Blended Families - Issa-cos

Transcription

February 2017, Volume 15, Issue 2

Practical Steps for Compliance with New EU Data Privacy Regulations
Contextualizing the Blurring Boundaries of Information Security, Privacy, and Legal Aspects
Regulatory Review of 2016 and a Look Ahead
Achieving Compliance with Internal Controls

Blended Families: Initial Steps to Security and Privacy Collaboration

LEGAL, PRIVACY, REGULATION, ETHICS

Table of Contents
DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY

Feature

12 Blended Families: Initial Steps to Security and Privacy Collaboration
By Grace Buckler – ISSA Member, National Capital Chapter
This author addresses the fundamentals of security and privacy collaboration in the risk management framework, harnessing the common ground, collaborative relationship between the privacy and the security teams.

Articles

20 Practical Steps for Compliance with New EU Data Privacy Regulations
By Patrick Looney
This article seeks to inform executives of companies around the world that handle data on EU persons of the updated EU Data Privacy Regulations and to suggest some practical steps they can take to ensure their companies are fully compliant.

24 Contextualizing the Blurring Boundaries of Information Security, Privacy, and Legal Aspects
By Muzamil Riffat
In addition to providing the background information, this article also discusses two recent high-profile legal cases involving information security and privacy concerns to illustrate the complexities involved in such cases.

31 Regulatory Review of 2016 and a Look Ahead
By David Jackson – ISSA member, Northern Virginia Chapter
This article reviews the noteworthy regulatory actions from the past year that various executive agencies enacted in response to the current concerns in the information security and data privacy worlds, and then makes a few predictions about the coming year and what 2017 might bring.

38 Achieving Compliance with Internal Controls
By Carlos Valiente, Jr. – ISSA member, Tampa Bay Chapter
The author discusses the use of the Green Book, which provides a framework for designing, implementing, and operating internal controls that provide the reasonable assurance needed for achieving compliance and improving a cybersecurity management program.

Also in this Issue

3 From the President
4 editor@issa.org
5 Sabett’s Brief: What? More Privacy Training Requirements?
6 Herding Cats: Think Global, Act Local
7 Perspective: Women in Security SIG: Driving Cybersecurity Change – Political Transition as Catalyst
8 Security in the News
10 Association News

© 2017 Information Systems Security Association, Inc. (ISSA)
The ISSA Journal (1949-0550) is published monthly by Information Systems Security Association, 11130 Sunrise Valley Drive, Suite 350, Reston, Virginia 20191
703.234.4095 (Direct) 1 703.437.4377 (National/International)

2 – ISSA Journal February 2017

From the President
Greetings ISSA Members
Andrea Hoy, International President

There are two events in February. First is the converging of 40,000 or so people—information security professionals, technical writers, exhibitors, and other networkers, many from across the globe—descending upon San Francisco, California: RSA. And the song, “I Left My Heart in San Francisco” brings us to the second: Valentine’s Day, typically a day, or at least evening, we spend with our loved ones. Although some may be fortunate to share RSA and Valentine’s Day with their significant others, most of us will be spending it with our ISSA colleagues and friends. Either way, before you begin your Valentine’s Day evening, join us for libations and snacks at our annual ISSA Member Reception at the Moscone Center. Please take this opportunity to register a guest who might consider joining ISSA.

I want to take a moment to express some concerns that have been weighing upon me. We are an association of talented, enthusiastic, involved information security professionals. We have jobs and families that demand of our time, yet so many of us volunteer much of our remaining time to our association: committees, subcommittees, and boards at the chapter and international level, serving at the annual and local conferences, community outreach, and more, and even other organizations; and like all organizations, at times personalities can get in the way.

