The RCMP Tech Crime Unit
&
Information Systems Security
Presented to: ISSA
January 26, 2005
E Div. Technological Crime Unit
• Who / What is the Tech Crime Unit anyway?
  – Mandate is:
     • to conduct technical analysis of computer storage media
     • to conduct investigations of true computer crime (unauthorized access, mischief to data)
  – Unit created in July 2002 with the subsequent transfer of 5 members
  – Unit has grown to current size of 14 regular members and two support staff
  – Approx. half of our members have undergrad degrees
  – Permanent posting to the Tech Crime Unit requires successful completion of an 18 month understudy program
  – Training is always ongoing
  – Non personnel resources
     • In addition to the RCMP computer equipment, we maintain our own 21 TB SAN to support our technical analysis work.
New Laws
• Criminal Code Production Orders
  – These are a court order similar to a general search warrant
     • They replace a search warrant in that they do not technically require a search.
     • The recipient is required to produce the records when, and in the form, demanded in the production order.
• In the future you may see Preservation Orders
• So…. What do you do when…
  – Your data is destroyed
  – An unauthorized user has gained access
  – Data has been modified

By an intentional act…
Priorities
• Objectives (Primary)
  – Maintain the function / operation of your system
  – Maintain the integrity of your system
  – Prevent further security problems
• When there is a security breach, it may be too late to start logging.
  – MOTTO: Have logging in place; make sure that your business can continue
  – Turn on all logging that is possible. Save log files (reports) from all routers possible.
Secondary Objective
• When do you call the police?
  – When you know (or believe) that you have an intentional security breach (criminal offence)
     • A criminal code offence requires “intent”.
• What are the offences?
  – Mischief to Data
     • Dual / maximum 5 years
  – Unauthorized Use of Computer (Access)
     • Dual / maximum 10 years
  – Other Criminal Code offences – but not “Theft of Information”
• What do police require to initiate an investigation?
  – A reason to believe that an offence has taken place.
     • Obviously, the more information that can be offered, the more quickly we can investigate.
• When will police take action??
  – We do not normally investigate attacks on home computers
  – UNLESS:
     • Threat of physical harm
     • Threat of damage to property
     • Related to other serious matter
  – We will investigate business related matters
     • Threat to livelihood
     • Loss of jobs
• Who do you contact??
  – Contact your local police agency (911 is probably not appropriate)
  – Advise your local police agency that our unit is available to assist / investigate if they are not able to fully respond.
     • We will assign a priority and respond on that basis
Other Considerations?
• Should you notify upstream / downstream?
  – That’s your call…
     • What are the risks to the other system / organization?
     • What is the risk to your organization?
          If you notify…
          If you don’t notify…
     • What is the ethical thing to do?
• Share information
  – This is one of the strongest defense mechanisms that is available
How does it work?
• You’ve suffered (are suffering) an attack
• You’ve notified the police
• You’ve notified related organizations for their protection / information
• NOW WHAT??
• Secure your system (priorities)
  – Ensure that your business / operation can continue.
  – To assist police (or civil) investigation
     • Make and keep notes / chronological journal of events and actions
     • Retain all backups
     • If possible remove & retain the current hard drives and restore the system on replacement hard drives.
     • If not… obtain and preserve a “bit image” copy of your system at the point that you are aware of the attack.
        – Linux ‘dd’ works well (Ghost would be a second choice)
        – Ensure that the destination drive has been ‘wiped’, not just reformatted
• If an image of the system is not possible…
  – Make & retain copies of all of the log files possible
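The preservation steps on the slides above (wipe the destination, take a ‘dd’ bit image, keep copies of the log files, keep a chronological journal) as one added worked example. This is not code from the deck or from the RCMP; it is a POSIX shell script written for this page. To run offline it works on constructed files that stand in for a disk and a log file; on a real system the source would be a block device path and the destination a separate, wiped drive. The names CASE_DIR, image_disk, preserve_logs, verify_manifest, the sample log lines and the disk contents are all made up for the example.

```shell
#!/bin/sh
# Added example (not from the RCMP deck): preserve a bit image and log copies
# with SHA-256 hashes and a timestamped journal. Runs on ordinary files here.
set -eu

CASE_DIR="${CASE_DIR:-./evidence_$$}"   # hypothetical case directory
JOURNAL="$CASE_DIR/journal.txt"
MANIFEST="$CASE_DIR/SHA256SUMS"

# SHA-256 of one file; coreutils sha256sum or BSD/macOS shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Append a UTC-timestamped line: the "chronological journal of events".
journal() {
    mkdir -p "$CASE_DIR"
    printf '%s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$JOURNAL"
}

# Overwrite the destination with zeros (a wipe, not a reformat).
# For a real drive omit count= so dd runs to the end of the device.
wipe_destination() {
    dd if=/dev/zero of="$1" bs=512 count="$2" 2>/dev/null
    journal "wiped $1 ($2 x 512 B of zeros)"
}

# True only if the destination contains nothing but zero bytes.
is_wiped() {
    [ -e "$1" ] || return 1
    nonzero=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Bit-for-bit image with dd, then hash source and image and compare.
# bs=512 matches a sector so conv=sync padding cannot change the length;
# conv=noerror keeps reading past bad sectors instead of stopping.
image_disk() {
    src="$1"; dst="$2"
    is_wiped "$dst" || { journal "REFUSED: $dst is not wiped"; return 1; }
    journal "imaging $src -> $dst with dd"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>>"$CASE_DIR/dd.log"
    src_hash=$(hash_file "$src"); dst_hash=$(hash_file "$dst")
    journal "sha256 source=$src_hash image=$dst_hash"
    [ "$src_hash" = "$dst_hash" ] || { journal "HASH MISMATCH"; return 1; }
    printf '%s  %s\n' "$dst_hash" "$dst" >> "$MANIFEST"
    journal "image verified"
}

# Copy each log file into the case directory read-only and record its hash.
preserve_logs() {
    mkdir -p "$CASE_DIR/logs"
    for f in "$@"; do
        name=$(basename "$f")
        cp -p "$f" "$CASE_DIR/logs/$name"
        chmod a-w "$CASE_DIR/logs/$name"
        printf '%s  %s\n' "$(hash_file "$CASE_DIR/logs/$name")" \
            "$CASE_DIR/logs/$name" >> "$MANIFEST"
        journal "preserved log $f"
    done
}

# Re-hash everything in the manifest (e.g. before handing evidence over).
verify_manifest() {
    [ -s "$MANIFEST" ] || return 1
    while read -r h path; do
        [ "$(hash_file "$path")" = "$h" ] || { journal "TAMPER? $path"; return 1; }
    done < "$MANIFEST"
    journal "manifest verified"
}

# ---- Demo on constructed files (stand-ins, not a real device) ----
mkdir -p "$CASE_DIR"
SRC="$CASE_DIR/source.disk"; DST="$CASE_DIR/dest.disk"; STALE="$CASE_DIR/stale.disk"
i=0; while [ "$i" -lt 128 ]; do printf '%032d' "$i"; i=$((i+1)); done > "$SRC"  # 4096 B
wipe_destination "$DST" 16                              # properly wiped drive
printf 'leftover data from an old job\n' > "$STALE"     # "reformatted" only
printf '%s\n' \
  'Jan 26 03:14:07 fw1 sshd[2231]: Failed password for root from 192.0.2.10 port 51022' \
  'Jan 26 03:14:09 fw1 sshd[2231]: Accepted password for root from 192.0.2.10 port 51022' \
  > "$CASE_DIR/auth.log"                                # constructed sample log
journal "incident opened; case directory $CASE_DIR"
image_disk "$SRC" "$STALE" || true                      # refused: not wiped
image_disk "$SRC" "$DST"                                # imaged and verified
preserve_logs "$CASE_DIR/auth.log"
verify_manifest && echo "all evidence hashes verify; journal at $JOURNAL"
```

The hash comparison is the reason the deck prefers pulling the original drives: a source that is still being written to will not hash the same twice, so image from a powered-down disk or a separate system whenever you can, and keep the journal and manifest with the image rather than on the system under investigation.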
How does it work?
• Police investigation can take considerable time.
  – Jurisdictional issues may prevent prosecution
• IF we go to court….
  – Detailed statements from all persons will be required.
     • Much better quality, and much easier to produce, if notes were kept from the time of the attack.
  – Court will likely be a year or two away and will be at least a week in duration.
• Disclosure…
  – Police and Crown Prosecutors will have to disclose ALL evidence upon which the case relies
     • Exception: Confidential information
• Confidential Information…
  – This must be dealt with on a case by case basis.
  – Disclosure may be limited to only a portion of the confidential information
  – Disclosure may be made to a third party
  – In a ‘worst case’ scenario a decision may have to be made to proceed or withdraw from the prosecution
Don’t be a “Client”
• Enough about “when you suffer an attack”
• How can you prevent “an attack”??
• The boring and the usual!….
  – Keep your service packs (software) up to date
  – Ensure your authentication system is current and meets your security requirements
  – TEST YOUR BACKUP / DISASTER RECOVERY!!!
• Do you have policy?…
  – Separation of Duties
  – Required authentication
  – Employee Termination procedures
     • A check list might be helpful
• Are your employees aware of your policy?
  – Can they report a problem to a confidential person… and do they know who that person is?
• Have you had an independent review of your policies / security / disaster recovery??
  – A fresh look can be invaluable
• Where’s the threat??
  – A vulnerable system will eventually be hit from an external source
  – A secure system may also be hit from an internal source
• Information from my contacts in private industry as well as my experience indicates…
  – You are at least as likely to be compromised from an internal threat as from an external threat.
• We are happy to respond to your request for an investigation….
  – We sincerely hope that you don’t have to call!!
S/Sgt. Bruce Imrie
Regional Coordinator
Vancouver Integrated Technological Crime Unit

ITCU Lab: 604-598-4087
Unit Pager: 604-473-2858
Email: bruce.imrie@rcmp-grc.gc.ca