Best IT Blog

Sample Visio – Simple ITIL Security Operations Workflows

Simple sample Security Operations workflows and interactions, intended as a basis for creating a good IT operations runbook.

This is the level of detail that should be charted and documented step by step.

Free – Visio Document download

Visio Work Flows



Sample – EPHI (HIPAA) – Administrative Technical Controls

Posted in Compliances (1300),Security (1500) by Guest on the February 16th, 2012

Thank you for your visit.

If you like what you have found on our site please backlink our site and blog.




| Standard | Section | Implementation Specification |
| --- | --- | --- |
| Security Management Process | § 164.308(a)(1) | Risk Analysis |
| | | Risk Management |
| | | Sanction Policy |
| | | Information System Activity Review |
| Assigned Security Responsibility | § 164.308(a)(2) | |
| Workforce Security | § 164.308(a)(3) | Authorization and/or Supervision |
| | | Workforce Clearance Procedure |
| | | Termination Procedures |
| Information Access Management | § 164.308(a)(4) | Isolating Health Care Clearinghouse Functions |
| | | Access Authorization |
| | | Access Establishment and Modification |
| Security Awareness and Training | § 164.308(a)(5) | Security Reminders |
| | | Protection from Malicious Software |
| | | Log-in Monitoring |
| | | Password Management |
| Security Incident Procedures | § 164.308(a)(6) | Response and Reporting |
| Contingency Plan | § 164.308(a)(7) | Data Backup Plan |
| | | Disaster Recovery Plan |
| | | Emergency Mode Operation Plan |
| | | Testing and Revision Procedures |
| | | Applications and Data Criticality Analysis |
| Evaluation | § 164.308(a)(8) | |
| Business Associate Contracts and Other Arrangements | § 164.308(b)(1) | Written Contract or Other Arrangement |



Anatomy of a Web Application

Posted in Compliances (1300),Security (1500) by Guest on the February 16th, 2012

Without any protection, holes and backdoors exist at every layer waiting to be exploited 

Each layer of the application has its own unique vulnerabilities. A vulnerability fixed at one layer may still be exploited at another layer. An exploit at any layer of the application affects the integrity and behavior of the entire application.



Sample Visio – ITIL – Risk Governance

Posted in ITIL - Change Management - Help Desk (95),Visio Samples - Stencils (457) by Guest on the February 15th, 2012

 If you backlink our site and you provide an email address, we will email this free visio drawing to you without obligations.

Thank you,



Sample – EPHI (HIPAA) – Physical Technical Controls

Posted in Compliances (1300),Security (1500) by Guest on the February 15th, 2012





| Standard | Section | Implementation Specification |
| --- | --- | --- |
| Facility Access Controls | § 164.310(a)(1) | Contingency Operations |
| | | Facility Security Plan |
| | | Access Control and Validation Procedures |
| | | Maintenance Records |
| Workstation Use | § 164.310(b) | |
| Workstation Security | § 164.310(c) | |
| Device and Media Controls | § 164.310(d)(1) | Disposal |
| | | Media Re-use |
| | | Data Backup and Storage |

Sample – EPHI (HIPAA) – Technical Security Controls

Posted in Compliances (1300),Security (1500) by Guest on the February 15th, 2012





| Standard | Section | Implementation Specification |
| --- | --- | --- |
| Access Control | § 164.312(a)(1) | Unique User Identification |
| | | Emergency Access Procedure |
| | | Automatic Logoff |
| | | Encryption and Decryption |
| Audit Controls | § 164.312(b) | |
| Integrity | § 164.312(c)(1) | Mechanism to Authenticate Electronic Protected Health Information |
| Person or Entity Authentication | § 164.312(d) | |
| Transmission Security | § 164.312(e)(1) | Integrity Controls |



Sample – Infrastructure: Operations Support Policy

Posted in Compliances (1300),Security (1500) by Guest on the February 15th, 2012


This policy defines the basic elements required for the Corporate Information Systems Operations Support.  


To obtain reasonable assurance that computer operations activities provide scheduled, monitored, and secured processing as well as the timely identification of problems. 


The scope of this policy includes all personnel, including external vendors, who have access to or are responsible for operating or maintaining the production systems for any and all systems located at the corporate facilities.


Management will implement automated scheduling tools to perform batch processing.

Automated job scheduling software allows management to schedule jobs based on a variety of factors, including criticality, run-time, and capacity. For example, large jobs are usually run when the system is not running at peak capacity. If invalid programs are executed or if valid programs are executed in the wrong sequence, invalid items may be recorded or valid items may be inaccurately or incompletely recorded.

