RSAC USA 2017 You Can’t Take It With You! Discussion Framework

During the RSA USA Conference 2017, in San Francisco, I facilitated a Peer-to-Peer session, held on Thursday, February 16, at 4 pm. The session title is:
You Can’t Take It With You! How to Manage Security When Personnel Depart (Session P2P2-R11)

The session description is:
How can you manage information security when people leave your organization? Expanding on the popular 2016 P2P session, let’s talk best practices for managing IT security for the off-boarding process.

This blog post is on the topic of my Peer-to-Peer session and presents the discussion framework I used in the session. It includes topics for consideration, including some that we did not have the opportunity to talk about in the session.

Context for discussion
  • “Off-boarding” processes involve both People and Technology
  • Departure types – People
    • Human, emotional, belonging/identity aspects
    • Employees
    • Contractors
    • Interns
    • Guest workers
    • Visitors
  • Departure types – Process
    • Individual
      • Resignations (voluntary)
      • Terminations
      • Contractual
      • Internship
      • Visits
    • Group
      • Reorganizations
      • Spin-offs
      • Outsourcing
      • Organizational sales
      • Contractual
  • Team – cross-functional
    • Planning
      • HR, Legal, Risk Management, IT, Payroll, Facilities, Physical Security
    • Process execution
      • HR, Legal, IT, Payroll, Facilities, Physical Security
  • Policy & Process design
    • Some call this “Off-boarding”
    • Processes different for different departure types
    • Policy framework, authoring, update
    • Process definition: A process that links HR, IT and other groups, to ensure personnel access to information systems, networks, applications and physical locations is disabled.
    • “Checklist” approach for consistency and completeness
  • Training, Operations & Audit
    • Tabletop exercises
    • Controls monitoring
    • “Residual” access
    • Incident response
Risks for consideration (particular to this issue)
  • Company information on personally owned computing devices and computing services
    • Forcing use of company-owned devices
    • Forcing management of personally owned computing devices
    • Restricting through policy company information uploaded to computing services
  • Departure of people in special roles, such as sys admin, manager, security, audit
  • Shared accounts (yes, they shouldn’t but maybe do exist)
  • Reluctant departures
  • Contacts back to the business
  • Special relationships with vendors and / or customers
  • Social media monitoring
  • Transition periods
    • End-of-day, end-of-contract, wind-down, guesting
  • Controversial: Moral and psychological balancing
  • Model for addressing risk and mitigation
Issues for consideration
  • Events vs. transitions
    • Immediate departure events with no access
    • Transition phases with access limitations
  • Complete knowledge of every department impacted by departure
    • Different for different companies, divisions and job descriptions
    • Address the truly custom items, such as special privileges, access and assets
  • What has the departing person got? (asset inventory & retention)
    • Internal network access
    • Remote access
    • Systems access
    • Internal application access
    • External application access
    • Social media access
      • Intentional upload
      • Unintentional upload
    • Computing assets
      • Laptops
      • Smart phones
      • Portable disks (data and backup)
      • Memory sticks
      • Other storage devices
    • ID badges
    • Credit cards
    • Authentication token devices
    • Company applications and data on personal devices
    • License recovery
    • Any and all other company-owned property
  • Exit interview
  • Archiving & information stewardship
    • Assignment & responsibilities of new ownership
    • Do not delete accounts, but make them inactive, with new ownership
    • Attribution risk?
    • Records review and assimilation
    • Scheduled destruction
  • Legal requirements
    • Intellectual property ownership and monitoring
    • Personal property ownership
    • e-discovery mitigations and restrictions
  • Other
    • Impulse to take
    • Prediction: HR -> legal -> IT (behavioral analytics)
    • Most property is taken within 90 days of departure
    • 50% admitted to taking property after departure
    • Most digital assets are taken via email, cloud, memory stick
    • Target critical roles for monitoring
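The “residual access” control monitoring and the archiving rules above (disable rather than delete, assign a steward, schedule destruction) can be checked by reconciling the HR departures feed against a directory export. The following is an added example, not material from the session; the record layouts, the one-year retention window and the sample rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Retention window before an inactive account's data is due for
# scheduled destruction (assumed value; set from your records policy).
RETENTION = timedelta(days=365)


@dataclass
class Departure:          # one row from the HR departures feed (assumed layout)
    user: str
    last_day: date
    departure_type: str   # e.g. "resignation", "termination", "contract_end"


@dataclass
class Account:            # one row from the directory export (assumed layout)
    user: str
    enabled: bool
    steward: str          # new owner of the inactive mailbox/files; "" if none
    last_login: Optional[date]


def review_departures(departures: List[Departure], accounts: List[Account],
                      today: date) -> Dict[str, List[str]]:
    """Return findings per departed user; an empty dict means all controls hold."""
    by_user = {a.user: a for a in accounts}
    findings: Dict[str, List[str]] = {}
    for d in departures:
        if d.last_day > today:
            continue                      # still in a transition period
        a = by_user.get(d.user)
        issues = []
        if a is None:
            issues.append("no directory record")     # disablement cannot be confirmed
        else:
            if a.enabled:
                issues.append("residual access")     # access survived departure
            elif not a.steward:
                issues.append("no steward assigned") # inactive account has no owner
            if a.last_login and a.last_login > d.last_day:
                issues.append("login after departure")
            if today - d.last_day >= RETENTION:
                issues.append("retention expired")   # due for scheduled destruction
        if issues:
            findings[d.user] = issues
    return findings


def sample_review() -> Dict[str, List[str]]:
    """Run the check over constructed sample rows (not real personnel data)."""
    today = date(2017, 3, 1)
    departures = [Departure("alice", date(2017, 2, 10), "resignation"),
                  Departure("bob", date(2016, 1, 15), "termination"),
                  Departure("carol", date(2017, 3, 10), "contract_end"),
                  Departure("dave", date(2017, 2, 1), "termination")]
    accounts = [Account("alice", True, "", date(2017, 2, 20)),
                Account("bob", False, "", None),
                Account("carol", True, "", date(2017, 2, 28)),
                Account("dave", False, "manager1", date(2017, 1, 30))]
    return review_departures(departures, accounts, today)


if __name__ == "__main__":
    for user, issues in sample_review().items():
        print(user, ", ".join(issues))
```

Only alice (still enabled, logged in after her last day) and bob (inactive but unowned, and past the retention window) are flagged; carol is still in her transition period and dave's account satisfies every rule.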

Please contact me with any additions, ideas or questions on this material. I will update these framework notes with the feedback I receive.


RSAC USA 2017 You Can’t Take It With You! Discussion Notes

The session was almost completely full, and almost everyone contributed to the conversation. A variety of points of interest were made, coming from different backgrounds and issues, with talk flowing around the room. This is the direct connection opportunity that Peer-to-Peer sessions give within the larger conference, attended by more than 40,000 people.

Shortly after the session concluded I wrote out notes capturing what I remembered of the conversation, which I share here.

  • Defense contractor needs to track much more closely activity during employment, and before and after termination; looking to fold in social media activity
  • Onyx software to track activity
  • DLP is used to track activity, but the package used was biased toward Windows, which was a problem in a mixed platform environment
  • Network segmentation for departures
  • Most concerning activity happens just before, and within 30 days after termination
  • HR is often involved, but not prepared for IT-oriented issues
  • Large group changes, in the specific case a merger, overwhelmed HR and IT processes
  • Particular roles cause concern; specific case cited was sales people leaving with customer lists
  • People issues and technology issues
  • Identifying residual data can be particularly difficult for people who have had different roles through the years; existing processes focus on cleanup of the current (last) job, but have difficulty moving back through the previous roles
  • Risk incurred by transition periods, where some access is provided after termination or departure announcement
  • Concern about resignations, where the organization has no control visibility until the departure is announced by the person
  • Contractors are not trained to the level of employees, leading to risk
  • Issues with company data on personal devices; what access, impose agent control, how to reclaim or remove data upon departure
  • Issues balancing privacy with monitoring, particularly in countries with differing privacy requirements
  • Who is the driver of departure processes? It varies. Sometimes HR, sometimes Legal, never IT Sec. Driver gives momentum which supports funding and teaming

Please contact me with any additions, clarifications or questions. I will update the notes with the feedback I receive.

RSA Conference USA 2017

The RSA USA Conference for 2017, in San Francisco, took place last week. Each year my experience is similar: the time is so compressed, the experience is intense, I meet great new people, and I always learn something new.

Below I have copied my agenda for the week, so you know what sessions I attended. Please contact me if you have any comments or questions about these sessions.

Mon 2/13  ——
10a – 12p  SEM-M05
How-to-Series: Year One Innovators and Entrepreneurs, David Blumberg, Michael DeCesare, Theresa Gouw, Patrick Heir, Steve Hero, Jay Leek, Troels Oerting, Ted Schlein, Cat Zakrzewski

1p – 4:30p  ISB-M01
Innovation Sandbox: Top 10 most innovative startups

Tue 2/14  ——
8a – 10:30a  Keynotes
* Planning for Chaos, Zulfikar Ramzan, CTO, RSA
* Brad Smith, President, Microsoft
* Sweating the Small Stuff on a Global Scale, Andrew Young, SVP/GM, Intel Security
* The Cryptographers’ Panel (Paul Kocher, Whitfield Diffie, Susan Landau, Ronald Rivest, Adi Shamir)

1:15p – 2p  EXP-T09
Regulating the Internet of Things, Bruce Schneier

2:30p – 3:15p  EXP-T10
Ted Schlein and Michèle Flournoy on the Future of Security and Defense

3:45p – 4:30p  HTA-T11R
Meet and Greet with the macOS Malware Class of 2016, Patrick Wardle, Synack

Wed 2/15  ——
8a – 8:45a  PNG-W02
Beyond Stuxnet: State of the Art in Cyberwarfare and Weapons, Kim Zetter, Gary Brown, Oren Falkowitz, Roy Katmar

9:15a – 10a  EXP-W03
Hacking Exposed: Real-World Tradecraft of Bears, Pandas and Kittens, Dmitri Alperovitch, George Kurtz, CrowdStrike

10:30a – 12p  Keynotes
* The Seven Most Dangerous New Attack Techniques, and What’s Coming Next, Alan Paller, Michael Assante, Ed Skoudis, Johannes Ullrich, SANS

1:30p – 2:15p  PRV-W10
Resurrecting Privacy in the Cloud: A Privacy Engineering Implementation, Michelle Dennedy, Alissa Cooper, Michele Guel, Harvey Jang, Cisco

2:45p – 3:30p  GRC-W11
Crown Jewels Risk Assessment: Cost-Effective Risk Identification, Doug Landoll, Lantego

4p – 5:00p  Keynotes
* Radical Innovation: Revolutionizing the Future of Cybersecurity, Hugh Thompson
* The Great A.I. Awakening: A Conversation with Eric Schmidt, Google

Thu 2/16 ——
7a-7:45a BOF2-R01C
Birds of A Feather: Multifactor Authentication Redefined, Wendy Nather, Duo Security

8a – 8:45a  AIR-R02F
One-Hit Wonders: Dealing with Millions of Anomalies, Chris Larsen, Symantec

8:45a – 9:15a SBX2-R1
Ransomware, Drones, Smart TVs, Bots: Protecting Consumers In the Age of IoT, Terrell McSweeny and Aaron Alva, Federal Trade Commission

9:15a – 10a  FON1-R03
Focus-on session: One-Hit Wonders, Chris Larsen, Symantec

10:30a – 11:40a  Keynotes
* Topics of Leadership and Teamwork with Dame Stella Rimington, MI5

1:30p – 2:15p  PDAC-R10F
How to Delete Data for Realz: This Presentation Will Self-Destruct In…, Davi Ottenheimer and Ian Smith

2:45p – 3:30p  FON3-R11
Focus-on session: How to Delete Data for Realz, Davi Ottenheimer and Ian Smith

4p – 4:45p  P2P2-R11
You Can’t Take It With You! How to Manage Security When Personnel Depart, Kenneth Morrison, Morrison Consulting

Fri 2/17 ——
9a – 9:45a  EXP-F01
The Future: Revealed, Ben Jun and Hugh Thompson

10:15a – 11a  MBS-F02
IoT End of Days, Chris Henderson, IBM

11:30a – 12:15p  CXO-F03
Corporate Security: Where the Physical and Digital Worlds Collide, Shawn Henry, CrowdStrike