Tech Policies and Practices


Meeting Outline

1. Getting ready to work on policies & practices
2. Policy priorities for legal aid and defender organizations
3. Impact of Covid-19 on the landscape & related policy priorities
4. Walking through a draft work from home policy
5. Moving policies and practices forward through your organization
6. Example - Intranet posting guidelines
7. Next Steps


Engaging Your Organization - Proactive vs Reactive

● Form a tech committee
  ○ Volunteers from various departments and managerial levels. No IT expertise needed.
  ○ Discuss long-term & short-term projects; solicit feedback on what the priorities ought to be.
  ○ Valuable assistance with the non-IT aspects of IT projects.
  ○ Can be your focus group, early adopters, and mentors
● Form specific committees for specific projects
● Don’t be the only IT voice in your organization
  ○ Get the executives, supervisors and senior staff to communicate for you.


Anticipate potential obstacles

● Hardware
  ○ Company issued device vs. personal devices
● Shadow IT
  ○ Ad-hoc unofficial IT systems deployed by users or departments (other than IT)
  shortcomings
● Staff adapting to other changes at the same time
● Competing IT priorities
● Executive buy-in
● User buy-in
● Limited resources (time, money, hardware, software)


General Tech Policy Priorities for the Legal Aid & Defender Communities


General Organizational Security Policies

● Policy Overview & Intro
● General Risks & Security Posture
  ○ need-based access
● Responsible Parties – to manage & update
● Policy Enforcement – testing and achieving compliance
● Personnel Security Policy
  ○ On/Off-boarding, Security Awareness
● Physical security of data (printed and electronic) & systems (servers, backups)
● Endpoint security (servers, PCs, phones)
● Service security on-site & in the cloud (email, collaboration, case management, etc.)
● Systems Use Monitoring
● Equipment/software life-cycle and maintenance
● Confidential Data Storage
  ○ Which Systems
  ○ Encryption of Data, Servers, User Equipment
  ○ Access
● Data Retention
● Data/System Backup/Recovery
● E-mail Backup and Retention
● Data Destruction (cloud, backups, servers, end-user devices, copiers)
● Business Continuity / Disaster Recovery

Policy and, separately, Procedures


Acceptable Use Policies

● General Use/Purposes
● Security Awareness Program
● No Expectation of Privacy/Company Owned Systems & Data
● Passwords/Systems IDs
● Internet Access & Use
● Social Media and Web-Based Email Use
● E-mail Communications
  ○ Outgoing Messages
  ○ Email with Confidential Data
  ○ Data Sanitizing – Metadata Cleanup
  ○ Business Messages
  ○ Personal Messages
  ○ Confirm Transmissions
  ○ Phishing/Spoofing
  ○ Suspicious Attachments
  ○ Reporting Suspicious Emails
● Laptops/Tablets and Remote Access
● Wi-Fi Access/VPN (inside and outside the office)
● Non-Firm Owned or Controlled Tablets/Laptops/Macs/PCs
● Bring Your Own Device (BYOD)
● Firm Workstations (Desktop and Laptops)
● Malware Prevention
● Data Classification
● Data Handling
  ○ Public Data Handling
  ○ Confidential Data Handling
  ○ Clean Desk/Office Policy
  ○ Physical Document Disposal
● Reporting any suspicious activity / reporting any lost or stolen technology


Additional Policy Areas Important to Legal Aid and Defender Organizations

● Communications & Connectivity Policies (access to and movement of data)
  ○ Remote Access Policy
  ○ Wireless Communication Policy
  ○ Firewall / Perimeter Intrusion Prevention System (IPS) Management Policy
  ○ Encryption - General Guidance
  ○ Email Use Policy
  ○ Data Leakage Prevention (DLP) Policy
  ○ Malware Prevention/Zero Day Exploit (Web/Email)
● Access Control Policies (the locks and keys)
  ○ Authentication Policies
  ○ Password Policy
  ○ Multi-Factor Authentication Policy
  ○ Account Lockout Policy
  ○ Screen Locking Policy
  ○ Creation and Use of Privileged Accounts
  ○ Service / Utility Accounts
  ○ Vendor/Third Party Accounts
  ○ User Accounts
● Data Classification and Data Handling (understanding and managing the data you collect and manage)
  ○ Data Classification Policy
  ○ Data Handling Policy
  ○ Ethical walls (across practices & users)


