IT Security Policy Documentation

Detailed Written Procedures | Paperwork

Regulators should not to overemphasize documentation as a form of data security.  Paperwork per se does not protect sensitive data.

In practice, overly detailed documentation can hinder enterprise security, because threats, technology and enterprises themselves change very rapidly.  Keeping very detailed documentation up-to-date can be a distraction and a source of confusion.  Security should focus on substance.

Regulatory authorities can be tempted to emphasize documentation because it is easy to audit.

Fine for D.A. Davidson

The Financial Industry Regulatory Authority (FINRA) fined stock broker D.A. Davidson & Co. $375,000 after a hacker stole personal data on 192,000 Davidson customers.

This incident caused no identity theft among customers.

Does Imperfect Documentation Justify Fine?

A key reason for the fine, according to FINRA, is that Davidson’s security documentation was incomplete: “D.A. Davidson failed to . . . establish and maintain a system, including written supervisory procedures, reasonably designed to achieve compliance with Rule 30 of Regulation S-P.” FINRA Letter of Acceptance, Waiver and Consent No. 20080152998.

According to Rule 30, “[e]very broker, dealer . . . must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to: (1) insure the security and confidentiality of customer records and information . . .”

Let’s look more carefully at what FINRA said about Davidson’s lack of documentation.  It said: “The Firm also did not have finalized and implemented written procedures in place for its information security program that, among other things, should have been designed to protect confidential customer information.”

Was There a Substantive Shortcoming?

So what were the particular shortcomings in the documentation? FINRA said:

1. “The Firm did not have any written procedures in place for the review of system web server logs, nor an intrusion detection system.”

2. “Even if it had detected the intrusion, the Firm did not have written procedures setting forth an information security program designed to respond to intrusions.”

This lack of documentation needs to be seen in context.
 Davidson did have a security program (including a firewall and a practice of regularly reviewing perimeter security logs) under the care of IT professionals. It had recently engaged with security auditors and consultants and had implemented the “majority” of their recommendations.

FINRA did not say that Davidson had no security documentation, or that Davidson’s IT professionals were incompetent.  From what FINRA said, it appears Davidson did have documentation, maybe quite a bit. Some of it was not finalized; in IT security today, nothing is ever final because technology and threats change constantly.

Further, FINRA did not find that Davidson responded poorly to the incident once it was discovered.  In fact, FINRA cited a series of intelligent steps that Davidson took when it learned of the break-in (such as taking down the firm’s web site, contacting law enforcement and hiring an outside consultant for remediation).

Should Regulators Expect InfoSec Perfection?

Security is very difficult.  FINRA does not talk about that in this Davidson ruling.  Regulators are imprudent to expect perfection. Security perfection does not exist.

FINRA did not analyze how difficult it would have been for Davidson to become invulnerable to attack.

It is easy for a regulator to look back with the benefit of hindsight and say, “Oh, you forgot to review web logs.”  What is much harder is for an enterprise like Davidson – on a prospective basis – to find, evaluate and close off all possible vulnerabilities, while at the same time providing good service to customers at a good price.

Why a Fine for Failing to State Common Sense?

One of the two documentation shortcomings FINRA cited was intrusion response procedure.  What magic did FINRA think was missing in the documentation to inform IT professionals how to respond to an intrusion? Intrusions come in a multitude of flavors, and the flavors change over time.  The most competent intrusion response procedure to document would be general: “In the event of a suspected intrusion, strive to investigate it, keep records of the investigation and take appropriate steps to mitigate it, based on the circumstances.” So what is the problem about not explicitly writing this sentence in documentation?  The sentence is just common sense to IT professionals.

FINRA’s report does not tell whether Davidson had other evidence that its professionals knew how to respond to an intrusion, such as training, experience or discussions recorded, for example, in email.

FINRA’s emphasis on formal documentation worries me because it gives the impression that documentation in and of itself is really important to regulators. Such an impression can cause enterprises to overdo the paperwork, creating long, rigid, expensive documents to show to auditors and regulators.

What's More Important, Paperwork or Substance?

Leaders at the SANS Institute have long criticized FISMA (law requiring information security in Federal government agencies) as a misguided and wasteful call for paperwork rather than substantive security.  See comments by Alan Paller and Ed Skoudis, SANS NewsBites, April 23, 2010, Vol. 12, Num. 32 .

–Benjamin Wright, Legal Issues Instructor, SANS Institute

Social Media Investigation

Deception by Spouse or Employer

A responsible investigator should think carefully before misrepresenting his identity on a social network in order to gather information. In, for example, a divorce or insurance case, a private investigator might be tempted to falsely identify himself as a friend or acquaintance in order to trick the target of investigation to “friend” the investigator and unwittingly reveal the secrets available only to the target's circle of approved friends.

Historically courts have been suspicious of private investigators who use deception to persuade targets to lower their guard.  Courts have construed the deception as a violation of privacy.

Just as an investigator should normally shun misrepresentation, the principal (such as a spouse in a divorce case) who hires the investigator should monitor the investigator's work to prevent misrepresentation, lest the principal also be held liable for the privacy violation.

See Hawkes v. Commercial Union Insurance Company, (Maine Supreme Judicial Court, January 16, 2001), which held an insurance company could be liable for invasion of privacy by an independent private investigator working for the company. The plaintiff, Hawkes (the person suing the company), had submitted a worker's compensation claim for on-the-job injury, which the company was investigating. The company was suspicious whether Hawkes possessed a legitimate claim for a work-related injury. So it engaged a private investigator to surveil Hawkes and gather evidence. The investigator used false pretenses to gain entrance into the Hawkes home. The court held that the investigator and the company had invaded Hawke's privacy. The court required the company to pay for the invasion.

In the physical world an undercover police officer can generally claim to be someone he is not.  Do the same rules apply for an undercover officer in cyberspace?  Generally speaking, a police agency sending undercover officers online is wise to subject the online activity to written procedures, judicial supervision and management supervision.

Update: Some surmise that FBI is scanning social networking sites like Facebook for combinations of words that suggest criminal activity. One report suggests this monitoring led to the arrest of a man in the UK who was threatening to shoot people at a school. 

–Benjamin Wright

Mr. Wright teaches investigation law at the SANS Institute.