We are all carbon-based life forms with different concerns, agendas, and ideas. At times conflict between people has rippling effects over the decorum of a meeting or chapter, making some feel like quitting. Some say they just “shut down” or become “disenchanted” as their voice is no longer heard over the roar of a combative louder voice. The time and energy that could be spent on the betterment of the ISSA programs is lost, and friendships and the networking ISSA provides suffer. It concerns me that along with the loss of a volunteer or a member comes the loss of many potentially good ideas. I ask that you try to change the dynamics of your meetings. Think about what benefits all our members over a single initiative of that group. Think of ways to make new opportunities available to others. Everyone has strengths; find a way to mature those strengths. Let’s keep our membership involved and growing.

On a brighter note, I am continually amazed with our chapters and their accomplishments. The Puerto Rico Chapter inspires me with how they nurture their young student members. If you have the opportunity, visit the Columbia Central University Technology Lab, an incubator for potential information security professionals sponsored through the initiative of the ISSA Puerto Rico board. The only other sponsor is Microsoft. Also, in conjunction with their annual Puerto Rico Cybersecurity Conference, March 17, their first Financial SIG Summit will be held March 16 at the La Concha Resort. Those interested in the financial sector should take advantage of this opportunity and then stay the next day for the conference of this award-winning chapter: ISSA Puerto Rico.

So this February remember that, yes, we have the technology, but it is the passion in our hearts and our belief in security that differentiate our security programs. It is our people. Let’s keep our momentum going.

International Board Officers

President: Andrea C. Hoy, CISM, CISSP, MBA, Distinguished Fellow
Vice President: Justin White
Secretary/Director of Operations: Anne M. Rogers, CISSP, Fellow
Treasurer/Chief Financial Officer: Pamela Fusco, Distinguished Fellow

Board of Directors

Debbie Christofferson, CISM, CISSP, CIPP/IT, Distinguished Fellow
Mary Ann Davidson, Distinguished Fellow
Rhonda Farrell, Fellow
Geoff Harris, CISSP, ITPC, BSc, DipEE, CEng, CLAS, Fellow
DJ McArthur, CISSP, HiTrust CCSFP, EnCE, GCIH, CEH, CPT
Shawn Murray, C|CISO, CISSP, CRISC, FITSP-A, C|EI, Senior Member
Alex Wood, Senior Member
Keyaan Williams, Fellow
Stefano Zanero, PhD, Fellow

The Information Systems Security Association, Inc. (ISSA) is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members.

With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals. Members include practitioners at all levels of the security field in a broad range of industries, such as communications, education, healthcare, manufacturing, financial, and government.

The ISSA International Board consists of some of the most influential people in the security industry. With an international communications network developed throughout the industry, the ISSA is focused on maintaining its position as the preeminent trusted global information security community.

The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved.

editor@issa.org
Legal, Privacy, Regulation, Ethics
Thom Barrie – Editor, the ISSA Journal

Privacy? Where to begin?

For about half a year now I’ve been noticing that when landing on a webpage I may or may not have visited before, a rotating banner ad seems to know me. For example, on the site I just hit following a google search, the banner rotated among three completely unrelated sites that I have frequented: one stock photography, one music equipment, and one local mutual fund, and then a couple generics: disk cleaner and DDoS guide. The first time, I was “pleasantly” surprised—the photography site—thinking to myself, “hey, I buy stuff here. Cool,” until it then displayed images I had either put in a light box and/or purchased. How does this site know I visited those sites, specifically ones on which I had laid down money? And the music site? Hadn’t been there for a couple years, except the other day when I clicked an email link.

That “pleasant” surprise quickly turned to well not exactly outrage but leaning that way. Perhaps I should be outraged. When did I sign up for this? The mere act of googling signs over my ability not to be tracked? I’m feeling a little spied upon. If Google is serving up an enhanced user experience for me, I say no thanks. I already go to those sites when I want something. I don’t need to feel someone or something is looking over my shoulder. And this isn’t even the mass surveillance we’ve been apprised of and shocked over. Well, maybe a part—the part that’s watching my every move, my every keystroke, my every mouse click. And I’m not talking about key-logging malware. Is there a difference?

