that it even received an order (although it may release numbers in aggregate).

    • NSL.  A National Security Letter, or NSL.  An NSL is issued by the FBI to obtain Toll Records (phone numbers dialed, and calls received, email addresses sent and received, billing records), Financial Records, and Credit Information. 

      An NSL is not obtained through a court and is considered classified.  The recipient is not permitted to disclose the contents of the NSL.

    • Foreign court order.  An organization should not comply with an order from a foreign court, but a foreign prosecutor can use a diplomatic channel to ask a local court to enforce the order.  For example, the United States and Canada have an MLAT (Mutual Legal Assistance Treaty).

We talked about the different types of accounts, but we need to clearly set policies for each one

  • User Account.  This is the standard account.  There may be multiple types of user accounts with different levels of privileges and access.

    • Each user should be responsible for safeguarding their credentials.

    • A user should not share their credentials with other users.  Each user should be responsible for the activities performed under his own login.

    • A user should lock their computer or log out before they step away from it.

    • A user account should be tied to a person’s HR record.  When the person is terminated or leaves for an extended period, their account should be locked.

    • A manager should approve the activation of an account or the application of privileges to an account.

    • Accounts should be audited regularly to remove unnecessary privileges.

  • Shared and Generic Accounts.

    • It is better to allow each user to log in with their own account, and then delegate access to them, rather than give multiple users the password to one account.  They will be able to access the same information, but their activities can be accounted for.

    • A generic account is one that may be used by a device such as multi-function printer/scanner or conference room phone.  This device must connect to the corporate network and access specific resources.  Generic account credentials usually do not change.

    • A generic account is risky.  For example, a photocopier may store the generic account username and password in plain text.  The organization must take precautions to ensure that only the device in question can authenticate with that account or use other methods to allow devices to access the network.

      Sometimes a generic account is necessary for legacy devices.

    • The generic account should be assigned the least amount of privileges required for it to perform its tasks.

    • A manager should approve the creation of a generic account, and its purpose should be well documented.

  • Guest Account.  A guest account is granted to visitors and contractors.  The guest account typically has limited privileges.  Guest accounts should be locked out when not required.

  • Service Account.  A service account is used for maintenance.  For example, a software application running on a server may require a service account to download/install updates.  The service account should not be permitted to log in to a computer.

    • A manager should approve the creation of a service account, and its purpose should be well documented.

  • Privileged Account.  A privileged account is also known as an admin account or an elevated account.  The privileged account will have more access than the user account.  In a large organization, there can be different levels of privilege/access, or groups of privilege/access (for example, domain administrator, email administrator, etc.).

    • A privileged account should be tied to a specific user.

    • The user should only be assigned the privileges that he requires to do his job.

    • The user should use a standard account for day to day tasks.  The user should only log in to the privileged account when required. 

    • Even better, the user should never log in to his privileged account.  He should log in to his standard account and then run privileged tasks as an administrator.

    • A manager should approve the creation of a privileged account, and its purpose should be well documented.

  • Third Party Account.  A third-party account is one that is issued to a contractor or other party.  It may be a user account or a privileged account (for example an IT contractor).

    • The third-party account should be tied to a specific person at the third-party

    • The user should be subject to the standard agreements such as the Acceptable Use Policy and the NDA

    • The user’s organization should agree to be held liable for any misuse of the account

    • A manager should approve the creation of the account

Laws relevant to data privacy

  • HIPPA (Health Information Portability and Protection Act) protects Personal Health Information (PII).

    • It covers information about

      • An individual’s past, present or future physical or mental health or condition,

      • The provision of healthcare to the individual
  • Payment for healthcare

    • PHI may not be disclosed except

      • To the government (to investigate fraud, for compliance, etc.)

      • To law enforcement if it will prevent the death or serious injury of a person

      • In response to a court order

      • To the patient’s healthcare provider

      • To the patient or patient’s authorized representatives

    • The organization must

      • Designate a privacy officer who is responsible for maintaining privacy policies

      • Install data safeguards

      • Implement a mitigation plan for disclosure of protected data

      • Accept complaints from individuals regarding the storage of data

      • Train all employees to protect PHI
  • The Right to Financial Privacy Act (RFPA), 12 USC § 3414.

