Lesson 5: Organizational and Operational Security

Laws vary around the world, but for the purposes of information security you need to understand two things: forensics, and proper hiring and termination procedures. Without understanding the legal issues in these two areas, you might destroy the evidence needed to convict someone who has damaged your company, and you might leave your company open to electronic attack from a disgruntled former employee.


After this lesson, you will be able to

  • Understand why data preservation is important after an attack

  • Understand what evidence chain of custody is

  • Understand human resources concerns

  • Understand employee privacy concerns

Estimated lesson time: 15 minutes


Preserving Data

Forensics is the application of science to legal questions. In information security, computer forensics is the investigation and analysis of a computer for the purpose of gathering potential legal evidence. For this to occur, the data has to be preserved, and a strict chain-of-custody protocol must be followed. Forensics specialists (typically working for law enforcement agencies) are called in to gather the evidence. You must be aware of the nature of the evidence they are gathering so that you do not inadvertently destroy it: routine administrative actions such as rebooting a server, rotating or truncating logs, or reimaging a compromised host can all erase it. When electronic evidence is gone, it's gone.

Chain of Custody

When you are preserving data in an attempt to prosecute someone who has breached your security, it is not enough to preserve the data itself; you must also document the chain of custody for the evidence collected, so that it is admissible and defensible in a court of law.

Chain of custody procedures ensure the integrity of the information collected by tracking its handling and storage from the point of collection to final disposition of the evidence. This procedure is used after you have been attacked and are attempting to collect data that will be used to prosecute the attacker.

For instance, if your company's Web site was hacked and the attackers downloaded an application that you sell, then you would need to collect as much data as possible to prosecute the thief. The data would have to be gathered, handled, and stored properly to be used as evidence. This includes limiting access to the evidence, documenting who handled the evidence, when it was handled, and why it was handled.

Documentation of this process must record, each time evidence is handled or transferred, the date, the purpose, and the identity of each individual in the chain of custody. In practice it also records a cryptographic hash of the evidence taken at collection, so that every later handler can prove the evidence has not changed since it was seized.
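The following is an added example, not code from the training kit, showing how the preservation and chain-of-custody requirements above translate into practice: a log file is copied byte-for-byte into an evidence store, made read-only, and hashed with SHA-256 at collection; every later hand-off is logged with who, when, why and what, and is refused if the hash no longer matches. The evidence file, the log lines in it, the people and the ticket number are all constructed for the example, and the names `acquire_evidence`, `CustodyRecord` and `CustodyEntry` are this example's own.

```python
"""Evidence preservation with a chain-of-custody log (added example)."""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large disk images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class CustodyEntry:
    when: str      # UTC timestamp of the handling event
    who: str       # person taking or holding the evidence
    action: str    # collected / transferred / examined
    purpose: str   # why it was handled
    digest: str    # SHA-256 of the preserved copy at that moment


@dataclass
class CustodyRecord:
    evidence_id: str
    source_path: str
    preserved_path: str
    entries: list = field(default_factory=list)

    def log(self, who: str, action: str, purpose: str) -> str:
        """Append a custody entry; refuse if the evidence no longer matches
        the digest taken at collection (the first entry)."""
        digest = sha256_file(self.preserved_path)
        if self.entries and digest != self.entries[0].digest:
            raise RuntimeError(f"{self.evidence_id}: digest mismatch, evidence altered")
        when = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.entries.append(CustodyEntry(when, who, action, purpose, digest))
        return digest

    def verify(self) -> bool:
        """True if the preserved copy still matches the collection digest."""
        return bool(self.entries) and sha256_file(self.preserved_path) == self.entries[0].digest


def acquire_evidence(evidence_id, source_path, dest_dir, who, purpose) -> CustodyRecord:
    """Copy the source byte-for-byte into the evidence store, make the copy
    read-only, and record the first custody entry with its digest."""
    dest = os.path.join(dest_dir, f"{evidence_id}.bin")
    with open(source_path, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(1 << 16), b""):
            dst.write(chunk)
    os.chmod(dest, stat.S_IRUSR)  # owner read-only: no accidental edits
    record = CustodyRecord(evidence_id, source_path, dest)
    record.log(who, "collected", purpose)
    if sha256_file(source_path) != record.entries[0].digest:
        raise RuntimeError("preserved copy does not match the source")
    return record


def demo() -> dict:
    """Constructed scenario: collect a web-server log, hand it to an examiner,
    then show that an edit to the preserved copy is caught at the next hand-off."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    src = os.path.join(workdir, "access.log")
    with open(src, "w") as f:  # constructed log lines, not real traffic
        f.write('203.0.113.7 - - [12/Mar/2002:03:14:15 +0000] '
                '"GET /downloads/product.zip HTTP/1.1" 200 4194304\n')
        f.write('203.0.113.7 - - [12/Mar/2002:03:14:20 +0000] '
                '"GET /cgi-bin/../../etc/passwd HTTP/1.1" 404 0\n')

    rec = acquire_evidence("EV-0001", src, workdir, "J. Admin",
                           "web server compromise, ticket 4711 (constructed)")
    rec.log("K. Examiner", "transferred", "hand-off to forensics")
    intact = rec.verify()

    # Tampering: someone makes the copy writable again and appends a line.
    os.chmod(rec.preserved_path, stat.S_IRUSR | stat.S_IWUSR)
    with open(rec.preserved_path, "a") as f:
        f.write("203.0.113.7 - - [12/Mar/2002:03:15:00 +0000] bogus\n")
    try:
        rec.log("K. Examiner", "examined", "keyword search")
        rejected = False
    except RuntimeError:
        rejected = True
    return {"intact_after_transfer": intact,
            "tamper_detected": not rec.verify(),
            "handoff_rejected": rejected,
            "entries": len(rec.entries)}


if __name__ == "__main__":
    print(demo())
```

The digest recorded at collection is the anchor for the whole chain: each later entry is only accepted if the preserved copy still hashes to it, and the read-only permission on the copy turns a careless edit into an error rather than a silent change. Analysis is done on further working copies, never on the preserved original.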

Human Resource Concerns and Privacy Issues

Managing information security also includes working with your company's Human Resources department to ensure that when an employee leaves the company, his or her access to the company's data is terminated. Your role in protecting the company is to disable or remove the former employee's accounts, revoke his or her access rights, and change any shared or service passwords the person knew.
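As an added example (not code from the training kit), the check below reconciles an HR list of terminated employees against what the directory still allows: an account still enabled, an SSH key still authorized, or a shared credential that has not been rotated since the person left. The HR feed, account export, keys and shared-credential records are constructed for the example, and field names such as `pw_changed` and `known_to` are assumptions, not the format of any real system.

```python
"""Reconciling HR terminations against live access (added example)."""
from datetime import date


def find_stale_access(terminations, accounts, ssh_keys, shared_creds, as_of):
    """Return sorted (user, finding) pairs for every employee terminated on or
    before `as_of` who can still reach company data."""
    findings = []
    for user, term_date in terminations.items():
        if term_date > as_of:  # not yet separated; nothing to revoke yet
            continue
        acct = accounts.get(user)
        if acct is not None and acct["enabled"]:
            findings.append((user, "account still enabled"))
        if ssh_keys.get(user):
            findings.append((user, f"{len(ssh_keys[user])} SSH key(s) still authorized"))
        # A disabled account is not enough: passwords the person knew must change.
        for name, cred in shared_creds.items():
            if user in cred["known_to"] and cred["pw_changed"] < term_date:
                findings.append((user, f"shared credential '{name}' not rotated since termination"))
    return sorted(findings)


# Constructed sample data; every user, key and credential is fictitious.
TERMINATIONS = {"bsmith": date(2002, 3, 1), "jdoe": date(2002, 3, 5), "rlee": date(2002, 4, 1)}
ACCOUNTS = {
    "bsmith": {"enabled": False},  # disabled correctly
    "jdoe": {"enabled": True},     # HR says gone, directory says active
    "rlee": {"enabled": True},     # last day is still in the future
    "ops": {"enabled": True},
}
SSH_KEYS = {"jdoe": ["ssh-ed25519 AAAAC3(constructed) jdoe@laptop"], "bsmith": []}
SHARED_CREDS = {
    "deploy": {"known_to": {"bsmith", "ops"}, "pw_changed": date(2002, 2, 1)},
    "backup": {"known_to": {"ops"}, "pw_changed": date(2002, 2, 1)},
}


def demo():
    return find_stale_access(TERMINATIONS, ACCOUNTS, SSH_KEYS, SHARED_CREDS,
                             as_of=date(2002, 3, 10))


if __name__ == "__main__":
    for user, finding in demo():
        print(f"{user}: {finding}")
```

Run against the sample data, the check reports that jdoe's account and SSH key are still live and that the `deploy` password bsmith knew was last changed before bsmith left, while rlee, whose termination is still in the future, produces nothing. Running such a reconciliation on every HR change is how the lesson's "revoke access" requirement gets enforced rather than merely stated.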

Privacy issues are a sensitive subject for some employees. These employees feel that what they do with the computer they use in the office is their own business, and believe the e-mail they receive is legally viewable by only them. According to a Privacy Rights Clearinghouse fact sheet on employee monitoring, employers can do the following:

  • Monitor what is on a computer screen.

  • Monitor and review e-mail.

  • Monitor phone calls.

  • Maintain and acquire phone records.

Often, employers place logon banners on their systems advising users that monitoring takes place and that use of the systems implies consent to it.

Privacy regulations vary greatly from country to country. You must be cognizant of local laws when managing issues related to privacy.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in Appendix A, "Questions and Answers."

  1. You discover that an intruder has compromised your company's C-I-A triad. Of the choices listed below, which is the most appropriate action you should take in response to this threat, and why?

    1. Attempt to identify the person that compromised the system.

    2. Preserve the log files for a forensics expert.

    3. Empty the log files so that you can try to capture specific data if another attack occurs.

    4. Leave any log files with the company's receptionist so that the forensics expert can find them.

  2. If an employee is fired, what should you do as an information security specialist?

Lesson Summary

  • Forensics is the investigation and analysis of a computer for the purpose of gathering and preserving evidence.

  • When an employee is terminated, you must remove his or her ability to access information to minimize the chance of retaliation.

  • When an attack occurs, preserve the data so that a forensics expert can attempt to gather enough information to find and eventually prosecute the attacker. When you preserve data, you do not need to collect the data; you simply need to make sure you do not destroy the data.

  • Your company's employees do not own the e-mail they receive in their e-mail account at work, nor is the telephone theirs. The e-mail stored in an employee's account is subject to review by the company, as are their telephone records and calls.

  • When the company dismisses an employee, you must disable his or her accounts and change any shared passwords the person knew, to prevent access to company information. A disgruntled former employee can wreak havoc on the C-I-A triad.



Security+ Certification Training Kit (Pro-Certification)
ISBN: 0735618224
Year: 2002
Pages: 55