I’m reminded of a chat I had with Mark Weatherford, one of the keynoters at the Dallas conference. His talk was about the Cloud, and he waxed eloquently and persuasively about the subject. I myself am not convinced, and I mentioned that as I walked him to the elevator. He looked at me and said he understood and fundamentally agreed with me, but it’s what we have and what we will have. It’s market driven. Think about that.

Is privacy market driven? Market forces certainly wish to extract every bit of behavior, every bit of interest, every bit of whatever might differentiate me so it can sell me something, so it can stroke some “pleasure” zone it has discovered and bring me back for more.

Now if that banner ad had served up a different photography site, I probably would still have been in the “pleasant” frame of mind. They tipped their hand, exposing a bit of the process. Will this change my behavior? No. It is what it is and what it will be; and I suspect it will only get worse.

Enjoy the issue. Our writers do a much better job of dealing with legal, regulation, and yes, privacy than I. Sadly, ethics did not garner much interest this month.

—Thom

Editor: Thom Barrie, editor@issa.org
Advertising: vendor@issa.org, 866 349 5818, 1 206 388 4584

Editorial Advisory Board

James Adamson
Phillip Griffin, Fellow
Michael Grimaila, Fellow
Yvette Johnson
John Jordan, Senior Member
Mollie Krehnke, Fellow
Joe Malec, Fellow
Donn Parker, Distinguished Fellow
Jean Pawluk, Distinguished Fellow
Kris Tanaka
Joel Weise – Chairman, Distinguished Fellow
Branden Williams, Distinguished Fellow

Services Directory

Website: webmaster@issa.org, 866 349 5818, 1 206 388 4584
Chapter Relations: chapter@issa.org, 866 349 5818, 1 206 388 4584
Member Relations: member@issa.org, 866 349 5818, 1 206 388 4584
Executive Director: execdir@issa.org, 866 349 5818, 1 206 388 4584
Advertising and Sponsorships: vendor@issa.org, 866 349 5818, 1 206 388 4584

The information and articles in this magazine have not been subjected to any formal testing by Information Systems Security Association, Inc. The implementation, use and/or selection of software, hardware, or procedures presented within this publication and the results obtained from such selection or implementation, is the responsibility of the reader.

Articles and information will be presented as technically correct as possible, to the best knowledge of the author and editors. If the reader intends to make use of any of the information presented in this publication, please verify and test any and all procedures selected. Technical inaccuracies may arise from printing errors, new developments in the industry, and/or changes/enhancements to hardware or software components.

The opinions expressed by the authors who contribute to the ISSA Journal are their own and do not necessarily reflect the official policy of ISSA. Articles may be submitted by members of ISSA. The articles should be within the scope of information systems security, and should be a subject of interest to the members and based on the author’s experience. Please call or write for more information. Upon publication, all letters, stories, and articles become the property of ISSA and may be distributed to, and used by, all of its members.

ISSA is a not-for-profit, independent corporation and is not owned in whole or in part by any manufacturer of software or hardware. All corporate information security professionals are welcome to join ISSA. For information on joining ISSA and for membership rates, see www.issa.org.

All product names and visual representations published in this magazine are the trademarks/registered trademarks of their respective manufacturers.

Sabett’s Brief
What? More Privacy Training Requirements?
By Randy V. Sabett – ISSA Senior Member, Northern Virginia Chapter

Ok, everyone out there with a federal contract raise your hand if you think you are providing enough privacy training for your team. Hey, no one’s looking, so you can put your hands down if you really don’t think you are, though you may want to know that effective January 19, 2017, you are now required to ensure that your employees receive annual privacy training if they (1) handle personally identifiable information (PII), (2) have access to a system of records, or (3) design, develop, maintain, or operate a system of records. The DoD, GSA, and NASA recently issued new rules, adding Subpart 24.3 (Privacy Training) to the Federal Acquisition Regulation (FAR) and a new standard contract clause (FAR 52.224-3) implementing the new requirements.