Personnel access to the job processing software will be based upon user job responsibilities and verified to be appropriate on a recurring basis.

System access required to modify job scheduling software should be restricted to computer operations personnel.

All processing exceptions and errors will be recorded and reviewed by management.

Processing errors and exceptions, including job appends, should be automatically flagged for subsequent management review and follow up. Job scheduling software and/or application system should automatically provide for:

  • resubmission of approved and corrected errors;
  • maintenance of error or aged transactions;
  • suspense queues and/or reports;
  • logs of executed programs; and
  • logs of processed and rejected transactions.

Management will establish a procedure to ensure that system problems are centrally recorded and monitored for timely resolution.

When users have problems, they should have a point of contact to ensure timely resolution. Following the reporting and recording of a problem, appropriate resolution activities should occur. The factors to ensure adequate problem resolution are:

  • Timeliness, through prioritization;
  • Scale, through commitment and allocation of adequate resources;
  • Integrity, through implementation of a suitable solution without causing further problems; and
  • Monitoring, to permit escalation, if needed.

The rest of this is available through our purchasable document packages at:



Security / Privacy Regulations Timeline

Posted in Compliances (1300) by Guest on the February 14th, 2012

The Business Information Supply Chain

Posted in Business (600),Compliances (1300),Security (1500) by Guest on the February 13th, 2012

The Value of Securing Your Online Connection

Posted in O S (375) by Guest on the February 12th, 2012

Internet crime rising

With the advent of the internet in just about all spheres, from e-commerce to shopping to networking, the web has become one of the biggest means of communication on the planet. Instances of misuse of important information such as credit card details and other financial information, as well as identity theft, are increasing at an alarming rate. Furthermore, because most internet users choose shared web hosting providers rather than dedicated servers, it is easier for miscreants to exploit individual IP addresses and steal data. Smartphones, which are the order of the day, make it harder to tackle internet crime because they have increased web usage a thousandfold. Wi-Fi connections can be easily breached and crimes committed. It is also not surprising that applications written for web use have loopholes that can be found by a seasoned hacker who can misuse the information, since not all hackers are ethical hackers. Trojans are another major web threat. To combat this crime, cyber security has been strengthened considerably in recent years. Measures stricter than the allotment of passwords are being used to secure web usage. At the individual user level, there are several steps you can take to secure your internet connection.

Embedded systems testing

Testing embedded systems can be very useful in reducing internet crime. Testing involves many activities, such as assessing the security measures, building an understanding of the system's features, running it on various platforms to test compatibility, and testing general performance. Embedded systems testing is the process of evaluating all these requirements for an embedded system. While there is no exact definition of embedded systems, they can be taken to be smart devices used for communication and information technology purposes, such as mobile phones, computers with or without internet connectivity, and radio and other signal transmission and receiving devices. Assessing the performance of systems that are in some way connected online can help in limiting cyber crime. Regular monitoring is also important for embedded systems. Since new viruses and hacking attempts are a continuous process, monitoring the security of the system also needs to be a continuous process.

AFDX stands for Avionics Full-Duplex Switched Ethernet and is also one of the most effective means of curtailing cyber crime. The concept involves the use of dedicated bandwidth, and Quality of Service (QoS) is provided along with it. AFDX is an advanced method of limiting illegal entry into systems and improving security measures. Some of the essential components of this system are end systems, switches and links. Reducing internet crime has become one of the most basic needs of the day, and as a result specialist professionals are being trained in the use and testing of embedded systems and AFDX. Although these special security measures do help in reducing crime, the rate of internet incidents is continuously rising, and hence there is a need to address the problem at the root level.



HIPAA – Identity and Access Management SOC Dashboard Considerations

Posted in Compliances (1300),Security (1500) by Guest on the February 12th, 2012

What a Security Operations Center IAM dashboard should present.

  • Number of Requestable Products
  • Average Request Processing Time
  • New Rule Violations
  • Employees by functional area
  • Pending Requests
  • Entitlement Assignments with / without requests
  • Employees by status
  • Pending Attestation Instances
  • Number of Internal and External Employees
  • Top 10 Departments (Members)



HIPAA – Identity and Access Management Considerations

Posted in Compliances (1300),Security (1500) by Guest on the February 12th, 2012




| Safeguard | Standard | Implementation Specification |
| --- | --- | --- |
| Technical | Access Control | Unique User Identification |
| | | Automatic Log-off |
| | Audit Controls | |
| | Person or entity Authentication | Strong Authentication |
| Physical | Facility for access controls | Physical Access |
| Administration | Security Management Process | Risk Management |
| | | Activity Review |
| | Workforce Security | Termination Procedure |
| | Information Access Management | Isolation Healthcare Clearing House |
| | Security Incident Procedures | Login Monitoring |


“HIAA” – Health Insurers Association of America and “AAHP” – American Association of Health Plans members



What is Data Retention Compliance?

