innovative-csi.com Blog

Reacting to Massachusetts Privacy Law- Controlling third-party relationships

2008-11-23T23:35:55Z

Recent passing of Massachusetts 201 CMR 17.00 in November of 2008 on the protection and guidelines for privacy of data that requires businesses, individuals and third-party relationships to implement a written comprehensive security plan by May 1, 2009.

Organizations need to understand privacy liability when dealing with third party relationships and customer or client data. Too many companies fail to understand that transferring of data to third-party vendors does not transfer the liability and responsibility of protecting the data. Organizations need to maintain the controls of the data as it would be covered in your own corporate environment even if the data does not fall physically under the brick and mortar walls of the corporation. Maintaining the security of the organization’s information and information processing facilities can provide more of a challenge when dealing with third-party relationships. Organizations must do their due diligence by continuously monitoring by auditing and assessing the relationship in order to stay on top of the security vulnerabilities that those relationship might posse. The communication transfers should cover what is accessed, processed or managed by external parties. We need to understand what data they will be housing at their location or need access to within your organization process or environment. Controls need to be implemented to manage relationships and protection of the data from an overall security plan which includes these controls. The identification of the risk should include all third-party relationships and address the sensitive data that is possessed along with the critical loss for business operations. The protection of the data should fit the impact level of the criticality of the data. Organizations can setup controls and contractual obligations that are relevant to the external party. Some of the questions that should be asked of your third-party relationships are:

What asset protection do you have in place to protect the data in storage, transition, and during communication?
What is the detail description of the product or service that will be provided?
What is the access control policy, what data will be accessed and who will be accessing the data?
What arrangement will be made to report, notify and investigate breaches both internally and externally?
Who will be monitoring the process?
Is there a conflict of interest if further analysis needs to be preformed both legally and ethically?
What is the target level of service and unacceptable levels of services?
What is the respective liability of the organization and customer data?
Who owns the intellectual property rights, copyright and protects collaborative work?
Do you have a written security program in place that certifies the process?

In addition, be aware of State laws in Private Investigation that inhibit third-parties to monitor and track individuals through the computer and network systems for collection of potential evidence. The planning and development of the third-party relationships should ensure that there is no misunderstanding between the organization and the vendor services. The organization’s security program should not be sacrificed to adhere to third-party agreements. Taking responsibility of your data will ensure that you will be protected and provide a level of security and collaboration between you and your vendors.

Computer Forensic changing environment!

2008-09-02T18:02:36Z

Rapid changes in computer forensics investigations are starting to shape the future of the industry and solidify the profession. If you are not adaptable to change then computer forensics is not the place for you. The constant change in the industry and technology advances the profession into multiple areas of growth for the industry. One of the major changes with computer forensics professionals is the nationwide acceptance of states going to a professional investigator licensing under state law. The last time I checked 42 states had something on the books under licensing computer forensics professionals. It is easier to track the states not on the books than the ones that are on the books . Many challenges will need to be worked out as the individual states license the profession. The need for affiliation with other states will become a necessity to meet the common practices of the computer forensics industry due to our national and global environment. This change is good for the profession of computer forensics, but states should take a closer look at best practices and knowledge from the computer forensics professionals into account. I would venture to say that the license professional investigator may someday have federal regulations as computer forensics investigations are so transverse across multiple states and/or countries. It will be interesting how the field and state regulations play out over the next few years. Should States engage in reciprocal and standardizing the process between States or should this be regulated at a federal level?

As the battle goes on about defining the profession, technology is advancing the industry to provide more information to the computer forensic investigator. The latest trend is memory analysis that is providing detailed information that the investigator did not think of in past investigations. Memory forensics is providing clear analysis of the whole picture when it comes to the investigation. The advantage of memory analysis is that it is putting you at the crime spot with your camera in hand. Vital state information of the machine is becoming key in the process of computer forensics. The value of live investigations provides rapid response, meets the challenge of large network topology, and circumvents encrypted file systems. The analysis with live investigations becomes a quick and easy way to find out the state of the system with accessible areas like current user activity, running processes, handles, registered drivers, physical memory analysis, system info, network connectivity and attached peripherals. The amount of information provides investigators the ability to connect the dots a lot faster and/or provide a pre-incident triage of the computer before arriving on the scene. The challenge that live investigations creates is a total paradigm shift in the investigation process. The investigation becomes a proactive thought process to implement. What comes with the paradigm shift is another level of education for the legal profession and the process of memory analysis is looking at the state of the system in a constantly changing environment. In a live environment, users are still using the computer and changing the system state all the time. Remember you have your camera in hand and the snap-shot is a moment in time which is very different than the post-mortem analysis. Will the courts accept the premises of memory analysis or will they struggle and continue to revert back to the post-mortem process?

