Tuesday, October 2, 2007

A Simple Incident Response to a Simple Oversight



Today may be the day you need to step up and respond to a breach involving someone else’s confidential information. Do the right thing and you will be OK. Assuming the breach is smaller than it really is can negatively impact your company, the victims, and your livelihood.

A Little Background
I write for this and The Breach Blog because I am passionate about information security and protecting people when dealing with confidential information. The Breach Blog was born out of this passion just a few months ago, and I have already written 69 articles (with a backlog of four) about breaches and the lessons they teach us. I believe that people can really learn from other people’s mistakes. Anyway, on to the story...

The Incident
This morning I received a phone call from one of the IT administrators at a company that I provide information security consulting for. He was in a panic.

He regularly receives email updates from his human resources department outlining terminations, new hires and management changes. He gets these updates so that he can update the company’s Active Directory. Today, he received his spreadsheets as normal, but this time there was an additional column that he had not seen before. The column was titled “Assoc. ID”, and the spreadsheet contained information on about 50 company employees.

Can you guess what the “Assoc. ID” is?
If you guessed Social Security number, then you are correct! Oh boy.

On the surface, you may say this isn’t that big of a deal. We can just go to human resources and inform them that this is an unacceptable practice and be done with it. OK, but put yourself in the shoes of a person that was in the spreadsheet. Would you be OK if information security just went to human resources and told them to quit it? I am guessing that your answer may be the same as mine, NO!

If I was a victim, what kind of questions would I demand answers for? Let’s see:

  • I want to know where this information came from.
  • I want to know if this has been an acceptable practice by human resources in the past and if so, how long?
  • I want to know if there was anyone else that received this email.
  • I want to know that the email containing the spreadsheet was deleted. Not just from the “Inbox” either, but also “Sent Items” and “Deleted Items”.
  • I want to know if there were any copies stored locally on the sender’s computer.
  • I want to know if there are any copies on a network drive (i.e. is “My Documents” synchronized).
  • I want to know if this information may be in a backup anywhere that needs to be dealt with.
  • I want to know why this happened in the first place.
  • I want to know what human resources is going to do to make sure that this never happens again.
  • Are there any laws and/or regulations that apply, i.e. do I need to disclose this breach to any state attorneys general?
You get the picture yet? I want to know everything there is to know about this breach and I want to take every possible action to contain the damage caused by it.

Victims and shareholders should expect and demand no less!

As it turns out, this seemingly innocent mistake/training issue quickly escalated into a full-blown investigation that took away from other important tasks and cost the company money. It would have been easy to take the lazy approach and sweep this under the rug, but what service would I be providing to the victims, the company, or myself? Thank God this breach only affected 50 people and was relatively easy to contain and respond to. What would I have done if this breach affected 5000, 50000, or 500000 people? What if the human resources person sent the email outside of the company?
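The spreadsheet slipped through because the sensitive column carried an innocuous heading, so any check that keys on header names alone would have missed it. The following is an added example (not code from the post or from the company involved) of a content-based check that flags a column as SSN-bearing from the shape of its values, skipping the area/group/serial ranges that are never issued so that zero-padded employee numbers do not trip it; the CSV sample and column names are constructed.

```python
import csv
import io
import re

# Constructed sample of an HR update of the kind described in the post:
# the "Assoc. ID" column holds nine-digit values that are really SSNs,
# while "Emp No" holds zero-padded employee numbers that are not.
SAMPLE_CSV = """Last Name,First Name,Action,Dept,Assoc. ID,Emp No
Doe,Jane,New Hire,Finance,123-45-6789,000104200
Roe,Richard,Termination,IT,987654321,000100070
Smith,Alex,Mgmt Change,Sales,219-09-9999,000103110
Jones,Pat,New Hire,HR,078-05-1120,000104000
"""

# Nine digits, with or without the usual dashes.
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def looks_like_ssn(value: str) -> bool:
    """True if value has the form of an SSN that could actually be issued.

    Area 000, 666 and 900-999, group 00 and serial 0000 are never assigned,
    so nine-digit identifiers in those ranges are not reported.
    """
    m = SSN_RE.match(value.strip())
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    if group == 0 or serial == 0:
        return False
    return True


def find_ssn_columns(csv_text: str, threshold: float = 0.5) -> dict:
    """Return {column_name: hits} for each column where at least `threshold`
    of the non-empty cells look like SSNs, whatever the header calls it."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = {}
    totals = {}
    for row in reader:
        for col, cell in row.items():
            if cell is None or not cell.strip():
                continue
            totals[col] = totals.get(col, 0) + 1
            if looks_like_ssn(cell):
                hits[col] = hits.get(col, 0) + 1
    return {col: n for col, n in hits.items() if n / totals[col] >= threshold}


if __name__ == "__main__":
    # Prints {'Assoc. ID': 3}: three of the four values pass the issued-SSN
    # rules; 987654321 is skipped because area 987 is never issued.
    print(find_ssn_columns(SAMPLE_CSV))
```

Run over outbound attachments at the mail gateway, or over a file share, the same function gives the "where else does this live?" inventory that the questions above ask for.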

Tips I've Learned
An easy way to respond to an incident involving personally-identifiable information is to put yourself in the shoes of a victim. This may sound obvious, but too many times I have witnessed information security “experts” going the other way. Answer the questions that you would have as a victim. Take money, lost consumer confidence, stock price, etc. out of the equation and do the right thing. If we all did the right thing we would have less regulation and more time to do other “right things”.

The CIO of this company asked me a question on my way out the door once the investigation was complete. He asked me what makes an information security professional so good at what he (or she) does? My answer: 95% of what makes a good information security professional is common sense. The other 5% is skill.

Unfortunately, it is very difficult to teach someone common sense.

Monday, September 17, 2007

Shame on Wells Fargo or Shame on Me?



Friday was a busy day, but I found a little time to check my gmail account. My peak performance brain has been trained to immediately key on certain words that appear in my inbox and classify them as threats, either phishing or spam. You know words such as “Alert”, “PayPal”, “Warning” and “eBay”? This time my brain tells my eyes to check out this email labeled “Wells Fargo Online Notification of New Legal Notices”.

There are three primary reasons why I am particularly interested in this email. One, I am a Wells Fargo customer. Two, I signed up for email updates and regularly get emails from the company. And three, gmail typically does a great job of filtering out phishing attempts from my inbox. So I open the email.


The email looks legit to me.

A Phish is a Phish?
I have been training users for the last couple of years to NEVER click on a link in an email to a login page, then proceed to login. I assumed that this is a “best practice” to protect oneself from phishing. I am always skeptical. Did this email really come from Wells Fargo? I check the header of the email, looks good. I check the links, look good. I check the html code, still looks good.

This legitimate Wells Fargo email goes against what I thought were best practices in regards to phishing prevention. Being the concerned (paranoid) information security guy that I am, I emailed reportphish@wellsfargo.com with the following:




to reportphish@wellsfargo.com
date Sep 14, 2007 1:50 PM
subject Fwd: Wells Fargo Online Notification of New Legal Notices

To whom it may concern:

It appears that the email depicted below actually came from Wells
Fargo. The email contained links that went to your login page and
asked people to sign in. Wells Fargo should not be sending emails
like this to your customers! It goes against everything that we try
to teach people with respect to phishing.

Sincerely,
Concerned customer


Surely Wells Fargo knows much more about phishing than I ever could, so am I wrong?
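The checks described above (sender header, links, HTML) can be scripted for mail that lands in a triage queue. This is an added example, not the post's own code and unrelated to Wells Fargo's systems: it parses a constructed message, pulls every anchor out of the HTML part, and reports links that are off the expected domain, not HTTPS, or whose visible text names a different host than the href. The sample message, domains and paths are all made up, and the registered-domain helper is deliberately crude (last two labels).

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message in the style of the notification discussed in the post.
# The first link is what a legitimate notice looks like; the second shows the
# two classic phishing tells: a look-alike host and text that lies about the href.
SAMPLE_EML = """\
From: Online Alerts <alerts@example-bank.test>
To: customer@example.test
Subject: Online Notification of New Legal Notices
Content-Type: text/html; charset="utf-8"

<html><body>
<p>New legal notices are available.</p>
<p><a href="https://online.example-bank.test/login">Sign on to view them</a></p>
<p><a href="http://example-bank.test.login-verify.example/signon">https://online.example-bank.test/</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the HTML part."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Enough for this constructed sample;
    a production check would consult the public suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_links(raw: str, expected_domain: str) -> list:
    """Return one finding string per suspicious sender or anchor."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Header check: the envelope-visible sender should be on the expected domain.
    sender_host = parseaddr(str(msg["From"]))[1].rpartition("@")[2]
    if registered_domain(sender_host) != expected_domain:
        findings.append(f"sender domain mismatch: {sender_host}")

    # Link and HTML check: walk every anchor in the HTML body.
    html_body = msg.get_body(preferencelist=("html",)).get_content()
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        url = urlparse(href)
        if registered_domain(url.hostname or "") != expected_domain:
            findings.append(f"off-domain link: {href}")
        if url.scheme != "https":
            findings.append(f"non-https link: {href}")
        shown = urlparse(text)
        if shown.hostname and shown.hostname != url.hostname:
            findings.append(f"text/href mismatch: '{text}' -> {href}")
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EML, "example-bank.test"):
        print(finding)
```

A message that passes all three checks is still only "not obviously forged"; the point of the post stands, since the safe habit is to type the bank's address yourself rather than follow the link.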

Tuesday, September 11, 2007

Where Have I Been?



You may have been wondering where I have been for most of the last two weeks (maybe not!), and here I am to tell you.

I have started a new blog and have been spending much of my time creating content for it and getting it up to speed. The blog is "The Breach Blog" where I have been researching and providing commentary on breaches that have occurred over the last month or so. I am motivated to share breaches with the public, provide insight from a security point of view, and give people a place where they can come and voice their opinions publicly. Basically, I get great satisfaction from helping people who don't know any better.

Information for The Breach Blog is compiled from a variety of sources including (but not limited to):

- The Attrition.org Data Loss Archive and Database (pioneers in breach disclosure)
- Privacy Rights Clearinghouse
- Google Searches
- News sources
- State government sites
- Victim emails

I hope that people from all walks find value in the information provided.

The Trusted Toolkit Blog will start to get more attention again soon as I begin to divide my time more and get more organized. I'll be back...

Thursday, August 30, 2007

Passwords Written Down, Real Life Real Risk



I sound like a broken record sometimes. I get sick of hearing myself speak too. I will say it again because it is of utmost importance:

People, please STOP writing passwords down!

Here is a real-life example of a written down password that could have very easily led to over $500,000 in theft.

The Incident
I get the call all of the time. Someone calls to report (anonymously) that they have found a password written down on a laptop. As always, I initiate an investigation to determine the extent of the risk to the company I am contracted to work for. Upon arrival at the site of the laptop, I notice various passwords written down on stickers just to the right of the mouse/thumbpad.



Typically, the passwords I find pose more risk to the company (i.e. Active Directory passwords, VPN passwords, etc.) than they do to the individual at fault, but this one was different. My eye was immediately drawn to one written password entry; it read:

E-TRADE: etrade.com
EXERCISE PASSWORD: 88946571335
USER ID: jdoe
PASSWORD: jdoeDoneB4d

NOTE: These user IDs and passwords have been modified for the sake of this article. The actual user IDs and passwords on the stickers were different.

Naturally, I want to find out who this person is. After searching everywhere within the company and interviewing numerous people I had run out of options. I think to myself, self, “The user name and password can’t still be valid, can they?” I decide to try. I go to http://www.etrade.com/. Oh %^$*@! They are valid! Upon login, I get confronted with the “Complete View” account page.



$492,640.25 worth of risk! Now, however, I can find the user, which is my main motivation. Obviously the first thing to do is have the user change their password, which they did. I spent a good amount of time with the user explaining what could have happened if this information fell into the wrong hands and gave them some alternative methods for password management. I am not sure if it sunk in or not, but it felt good to help for now!

How did the laptop end up where it was?
This is the question I would be asking myself. Through investigation it was discovered that the laptop was turned in to the help desk for normal hardware rotation. The user basically sends their old laptop to the help desk for a new one, which is common every couple of years. The help desk placed the old laptop in storage then brought it out as a loaner for a contractor.

Why didn’t the help desk remove the stickers and inform Information Security personnel when the laptop was returned for recycling?
Another good question. Because sometimes people forget that information security is EVERYONE'S job. People need to understand what role they play because we all play one. I have found through experience that an effective training and awareness program goes a long way. Training and awareness conducted correctly could have stopped the user from writing their passwords down in the first place and may have reminded the help desk to remove the stickers and report them.

Conclusion
I have given this much thought over the last few days. It really bugs me when people fall victim to scams, thieves, and the like. There is no sense in making it easy for them! People write down passwords because they typically do not know of a better way to manage all of their passwords. Can we blame them? See my previous article "Passwords Part 3/3 - Password Management" for some suggestions.

In hindsight I should not have logged into the account to find the username. This poses a risk to myself. Next time I will call eTrade and inform them of the username and password found on the laptop. I hope there won't be a next time, but I would be too naive to believe so.


Thursday, August 23, 2007

Information Security Quote of the Day



"It's seems like there's a problem with security inside Homeland Security and that makes no sense"

 - James Slade, TSA screener and the executive vice president of the National Treasury Employees Union chapter at John F. Kennedy International Airport, talking about the TSA hard drive, lost in May 2007, containing Social Security numbers, bank and payroll information for roughly 100,000 employees.


NOTE:  The agency said it did not know whether the device is still within headquarters or was stolen.

Hardly a week later DHS employees announced a class action lawsuit against the TSA in AFGE, et al v. Kip Hawley and TSA which to my knowledge has not yet been resolved.


Tuesday, August 21, 2007

TJX Breach News, and on and on...



Today the Boston Globe reported an arrest related to the TJX record-setting breach (in terms of number of affected consumers) in their article, "Suspect named in TJX credit card probe: Ukrainian's arrest seen as break in record fraud case".

I continue to be intrigued by the details of this case.  Maksym Yastremskiy stands accused of playing a "key role in the sale of many credit card numbers stolen from TJX Cos" and is likely the "largest seller of stolen TJX numbers".


According to the article, Mr. Yastremskiy sold cards in batches of up to 10,000 for $20-100 per card through various online forums.  Let's do some math.

10,000 cards @ $20-100/card = $200,000-1,000,000!

Let's say for a second that 45 million cards (allegedly lost in the original breach) were able to be sold for the same price.

45,700,000 cards @ $20-100/card = $914,000,000-4,570,000,000!

Up to 4.5 billion dollars!  Now this is all VERY hypothetical, but it should be VERY clear why organized crime is so interested and active in information security (or insecurity).  The amount of money made is incredible.

The article goes on to state that TJX reported that initial estimates of how much the breach will cost the company were grossly understated.  TJX estimates that it will spend $256,000,000 to cover the costs of the breach, improved security controls, and lawsuits.  
I don't know, but this still seems understated to me.

There is evidence of cards and/or information related to the TJX breach being used all over the world from retail WalMart stores to cash advances.

What a mess.  What did Mom say?  Something like an ounce of prevention is worth a pound of cure, or was it an ounce of security is worth $20-100/card?  I can't remember!


Some good TJX breach-related links:
 - The original TJX press release announcing the breach dated 1/17/07
 - The TJX "IMPORTANT CUSTOMER ALERT" dated 2/21/07
 - The original Information Week online article dated 1/17/07
 - "TJX profit down sharply on breach costs" reported by CNNMoney on 8/14/07
 - The recent Boston Globe story reporting Yastremskiy arrest dated 8/21/07
 - Massachusetts Bankers Association class-action lawsuit announcement dated 4/24/07
 - FTC Notice of Proposed Routine Use; Request for Public Comment, Privacy Act of 1974; System of Records: FTC File No. P072104

Monday, August 6, 2007

Mystery Credit Card Cancellations



This article raises more questions for me than it answers. I am referring to the article written by Stewart Carter, editor of The eCommerce Report titled "Visa confirms data tapes theft". I am assuming that this article is credible.

Data tapes containing "card data" were stolen in late May, 2007. Visa International has confirmed that "an investigation into the theft of data tapes on May 25 is ongoing and therefore we cannot comment further on this matter". Dead end.

On July 19th, the Sydney Morning Herald reported that Westpac (a large Pacific Rim bank) was cancelling Visa cards en masse. On July 24th, ZDNet reported that Virgin Money (Westpac's card partner) was cancelling MasterCard credit cards. It is unclear why Westpac and Virgin Money are cancelling so many credit cards.

Jane Counsel, Westpac’s senior media relations manager did respond to the eCommerce Report's inquiries by stating "…[T]he card data compromise which has impacted Westpac and Virgin cards relates to transactions that have occurred with a third party vendor who uses a payment gateway provided by one of the other major banks…”. "A third party vendor"??? Who?

It is clear from the article that none of the organizations involved want to take any responsibility for what could be a very significant breach. Stay tuned, as I am sure this story is far from over.

But, then again I wonder if this news is credible. I looked for both the Sydney Morning Herald and the ZDNet articles and couldn't find either. Please post them if you can find them.




Friday, August 3, 2007

Information Security Policy 101 – Policy Approval



OK, the time has come for us to wrap this up!  July is over and so is “Information Security Policy Month”. This is the 19th and final installment in the Information Security Policy 101 Series.

If you have been following along over the last month you will notice that we have covered 16 of the most common information security policies, but we haven’t tied them together or sought formal approval yet.

NOTE: The “approval” we are seeking now is the approval of the written policies. This should not be confused with the initial approval you should have received prior to even beginning an information security policy project.

The advice that I will give in this article is based on what has worked for me in the past. I have had the honor of leading multiple information security projects in the past for both private and public companies from assessment through to final approval and adoption.

The Company XYZ Corporate Information Security Policy
The Company XYZ Corporate Information Security Policy is the one document that everyone in the organization is expected to read and understand. Some portions of the policy may apply more directly than others, but everything is meant to be understood by the audience.

Take the 16 policies (or however many your organization has deemed necessary) and place the “Company XYZ Corporate Information Security Policy” wrapper around them, adding some important information that may include:

- Header explaining the document
- Versioning information
- Table of contents
- Introduction
- Purpose (of the Corporate Information Security Policy)
- Scope (of the Corporate Information Security Policy)
- Definitions
- Responsibilities
- Waivers
- Disciplinary Actions
- Supporting Information, and
- References


Whoa! Seems like a lot of information, doesn’t it? Admittedly, yes it does. Take a look at the sample and it should be clearer.

SAMPLE CORPORATE INFORMATION SECURITY POLICY

Once the document is complete, it’s ready for approval!

NOTE: Be prepared for multiple "back and forth" go-arounds with management before the policy is "golden"!

Approval
The detailed process for approval of the newly written Corporate Information Security Policy will differ greatly from organization to organization. Some organizations have a more “approachable” executive team than others, so use judgment and care in your approach. When in doubt, follow the chain of command by seeking the advice of your direct up-line manager.

Approval must come from the leaders of your organization. If you have any hope of adopting, implementing and enforcing your policy then executive approval is a must. Too many times have I seen information security personnel attempt to implement policy without seeking the right approvals and every single time their efforts have failed miserably. Who has overall authority in your organization? This is the person that needs to approve.

Ideally, you have included your organization's leaders all along during the information security policy project. This makes communication and approval much easier. All is not lost however if you have not.

What does management need to know?
1. The Corporate Information Security Policy is based on sound security “best practices”.

Assure management that the policy is a best-of-breed policy that was written after careful analysis and research.

2. Approval of the policy will not disrupt business.

The bottom line is that a company is in business to make money. You will not receive the approval of management if they perceive that information security will in any way hinder the ability of the company to make money.  An art of information security is that it must NOT EVER stand in the way of business or be perceived as such.

Inform management that “approval” of the policy does not mean that the policy has been “adopted” or “implemented”. Approval gives the organization (and information security personnel) the ability to begin adoption and start the “secure” process. Create an adoption/implementation timeline that highlights when information security believes that the organization could be compliant with most of the policy and inform management that the organization will never be fully-compliant. Remember, security is evolutionary not stationary!

3. The expected costs involved through the approval of the information security policy will be more than offset by reduced risk and exposure.

You can probably think of other items of note to use in your approval process, but the ones above have consistently worked for me.

Next Steps
The real work begins!
Now that you have your new approved policy in hand, decide how you will train the organization’s personnel. There are a variety of training options available including CBT, web-based, instructor-led, in-sourced, out-sourced, etc. Once a training timeline has been tentatively agreed upon, formally announce the new policy to the organization.

It is also time to decide how you will adopt and implement. Read through the policy and detail what you have in place now and what you will need in order to be compliant. Create projects and/or timelines for the implementation of the various standards, procedures, administrative and technical controls.

Closing
Thank you to all that have read and provided feedback to this series!  You know who you are.  I will be posting a summary post that includes all of the "Information Security Policy Month" articles in a nice concise format.

Feel free to contact me if you have any feedback or need any assistance with your own policies.

Previous: "Information Security Policy 101 – Virus Protection Policy"

Wednesday, August 1, 2007

Do you care? - Aflac lost laptop



I have been debating over the last week whether I even wanted to mention this, but this story just seems too good to pass up as an example of what is security news and what might not be.

The headlines read:
"Aflac Reports Laptop Detailing 152,000 Clients Stolen" - bloomberg.com 7/26/07
"Aflac Loses Data on 152,000" - darkreading.com 7/27/07


And, etiolated.org reports this as an "incident" (etiolated and Attrition.org are a couple of my favorite sites BTW).

Your first reaction might be (or have been) a little like mine was.  I immediately assumed the worst, shook my head, and clicked on the link to read a little more.  You can read the articles yourself (click the links above) so I won't delve into all that they say, but some interesting points are worth mentioning:

1.  A laptop was stolen from an Aflac employee on a commuter train that contained "clients' names, addresses, birth dates, and policy details".  Bad news, right?  Read on...

2.  "All the information was encrypted and password-protected, so it would be very difficult for any third-party to access it".  Amen!  Encryption, if properly managed, can make it nearly impossible for a third-party to access the data.  I sincerely hope that the employee who had the laptop stolen from him/her is not akin to many of the employees I see with laptops when it comes to password management, i.e. written on a Post-it note or on the back of the laptop.  Most likely a password is used by the employee and doubles as the "secret key" that enables decryption of the drive/data.  Given the limited amount of information to work with, one can only assume.

"Aflac wanted to send letters apologizing to policyholders before alerting the press"  Why?  Don't most (if not all) breach disclosure laws and regulations have safe harbor statements when the data is encrypted?  Maybe a reader can help me out here.  If a company is not required by law to disclose the lost laptop publicly AND there is very very little risk of disclosure (encrypted), then why send letters and notify the press?

Thankfully, cooler heads seemed to have prevailed on this piece of news (or non-news) and it wasn't blown out of proportion.  Kudos to Aflac for using encryption on laptops!

Monday, July 30, 2007

Information Security Policy 101 – Virus Protection Policy



Part 18 in the Information Security Policy 101 Series

For many organizations the threats posed by viruses are manageable given appropriate controls. A Virus Protection Policy is the first step towards ensuring that appropriate controls are in place on workstations, laptops, email gateways, servers, etc.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Virus Protection Policy is to describe the
requirements for dealing with computer virus, worm and Trojan horse infection,
prevention, detection and cleanup.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Virus Protection Policy applies to all persons with any type of access to an %ORGANIZATION% information resource.

SAMPLE:
Audience
The %ORGANIZATION% Virus Protection Policy applies equally to all individuals
that use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Virus Protection Policy
The Virus Protection Policy is a simple policy that you may find overlaps somewhat with other information security policies. One additional benefit of having a separate Virus Protection Policy is the ease of reference for users and support personnel. Be careful to write statements that do not contradict those in another policy, however rare that may be.

SAMPLE VIRUS PROTECTION POLICY STATEMENTS:

- All %ORGANIZATION% owned and/or managed workstations, including laptops whether connected to the %ORGANIZATION% network, or standalone, must use the %ORGANIZATION% IT management approved virus protection software and configuration.
- All non-%ORGANIZATION% owned and/or managed workstations, including laptops must use %ORGANIZATION% IT management approved virus protection software and configuration, prior to any connection to an %ORGANIZATION% Information Resource.

Conclusion
The draft, approval, implementation, and enforcement of a Virus Protection Policy can decrease the amount of risk to an organization’s information resources as a result of malware (virus and/or spyware).

Download the SAMPLE VIRUS PROTECTION POLICY.

Next in the series: “Information Security Policy 101 – Policy Approval”

Previous: “Information Security Policy 101 – Vendor/Third-Party Access Policy”

Information Security Policy 101 – Vendor/Third-Party Access Policy



Part 17 in the Information Security Policy 101 Series

Some organizations call on the support of a third-party and/or vendor rarely. Other organizations have third-party support personnel in and out of various areas all day, every day. Most organizations fall somewhere in the middle. I cannot think of a single organization that has not allowed a third-party and/or vendor at least physical access to restricted areas to conduct seemingly innocent tasks.

Question: What governs a vendor and/or other third party's access?

Answer: Vendor/Third-Party Access Policy.

NOTE: Some organizations have already negotiated detailed contracts with vendors and other third-party entities. In some instances an existing contract may need to be appended, a new contract drawn up, or a waiver request approved.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Vendor Access Policy is to establish the
rules for vendor access to %ORGANIZATION% Information Resources and support
services (A/C, UPS, PDU, fire suppression, etc.), vendor responsibilities, and
protection of %ORGANIZATION% information. Vendor access to
%ORGANIZATION% Information Resources is granted solely for the work
contracted and for no other purposes.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Third-Party/Vendor Access Policy typically applies to those persons involved in contracting third-party/vendor support and representatives of the third-party/vendor itself.

SAMPLE:
Audience
The %ORGANIZATION% Vendor Access Policy applies to all individuals that are
responsible for the installation of new %ORGANIZATION% Information Resource
assets, and the operations and maintenance of existing %ORGANIZATION%
Information Resources, and who do or may allow vendor access for support,
maintenance, monitoring and/or troubleshooting purposes.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Vendor/Third-Party Access Policy
The Vendor/Third-Party Access Policy is longer and more in-depth than some of the policies we have covered most recently. Use the information gleaned from your business assessment to determine to what extent your policy should be detailed towards the information resources you are trying to protect.

TIP: Have your legal department (or whoever is in charge of negotiating contracts) review the policy in detail. You may also choose to have your legal department assist you in the drafting of this policy.

SAMPLE THIRD-PARTY/VENDOR ACCESS POLICY STATEMENTS:

- Vendors must comply with all applicable %ORGANIZATION% policies, practice standards and agreements, including, but not limited to:
@ Safety Policies
@ Privacy Policies
@ Security Policies
@ Auditing Policies
@ Software Licensing Policies
@ Acceptable Use Policies
- Vendor agreements and contracts must specify:
@ The %ORGANIZATION% information the vendor should have access to
@ How %ORGANIZATION% information is to be protected by the vendor
@ Acceptable methods for the return, destruction or disposal of %ORGANIZATION% information in the vendor’s possession at the end of the contract
@ The Vendor must only use %ORGANIZATION% information and Information Resources for the purpose of the business agreement
@ Any other %ORGANIZATION% information acquired by the vendor in the course of the contract cannot be used for the vendor’s own purposes or divulged to others

Conclusion
The draft, approval, and implementation of a Vendor/Third-Party Access Policy will assist in ensuring that information security is forethought in contract negotiations and no longer an afterthought. Seasoned information security personnel understand the benefit of information security applied early on vs. retrofitting an existing solution with security after the fact.

Download the SAMPLE VENDOR/THIRD-PARTY ACCESS POLICY.

Next in the series: “Information Security Policy 101 – Virus Protection Policy”

Previous: “Information Security Policy 101 – Software Licensing Policy”

Information Security Policy 101 – Software Licensing Policy



Part 16 in the Information Security Policy 101 Series

“The Business Software Alliance (BSA) is gearing up for a final push to convince companies to fill in their voluntary audit forms.” – VNUNet.com UK

“Thirty-five percent of the world's software is pirated. Software piracy is not only a crime, but it can destroy computers and data.” – Business Software Alliance

There is little doubt that the use of unlicensed and/or pirated software can pose significant risk to an organization’s information resources and assets. Risks can range from malware installation to significant fines. You may notice that there is some slight overlap between the Software Licensing Policy and our Acceptable Use Policy. If you remember, there was mention of using “unauthorized” software in our Acceptable Use Policy.

NOTE: A well-written software licensing policy can limit the amount of time required to satisfy BSA requests for information because it demonstrates proactive action on the part of the organization.

TIP: Many Windows-based organizations grant their users local administrator rights to their workstations. Disallowing this practice can significantly reduce the risk of users installing unauthorized and/or unlicensed software.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Software Licensing Policy is to establish
the rules for licensed software use on %ORGANIZATION% Information Resources.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Software Licensing Policy applies to all of an organization’s information resource users.

SAMPLE:
Audience
The %ORGANIZATION% Software Licensing Policy applies equally to all
individuals that use any %ORGANIZATION% Information Resources.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Software Licensing Policy
Like many of the policies already covered in this series, the Software Licensing Policy is short and simple. The policy makes management’s views regarding software licensing “official”.

SAMPLE SOFTWARE LICENSING POLICY STATEMENTS:

- %ORGANIZATION% provides a sufficient number of licensed copies of software such that workers can get their work done in an expedient and effective manner. Management must make appropriate arrangements with the involved vendor(s) for additional licensed copies if and when additional copies are needed for business activities.
- Users must refrain from knowingly violating license agreements and/or requirements.
- Third party copyrighted information or software, that %ORGANIZATION% does not have specific approval to store and/or use, must not be stored on %ORGANIZATION% systems or networks. Systems administrators reserve the right to remove such information and software unless the involved users can provide proof of authorization from the rightful owner(s).

Conclusion
A well-written Software Licensing Policy can save an organization a considerable amount of time and effort, especially given how easy it is to write and get approved. A subject of much debate is the BSA’s million dollar reward for turning in software pirates:

BSA Rewards Page:
https://reporting.bsa.org/usa/rewardsconditions.aspx

A twist:

Would You Rat Out Your Boss for $1 Million?: http://blogs.pcworld.com/staffblog/archives/004849.html

Wouldn’t it be nice to take out the drama by using a simple policy and enforcement?

Download the SAMPLE SOFTWARE LICENSING POLICY.

Next in the series: “Information Security Policy 101 – Vendor/Third-Party Access Policy”

Previous: “Information Security Policy 101 – Security Training and Awareness Policy”

Information Security Policy 101 – Security Training and Awareness Policy



OK, we're back!

Part 15 in the Information Security Policy 101 Series

“there is a substantial increase in the respondents’ perception of the importance of security awareness training. On average, respondents from most sectors do not believe their organization invests enough in this area.” - 2006 CSI/FBI Computer Crime and Security Survey. If I were going to overspend on any one area of my information security program, it would be for information security training and awareness.

Information security personnel can write whatever they want in their policies, but if nobody is aware of the policies or trained on how they can comply with them then what good are they?

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Information Security Training and Awareness
Policy is to describe the requirements that must be met in order to ensure that each user of
%ORGANIZATION% Information Resources receives adequate training on information
security issues.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Security Training and Awareness Policy applies to all of an organization’s information resource users.

SAMPLE:
Audience
The %ORGANIZATION% Information Security Training and Awareness Policy applies
equally to all individuals that use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Security Training and Awareness Policy
The Security Training and Awareness Policy is a simple policy that states what management expects and gives authority to information security personnel. The policy should state general rules that the audience must comply with and lay the groundwork for the training program.

SAMPLE SECURITY TRAINING AND AWARENESS POLICY STATEMENTS:

- All new users must complete an approved Security Awareness training class prior to, or at least within 30 days of, being granted access to any %ORGANIZATION% Information Resources.
- All users must acknowledge that they have read and understand the %ORGANIZATION% Corporate Information Security Policy.
- All users (employees, consultants, contractors, temporaries, etc.) must be provided with this policy to allow them to properly protect %ORGANIZATION% Information Resources.

Conclusion
Do not underestimate the importance of a formal information security training and awareness program. Understand that many people do not understand their critical role in keeping organization assets secure.

TIP: Find things that you can use to prove a ROI in your training and awareness program. I have used help desk staff in the past for this. We took a one month time frame before information security training, where we tracked the number of laptops that came in for service from field staff with passwords on Post-it notes before training. We tracked the same afterwards then calculated a percentage and extrapolated the number over a one year period. The change was dramatic.

Download the SAMPLE SECURITY TRAINING AND AWARENESS POLICY.

Next in the series: “Information Security Policy 101 – Software Licensing Policy”

Previous: “Information Security Policy 101 – Privacy Policy”

Thursday, July 26, 2007

Update

To The Trusted Toolkit Blog Readers:

I have been caught up this week with a pretty serious investigation which I cannot detail publicly, so I have fallen behind on my schedule of delivering information security policies.

Stay Tuned. I will be publishing the "catch-up" postings soon. In the meantime, I suggest shoring up your incident response policy and procedures if you have not done so already. Mine are saving me a bunch of time and embarrassment this week!

Thanks for reading!

Tuesday, July 24, 2007

Information Security Policy 101 – Privacy Policy



Part 14 in the Information Security Policy 101 Series

Writing an organization's privacy policy is not as clear-cut as it may seem. An entire book could easily be written around privacy in the workplace. What an organization states, what it actually does, and what an employee reasonably expects are all critical to privacy/employment matters. To make things worse, privacy rights are not entirely clear under the law.

Two rules of privacy rights (although you could probably come up with more):

One, write a policy that is focused. Do NOT write “you have no expectation of privacy” as a blanket statement. Privacy is not “all or nothing”.

Two, do what you say you are going to do, consistently. Do NOT follow your policy only when there is an enforcement action. As the US Supreme Court has noted, "[W]hile police, and even administrative enforcement personnel, conduct searches for the primary purpose of obtaining evidence for use in criminal or other enforcement proceedings, employers most frequently need to enter the offices and desks of their employees for legitimate work-related reasons wholly unrelated to illegal conduct."

TIP: A privacy policy should be reviewed by a legal counselor who is familiar with privacy rights and law. Many corporate counselors are not experts in this area.


General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Privacy Policy is to clearly communicate
the %ORGANIZATION% privacy expectations to Information Resource users.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Privacy Policy should apply to all personnel, and in some cases (depending on your organization) contractors, vendors, and other third-parties.

SAMPLE:
Audience
The %ORGANIZATION% Privacy Policy applies equally to all individuals who use
any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Privacy Policy
The Privacy Policy is a critical policy in most organizations and needs to clearly communicate how much privacy a user should expect when using the organization’s information assets.

NOTE: A very good article on this subject was written by Mark Rasch: “Employee Privacy, Employer Policy”.

SAMPLE PRIVACY POLICY STATEMENTS:

- Electronic files created, sent, received, or stored on Information Resources owned, leased, administered, or otherwise under the custody and control of %ORGANIZATION% are not private and may be accessed by %ORGANIZATION% Information Security employees at any time, under the direction of %ORGANIZATION% executive management and/or Human Resources, without knowledge of the Information Resource user or owner.
- To manage systems and enforce security, %ORGANIZATION% may log, review, and otherwise utilize any information stored on or passing through its Information Resource systems in accordance with the provisions and safeguards provided in %ORGANIZATION% Information Resource standards. For these same purposes, %ORGANIZATION% may also capture user activity such as telephone numbers dialed and web sites visited.

Conclusion
Be careful in using a sample Privacy Policy. Be sure that it fits your organization and internal processes. A poorly written or implemented Privacy Policy can leave your organization open to a legal quagmire. Most of the investigation and forensic work I have done in the past has been governed by what the organization’s Privacy Policy stated.

Download the SAMPLE PRIVACY POLICY.

Next in the series: “Information Security Policy 101 – Security Training and Awareness Policy”

Previous: “Information Security Policy 101 – Mobile Computing Policy”


Monday, July 23, 2007

Information Security Policy 101 – Mobile Computing Policy



Part 13 in the Information Security Policy 101 Series

Few things in my profession give me more shivers than the amount and sensitivity of data that is carried outside the corporate boundary every day on mobile devices such as PDAs, laptops, and Smartphones. Without effective controls, mobile devices are easily lost or stolen, data transmissions are easily intercepted, and shoulder-surfing is commonplace. Nearly every week a company is forced to publicly disclose a lost or stolen laptop that contained personally identifiable information (PII).

See: http://attrition.org/dataloss/, http://breachalerts.trustedid.com/, http://doj.nh.gov/consumer/breaches.html, http://www.privacyrights.org/ar/ChronDataBreaches.htm


Information security is a discipline that constantly attempts to balance the risk of using a technology against the business benefit gained from that use. How can an information security professional effectively balance the risks inherent in using mobile devices while still allowing the business to benefit from their use?

In order to provide protection to the data that may be contained on a mobile device, organizations must extend protections and controls to such devices. Protection starts with policy.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Mobile Computing Security Policy is to
establish the rules for the use of mobile computing devices and their connection to the
network. These rules are necessary to preserve the Integrity, Availability, and
Confidentiality of %ORGANIZATION% information.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Mobile Security Policy applies to all individuals in the organization that use, possess, manage, secure, and/or approve the use of mobile devices.

SAMPLE:
Audience
The %ORGANIZATION% Mobile Computing Security Policy applies equally to all
individuals that utilize mobile computing devices and access %ORGANIZATION%
Information Resources.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Mobile Computing Policy
If an organization does not use or allow the use of mobile devices, then a simple statement in an Acceptable Use Policy may be all that is needed. If the organization does allow the use of mobile computing devices, general rules around this usage need to be communicated to all relevant personnel. As with all policies, the Mobile Computing Policy should state general rules, leaving room for supporting documentation (procedures, standards, and guidelines) to define the specifics.

NOTE: At least 35 states have laws regarding security breach notification and most have safe harbor provisions around data that has been encrypted.

SAMPLE MOBILE COMPUTING POLICY STATEMENTS:

- Only %ORGANIZATION% approved portable computing devices may be used to access %ORGANIZATION% Information Resources.
- Portable computing devices must, at a minimum, be password protected in accordance with the %ORGANIZATION% Password Policy.
- %ORGANIZATION% Confidential data should not be stored on portable computing devices. However, in the event that there is no alternative to local storage, all Confidential %ORGANIZATION% data must be encrypted using approved encryption techniques, wherever possible.

Conclusion
Due to the increased risks that mobile computing devices pose to many organizations and the increased reliance on these devices to complete “business critical” tasks, it is recommended that a stand-alone Mobile Computing Policy be developed.

Download the SAMPLE MOBILE COMPUTING POLICY.

Next in the series: “Information Security Policy 101 – Mobile Computing Policy”

Previous: “Information Security Policy 101 – Physical Security Policy”

Information Security Policy 101 – Physical Security Policy



Part 12 in the Information Security Policy 101 Series

In some organizations “physical” security and “information” security are separated into different groups or teams. Whether this is a good idea or not has been the subject of some debate over the years. One issue that should not be debated is the tight interdependence between the two.

Information security is a balance of physical, logical, and administrative controls. Every control must have its roots somewhere in policy.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Physical Security Policy is to establish the
rules for the granting, control, monitoring, and removal of physical access to
Information Resource facilities.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Physical Security Policy applies to any person or entity that has the potential to physically interact with information resources, or with facilities that house information resources, under the control of an organization. The policy is specifically written to provide direction to those individuals who are charged with maintaining physical security.

SAMPLE:
Audience
The %ORGANIZATION% Physical Security Policy applies to all
%ORGANIZATION% individuals that install and support Information Resources, are
charged with Information Resource security and data owners.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Physical Security Policy
The form that a Physical Security Policy takes is dependent on many factors. This article is written with small to medium-sized organizations in mind. These organizations do not typically have the staff to support a separate physical security group and/or opt to integrate physical security into a single information security program. In order to determine where a physical security policy fits best in an organization, the earlier business assessment should be used.

NOTE: Physical security policy is a must in almost all organizations. If physical security is not adequately defined and applied, all other controls could be easily defeated.

SAMPLE PHYSICAL SECURITY POLICY STATEMENTS:

- Physical security systems must comply with all applicable regulations including but not limited to building codes and fire prevention codes.
- Physical access to all %ORGANIZATION% restricted facilities must be documented and managed.
- All Information Resource facilities must be physically protected in proportion to the criticality or importance of their function at %ORGANIZATION%.

Conclusion
The science involved with physical security is often specialized, and there seems to be a limitless supply of available technologies and controls that can be applied. The Physical Security Policy should be written in broad enough terms so as not to restrict the use of any one specific control. The policy does not usually require an in-depth knowledge of all the available controls, whereas the application and implementation typically do. In most cases, I write the policy and then call upon physical security consultants to design effective controls.

NOTE: If you have a keen interest in the physical nature of information security and would like to demonstrate your mastery, check out the Physical Security Professional (PSP) certification from ASIS International.

Download the SAMPLE PHYSICAL SECURITY POLICY.

Next in the series: “Information Security Policy 101 – Mobile Computing Policy”

Previous: “Information Security Policy 101 – Password Policy”

Thursday, July 19, 2007

Information Security Policy 101 – Password Policy



Part 11 in the Information Security Policy 101 Series

Passwords get a bad rap. Nobody likes them: users, administrators, and information security personnel alike. Users don’t like passwords because we “information security police” make them so complex and hard to remember, administrators don’t like them because they have so many to remember, and information security personnel don’t like them because they are arguably the most insecure means of authentication.

All the more reason and justification for a Password Policy.

A Password Policy should be required in all organizations that rely on passwords as a source of authentication.

Let’s get to it.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Password Policy is to establish the rules for the creation, distribution, safeguarding, termination, and reclamation of %ORGANIZATION% user authentication mechanisms.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Password Policy aptly applies to any person or entity that uses a password.

SAMPLE:
Audience
The %ORGANIZATION% Password Policy applies equally to all individuals who use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Password Policy
The Password Policy should communicate the general rules for password creation, use, storage, transmission and destruction (the “lifecycle”). Most likely the policy will state many general security “best practices” of password management along with some home grown statements based on the business assessment.

NOTE: People will inevitably break some rules in password policy. It is proven that the number and severity of incidents can be reduced by training and awareness. Give users a better way to do things rather than telling them what they cannot do.

SAMPLE PASSWORD POLICY STATEMENTS:

- Password history must be kept to prevent the reuse of passwords
- Stored passwords are classified as Confidential Data and must be encrypted

Conclusion
A Password Policy is not just an efficient method of communicating good password management practices, but it is also an implement for enforcement. A well-written and implemented Password Policy can significantly reduce the amount of risk to the organization’s information.

Download the SAMPLE PASSWORD POLICY.

Next in the series: “Information Security Policy 101 – Physical Security Policy”

Previous: “Information Security Policy 101 – Network Access Policy”

Wednesday, July 18, 2007

107,000 More Records Compromised



This time it's 27,000 names, addresses, and credit card numbers lost by Kingston Technology Company and 80,000 names, addresses, and social security numbers lost by the Louisiana Board of Regents.

Kingston Technology (27,000)
Wouldn't you know it, there is no mention of this breach anywhere on Kingston's homepage.

Apparently the data was taken through unauthorized access to purchase information made at www.shop.kingston.com. What makes this interesting is that this breach supposedly happened in September, 2005 but went undetected until "recently".

Who is the victim?
"After confirming what data was accessed and who was affected, Kingston had to gather the appropriate contact information and arrange for consumer protection services and materials to notify the impacted consumers," the spokesman said.

Sound Familiar?
"The note added that, for the moment at least, there is no evidence that the illegally accessed data has been misused"

Kingston has an impressive track record of protecting information, and I get the feeling that they will only improve.

News: Computerworld
Letter to the New Hampshire Attorney General

Louisiana Board of Regents (80,000)
The Louisiana Board of Regents has a link on their homepage to some additional details.

I have to admit, this one has me a little miffed! I do not like how the data was compromised, how long it took to detect it, or the official Board of Regents (BOR) response.

The Compromise
A student found/stumbled on the data using Google. The student found a database of student names and 150 other files that he claimed contained up to 75,000 more names of students and employees. This information was accessible from the Internet without any protection whatsoever. According to BOR:

Groups Potentially Affected

Any student who was enrolled in the 10th grade at a Louisiana public high school and took the EPAS (Educational Planning and Assessment) Plan test between 2001 and 2003.
Any Louisiana public college or university faculty or staff member who was employed in either 2000 or 2001.


It is unclear how long the data may have been exposed, but it may have been "as long as two years".

The Response
The official response leaves something to be desired, for sure! Basically, all the BOR seems to have done is make the data inaccessible and offer some tips for those who may have been affected. How about STOP USING SOCIAL SECURITY NUMBERS AS IDENTIFICATION!!!

While researching this incident, I found a document titled "File Layout STS Student Transcript System", which defines the data element "State Identification Number" as: "Social Security Number, if available. Otherwise, a temporary number assigned according to LDE guidelines."

News: WDSU News Channel 6

Information Security Policy 101 – Network Access Policy



Part 10 in the Information Security Policy 101 Series

This is now the 10th entry in the “Information Security Policy 101” series. Are these policies starting to blur at all? Are they all starting to look the same? Believe it or not, the policies look similar on purpose, and there are statements in one that may be found in another (also on purpose). The repetition can make things a little boring for information security personnel, but it really does help “normal” people retain the information.

The Network Access Policy is found in many organizations, or at least the language of the policy statements. Often I will find Network Access Policy statements included in an Acceptable Use Policy instead. Tomayto tomahto.

As always…

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Network Access Policy is to establish the rules for the access and use of the %ORGANIZATION% network infrastructure. These rules are necessary to preserve the integrity, availability and confidentiality of %ORGANIZATION% information.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Network Access Policy aptly applies to any person or entity that accesses the organization’s network, either locally or through a WAN, VPN, modem, wireless, etc.

SAMPLE:
Audience
The %ORGANIZATION% Network Access Policy applies equally to all individuals with access to any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Network Access Policy
The Network Access Policy is a simple policy that should outline some basic ground rules that people need to follow when using the organization’s network.

NOTE: Although the statements in a policy may seem basic and common sense to the author, don’t assume that they are for everyone.

STORY: I once had a user complain to me that a policy I wrote for a client company was too simple and common sense.

SAMPLE NETWORK ACCESS POLICY STATEMENTS:

- Remote users may connect to the %ORGANIZATION% corporate networks only after formal approval;
- Remote users may connect to %ORGANIZATION% Information Resources using only the protocols approved by %ORGANIZATION% IT;

Conclusion
The Network Access Policy is simple, and you may be able to get away with ditching it in favor of adding the required statements to your Acceptable Use Policy. This decision is up to you. The business assessment exercise could help you in this decision. I almost always separate the policy statements for ease of reference, simplified reviews and changes, and reinforcement through repetition.

Download the SAMPLE NETWORK ACCESS POLICY.

Next in the series: “Information Security Policy 101 – Password Policy”

Previous: “Information Security Policy 101 – Network Configuration Policy”

Use Firefox? Upgrade to 2.0.0.5 Now

The Mozilla Foundation, makers of the popular Firefox Web browser announced the release of version 2.0.0.5 yesterday (7/17) and all users are strongly encouraged to upgrade.

There are three "Critical", two "High", one "Moderate", and two "Low" risk vulnerabilities addressed in this upgrade.

To upgrade:

1. Open Firefox
2. Click Help
3. Click Check for Updates.
4. Click "Download & Install Now"
5. Click "Restart Firefox Now"



For more information:
http://www.mozilla.org/projects/security/known-vulnerabilities.html
http://secunia.com/advisories/26095/


Tuesday, July 17, 2007

Western Union Breach



Western Union admitted that personal data on as many as 20,000 customers was compromised due to a poorly secured database accessed by “hackers”. Names, addresses, phone numbers, and credit card information are all among the data stolen in the heist.

I looked around the Internet for an official response from Western Union and found nothing. I did notice something ironic on their homepage, http://www.westerunion.com/ though.



The section labeled “Protect Yourself from Fraud” immediately caught my eye. I guess one thing you could do is not do business with Western Union, but this won’t help you much if you are already one of the unfortunate victims!

The “Standard” Response
There seem to be some “standard” responses among companies that lose data belonging to their customers. Mind you, it is easy to play “Monday morning quarterback” with security breaches, but honest public disclosure, tangible assurance and change, and open communication with my customers would be near the top of my response list.

Standard Response #1:
“We are not aware of any ID theft or any kind of fraudulent use that was made from this information.” This sounds eerily familiar. Certegy responded to their recent 2.3 million record breach with “No Fraudulent Activity or Identity Theft Detected” in their press release. To be honest this means nothing to me. Just because the company has not detected any fraudulent activity does not mean that none has occurred or that none will in the future as a result of the disclosure.

Standard Response #2:
“It (Western Union) also offered to pay for one year of credit monitoring to affected customers.” From the letter sent to the victims of the Pfizer breach (17,000 victims) “support and protection package includes a credit monitoring program for one year.” I do like how Pfizer has responded although there are rumblings that they took too long to notify victims.

Western Union Breach
As I stated earlier, I still cannot find any “official” response from Western Union, so it is hard to comment on their response. Among the things I would like to know are how the vulnerable database was accessed, what Western Union is doing to prevent future breaches, and any other information that can help me as a consumer feel confident that they take the security of my data seriously. The Certegy breach was a case of a criminal DBA; is this a case of a DBA with poor skills?

Content for this article refers to information originally reported by the New York Post, here.
Western Union has been in the news for a security breach before.


Feel free to comment!


Information Security Policy 101 – Network Configuration Policy



Part 9 in the Information Security Policy 101 Series

Most network configuration policies are fairly straightforward.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Network Configuration Policy is to establish the rules for the maintenance, expansion and use of the network infrastructure. These rules are necessary to preserve the Integrity, Availability, and Confidentiality of %ORGANIZATION% information.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically a Network Configuration Policy applies to all individuals in an organization.

SAMPLE:
Audience
The %ORGANIZATION% Network Configuration Policy applies equally to all individuals with access to any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Network Configuration Policy
Although many organizations do not have a separate Network Configuration Policy, many of the statements are important enough to communicate in one form or another. Some organizations will include these statements in other information security policies. I prefer to separate.

SAMPLE NETWORK CONFIGURATION POLICY STATEMENTS:

- %ORGANIZATION% IT owns and is responsible for the %ORGANIZATION% network infrastructure and will continue to manage further developments and enhancements to this infrastructure.
- To provide a consistent %ORGANIZATION% network infrastructure capable of leveraging new networking developments, all cabling must be installed by %ORGANIZATION% IT or an approved contractor.

Conclusion
Read through the sample policy, and together with the business assessment, determine if a Network Configuration Policy makes sense in your organization.

Download the SAMPLE NETWORK CONFIGURATION POLICY.

Next in the series: “Information Security Policy 101 – Network Access Policy”

Previous: “Information Security Policy 101 – Incident Management Policy”

Monday, July 16, 2007

Information Security Policy 101 – Incident Management Policy



Part 8 in the Information Security Policy 101 Series

Let’s start off with a scenario. Bill Johnson works as the Information Security Officer of a medium-sized regional bank, and it’s Monday morning. Bill receives a phone call from the bank service desk reporting that a laptop was lost or stolen over the weekend. Uh oh, Bill doesn’t have an incident response policy or procedures.

Try to put yourself in Bill’s shoes for a moment. What risk does this incident pose? Does the laptop contain regulated data, i.e. Social Security numbers, credit card numbers, other personally identifiable information (PII), etc.? Does the laptop contain usernames and passwords? Will this incident make the evening news? Who should Bill notify? Should Bill contact the authorities, i.e. local police, Secret Service, FBI, etc.? Panic might begin to set in for Bill. Maybe Bill should just drop everything, run, and find a new profession.

Bill shouldn’t have to worry about how to respond to such an incident.

All companies large and small should have an incident management program. What the program looks like and how it is run will differ from company to company as expected, but they all start with policy.

NOTE: The first actions taken following an incident are often critical and could dictate the entire course of an investigation. If an incident is handled incorrectly, cause identification and eventual prosecution could be impossible.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Incident Management Policy is to describe the requirements for dealing with computer security incidents. Security incidents include but are not limited to: virus, worm, and Trojan horse detection, unauthorized use of computer accounts and computer systems, as well as complaints of improper use of Information Resources as outlined in the Acceptable Use Policy.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically an Incident Management Policy applies to all individuals in an organization. The policy is meant to be referred to by personnel charged with incident response.

SAMPLE:
Audience
The %ORGANIZATION% Incident Management Policy applies equally to all individuals that use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Incident Management Policy
The Incident Management Policy is intended to communicate what is expected of personnel when confronted with an incident pertaining to information resource confidentiality, integrity, and/or availability. The policy provides the vital framework necessary to develop detailed incident response procedures.

NOTE: Incident response procedures will detail (preferably step-by-step) how personnel are expected to respond to an incident. Incident response procedures should be tested on a regular basis (quarterly, semi-annually, or yearly).

SAMPLE INCIDENT MANAGEMENT POLICY STATEMENTS:

- %ORGANIZATION% management will establish and provide overall direction to an %ORGANIZATION% Incident Response Team (IRT)
- %ORGANIZATION% IRT members have pre-defined roles and responsibilities which can take priority over normal duties

Conclusion
Do yourself a favor and create an incident management program. The incident management program does not need to be complicated and account for every possible scenario that could occur. Supporting procedures can be written in such a manner to be flexible enough to apply to most conceivable incidents. Incidents WILL occur, so be prepared!

Download the SAMPLE INCIDENT MANAGEMENT POLICY.

Next in the series: “Information Security Policy 101 – Network Configuration Policy”

Previous: “Information Security Policy 101 – Data Classification Policy”

Thursday, July 12, 2007

Information Security Policy 101 – Data Classification Policy



I will forewarn you, data classification can be a real doozy. The policy is simple enough to write and the concepts are simple enough to sell, but adoption and implementation are usually a whole different story. If done well, the benefits can far outweigh the risks.

The purpose for most data classification projects (yours may differ) is to identify the data that is sensitive to an organization, classify (or label) this data, and apply appropriate controls based on the sensitivity-label pair.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Data Classification Policy is to provide a system for protecting information that is critical to the organization, and its customers. In order to provide more appropriate levels of protection to the information assets entrusted to %ORGANIZATION%, data must be classified according to the risks associated with its storage, processing, and transmission. Consistent use of this data classification policy will facilitate more efficient business activities and lower the costs of ensuring adequate information security.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Data Classification Policy applies to all entities that interact with data in any tangible manner.

SAMPLE:
Audience
The %ORGANIZATION% Data Classification Policy applies equally to any individual, or process that interacts with %ORGANIZATION% Information Resources in any tangible manner. All personnel who may come in contact with Confidential information are expected to familiarize themselves with this Data Classification Policy and consistently use it.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Data Classification Policy
The Data Classification Policy differs from most other information security policies due to the additional information required. The Data Classification Policy will introduce new concepts, roles, and responsibilities.

Roles and Responsibilities:
The following are typical roles and responsibilities defined in the Data Classification policy:

Data Owner
The Data Owner is normally the person responsible for, or dependent upon the business process associated with an information asset. The Data Owner is knowledgeable about how the information is acquired, transmitted, stored, deleted, and otherwise processed.

- The Data Owner determines the appropriate value and classification of information generated by the owner or department;
- The Data Owner must communicate the information classification when the information is released outside of the department and/or the organization;
- The Data Owner controls access to his/her information and must be consulted when access is extended or modified; and
- The Data Owner must communicate the information classification to the Data Custodian so that the Data Custodian may provide the appropriate levels of protection.

Data Custodian
- The Data Custodian maintains the protection of data according to the information classification associated to it by the Data Owner.
- The Data Custodian role is delegated by the Data Owner and is usually Information Technology personnel.

Data User
The Data User is a person, organization or entity that interacts with data for the purpose of performing an authorized task. A Data User is responsible for using data in a manner that is consistent with the purpose intended and in compliance with policy.

Data Classifications
Confidential
Confidential Data is information protected by statutes, regulations, organizational policies or contractual language. Managers may also designate data as Confidential.

Confidential Data is sensitive in nature, and access is restricted. Disclosure is limited to individuals on a “need-to-know” basis only.

Disclosure to parties outside of the organization must be authorized by executive management, approved by a Vice President and General Counsel, or covered by a binding confidentiality agreement.

Examples of Confidential Data include:

- Medical records
- Clinical trial data
- Credit card numbers
- Social Security Numbers
- Personnel and/or payroll records
- Any data identified by government regulation to be treated as confidential, or sealed by order of a court of competent jurisdiction
- Any data belonging to an %ORGANIZATION% customer that may contain personally identifiable information
- Patent information
- Regulatory filings

Internal
Internal Data is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Data is information that is restricted to personnel designated by %ORGANIZATION%, who have a legitimate business purpose for accessing such data.

Examples of Internal Data include:
- Employment data
- Business partner information where no more restrictive confidentiality agreement exists
- Internal directories and organization charts
- Planning documents
- Contracts

Public
Public data is information that may or must be open to the general public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. Public data, while subject to organizational disclosure rules, is available to all %ORGANIZATION% employees and all individuals or entities external to the corporation.

Examples of Public Data include:
- Publicly posted press releases
- Publicly available marketing materials
- Publicly posted job announcements

Disclosure of public data must not violate any pre-existing, signed non-disclosure agreements.

NOTE: The policy MUST NOT define HOW data will be classified (or tagged); use standards, guidelines and/or procedures to communicate how the different types of data should be appropriately labeled.

SOME SAMPLE Classification Protections
Confidential
- When stored in an electronic format must be protected with a minimum level of authentication to include strong passwords, wherever possible.
- When stored on mobile devices and media, protections and encryption measures provided through mechanisms approved by %ORGANIZATION% IT Management must be employed.

Internal
- Must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure
- Must be protected by a confidentiality agreement before access is allowed
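The classification protections above (and Bill's "what risk does this laptop pose?" question in the Incident Management post) become answerable only once the classification and the handling attributes of each asset are recorded somewhere and checked against the policy statements. The following is an added example, not part of the original post or the downloadable sample policy: a small "policy as code" check over a constructed asset inventory. The asset attributes (where the data is stored, whether the encryption mechanism is IT-approved, whether a confidentiality agreement covers access) and the asset names are assumptions made for the example; the rules themselves are the Confidential, Internal and Public statements from the sample policy above.

```python
"""Added example: evaluate a constructed asset inventory against the sample
Data Classification Policy protections. Not the post's own code; asset names
and attribute fields are hypothetical."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Classification(Enum):
    CONFIDENTIAL = "Confidential"
    INTERNAL = "Internal"
    PUBLIC = "Public"


@dataclass
class Asset:
    """One entry in a (constructed) information asset inventory."""
    name: str
    owner: str                        # Data Owner, per the roles above
    classification: Classification
    electronic: bool = True           # stored electronically rather than on paper
    mobile: bool = False              # laptop, phone or removable media
    strong_password: bool = False     # protected by strong-password authentication
    encrypted: bool = False
    encryption_approved: bool = False  # mechanism approved by IT Management
    access_controlled: bool = False   # access limited to authorized personnel
    confidentiality_agreement: bool = False  # agreement in place before access
    nda_restricts_disclosure: bool = False   # a signed NDA covers this data


def check_asset(asset: Asset) -> list[str]:
    """Return the policy statements the asset violates (empty list = compliant)."""
    findings: list[str] = []
    c = asset.classification

    if c is Classification.CONFIDENTIAL:
        if asset.electronic and not asset.strong_password:
            findings.append("Confidential: electronic storage requires strong-password authentication")
        if asset.mobile and not (asset.encrypted and asset.encryption_approved):
            findings.append("Confidential: mobile storage requires IT-approved encryption")
        if not asset.access_controlled:
            findings.append("Confidential: access must be restricted to need-to-know")

    elif c is Classification.INTERNAL:
        if not asset.access_controlled:
            findings.append("Internal: must be protected against loss, theft and unauthorized access")
        if not asset.confidentiality_agreement:
            findings.append("Internal: confidentiality agreement required before access")

    elif c is Classification.PUBLIC:
        # Public data may be disclosed, but never in breach of an existing NDA.
        if asset.nda_restricts_disclosure:
            findings.append("Public: disclosure would violate a signed non-disclosure agreement")

    return findings


def audit(inventory: list[Asset]) -> dict[str, list[str]]:
    """Map each non-compliant asset name to its findings; compliant assets are omitted."""
    report: dict[str, list[str]] = {}
    for asset in inventory:
        findings = check_asset(asset)
        if findings:
            report[asset.name] = findings
    return report


# Constructed inventory: hypothetical names and attributes, not real data.
INVENTORY = [
    Asset("hr-payroll-db", "HR Director", Classification.CONFIDENTIAL,
          strong_password=True, access_controlled=True),
    # The lost-laptop scenario: a payroll export on a mobile device whose
    # encryption tool was never approved by IT Management.
    Asset("laptop-payroll-export.xlsx", "HR Director", Classification.CONFIDENTIAL,
          mobile=True, strong_password=True, encrypted=True,
          encryption_approved=False, access_controlled=True),
    Asset("org-chart.pdf", "COO", Classification.INTERNAL,
          access_controlled=True, confidentiality_agreement=True),
    Asset("press-release-q2.html", "Marketing", Classification.PUBLIC),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run as-is, the audit reports only the laptop export, and the single finding (mobile storage without IT-approved encryption) is exactly the fact Bill needs on Monday morning to judge the incident. The point of the design is that the policy statements stay in one place and the inventory answers the question; how an asset gets its classification and its attributes in the first place belongs in the supporting standards and procedures, as the NOTE above says.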

Conclusion
In my experience, the Data Classification Policy has been the most difficult policy to create and receive approval on. The most common and valid question I receive is “How will we ever comply?” Compliance with a Data Classification Policy has proven to be extremely difficult in most organizations due to a number of primary factors:

- People do not want to assume the responsibilities that come with their role, primarily the data owner
- Labeling standards are sometimes extensive and time consuming to write
- Data is strewn throughout the organization without centralized management
- Classifications assigned will vary from data owner to data owner and management is not “cut and dry”

Understand that information security is a science of evolution and it will take time to get data classification properly implemented. This is expected and accepted. All things in information security should start in policy and data classification is no exception. Approval of a policy does not mean formal adoption and compliance (we will cover post-approval of policy in “Information Security Policy 101 – Policy Approval” due on 7/30).

Download the SAMPLE DATA CLASSIFICATION POLICY.

TIP: Write your Data Classification Policy without worrying about the details of implementation, but at the same time make sure you will be able to implement each statement through the use of additional supporting documentation.

Next in the series: “Information Security Policy 101 – Incident Management Policy”

Previous: “Information Security Policy 101 – Backup Policy”