Based on the OMB definition for PII, the new requirements define PII as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Similar to other expansive definitions of PII, this one is not limited to account numbers, social security numbers, or credit card numbers. Examples of PII include an individual’s name, social security number, biometric records, date and place of birth, and mother’s maiden name. According to the new rules, a “system of records” is a grouping of information from which information is retrieved by the name of the individual or other unique identifier assigned to that individual.

Under the new privacy training regulations, contractor employees with the specified access to PII and systems of records must receive initial privacy training and additional training annually. The training must be role-based (meaning that the training provided will depend on the assigned duties of the contractor employees), provide both foundational and more advanced levels of instructions, and include measures to test employees’ knowledge level.

At a minimum, the privacy training must cover:

• The provisions of the Privacy Act of 1974 (5 U.S.C. § 552a), including penalties for violations
• Appropriate handling and safeguarding of PII
• Authorized and official use of a system of records and PII
• Restrictions on the use of unauthorized equipment to create, collect, use, store, disseminate, or otherwise access PII
• Prohibitions against unauthorized use of a system of records or PII
• Procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure of PII

Companies may provide their own training to employees or use training provided by another source, unless the contracting agency specifies that only agency-provided training is acceptable. Companies will also be required to maintain records of employees’ privacy training and provide those records to the contracting agency upon request.

The new regulations apply to all contracts, including contracts at or below the simplified acquisition threshold and contracts for commercial items or commercially available off-the-shelf items. The privacy training requirements also flow down directly to subcontractor employees who have the specified access to PII and systems of records.

Companies with federal government contracts should review their employees’ access to PII and systems of records to determine whether the new regulations affect their employee training requirements. As we so often say in the infosec world—people are the number one cause of problems. While human-caused problems may never be completely eradicated, training can be a good way of addressing this issue. On that note, I’m headed off now to some training of my own, only this training involves a Labrador retriever, a newspaper at the end of the driveway, and a handful of cookies.

About the Author
Randy V. Sabett, J.D., CISSP, is Vice Chair of the Privacy & Data Protection practice group at Cooley LLP (www.cooley.com/privacy), and a member of the boards of directors of ISSA NOVA, MissionLink, and the Georgetown Cybersecurity Law Institute. He was a member of the Commission on Cybersecurity for the 44th Presidency, named the ISSA Professional of the Year for 2013, and chosen as a Best Cybersecurity Lawyer by Washingtonian Magazine for 2015-2016. He appreciates the contributions of his colleagues to this month’s column. He may be reached at rsabett@cooley.com.

Herding Cats
Think Global, Act Local
By Branden R. Williams – ISSA Distinguished Fellow, North Texas Chapter

I work for a global company, like many of you do out there. We are increasingly asked to perform tasks that have all kinds of ramifications when you consider how accessible our world has become and how our global economy works. Many of you know I have an obsession with tea. Over the last two years, I have broadened my palate and found new teas sourced directly from farms in Taiwan, China, and India. Thanks to a global demand and tremendous ecosystem around tea production and distribution, I am able to find tea brokers that I trust to get me quality product directly from those farmers to my home in Texas.

Consider how different things are now. Any business who decides to get a website is now a global business, which means that business owners must comply with a whole host of new kinds of laws they probably are not aware of.

We recently had a situation in my company where a global policy came into conflict with local laws in certain sovereign nations. The policy made sense from the global entity’s perspective, but once the policy began to roll out, local staff members quickly realized there was an issue. Globalization might put you between a rock and a hard place, so to speak. Do I violate corporate policy or do I break the law?

As we start to expand some of our operations into these areas, we’re also discovering something else. Local lore, or the common body of legal knowledge that is handed down from professional to professional, sometimes will affect the amount of resistance you will get when trying to implement change. For example, an initiative to move email into a cloud service to save money might be met with a response of, “We can’t legally do that. Our email has to reside on servers inside the country.”

