Monday, October 29, 2007

Policy Sound-Off - Responding to Email Requests

Phishers are coming up with increasingly sophisticated ways to encourage corporate users to open emails. Two recent incidents using two different attack methods help illustrate the increased threat.

In the first, a large retail grocery chain narrowly escaped a $10 million loss when employees were instructed via email to begin depositing funds to a new bank account for two existing vendors. In this case of very narrow “spear phishing” the attackers clearly had specialized knowledge about the company operations that made the emails seem legitimate. They targeted specific individuals within one organization, making detection more difficult.

Another recent phishing attack involves fake email messages claiming to come from the Equal Employment Opportunity Commission (EEOC). In this attack, the fake emails claim to be notifying the company of an employee complaint made against the organization. This is one of many examples of phishers playing on the desire of employees to comply with state and federal legislation. In these attacks, many organizations are targeted, but with a more credible-sounding business message. In both the narrow and broad approaches, attacks are getting more sophisticated and often contain logos and content stolen directly from the organization being spoofed in the emails.

Does your organization have a formal policy on how your employees and contractors should respond to external requests for sensitive information? Are employees educated on the various types of phishing attacks, including where and how to report a suspected attack?

(Note: For organizations that wish to include phishing attacks in their formal training and awareness programs, the January 2008 issue of Protecting Information will cover social engineering in more detail.)

Wednesday, September 26, 2007

Security Policy on Social Networking Sites

Social networking sites present some unique challenges for organizations that must attract and keep young workers. Is the use of social networking sites at work a necessary perk or an unacceptable risk to corporate information? Some argue that organizations must allow access to social networking and other Web 2.0 sites to help attract a more "fickle" twenty-something workforce that is used to life online. Others say that the risks are simply too great, both in terms of wasted time and the potential for infected computers.

The Fall 2007 issue of the security awareness newsletter Protecting Information covers the most common risks of social networking sites. In the issue Rebecca Herold describes several incidents where employees were terminated based on content posted on their personal pages on various social networking sites. Clearly this issue is going to grow as fast as the number of people that use social networking sites - now estimated at over 200 million.

Does your organization block social networking sites? Is social networking addressed within your information security policies? What are some of the concerns that you feel should be addressed in policy?

Monday, September 17, 2007

Effective Security Policy Management - Part 2

Part 2 of 7: Seven Elements of an Effective Information Security Policy Management Program

Part 2: Defined Policy Document Ownership

Security policies can be viewed as a contract between senior management, employees and third parties about the ways in which the organization will protect information. By definition, a contract is between parties, and in the case of written security and privacy policies one of the parties is always senior management.

Each written security policy document should have a defined owner and/or author. This statement of ownership is the tie between the written policies and the acknowledgement of management’s responsibility for updating and maintaining information security policies. The policy author also provides a point of contact if anyone in the organization has a question about specific policies. Many organizations have written information security policies that are so out-of-date that the author is no longer employed by the organization.

Another area of responsibility that should be documented within written security policies is the executive sponsor. The executive sponsor is a C-level manager or executive who puts the final "stamp of approval" on each document. A high-level executive sponsor demonstrates to all employees that your organization is serious about information security in general, and security policies in particular. Ideally, this is the CEO or equivalent top executive within the organization. In some larger organizations, this might be the head of a large region or perhaps the Chief Operating Officer. Under the requirements of Sarbanes-Oxley, senior management must actually sign a written document attesting to the adequacy of the organization's internal controls. Written policies are a key part of these internal controls.

In some cases, the executive sponsor is listed as part of each published policy document. In other cases, the sponsoring executive may issue a separate memorandum stating the importance of information security and that following published policies is required for continued employment within the company.

Effective Information Security Policy Management - Part 1

How mature is your information security policy program? Do you have a set of outdated documents stored in a binder or intranet site? Or do you have a documented management program that keeps your policies up to date, your users informed and your internal auditors sleeping at night?

This is the first article in the series: Seven Elements of an Effective Information Security Policy Management Program. In this series we review seven key characteristics of an effective policy management program. These characteristics are culled from leading practices, security and privacy frameworks, and incidents involving information security policies. Organizations can use this quick checklist to evaluate the maturity of their existing management program.

Part 1: Written documents with version control

Even though it seems obvious, nearly every information security standard and framework specifically requires information security policies to be written. Since security policies define management's expectations and stated objectives for protecting information, policies cannot be "implied"; they have to be documented. Having a "written policy document" is the first key control established within the international standard ISO/IEC 17799:2005, and is critical to performing both internal and external audits. But what are some characteristics that make for an effectively written policy document?

Policy documents should be written in plain and simple language. Many information security and privacy policies are written in legalese that is difficult for end users to read and understand. Since user education and training is a key component of all information security frameworks, clear, user-oriented language is critical. If your information security policies are written by either the information technology (IT) or legal department, make sure you employ a technical writer or other editor who can help simplify the language of your documents.

