Tech Policies and Practices
Meeting Outline
1. Getting ready to work on policies & practices
2. Policy priorities for legal aid and defender organizations
3. Impact of Covid-19 on the landscape & related policy priorities
4. Walking through a draft work from home policy
5. Moving policies and practices forward through your organization
6. Example - Intranet posting guidelines
7. Next Steps
Engaging Your Organization - Proactive vs Reactive
● Form a tech committee
○ Volunteers from various departments and managerial levels. No IT expertise needed.
○ Discuss long-term & short-term projects; solicit feedback on what the priorities ought to be.
○ Valuable assistance with the non-IT aspects of IT projects.
○ Can be your focus group, early adopters, and mentors
● Form specific committees for specific projects
● Don’t be the only IT voice in your organization
○ Get the executives, supervisors and senior staff to communicate for you.
Anticipate potential obstacles
● Hardware
○ Company-issued devices vs. personal devices
● Shadow IT
○ Ad-hoc, unofficial IT systems deployed by users or departments (other than IT), usually to work around shortcomings in the official systems
● Staff adapting to other changes at the same time
● Competing IT priorities
● Executive buy-in
● User buy-in
● Limited resources (time, money, hardware, software)
General Tech Policy Priorities for the Legal Aid & Defender Communities
General Organizational Security Policies
● Policy Overview & Intro
● General Risks & Security Posture
○ Need-based access
● Responsible Parties – to manage & update
● Policy Enforcement – testing and achieving compliance
● Personnel Security Policy
○ On/Off-boarding, Security Awareness
● Physical security of data (printed and electronic) & systems (servers, backups)
● Endpoint security (servers, PCs, phones)
● Service security on-site & in the cloud (email, collaboration, case management, etc.)
● Systems Use Monitoring
● Equipment/software life-cycle and maintenance
● Confidential Data Storage
○ Which Systems
○ Encryption of Data, Servers, User Equipment
○ Access
● Data Retention
● Data/System Backup/Recovery
● E-mail Backup and Retention
● Data Destruction (cloud, backups, servers, end-user devices, copiers)
● Business Continuity / Disaster Recovery Policy and, separately, Procedures
Acceptable Use Policies
● General Use/Purposes
● Security Awareness Program
● No Expectation of Privacy/Company Owned Systems & Data
● Passwords/Systems IDs
● Internet Access & Use
● Social Media and Web-Based Email Use
● E-mail Communications
○ Outgoing Messages
○ Email with Confidential Data
○ Data Sanitizing – Metadata Cleanup
○ Business Messages
○ Personal Messages
○ Confirm Transmissions
○ Phishing/Spoofing
○ Suspicious Attachments
○ Reporting Suspicious Emails
● Laptops/Tablets and Remote Access
● Wi-Fi Access/VPN (inside and outside the office)
● Non-Firm Owned or Controlled Tablets/Laptops/Macs/PCs
● Bring Your Own Device (BYOD)
● Firm Workstations (Desktops and Laptops)
● Malware Prevention
● Data Classification
● Data Handling
○ Public Data Handling
○ Confidential Data Handling
○ Clean Desk/Office Policy
○ Physical Document Disposal
● Reporting any suspicious activity / reporting any lost or stolen technology
Additional Policy Areas Important to Legal Aid and Defender Organizations
● Communications & Connectivity Policies (access to and movement of data)
○ Remote Access Policy
○ Wireless Communication Policy
○ Firewall / Perimeter Intrusion Prevention System (IPS) Management Policy
○ Encryption - General Guidance
○ Email Use Policy
○ Data Leakage Prevention (DLP) Policy
○ Malware Prevention/Zero-Day Exploit (Web/Email)
● Access Control Policies (the locks and keys)
○ Authentication Policies
○ Password Policy
○ Multi-Factor Authentication Policy
○ Account Lockout Policy
○ Screen Locking Policy
○ Creation and Use of Privileged Accounts
○ Service / Utility Accounts
○ Vendor/Third Party Accounts
○ User Accounts
● Data Classification and Data Handling (understanding and managing the data you collect and manage)
○ Data Classification Policy
○ Data Handling Policy
○ Ethical walls (across practices & users)
Current Environment Driving Policy Priorities
● Working from home
● Working with clients and tribunals remotely
● Sharing space with roommates/family
● Using personally-owned, unmanaged smartphones & computers
