Title: C841 Task 2 - Ethical Challenges faced in Cybersecurity
Course: Legal Issues in Information Security
Institution: Western Governors University

Summary

A case study for ethical standards in cybersecurity and how ethics and security policy can go hand in hand. Justify the adoption of a set of standards for ethical behavior and the implementation of said standards....



David Putnam Student ID: 001238552

A1a. Ethical Guidelines and Other Organizations: Organization 1

International Systems Security Association (ISSA)

ISSA is an internationally recognized professional association of cybersecurity professionals. It was founded in 1984 with the purpose: "To promote a secure digital world" (Developing and Connecting Cybersecurity Leaders Globally, n.d.).

1. Ethical Guideline: "Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of or is detrimental to employers, the information security profession, or the Association" (ISSA Code of Ethics, n.d.).
2. Applicability: Nadia Johnson carried on a personal relationship with Carl Jaspers: apparent quid pro quo.
   - Nadia held oversight responsibility over the Business Intelligence (BI) unit.
   - Her recommendations for performance/merit increases regularly gave high marks.
   - Gifts were exchanged frequently on personal occasions.
   - Ultimately, Nadia failed to perform proper security audits which, had they been properly performed, would have discovered and potentially prevented several cases of illegal activity.
   - Security reports to executives were falsified to report compliance.

A1a. Ethical Guidelines and Other Organizations: Organization 2

International Information System Security Certification Consortium (ISC2)

ISC2 is an internationally recognized certification authority dedicated to developing and standardizing industry best practices.

1. Ethical Guideline: "Act honorably, honestly, justly, responsibly, and legally" (Code of Ethics | Complaint Procedures | Committee Members, n.d.).
2. Applicability:
   1. Act honorably:
      - TechFite sales professionals used the intellectual property (IP) of potential clients that chose not to use TechFite services to assist in the development of competing products for other clients.
      - Carl Jaspers encouraged the use of "dumpster diving" to gather strategic business information about competing businesses.
   2. Act honestly:
      - False client accounts were used to increase the appearance of BI unit sales.
      - The same false accounts might have been used for off-the-book transactions.
      - Nadia falsified reports to executive management concerning compliance with policy.
   3. Act responsibly:
      - Nadia failed to perform the basic duties of oversight for the BI unit, leading to the propagation of illegal and unethical behavior.
   4. Act legally:
      - TechFite employees monitored and penetrated the systems of internet-based businesses.
      - TechFite employees used dummy accounts to infiltrate various TechFite departments and access confidential information.

A1a. Ethical Guidelines and Other Organizations: Organization 3

Strategic & Competitive Intelligence Professionals (SCIP)

"A global non-profit community of Intelligence Strategists; leaders who leverage insights, best practices, and unimpeachable ethics to drive growth and reduce risk in strategic choices."

1. Ethical Guideline: Always in Compliance - To comply with all applicable laws, domestic and international.
2. Applicability:
   1. Violation of CFAA:
      1. BI dummy accounts were used to infiltrate and access confidential TechFite documents in various departments.
      2. Penetration of various internet-based company networks.
   2. Violation of ECPA: Use of TechFite staff and systems to surveil the network traffic of other companies.
   3. Violation of SOX: Falsification of sales data using fake client lists and transactions.

A2. Unethical Practices

1. Use of TechFite systems to surveil, monitor, and penetrate internet-based competitors:
   1. Sara Miller (Senior Analyst) in the BI unit regularly and openly used Metasploit on TechFite systems to scan the systems of other internet-based companies.
      1. Subordinates Megan Rogers and Jack Hudson participated in scanning activities and were encouraged by Miller when the resulting scans led to success for the team.
      2. Hudson coordinated efforts with third-party entities to gather competitive intelligence. Active surveillance and dumpster diving were common methods coordinated.
2. Pattern of using IP from customers who declined TechFite services to develop products and services on behalf of current clients, in direct competition with the owners of that IP.
   1. Carl Jaspers executed a nondisclosure agreement (NDA) with both:
      1. Orange Leaf:
         1. Orange Leaf in turn provided answers to a set of questionnaires, including technical information about Orange Leaf's products.
         2. Orange Leaf decided not to hire TechFite.
         3. Another TechFite client launched similar products months after.
      2. Union City Electronic Ventures:
         1. Proprietary information was found in the hands of a competing entity months later.
   2. Client files and contracts are not kept segregated from each other, and no plan or technology was evidently in development to do so.
   3. All workstations in the BI unit have admin rights and can access any files.

A3. Factors

1. Lack of a conflict-of-interest policy for in-house relationships.
   1. Nadia Johnson was in a position that required oversight of the organizational performance of the unit for which Carl Jaspers was the lead.
      1. The personal relationship held outside of TechFite affected the way in which Nadia performed her job.
      2. Nadia falsified executive reports to indicate Business Intelligence (BI) unit compliance with company security policies.
         1. Failed to perform an audit on the client database to check the legitimacy of sales accounts.
         2. Failed to audit account security privileges and usage.
         3. Failed to audit the Data Loss Prevention (DLP) measures in place to protect confidential information.
      3. Apparent quid pro quo cover-up.
2. No protection for IP. All BI unit employees have access to all client files/projects from any computer terminal.
   1. Systems are not segregated for account creation, sales, and accounting duties.
      1. The same employee can create an account, make a sale, and account for the sale/billing.
         1. This violates GAAP and consequently SOX.
   2. Client data is kept in the same area on the network without regard to security or source.
      1. No segregation of system resources.
      2. No segregation of client data.
      3. Employee access to all clients regardless of current/past project assignment.
   3. The lack of security designed to respect IP leads employees to consider data free and clear to use in whichever project they are participating in.
      1. Data from one client's project can currently be easily accessed and referenced for use on a competing client's proposal/project.
      2. Data from failed proposals is retained beyond needed/recommended security and legal requirements.

B1. InfoSec Policies

1. Chinese Wall methodology of data segregation:
   1. Client IP data was collected and maintained without regard to data security or confidentiality. IP theft.
      1. IP from Orange Leaf and Union City Electronic Ventures was accessed and used by TechFite BI unit team members in competing client projects.
      2. All TechFite client data was stored in the same area of the system, without encryption or access control mechanisms in place to prevent data leakage.
   2. Unneeded IP data was collected by Carl Jaspers prior to proposal acceptance, increasing the requirement for IP protection mechanisms to be in place and utilized.
      1. No such mechanisms were used or considered in designing the BI unit systems and applications.
2. Policy of least privilege, dual control, and separation of duties: All BI unit accounts had access to client account creation, sales, and billing processes for all clients. Beyond risking sales fraud (which was found in the creation and use of 3 special accounts), certain accounts of previous employees were used on a regular basis, with elevated privilege, to access other confidential TechFite department systems and documents without authorization. These accounts were used frequently to review confidential data and confidential reports intended for the executive team.
   1. Account creation, maintenance and auditing, and retirement should require separation of duties and dual control.
      1. Dummy accounts were requested and created by Carl Jaspers on behalf of former employees and were found still active long after employee termination.
   2. Client account creation requires an application filled out by sales personnel and submitted to and vetted by account managers. Account managers create the accounts. Sales personnel document sales invoices; billing specialists work with client billing departments on collecting sales invoices.
   3. Periodic account auditing is required, performed jointly by Information Security and Accounting staff.
      1. Client accounts are vetted again for validity and deactivated/suspended pending review of any irregularities found.

B2. SATE Components

1. The Chief Information Security Officer (CISO) will be tasked with the oversight and management of the Security Awareness Training and Education (SATE) program.
   1. The CISO approves course content and format.
      1. Formats can include in-person, asynchronous in-person, online learning course modules through a learning management system, and/or printed material, based on the specified content importance and priority.
   2. The CISO determines required courses by employee role in the company.
      1. All employees are required to participate in Code of Conduct and Ethics, General Security Awareness, and Conflict of Interest Avoidance courses.
      2. More specialized awareness training is required for employees holding managerial/oversight responsibilities, or those in more specialized positions such as HR, Accounting, ITSM, and C-suite executives:
         1. SOX
         2. CFAA
         3. ECPA
2. Required Participants
   1. All employees will participate to varied degrees based on their role within the company.
   2. Trainers will be subject matter experts contracted for the development of learning materials or course-specific training.

B2a. SATE Program Communication

The TechFite SATE program will be communicated in three ways:

1. New employees:
   1. Participate through orientation courses required to be completed before the first day in position.
   2. Continued periodic training, like existing employees.
2. Existing employees:
   1. Receive notification through email explaining the implementation process of the SATE program: timing, specific required courses, and justifications.
   2. Discussion with their manager in one-on-one meetings.
      1. Additional requirement of satisfactory completion of periodic training as part of performance evaluation.
3. Non-completion of initial and/or periodic refresher training warrants disciplinary action.
   1. Initial training will be required to be completed within 6 months from implementation.
   2. Periodic refresher courses are required on an annual basis.
   3. Employees promoted within the company into a management/oversight position will be required to take additional supplemental courses related to their new position within 2 months from the start of the new position.

B2b. SATE Program Justification

1. Personal relationships between managers/overseers and employees.
   SATE Program Mitigation: Course on Avoiding Conflict of Interest.
   - Will discuss what constitutes a conflict of interest and why it needs to be avoided.
   - Will discuss company expectations of disclosure and compliance with gift policies.
2. Theft/misuse of IP: Intellectual property of clients being discussed with or provided to non-party entities despite an NDA.
   SATE Program Mitigation: Course on legal and ethical responsibilities with regard to client data.
   - Clearly define the requirements for data generation, isolation, retention, and destruction.
     - Only data required for the specific projects in contract or past projects will be collected and retained.
     - Data will be kept on isolated domains within the organization.
   - Employees may not work on two competing projects/client accounts.
     - Segregation of TechFite systems in a Chinese Wall methodology to limit employee access to client accounts.
     - When an employee leaves one project, all access to that project's files/systems is removed.
     - Employees cannot readily move from one client to a competing client's project/account.
   - Non-compete clause in client contracts with TechFite.
   - If a proposal is rejected by a client, only minimal project terms/details will be retained for legal records; all other client-specific technical specifications will be purged from TechFite systems.

B2b. SATE Program Justification (cont.)

1. Creation and use of fake customer accounts: Three false client accounts were created in the BI unit database. The accounts were used to manipulate the appearance of profitability of the BI unit through false sales and cost charges.
   SATE Program Mitigation:
2. TechFite systems were infiltrated, and confidential documents were accessed without authorization, using accounts of former employees that were not disabled and retired after their termination.
   SATE Program Mitigation:
   - Compliance training about legal and ethical responsibilities under the CFAA.
   - Course on company policies and procedures for account creation, maintenance and auditing, and retirement, specialized for managerial staff.
   - Principle of Least Privilege.

C. Ethical Challenges and Mitigation

1. Conflict of Interest:
   1. Nadia Johnson carried on a personal relationship with Carl Jaspers: apparent quid pro quo.
   2. BI unit employees have access to all client files.
2. Mitigation:
   1. Conflict of Interest Policy:
      1. No personal relationships allowed between management and employees, or between those with oversight responsibilities and those they are meant to oversee.
      2. No gifts allowed with a value greater than $10 in any year between employees.
      3. No gifts allowed to or from clients with a value greater than $50 in the year.
      4. Employees are only allowed access to accounts they are directly involved with.
         1. No employee may be involved in projects of competing clients.

C. Ethical Challenges and Mitigation (cont.)

1. Use of IP from current or former client proposals by/for other client projects/proposals.
2. Mitigation Recommendations:
   - Segregate staff and data storage archives for each client.
   - Limit the type and amount of data collected from each client to only that which is required for the competent creation of the proposal prior to client acceptance.
     - Further limit this to only the data/technical specifications needed to complete work on the project.
   - Limit access by employees to any client data:
     - Must have a need to know.
     - Must not be working on other client projects/proposals in direct conflict.
   - Limit the time/purpose of data storage after these events:
     - Client proposal creation
     - Proposal acceptance
     - Proposal rejection
     - Project implementation
     - Project termination/acceptance
     - Client relationship termination
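The Chinese Wall segregation proposed in B1 and the access limits recommended in C (need to know, no work on competing clients, access removed on leaving a project) can be expressed as a small access-control model. The block below is an added example written for this page; it is not part of the paper and not TechFite's code. It implements the Brewer-Nash "Chinese Wall" rule (an analyst who has read one client's data may never read a competitor's), a need-to-know check against current project assignments, and the separation-of-duties rule from B1 for the client account workflow (sales request, account manager creates, sales invoices, billing collects). Client names, conflict classes, employees and roles are constructed for the example.

```python
"""Added example: Chinese Wall (Brewer-Nash) access check plus a
separation-of-duties check for the client-account workflow.
All clients, conflict classes, people and roles below are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed conflict-of-interest classes: clients in the same class compete.
CONFLICT_CLASSES = {
    "ClientAlpha": "retail-wearables",
    "ClientBeta": "retail-wearables",      # competes with ClientAlpha
    "ClientGamma": "industrial-sensors",   # unrelated market
}


@dataclass
class Analyst:
    name: str
    assignments: set[str] = field(default_factory=set)  # current projects (need to know)
    history: set[str] = field(default_factory=set)      # every client ever read


def _competitors(client: str, others: set[str]) -> set[str]:
    """Clients in `others` that share a conflict class with `client`."""
    cls = CONFLICT_CLASSES[client]
    return {c for c in others if c != client and CONFLICT_CLASSES[c] == cls}


def can_read(analyst: Analyst, client: str) -> tuple[bool, str]:
    """Brewer-Nash simple security rule combined with need-to-know."""
    if client not in CONFLICT_CLASSES:
        return False, "unknown client"
    if client not in analyst.assignments:
        return False, "not assigned to project (no need to know)"
    seen = _competitors(client, analyst.history)
    if seen:
        return False, f"wall: already accessed competing client {sorted(seen)[0]}"
    return True, "allowed"


def read(analyst: Analyst, client: str) -> tuple[bool, str]:
    """Record the read in the analyst's history only if the policy allows it."""
    ok, reason = can_read(analyst, client)
    if ok:
        analyst.history.add(client)
    return ok, reason


def assign(analyst: Analyst, client: str) -> bool:
    """Refuse an assignment that would put one person on two competing accounts."""
    if _competitors(client, analyst.history | analyst.assignments):
        return False
    analyst.assignments.add(client)
    return True


def leave_project(analyst: Analyst, client: str) -> None:
    """Access is removed when leaving a project; history is kept so the wall stays up."""
    analyst.assignments.discard(client)


# Separation of duties for the account workflow described in B1.
STEP_ROLE = {"request": "sales", "create": "account_manager",
             "invoice": "sales", "collect": "billing"}
# Pairs of steps that dual control forbids one person from performing alone.
DUAL_CONTROL_PAIRS = [("request", "create"), ("create", "invoice"),
                      ("invoice", "collect")]


def sod_violations(events: list[tuple[str, str]], roles: dict[str, str]) -> list[str]:
    """events: (step, actor) in workflow order; roles: actor -> role. Returns findings."""
    findings: list[str] = []
    actors_by_step: dict[str, set[str]] = {}
    for step, actor in events:
        expected = STEP_ROLE.get(step)
        if expected is None:
            findings.append(f"{step}: unknown workflow step")
            continue
        if roles.get(actor) != expected:
            findings.append(f"{step}: {actor} holds role {roles.get(actor)!r}, needs {expected!r}")
        actors_by_step.setdefault(step, set()).add(actor)
    for first, second in DUAL_CONTROL_PAIRS:
        both = actors_by_step.get(first, set()) & actors_by_step.get(second, set())
        for actor in sorted(both):
            findings.append(f"dual control: {actor} performed both {first} and {second}")
    return findings


# Constructed sample data: a compliant workflow and the single-actor pattern from A3.
ROLES = {"carl": "sales", "dana": "account_manager", "bill": "billing"}
GOOD_EVENTS = [("request", "carl"), ("create", "dana"), ("invoice", "carl"), ("collect", "bill")]
BAD_EVENTS = [("request", "carl"), ("create", "carl"), ("invoice", "carl"), ("collect", "carl")]

if __name__ == "__main__":
    alice = Analyst("alice")
    print(assign(alice, "ClientAlpha"), read(alice, "ClientAlpha"))
    print(assign(alice, "ClientBeta"))          # refused: competes with ClientAlpha
    print(sod_violations(BAD_EVENTS, ROLES))
```

Note that `leave_project` clears the assignment but not the history: that is the Brewer-Nash property the paper's "cannot readily move from one client to a competing client" recommendation relies on, and it is why an analyst with admin rights to every client's files (the A3 situation) is still blocked by the wall check even when the assignment control is bypassed.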

D. References/Sources

Code of Ethics. (n.d.). ISSA International. Retrieved March 8, 2021, from https://www.issa.org/code-of-ethics/

Code of Ethics | Complaint Procedures | Committee Members. (n.d.). Retrieved March 8, 2021, from https://www.isc2.org:443/Ethics

Computer Fraud and Abuse Act (CFAA) | Practical Law. (n.d.). Retrieved February 27, 2021, from https://content.next.westlaw.com/Document/I210618b5ef0811e28578f7ccc38dcbee/View/FullText.html?transitionType=Default&contextData=(sc.Default)

Cybersecurity Certification and Training | (ISC)2. (n.d.). Retrieved December 28, 2020, from https://www.isc2.org:443/About

Developing and Connecting Cybersecurity Leaders Globally. (n.d.). ISSA International. Retrieved March 10, 2021, from https://www.issa.org/about-issa/

Electronic Communications Privacy Act of 1986. (n.d.). Retrieved February 27, 2021, from https://it.ojp.gov/privacyliberty/authorities/statutes/1285

ISSA Code of Ethics. (n.d.). ISSA International. Retrieved December 28, 2020, from https://www.issa.org/issa-code-of-ethics/

Lesson 13: Criminal Law and Tort Law Issues in Cyberspace - uCertify. (n.d.). Retrieved February 9, 2021, from https://wgu.ucertify.com/?func=ebook&chapter_no=13#03bDp

Member Dashboard. (n.d.). Retrieved December 28, 2020, from https://www.isc2.org:443/Dashboard

Membership & Event Policies. (n.d.). Retrieved March 10, 2021, from https://www.scip.org/page/Membership-EventPolicies?&hhsearchterms=%22code+and+ethics%22

SCIP, C. M. (n.d.). About SCIP - Strategic & Competitive Intelligence Professionals. Retrieved March 13, 2021, from https://www.scip.org/page/About-Us

uCertify. (n.d.-a). Lesson 5: Security and Privacy of Consumer Financial Information. UCertify. Retrieved December 29, 2020, from https://wgu.ucertify.com/?func=ebook&chapter_no=5

uCertify. (n.d.-b). Lesson 5: Security and Privacy of Consumer Financial Information. UCertify. Retrieved December 30, 2020, from https://wgu.ucertify.com/?func=ebook&chapter_no=5

uCertify. (n.d.-c). Lesson 8: Corporate Information Security and Privacy Regulation. UCertify. Retrieved January 7, 2021, from https://wgu.ucertify.com/?func=ebook&chapter_no=8

uCertify. (n.d.-d). Lesson 8: Corporate Information Security and Privacy Regulation. UCertify. Retrieved January 9, 2021, from https://wgu.ucertify.com/?func=ebook&chapter_no=8

uCertify. (n.d.-e). Lesson 11: Intellectual Property Law. UCertify. Retrieved January 19, 2021, from https://wgu.ucertify.com/?func=ebook

Zotero | Downloads. (n.d.). Retrieved December 28, 2020, from https://www.zotero.org/download/...