Policy documents should also have a standard format so that they can be effectively managed and updated. The standard format not only enforces consistency among documents, it ensures that each document contains key elements that facilitate the overall management of the information security policies, such as the owner/author, title, scope and effective dates of the policy.

Written documents should also have a policy version number. A policy version number clearly articulates which version of the policy is in force at the time of publication, and helps maintain a version history of each document. Maintaining a version history is not only good practice for preserving digital evidence in case of a lawsuit, it also demonstrates that the organization was performing due diligence by updating its security policies on a regular basis.

In order to facilitate a clear document history that can be reviewed by auditors, some form of access-controlled document management system should be used. It can be as simple as folders on a network drive or a full-blown document management system. Complete systems usually provide a detailed audit trail of all changes and updates to documents.

Monday, August 27, 2007

Required Acknowledgement of Security Policy Changes

Legal precedents are beginning to dictate a new standard for the notification of policy changes to your customers and employees. In the "old days" organizations would post changes to information security policies on the corporate intranet, and perhaps even notify employees that these changes occurred via email or some other means. However, in legal actions where employees were terminated for violating policy and then sued for improper termination, the conclusion was that mere notification is not enough. Organizations are expected to notify employees of important policy changes, but must go a step further and verify acknowledgement by employees affected by the change.

A recent case with a telecommunications provider seems to indicate that this standard applies to customers as well. The typical line in many online privacy policies goes something like "we reserve the right to change this policy at any time." While this practice is common, it is certainly not in the spirit of "open" communication with customers as outlined in the OECD Privacy Principles. This ruling came as part of a class-action lawsuit where customers sued over terms of service changes that were applied automatically to their accounts. However, it seems likely that an equal case could be made for changes to privacy policies that would affect the collection of personal information.

I believe it is now "best practice" to require acknowledgement of important security and privacy policy changes. I am interested to hear if this is becoming standard practice in real organizations, or just the unrealistic musings of a policy "purist."

New legislation may help prosecution of ID theft

Companies that have their identities used in phishing scams have little recourse for stopping the attacks. However, new legislation proposed by the Justice Department would expand the ability of enforcement agencies to prosecute identity theft, and adds provisions that may help corporations whose identities are used in phishing scams.

The "Identity Theft Enforcement and Restitution Act of 2007" would expand the reach of federal law to criminal activity that currently "slips through the cracks" of existing federal law. Among its many provisions, the bill would increase the ability of the federal government to prosecute criminals by expanding the definitions of the criminal activity that constitutes "identity theft" and by addressing specific technologies such as spyware and keystroke logging. The bill would also expand the rights of victims to seek restitution for the hours spent recovering from ID theft.

Several provisions introduced in the bill may help corporations fight identity theft. For example, the bill would close gaps in two federal statutes by making it illegal to use not just a person's identification but also the identification of a corporation or organization, "such as the name, logo, trademark," as is common in phishing attacks. Other language closes further gaps related to cyber-extortion as covered in the Computer Fraud and Abuse Act, by including threats "to steal or corrupt data on a victim's computer, or not repair damage the offender already caused to the computer."

Thursday, August 09, 2007

Contractors fined for not following security policy

In July 2007, several contractors of Los Alamos National Laboratory were fined a total of $3.3 million for failing to adequately protect data as required in their contracts. According to reports, the Department of Energy (DOE) initiated formal enforcement actions against specific current and former contractors after investigations revealed that the contractors failed to prevent "a subcontractor employee's unauthorized reproduction of and removal of classified matter from the site." The DOE also issued a Compliance Order to Los Alamos, requiring corrective action to increase physical protection and cyber-security to safeguard classified information.

This is another example that illustrates the importance of two areas of security policy related to third-party contractors. First, information security requirements should be included in all written contracts (apparently so in this case). Second, the organization must establish procedures for periodic monitoring of all third-party contractors for compliance with information security policies. Information Security Policies Made Easy includes over 100 separate security policy controls for managing third-party relationships.

Regulatory Requirements for Information Security Policies

Some organizations still receive little management support or funding for a sound information security policy program. Within the last several years, however, numerous federal, state and international regulations have been passed that require the protection of information. Many organizations are now enhancing their information security policies in response to legal and regulatory requirements.

In some cases, these regulations are very specific about the requirements for written security and privacy policies. In other cases, a regulation simply requires safeguards that are "appropriate" for the size and type of organization. In these cases, enforcement agencies and auditors must defer to accepted best practices or frameworks for guidance, all of which require written policies. Examples of these are the Generally Accepted Information Security Principles (GAISP), Control Objectives for Information and related Technology (COBIT®) and ISO/IEC 17799.

This information security policy requirements table contains a partial list of security or privacy-related regulations and their specific information security policy requirements. Where appropriate, the list includes the security policy requirements of several key frameworks used to manage compliance with various regulations. Organizations may use this table to help build a case to senior management that written security policies are "not just a good idea, they're the law."