Real world question for practice.

A senior network engineer is asked repeatedly by his supervisor (a senior partner) to "lock down" the portion of the network that holds employee personal information. After the engineer fails to do this for many months, there is a breach and someone makes way with several social security numbers and other personal information. She opens credit card accounts, get's loans, and maxes out all the credit cards. Naturally the employees (and previous employees) who were victimized, files law suits. In court the engineer openly admits that he ignored many verbal directives by his supervisor to take measures to prevent this. The engineers job description clearly states that he is responsible for securing the network at all costs. His job description also spells out that it's his responsibility to create security policies and procedures. Again not performing well the roles set forth in his job description, the engineer has failed to create any policies.

In court, who will most likely be found to be at fault? And why?

Find more posts tagged with

Comments

eurotrash

the engineer's manager/supervisor for not making sure that the engineer did in fact do his job?

seuss_ssues

Although the admin is at fault for not doing his job, in the end senior management is ultimately responsible. The "Buck" stops there"

keep the questions coming.

keatron

Suess and Omni are both right. Executive management will probably be hit pretty hard for not having any solid policies. Also, they won't be looked upon favorably for pushing the policy creation task off on the network engineer. A common mistake that is still made in business is thinking that the "computer people" are responsible for creating policies. He might in part be responsible for actually "implementing" the policies or help to implement them, but policies are meant to be set by executive management then enforced and adhered to by the appropriate personnel. In companies where the IT team or the Infosec team is small or non-existent, the responsibility of policy creation still falls on the shoulders of executive management. This is usually where an outside consultant would be brought in to help or advise. It's a tricky but necessary task to seperate corporate culture from the court of law. While the engineer could have very easily been fired or punished per the company's perspective, the court has a completely different set of rules that often times don't match so well with corporate culture. The sensible thing would be to make sure you have a skilled legal professional involved when creating corporate or policies. And if it's IT or Infosec related, get one who specializes in that area. I've seen to many companies be loyal to a legal entity that they've used for years to only get burned when their infosec or acceptable use policies lean to the left of what the company's state law says.

Keep in mind that Infosec is starting to parallel the accounting world in many ways. "Back in the day" when there was accounting fraud, companies usually got off by firing the heads of accounting. But if you look at the situation post Enron/Andersen, the owners and executives are the heads that are put on the chopping block in court. You need only look at all the recent (last 3 years or so) media attention given to banks and other financial institutions who negligently allowed people's confidential and private information to be compromised, to see why infosec is headed down the same road accounting has been/is going down. Everyone knows about SOX 404 and HIPPA, but that's just the beginning, more and more of these types of compliance initiatives will come in the near future.

Good answers by both of you guys.

More to come.

Webmaster

Great stuff!

I was wondering if it would be safe to say, that in addition to being responsible for creating and enforcing policies, the data owner (the organization, hence executive management) is always responsible for what can happen with the data?

JDMurray

Also, a job description is not a legally binding contract. It is therefore impossible for a job description to make the engineer legally "responsible for securing the network at all costs."

keatron

jdmurray wrote:

Also, a job description is not a legally binding contract. It is therefore impossible for a job description to make the engineer legally "responsible for securing the network at all costs."

Exactly, and this is where a lot of company owners and executives get burnt big time in court. And it always comes as a shock to them

It all goes together to the point that the days of writing off responsibility in job descriptions are over (exactly what happened in the accounting world). Furthermore, when it comes to SOX compliance and similar compliance standings, there is increasing attention being focused on job descriptions of this nature. Job descriptions can be a good starting point to present a good picture of present controls and where the weaknesses are. To many security consultants go in and immediately start beefing up technological controls without giving much thought to actual processes and chains of responsibility. Many companies are still trying to force their IT personnel to become overnight security professionals.

sart

All too true...
I interviewed very recently for a security position I was technically qualified for, but the company had already known heads-up and beforehand that there are some soft skills in written security policies, planning, disaster recovery, responsibility, and legal experience.

See, once you are responsible to take care of something it becomes your responsiblity to take care of it when things become "not right".

Once you monitor it, you're suddenly responsible for it. You have to monitor things in to an extent that it's not negligance if you happen to miss something in your logs. What if he /had/ and it got broken to anyway?

The security business can be scary to the security professional...

Ten9t6

Webmaster wrote:

Great stuff!

I was wondering if it would be safe to say, that in addition to being responsible for creating and enforcing policies, the data owner (the organization, hence executive management) is always responsible for what can happen with the data?

Exactly...They are responsible as the data owners....but everyone will "feel the pain". Companies that lose personal information tend to have a hard time staying in business. Even if they do stick around, everyone knows what roles down hill. The engineer will get it to.....as he should.

You should always be evaluating your security. Multiple people and policies had to fail to get into this situation.