As a US citizen with no training in another country’s laws much less my own, I’m not the right person to give an authoritative response; but you can bet that if I try to roll out a project that violates a law somewhere, I’m going to have to answer for it. Since I am not qualified to respond to such a statement, I really don’t know if the person was just trying to resist change or if what he said was true. Time to turn to the experts!

What I have started doing when I run up against barriers like this is ask for a full legal opinion, with references, so that we have a solid document from which to design the ultimate solution. This isn’t cheap to do, but I feel that it is necessary in order to keep in line with local laws when running a global organization. What I find is that through this process, we all learn something. The local employees may have been correct, but they didn’t include challenges to the statute or rule present in case law.

In some cases, the lore is just that. Lore. Over time, this common knowledge drifts farther from the facts and needs a course correction. A full legal opinion can provide this correction.

Another common problem I’ve run across is how different groups like to hold on to data—sensitive or not—far beyond the usefulness inside the business. Back in the early days of PCI DSS, we often had analysts tell us they needed to retain data for seven years. What they really needed was a record of the transaction, not the full payment method. Another common push back is the “We have to store everything indefinitely because we’re on a legal hold.” Sometimes this is correct, but most of the time it is overstated. Asking for the documentation that states what must be held and for how long will help clarify exactly what must be done.

As our accessibility of our planet continues to grow, we all need to think globally but act locally. Meaning, global policies and initiatives can be beneficial to your company, but you need to ensure local variability can exist to keep you in line with regulations and laws. Don’t just take someone’s word for it, however. Find an authoritative source and make sure to get referenced documentation. You should be able to follow the reference and validate the documentation presented to you. If there is an example of money well spent with a lawyer, this is it. And the resulting documentation can be used for years to come!

About the Author
Branden R. Williams, DBA, CISSP, CISM is a seasoned infosec and payments executive, ISSA Distinguished Fellow, and regularly assists top global firms with their information security and technology initiatives. Read his blog, buy his books, or reach him directly at http://www.brandenwilliams.com/.

Perspective: Women in Security SIG
WIS SIG Mission: Connecting the World, One Cybersecurity Practitioner at a Time
Driving Cybersecurity Change – Political Transition as Catalyst
By Rhonda Farrell – ISSA Fellow, Northern Virginia Chapter

Transitions of any kind are often keen fodder for change. The most recent US presidential transfer of power brings a golden opportunity to reshape the trajectory of the cybersecurity landscape. Where is the focus likely to be and what are the major issues likely faced within 2017, you ask? Of course, “it depends” upon your perspective. The following offers a global, domestic, and local examination of the trends within cybersecurity for 2017.

Legislation, regulations, and cyber law

The global and domestic landscapes are rife with cybersecurity challenges that will merit review and action within 2017. A review of recent cybersecurity legal-, policy-, and technical-related literature reveals the following topical areas as being on the forefront across the globe over the course of this year [1][3].

• Attribution-related improvements (technological, policy, and legislative)
• Bilateral cybersecurity agreements and arrangements (increase in creation and implementation)
• Cloud computing litigation surrounding the term “reasonable protections”
• Consumer protections (constitutional rights protection)
• Cryptocurrencies and blockchain technologies
• Cyber radicalization and cyber terrorism
• Drone jacking
• Emerging cybercrime methods, including ransomware (peaks by mid-2017, potentially heavily targeted towards healthcare facilities), and cybercrime-related international data sharing
• Encryption (legislation and technologies)
• Global focus on initiation and revision of cybersecurity legislation and associated policy
• Hacktivism from an infrastructure standpoint (voting machines, dam valves, plant safety systems)
• Internet jurisdiction challenges
• Internet of Things, especially within the cybersecurity and data protection areas. Heavily forecast to be a potential attack vector (also ransomware target) and source of pilfered data and metadata.

