11 January 2015

Legal Risk: Forensic Analysis of Supply Chain...

Corporate environments where a dedicated Chief Information Security Officer (CISO) works along side the General Counsel (GC) to tackle Operational Risk Management (ORM), continues to be a significant challenge.  The introduction of court certified tools for forensic analysis of information on both desktop and mobile devices to include phones, tablets and anything with a storage capability (USB Jump Drives) has created an executive level debate.  "What" information will we perform forensic analysis on, "why" and "when" will we do it?

The "Why" question is most obvious, like the analysis of DNA, the zeros and ones (0's and 1's) that make up the digital fingerprints (user names, passwords), blood-type (e-mail, SMS) and other behavioral evidence is important to associate the identity of the person(s) using a certain digital device. In addition, the ability to track the whereabouts of a particular digital device via GPS metadata or IP address, can also provide additional context and evidence, to be considered in the forensic examination.

The "What" information is in many cases going to be preceded by the "When" and has much to do with the policy in place within the corporate environment.  Modern "Acceptable Use Policy" may spell out that any device can be examined at any time, if it is a corporate issued and owned product.  Personal devices allowed in the workplace may be subject to a completely different set of policy doctrine, that falls under state and federal statutes.

The "When" question could be on a continuous basis and tied to a particular event, such as an employee who has given notice to leave the organization.  The event could also be as a result of an alarm or alert that the Information Security team receives from an automated system, within the corporate network.  So back to the challenges faced by the CISO vs. the GC on the Operational Risk Management process and addressing all of these issues.  Is it a legally sound manner that also achieves a "Defensible Standard of Care?"
Now imagine all of this going on oblivious to the confines of a small-to-medium size enterprise (SME). These organizations are typically defined as under 1000 employees yet can be defined further by the type of business and industry.  Now imagine that this particular SME, is operating within the Defense Industrial Base and is in the professional services supply chain of the top three U.S. government contractors, who are bidding on the next generation bomber for the U.S. Air Force.  What do we mean by supply chain?  This particular SME, is one of the outside counsel for Lockheed Martin, Boeing or Northrop. Yes, this law firm is in the information supply chain, working on legal matters associated with a top tier defense contractor.
If you are the GC and CISO at LM, Boeing or Northrop, what controls and policies do you have in place or service level agreements (SLA) that spell out the process to forensically examine the mobile devices of the lawyers and associates of your outside counsel? When?  Why?  The public disclosure of law firms and their associates being the target of nation states espionage is several years old.  When was the last time as a GC or CISO you had a closed door summit with the information supply chain of law firms working for your Defense Industrial Base (DIB) corporation in the U.S.?  If you are a SME law firm, working in the supply chain of the DIB, What, Why and When are you using Forensic Analysis with all of your Partners, Associates, Paralegals and other people in your legal ecosystem?

Operational Risk Management (ORM) spans every department and every employee.  It requires prudent application of the use of forensic analysis, as a vital component of a comprehensive counterintelligence program.  And remember the why.  Spear Phishing of law firms has been a major warning since 2009 and over six years later, it is still growing because it remains so effective.

No comments:

Post a Comment