The First Test for Michigan’s Public Act 146

2008-08-14T00:26:51Z

Less than two months old Public Act 146 will be put to the challenge. Public Act 146 impacts the computer forensics industry by requiring all investigators to become licensed in the State of Michigan. Individuals and companies must meet the qualifications by the Act that is administered by the Department of Labor and Economic Growth (DLEG). Public Act 146 was immediate effective on May 28, 2008 and holds stiff penalty of a four year felony charge for non-licensed individuals.

Reported in ComputerWorld on August 12^th 2008, Belcamp, Maryland based MediaSentry parent company SafeNet had complaints filed against the company for violations of the new Public Act 146 for the investigation of students from Central Michigan University and University of Michigan. According to the SafeNet website, “they help clients detect and deter unauthorized distribution of copyrighted content and prosecute those who engage in media and software piracy.” Read more of the details in the article by ComputerWorld: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9112467&pageNumber=1

This news is interesting on several levels as the new law takes form in the State of Michigan. Is the new law actually doing some good by protecting the legitimacy of the profession of Computer Forensics investigations? Or is this a tactical approach for the defense? As the Act claims it first victim it will be very interesting how this will play out over the next few months.

Breaking down the process of the Public Act 146

2008-07-22T14:24:21Z

Public Act 146 impacts the computer forensics industry by requiring all investigators to become licensed in the State of Michigan. Individuals and companies that meet the qualifications have had to scramble due to the immediate effective date of May 28, 2008 and the stiff penalty of a four year felony charge for none licensed individuals. The time table you can expect is roughly about two weeks for the collection of information you will need to meet the required qualifications listed below in the link. The application time can range from 4 to 16 weeks to receive the license. The last time I checked they posted 12 to 16 weeks to be safe.

The problem that people in the industry are facing is that the act was implemented/rolled out without any planning or grace period to adjust to the new act. The impact of this new law has affected our current clients and case load prior to the act passing. The application time period is not fast enough and there will be no time to compensate for the loss of current and potential business. We have been one of the lucky ones to have a diversified array of services in information security to absorb the impact of this act passing.

The Computer Forensics Industry and DLEG will have to work closely together to bring Public Act 146 and the industry into compliance. The concerning area that will have a greater impact on the industry is the affiliations with other states on computer forensics investigations. As the network grows and grows in a global economy so does the need for speed and availability of accessing the data in any location. Public Act 146 has impacted the security and IT industry tremendously from computer forensics, eDiscovery and monitoring of individuals. According to the act an investigation starts when you are targeting or questioning an individual’s:

(e)(ii) – the identity, habits, conduct, business, occupation, honesty, integrity, credibility, trustworthiness, efficiency, loyalty, activity, movement, whereabouts, affiliations, associations, transactions, acts, reputation or character of a person.

In the IT world this could be the tracking of IP addresses, MAC address, VOIP, email address, etc., that would link the computer to the individual. This is where I would express extreme caution based on the general statement of targeting individuals. The impact reaches beyond the computer forensics professional and now applies itself to all investigations as any investigation in today’s working world deals with some kind of computer based evidence that will be used to prove an individual’s wrong doing.

I believe that Public Act 146 will be good for the industry once we get through the scramble of compliance with the act. Overall Public Act 146 will become a milestone for the information security industry and serve to increase the amount of professionalism that should be expected by the professionals in the field.

Forms & Publications – Private Detective Form http://www.dleg.state.mi.us/dms/results.asp?docowner=BCSC&doccat=Private+Detectives&Search=Search

www.michigan.gov/commerciallicensing

How does the Holistic Security approach lead to better results for the organization?

2007-06-29T18:57:48Z

The holistic approach establishes within the risk assessment the need for understanding the security posture of the organization. Once we understand the critical aspects of the organization, it is then and only then that can build the foundation to establishing a solid security base. The assessment will help the organization recognize the direction of the business needs to start to build the security plan. In the 21st century it is hard not to think globally for small, medium, and large businesses. The establishment of the security foundation should follow the business that is currently in place and the future. Establishing international standards for security is an approach to meet the business needs and protect the organization’s assets. ISO 17799/27001 is the beginning in building a solid security core foundation that will address all forms of business that take place in the general business world and into the digital information age of global economics. The holistic approach breaks down the walls and maps the process to the foundation to comply. Thus cutting the cost and providing a good return on investment for organization and reducing confusion.

Where do I start when preserving data in Electronic Discovery?

2007-03-30T14:26:09Z

Preservation starts with having a good plan with protocols in place to achieve positive results. Having an incident response plan in place is critical to the success and reduction of stress to a thin IT staff. The plan should involve or integrate the use of an expert available to consult you in the process. Planning will serve as the framework to reduce the risk of exposure and maximize the benefit of electronic discovery. The key steps for the electronic discovery process are the following:

Preparation
Preservation and Collection of evidence
Examination of evidence
Analysis of evidence