Current Environment Driving Policy Priorities

● Working from home
● Working with clients and tribunals remotely
● Sharing space with roommates/family
● Using personally-owned, unmanaged smartphones & computers
● Insecure & unmanaged home technology (consumer grade, unmanaged modems, firewalls, printers, and wireless access points)
● Necessity is the mother of invention -> use of unapproved tools & tech
● The national cyber-security threats are greatly increasing
● Exposure to risk is much greater
● Soon - working part-time back in the office/courts


Priority Policy Areas

For End Users

a. Emergency Work from Home
b. Acceptable Use
c. Security Awareness Training

For Operations

d. Email Security
e. Network Security (on-site & in the cloud)
f. Case and Document Management
g. Data Retention & Destruction
h. Backup and Disaster Recovery
i. Onboarding & Offboarding Staff & Volunteers


Emergency Work from Home Policy

● Different from standard telework policy
● Includes tech & non-tech recommendations
● Assess how other policies are relevant
● Consider impact of work from home on other firm policies
● Tailor to your technologies & needs as an organization
  ○ Not one size fits all


Managing Risk

● More dynamic & complex environment = more risk
● Stresses the role of the end user in the security of client and firm data
● Partnership between IT, supervisors and the users
● Rapid, but cautious adoption of new technology
  ○ Be patient with your IT staff, don’t go rogue


Supervision

● Regular check-ins & office hours

● Work schedule and availability

● Time tracking

● Training & coaching on new tools & practices

● How are we supporting our supervisors?


Work from Home Environment

● Thoughtful about the environment
● Work environment that works for an extended period
● Basic technology guidance
● Navigate other adults and children
● Maintaining confidentiality and security


Let’s take a look at the draft policy


Scenario: Establishing a tech committee

Your organization needs to establish a tech committee to identify priorities and guide change management.

Consider
● Getting buy-in from your executive director
● Putting out a call for volunteers. Here is CFR’s communication.
● Collaborating on the timed meeting agenda with tech committee volunteers
● Delegating tasks and setting deadlines at the meeting
● Forming separate project committees when the discussion starts getting “into the weeds”.


Scenario: New/Updated Security Policies

Your organization needs to adopt new policies or adapt existing security policies for work from home.

Consider
● Meeting with your tech committee to identify the most pressing security concerns
● Forming a security policies committee to work on and pilot the policies
● Providing cyber security webinars for your staff before you announce the new policies
● Introducing your new security policies in a webinar and soliciting feedback
● Making it mandatory for staff to acknowledge that they have read the new policies
● CFR example - summer legal interns
  ○ Deploying limited resources vs. allowing them to work on personal laptops
  ○ Sharing confidential client and company information
  ○ Onboarding new staff remotely


Scenario: Adopting a new tool

Your organization needs to adopt a new tool for collaboration.

Consider
● Meeting with your tech committee to create a timeline for training and a transitional period
● Contacting the tool’s developer to inquire about providing trainings
● Recording the trainings or creating a collection of “how to” videos for staff (YouTube is great for this)
● Emphasizing the benefits of the new tool/policy/protocol
● Creating sets of directions tailored to users within your organization
● Making yourself and other IT staff available via chat or video conference for “walk in” hours
● CFR example - adopting e-sign software for client documents
  ○ Had to be done ad hoc
  ○ Train staff and clients
  ○ Budgetary limitations


Next Steps

● Use this slide deck as a reference
● Tailor the draft eWFH policy to fit
  ○ https://www.just-tech.com/featured/sample-emergency-work-from-home-policy/
● SANS security policy templates
  ○ https://www.sans.org/information-security-policy/?&category=

Questions

● Ben Chan ([email protected]) or
● John Greiner ([email protected])


Other Security Resources

● SANS - https://sans.org
● Krebs on Security - http://krebsonsecurity.com
● Threat Post - https://threatpost.com
● Graham Cluley - https://grahamcluley.com
● Security Ledger - https://securityledger.com
● Sophos - https://nakedsecurity.sophos.com
● Privacy Rights - https://www.privacyrights.org
● IT Toolbox - http://security.ittoolbox.com
● CIS - https://www.cisecurity.org
● US-CERT - https://www.us-cert.gov/ncas/tips