Cyber Security - LEA - PPP

Cyber Security – PPP

For Investigations/Risk/Fraud/Security Manager and individuals who would want to safeguard themselves and limit liability of thy and their organisation. Views expressed are personal.

Security personnel must balance issues related to privacy and security when dealing with stakeholders and law enforcement agency (LEA) as part of their due diligence and legal obligations.

Generally, security professionals choose the career because of an interest in technology of security or the levels of inquisitiveness to know things beyond technology. There are very few professionals who understand the gratitude and interactions that one has to have with LEA.

For the last few years working with issues related to cyber security I have experienced that in any incident it is the individual’s behavior which is the biggest risk in security. There are varieties of profiles with whom one has to deal; you have minors, teenagers, professionals, amateur, etc… (list is illustrative) who are either affected or involved for incidents like defamation, identity theft, credit card misuse, being framed as mule, illegal activities using technology, unauthorized access, etc.

The information security field has matured and is continuously on improvement, the potential and area of risk management is increasingly used for discussing new strategies and tactics for mitigation. Privacy is the first level forming a consistent and strong philosophy for information security. It is difficult to achieve privacy without security and security without concern of privacy results in ignoring the human angle of the intellectual legacy that the current world represents.

Security Incidents are reasonably handled; they fade in memory over a period of time. Privacy breach are lethal, they are “One to Many” meaning once there is breach the information that is captured can be used ‘n’ number of times and at anytime, anywhere. E.G. a fake account can be opened, a credit card can be issued, stalking and harassment, etc.

Privacy is a prime motivator. Understanding the magnitude and complexity of the problem will help you develop a solid working relationship with LAE, and better use of public private partnership for establishing set of procedures, incident handling mechanism, better agreements and policy, will help you,

1. Due diligence and legal obligation as your institution/individual capacity

2. Ensure minimum interaction and requests to and from LEA and

3. Protect the privacy of individual/institution

Your Responsibility:

Assume your organisation has the responsibility to meet any valid legal request made by law enforcement agency. In a typical scenario, it means you have to find all relevant information requested as it exists on as is basis within the parameters of your organization’s environment and compliance policy. You do not reinvent or recreate the scenario. E.G: if there is a search warrant issued for searching your premises and if your servers are not in a position to provide with the details or the data have not been collected or maintained by you, you are not responsible to modify the environment to meet the request or not responsible for creating or building new systems to collect the data that you would not otherwise gather at that particular instance. However, for future needs you may like to maintain the details as your diligence; at the same time having the understanding and working knowledge if you ignore the facility of getting relevant information you are not excused for the same. This will vary on case to case basis.

Your Team:

As security professionals, one can sometimes get easily drawn into LEA investigation beyond formal expertise or relevance. In such situations one’s role is and should be restricted to provide with information that is required to comply with a court order, search warrant of legal documents.

To handle such requests, it is always advisable to have a team consisting of a security professional, legal representative and in house compliance officer. A letter of authority should be obtained from the head of the organisation to get involved and work on the given incident.

Security professional can help with technical understanding and details, legal representative can guide you with the procedural requirements and interpret the warrant or validity of documentation, deadlines, confidentiality, integrity. Their actions will prevent unavoidable and silly mistakes. Security representative handles collecting tha actual information that is to be furnisehed and advises on the existing technological abilities and limitations.

There has to be flexibility in the way this team functions. Jointly this team can also respond to in house matters and any issues that arise during the course of responding to the request. Gradually, the team will learn to act for each other if the need be. It can also act as an emergency response team where immediate help is not available.

To Be Continued.

Regards

“Human Behaviour is the Biggest Risk in Security – Vicky Shah”