● Insecure & unmanaged home technology (consumer-grade, unmanaged modems, firewalls, printers, and wireless access points)
● Necessity is the mother of invention: use of unapproved tools & tech
● The national cyber-security threats are greatly increasing
● Exposure to risk is much greater
● Soon - working part-time back in the office/courts
Priority Policy Areas
For End Users
a. Emergency Work from Home
b. Acceptable Use
c. Security Awareness Training
For Operations
d. Email Security
e. Network Security (on-site & in the cloud)
f. Case and Document Management
g. Data Retention & Destruction
h. Backup and Disaster Recovery
i. Onboarding & Offboarding Staff & Volunteers
Emergency Work from Home Policy
● Different from standard telework policy
● Includes tech & non-tech recommendations
● Assess how other policies are relevant
● Consider impact of work from home on other firm policies
● Tailor to your technologies & needs as an organization
○ Not one size fits all
Managing Risk
● More dynamic & complex environment = more risk
● Stresses the role of the end user in the security of client and firm data
● Partnership between IT, supervisors and the users
● Rapid, but cautious adoption of new technology
○ Be patient with your IT staff, don’t go rogue
Supervision
● Regular check-ins & office hours
● Work schedule and availability
● Time tracking
● Training & coaching on new tools & practices
● How are we supporting our supervisors?
Work from Home Environment
● Thoughtful about the environment
● Work environment that works for an extended period
● Basic technology guidance
● Navigate other adults and children
● Maintaining confidentiality and security
Let’s take a look at the draft policy
Scenario: Establishing a tech committee
Your organization needs to establish a tech committee to identify priorities and guide change management
Consider
● Getting buy-in from your executive director
● Putting out a call for volunteers. Here is CFR’s communication.
● Collaborating on the timed meeting agenda with tech committee volunteers
● Delegating tasks and setting deadlines at the meeting
● Forming separate project committees when the discussion starts getting “into the weeds”.
Scenario: New/Updated Security Policies
Your organization needs to adopt new policies or adapt existing security policies for work from home.
Consider
● Meeting with your tech committee to identify the most pressing security concerns
● Forming a security policies committee to work on and pilot the policies
● Providing cyber security webinars for your staff before you announce the new policies
● Introducing your new security policies in a webinar and soliciting feedback
● Making it mandatory for staff to acknowledge that they have read the new policies
● CFR example - summer legal interns
○ Deploying limited resources vs. allowing them to work on personal laptops
○ Sharing confidential client and company information
○ Onboarding new staff remotely
Scenario: Adopting a new tool
Your organization needs to adopt a new tool for collaboration
Consider
● Meeting with your tech committee to create a timeline for training and the transition period
● Contacting the tool’s developer to inquire about providing trainings
● Recording the trainings or creating a collection of “how to” videos for staff (YouTube is great for this)
● Emphasizing the benefits of the new tool/policy/protocol
● Creating sets of directions tailored to users within your organization
● Making yourself and other IT staff available via chat or video conference for “walk in” hours
● CFR example - adopting e-sign software for client documents
○ Had to be done ad hoc
○ Train staff and clients
○ Budgetary limitations
Next Steps
● Use this slide deck as a reference
● Tailor the draft eWFH policy to fit
○ https://www.just-tech.com/featured/sample-emergency-work-from-home-policy/
● SANS security policy templates
○ https://www.sans.org/information-security-policy/?&category=
Questions
● Ben Chan ([email protected]) or
● John Greiner ([email protected])
Other Security Resources
SANS
● https://sans.org
Krebs on Security
● http://krebsonsecurity.com
Threat Post
● https://threatpost.com
Graham Cluley
● https://grahamcluley.com
Security Ledger
● https://securityledger.com
Sophos
● https://nakedsecurity.sophos.com
Privacy Rights
● https://www.privacyrights.org
IT Toolbox
● http://security.ittoolbox.com
CIS
● https://www.cisecurity.org
US-CERT
● https://www.us-cert.gov/ncas/tips