    • In 1976, the Supreme Court found in United States v. Miller that financial institution customers had no legal right to privacy with respect to their financial records

    • As a result, the RFPA was passed

    • The law states that “no Government authority may have access to or obtain copies of, or the information contained in the financial records of any customer from a financial institution unless the financial records are reasonably described”

    • The government must provide the customer with advanced notice prior to obtaining the records, so that the customer can challenge the disclosure in court.  Exceptions

      • Disclosure of records that do not identify a specific customer

      • Disclosures to the IRS

      • Emergency disclosures

      • Disclosures in the interest of national security

      • Disclosures in response to civil litigation

    • A financial institution could be any organization that issues credit, including

      • Depository institution (banks, thrifts, credit unions)

      • Money services business

      • Money order issuers, sellers and redeemers

      • Travelers check issuers, sellers and redeemers

      • U.S. Postal Service

      • Securities and futures industries

      • Futures commission merchants

      • Commodity trading advisor

      • Casino and card clubs

    • A financial institution has the legal obligation to disclose the following

      • Any kind of insider abuse of a financial institution

      • Federal crimes against, or involving transactions conducted through, a financial institution that the financial institution detects and that involve at least $5,000 if a suspect can be identified, or at least $25,000 regardless of whether a suspect can be identified

      • Transactions of at least $5,000 that the institution knows, suspects, or has reason to suspect involve funds from illegal activities or are structured to attempt to hide those funds

      • Transactions of at least $5,000 that the institution knows, suspects, or has reason to suspect have no business or apparent lawful purpose or are not the sort in which the particular customer would normally be expected to engage and for which the institution knows of no reasonable explanation after due investigation

  • The Electronic Communications Privacy Act (ECPA), 18 USC § 2709.  This act is made up of three smaller acts

    • The Wiretap Act
      • Defines the types of communications that can be lawfully intercepted (public radio communications, emergency communications, satellite communications, etc. can be intercepted)

      • Makes it illegal to sell or advertise a device that can intercept a wire communication

      • A wiretap must be authorized by a federal judge; and an application to obtain a wiretap made to a federal judge must be approved by a Deputy Assistant Attorney General or higher

      • The application must state

        • A description of the offense that has been committed, a description of the person whose communications are being intercepted, and a description of the communications that are being intercepted

        • That other investigative procedures have been attempted and failed or that they are too dangerous

        • The length of time that the interception will take

        • A list of all other applications for interceptions that have been filed and whether they were approved or denied

      • The application will be approved if

        • There is probable cause to show that an offense has been committed or will be committed

        • Evidence of the offense can be obtained through the interception, and

        • Normal investigative procedures have failed or are too dangerous

      • A wiretap order expires after thirty days

      • The interception must be conducted in a method that minimizes the interception of irrelevant communications.  Courts have created different methods for minimization.

        • Law enforcement can listen to all conversations, but can only record or keep communications that are relevant

        • Law enforcement can listen to the first part of each conversation, but can only continue listening or recording the conversation if the first part contains signs of criminal activity

        • Patterns of telephone use that indicate criminal activity can be detected and listened to

        • Use of code or cryptic language in the conversation may indicate the presence of criminal activity and can be listened to

    • The Stored Communications Act

      • Remember that there are two types of service providers

        • A Remote Computing Service: “any service which provides to users thereof the ability to send or receive wire or electronic communications.”

        • An Electronic Communications Service: “the provision to the public of computer storage or processing services by means of an electronic communications system”

      • Any e-mail in storage for 180 days or less is considered an electronic communication and may only be disclosed

        • In response to a search warrant.

        • To the government when urgent disclosure is necessary to prevent the death or serious injury of a human

      • Disclosing e-mail metadata (e-mail addresses, time/date sent/received, etc.) does not require a warrant

      • Disclosure of e-mail content is not permitted through a civil subpoena

      • Many companies (such as Facebook, Twitter, etc.) have classified themselves as “electronic communications services” instead of “remote computing services” and are refusing to provide most “content” data through civil subpoenas.

    • The Pen Register and Trap and Trace Devices Statute

      • A pen register records the phone numbers that have been dialed

      • A law enforcement officer can apply to a court for a pen register if they can certify that the information to be obtained is relevant to a criminal investigation

      • A law enforcement officer can install and maintain a pen register without a court order if an emergency exists, but only for up to 48 hours, and must then apply for an order after the fact

  • The Fair Credit Reporting Act (FCRA), 15 USC § 1681

    • A consumer reporting agency (credit bureau) can only provide a credit report

      • To the consumer it relates to

      • In response to a court order

      • To a person who is evaluating a transaction with a consumer, to the consumer’s employer, to the consumer’s insurer, to the consumer’s investor, or for another legitimate business requirement

      • To determine child support payments

      • To the federal government if it relates to national security

    • An employer may not take any adverse action that relies on the report without first providing the consumer with a copy of the report

    • A consumer has the right to obtain a copy of his report at no cost

  • Freedom of Information Act

    • Information held by federal government agencies is subject to public inspection in an electronic format

    • A person may apply to a government agency for access to records.  The agency must then search for the records.  The person may request specific records or request that the agency search for records that match specific keywords or circumstances.