Kenny

Chivalry1

Wow this is a great post. I am inline with all opinions. Many companies attempt to make IT department internal security analysts and consultants, and to perform annual internal audits. A company, in my opinion, cannot perform a TRUE internal security audit. This type of information needs to come from a independant security consultant or source. IT departments are apart of the companies culture. Which means that although you would like to tell the CEO to stop taping his password to his monitor

, you really cant for fear of losing your job. So there is a BIG conflict of interest. Again GREAT post!

keatron

Chivalry1 wrote:

Wow this is a great post. I am inline with all opinions. Many companies attempt to make IT department internal security analysts and consultants, and to perform annual internal audits. A company, in my opinion, cannot perform a TRUE internal security audit. This type of information needs to come from a independant security consultant or source. IT departments are apart of the companies culture. Which means that although you would like to tell the CEO to stop taping his password to his monitor , you really cant for fear of losing your job. So there is a BIG conflict of interest. Again GREAT post!

I agree and you are doing a good job of validating my point that those of us in Infosec are getting closer and closer to running parallel to accounting. What company is allowed to audit their own financial records and books

: Right. NONE!!!!!

JDMurray

Chivalry1 wrote:

Which means that although you would like to tell the CEO to stop taping his password to his monitor , you really cant for fear of losing your job.

Well, this depends on where you work. In the USA, we have a thing called "at will employment." This means that any employee can be instantly terminated by an employer without notice and with no reason given. It also works both ways, allowing an employee to self-terminate without giving notice or reason.

In the USA, if your CEO refuses to stop taping his/her password to their monitor, you still need to (re)act in a politically correct manner to keep your job. If you get upset, give the CEO a lecture on common sense, tell other people how "stupid" the CEO is, etc. then you'll find yourself being escorted to the front door by security at five o'clock that same day--with no reason given and no recourse possible.

http://www.rbs2.com/atwill.htm

keatron

jdmurray wrote:

If you get upset, give the CEO a lecture on common sense, tell other people how "stupid" the CEO is, etc. then you'll find yourself being escorted to the front door by security at five o'clock that same day--with no reason given and no recourse possible.

No doubt about it

Chivalry1

Which makes the whole situation a CATCH 22.

keatron

Chivalry1 wrote:

Which makes the whole situation a CATCH 22.

And if you sit the CISSP be ready for a ton of "Catch 22" type questions concerning the Security Management domain. And it's really not a Catch 22. You just have to go about getting the point across in an effective way. Awareness is one place to start. And this would usually be "general" awareness, not directed personal attacks.

Chivalry1

So Keatron in a sense you are looking at informing executive powers of companies in more of a general sense. EX: A company wide email stating that is not good practice to leave passwords in open places. And to inform them of the security risk and effects that a compromised password can cause to the company. Not specifically pointing out anyone individual. And redirecting them to the companies security policy.

I think that in most cases (99%) upper executives will fully support this ideal. But will the executives follow the practice, in my experience most dont.

*SideNote: It will be some years keatron before I sit the CISSP. Maybe sometime in the distant future the SSCP. But I heard these exams are no joke!*

keatron

Chivalry1 wrote:

So Keatron in a sense you are looking at informing executive powers of companies in more of a general sense. EX: A company wide email stating that is not good practice to leave passwords in open places. And to inform them of the security risk and effects that a compromised password can cause to the company. Not specifically pointing out anyone individual. And redirecting them to the companies security policy.

This is why you implement a top down approach. Create an urgency by stating facts. Fortunately the media has actually helped us in this area by repeatedly covering stories of companies getting compromised and losing information (one of the more recent was a large well known company losing backup tapes that held thousands of clients personal information). When you put these things into an understandable perspective and have ample documentation of court cases to show how execs were made to pay, you usually end up on the right track. After you have this kind of awareness/buzz generated, the execs will usually agree to being instrumental and "being in the know" concerning creation of new policies. They're more likely to comply if they had a role in creation. Of course over time this newness wears off and they might slip back into old habits, but this is why awareness should be a regular initiative, not a one time pop.

Chivalry1 wrote:

*SideNote: It will be some years keatron before I sit the CISSP. Maybe sometime in the distant future the SSCP. But I heard these exams are no joke!*

I've taken many certification exams over the last 10 years and nothing I've seen even comes close. Of course, I've never seen CCIE Lab nor the Juniper Labs.

Paul Boz

At various organizations that I visit or interact with I see upper management pushing policy creation on IT / lower management all the time. I get a ton of kickback from upper management when I make them aware that they should be in charge of driving policies and that pushing them to lower management / IT will just make them diluted and no one will pay attention to them.

In the same token, these are the people who also pay for IT Audits, vulnerability assessments, pen testing, and social engineering only to fulfill regulatory or auditor requirements. If you pay for valuable security services to be performed and don't use the opportunity to improve your organization you probably won't want to have a hand in policies either.

I handle about a dozen accounts a month (on-site with maybe 2-3 of them) and it is very rare for me to see good policies. Typically the policies are not well written, have big holes in them, are not distributed and enforced correctly, etc. Usually it is directly attributable to the policy building skills of upper management. There are three scenarios that I see. Either 1, upper management has very strong policy builders which results in outstanding policies, 2, they have bad policy building skills, write their own policies, and they stink, or 3, they have bad policy building skills and as a result delegate policy creation to lower management. 2/3 of these scenarios result in bad policies.