State focus

High on the agenda of many states is the passing of legislation regarding minimum privacy and security standards [2]. This includes reference and adherence to the Center for Internet Security (CIS) Critical Security Controls. California has found teeth in sub-regulatory guidance based on California Civil Code § 1798.81.5. The legislation provides a requirement for enterprises to put in place “reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” A minimum of six additional states have also adopted statutes requiring entities that collect and retain personal information from consumers to employ reasonable procedures or reasonable security measures to protect such information, including Florida, Utah, Arkansas, Nevada, Maryland, and Rhode Island. Another example is Illinois’ Personal Information Act (815 ILCS §530/5), which requires an entity holding “personal information concerning an Illinois resident” to “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure” [2] and an associated breach.

The lack of case law (no precedent) and with little guidance from attorneys general has pundits forecasting a heavy focus on fleshing out a fuller legal meaning to those terms in 2017.

Two additional areas of focus are state breach law harmonization calls and additional breach notification statutes for Illinois, as well as California, Nebraska, Oregon, and Rhode Island. Lastly some states will also be expanding the definition of personal information to include an email or userid [2][3].

Privacy

In the realm of privacy, the focus continues to be on personal and data privacy regarding the Internet of Things (IoT) as well as a plethora of social media protections [1].

Standards and guidance

A review of recently released NIST-authored guidance also offers a keen look into the future focus of cybersecurity. Late 2016 and early 2017 brought the following useful guidance to our practitioners. These are informative and interesting, and challenge the current state of cybersecurity on both an effectiveness and technical level [4][7][8][9][10][11].

• Baldrige Cybersecurity Excellence Builder: key questions for improving your organization’s cybersecurity performance

Continued on page 36

Security in the News
News That You Can Use
Compiled by Joel Weise – ISSA Distinguished Fellow, Vancouver, BC, Chapter and Kris Tanaka – ISSA member, Portland Chapter

FBI Let Alleged Pedo Walk Free Rather Than Explain How They Snared Him
http://www.theregister.co.uk/2017/01/06/fbi lets people off to keep methods secret/
Warning: This article may enrage you. However, it does raise some interesting points. For example, why didn’t anyone suggest having the network investigative technique (NIT) code escrowed and evaluated by an independent lab? As the article states, this is turning into a legal minefield. We need to step carefully and quickly in order to figure out a better way.

Best Buy Technicians Flagged Customers’ Computers with Signs of Child Porn for FBI, Lawyers Say
http://www.vancouversun.com/news/world/best technicians flagged customers computers with signs child/12680947/story.html
Here’s another question for the legal minefield, “If a customer turns over their computer for repair, do they forfeit their expectation of privacy, and their Fourth Amendment protection from unreasonable searches?” According to Best Buy, the answer is “yes.” A spokesman for the retailer said that they have a “moral and legal obligation” to turn over any material that may be considered child pornography to law enforcement, and this policy is shared with customers before any repair work begins on their computers. It’s legal, but is it ethical – especially if the FBI offers payment for the information?

Organizations Challenged with Cybersecurity Framework ation
For those of you who are into security compliance and governance, this article points to research sponsored by Tenable and the Center for Internet Security that will more than likely validate what many of you are experiencing; namely, there are numerous issues with implementing one’s chosen framework. On a positive note, at least a lot of organizations are now considering the adoption of a security framework.

The Cybersecurity Law Report
http://www.cslawreport.com/
As this is our legal issue, I thought I would include a site that can be used for general research on all things cybersecurity and the law. There’s something for everyone here; however, I particularly like the data privacy and due diligence sections. Enjoy!

FTC Sues D-Link over Failure to Secure Its Routers and IP Cameras from er-security.html
The really intriguing thing about this article involves the FTC violations mentioned in the lawsuit: “Falsification about security in its router and IP camera user interfaces and promotional materials” and “Falsely claiming that reasonable measures have been taken to protect its devices.” That’s a serious broadside to vendors.

Breach Response: Trump Confirms Russian Hacking irms-russian-hacking-campaign-aide-says-a-9622
I would be remiss if I didn’t include at least one article on the Russian hacking of the recent US election. Let’s forget about the politics of the situation. What really scares me is the threat that any country c