    • The government does not disclose

      • Classified information

      • Trade secrets and financial information

      • Personnel and medical files

      • Law enforcement data that is considered private, that could hurt a Defendant’s right to a fair trial, that could compromise the identity of an informant, that could endanger a person, or that could disclose specific law enforcement techniques

      • Geological data

    • The federal government of Canada and some provinces in Canada have similar acts with similar names

  • Gramm-Leach-Bliley Act

    • A financial institution must safeguard the privacy of its customers

    • Financial institutions include companies that are engaged in

      • Lending, exchanging, transferring, investing for others, or safeguarding money or securities

      • Providing financial, investment or economic advisory services

      • Brokering loans

      • Servicing loans

      • Debt collecting

      • Providing real estate settlement services

      • Career counseling

    • Any information that is personally identifiable financial information is protected unless it is publicly available

    • A financial institution must provide each customer with a Privacy Notice

    • The notice contains

      • A list of the categories of information collected

      • A list of the categories of information disclosed

      • A list of the categories of affiliates and non-affiliated third parties to whom the information is disclosed

      • Categories of information disclosed and to whom under the joint marketing/ service provider exception in section 313.13 of the Privacy Rule (see “Exceptions”).

      • Any disclosures required by the Fair Credit Reporting Act

      • Policies and practices for protecting the confidentiality and security of information

      • An “opt-out” notice explaining the individual’s right to not have their information shared; a reasonable way to opt out; and, a reasonable amount of time to opt out before the information is disclosed

    • The organization must safeguard data by

      • Designating an employee to maintain information security

      • Identifying risks to security, confidentiality, and integrity of the information

      • Performing a risk assessment, which includes employee training, information systems, and detecting intrusions

      • Installing safeguards to prevent risks that were identified in the risk assessment and test or monitor those safeguards to ensure that they are functional

Change Control

As mentioned earlier, a single employee cannot make a change by himself.  The change control policies tell us the following

  • What types of activities constitute a change.  This might network hardware configuration, switch configuration, security policies, the physical location of infrastructure, and many other items.

  • The work flow for a change request and how we keep track of them.  In general, a person who wants to make a change must write a detailed plan and justification for the change. 

  • The person or people responsible for approving the change request.  The level of management required for approval depends on the cost and impact of the change.

  • The change request might go to a committee known as the Change Control Board or CCB.  The policy should define the people who are on the committee.

    The CCB evaluates the impact of the change on the organization.  Some of the things that the CCB might consider

    • The cost of the change

    • The amount of time required to implement the change

    • The risk of the change affecting a critical organizational function

    • The potential benefit of the change

The CCB decides whether a change is approved or denied.  A member of the executive team may be able to overrule a decision made by the committee.

  • Once the change is approved, we must do the following

    • Develop a detailed budget for the change

    • Develop a detailed plan for the change, including a way to reverse the changes should they fail.

    • Develop a detailed schedule for the change

    • Execute the change

  • Once the change has been executed, we must document the change so that others are aware of its existence.  This could include updating critical systems or asset logs.

Asset Management

The organization must have a way to keep track of its assets.  Assets could include devices like computers, laptops, routers, printers, cameras, wireless access points, vehicles, furniture, etc..

Why do we want to track assets?

  • We will know what we have.  If we have spare equipment in stock, and somebody needs a piece of equipment, we can deploy it from stock instead of purchasing a new one.

  • We can keep track of equipment so that we know where it is and who it is assigned to.

  • We can have an accurate valuation of our equipment for insurance purposes.  When we buy insurance, we must tell the insurance company how much our stuff is worth, and what the replacement cost is.

  • We can have an accurate valuation for financial reporting purposes.  Tax laws usually allow a company to write off a portion of the value of their assets each year.  This is called depreciation

  • We can quickly figure out the age of our assets.  We can figure out if something is still under warranty or if it needs to be replaced.

We mentioned asset tags earlier.  Each asset tag has a unique number.  It might also have a barcode and/or an RFID chip.  We might put an asset tag on any device that we are tracking, but we don’t have to.  An asset tag uniquely identifies each asset, when many assets look the same.

Some of the properties that we might track

  • Device Asset Tag

  • Serial Number

  • Make/Model Number

  • Physical Location

  • Cost

  • Date of Purchase

  • Warranty Information

  • Who it is assigned to