Posted in Application (380),Compliances (1300),Security (1500) by Guest on the February 11th, 2012

The ability to stipulate a specific life cycle for different types of corporate IT documents.

1) Data usability and accessibility, the document must be in a useful form, e.g. viewable / reusable. The retrieval must meet the business process requirements.

2) Data security, the document must be held so as to prevent uncontrolled access.

3) Data integrity, the data must be warranted as an unaltered rendition of the data.

4) Data integrity includes such technologies as:

  •  Multipath I/O
  •  Clustering
  •  High Availability (HA)

Corporate Policies, Standards, best practices and regulations drive data retention requirements.



Security Operations – Security Guidance

Posted in Compliances (1300),Data Center - SOC - NOC,Security (1500) by Guest on the February 10th, 2012

Secure by Design

  • Design for defense-in-depth
  • Plan for security management
  • Design system architecture for security
  • Build network threat models

Secure by Default

  • Minimize the network attack surface
  • Deny access by default
  • Use security features in Windows Server 200x, Unix, MVS and Risc OS’s

Secure in Deployment

  • Software maintenance
  • Security policy
  • Educate users on security
  • Customers…
      • Understand the value of protecting their assets, their data and customer transactions
      • Desire a single, simple solution to complex, daily problems
      • Value a low Total Cost of Ownership



Mitigating Emerging Threats from Employee Computing

Posted in Business (600),Compliances (1300),Security (1500) by Guest on the February 9th, 2012

Comprehensive solution to manage employee use of corporate computing resources…

  • Personal Surfing
  • Instant Messaging
  • P2P
  • Spyware
  • Unauthorized Applications
  • Employee Hacking
  • Virus Outbreak….
  • 70% of Porn is downloaded between 9am and 5pm

All Internet Content Carries a Risk!

  • Web, Email, IM and P2P – Strongest solution to emerging hybrid / blended threats (e.g. MyDoom, ‘Phishing’)
  • Content is king – from databases to dictionaries to signatures
  • Relevant solutions must learn while they work – Artificial Intelligence



Regulatory Roundup

Posted in Business (600),Compliances (1300),Security (1500) by Guest on the February 8th, 2012

Security / Privacy Regulations Timeline

Posted in Compliances (1300),Security (1500) by Guest on the February 8th, 2012

PACS (Picture Archiving and Communication Systems)

Posted in Business (600),Security (1500) by Guest on the February 8th, 2012

PACS – Various Network Technologies, Bandwidths and Typical Transfer Times for Radiological Imaging.

| Network Technology | Bandwidth | Chest Radiograph (8.4 MB) | Chest CT Scan (50 MB) |
| --- | --- | --- | --- |
| T1 | 1.54 Mb/s | 43 sec | 4.3 min |
| Ethernet | 10 Mb/s | 6.7 sec | 40 sec |
| Fast Ethernet | 100 Mb/s | 0.7 sec | 4 sec |
| ATM | 155 Mb/s | 0.4 sec | 2.6 sec |
| Gigabit Ethernet | 1 Gb/s | 0.07 sec | 0.4 sec |


Just a few Laws Protecting Businesses

Posted in Business (600),Compliances (1300),Security (1500) by Guest on the February 8th, 2012

Depending on the organization’s business, there may be several laws that govern the protection of information

  • California Database Breach Notification Act  (SB1386)
  • Computer Security Act of 1987
  • Computer Fraud and Abuse Act of 1986
  • European Union Data Privacy Directive

ASCA – Administrative Simplification Compliance Act

  • Addresses Transactions and Code Sets
  • Allows a covered entity, other than small health plans, to apply for a 12 month extension
  • Testing is required by April 15, 2003

Privacy Modification NPRM

  • Simplifies implementation requirements for Privacy regulation, but doesn’t change date
  • Adoption or modification expected in August
  • Does not affect our product positioning, but could affect policies.


The Risk Mitigation

Information Risk Analysis

  • Identify what your business data is worth to you

Security Policy

  • Clearly document your security objectives


  • Have senior people responsible for information security


  • Make cost-effective resource commitments to information security 

These are just a few. What others should be considered?


Sample – Information Lifecycle

Posted in Business (600),Compliances (1300),Security (1500) by Guest on the February 7th, 2012
  1. Authorization
  2. Delivery
  3. Usage
  4. Storage
  5. Destruction 

Research indicates access to confidential documents is mostly granted without data owners’ prior approval. Sometimes, this is due to undefined owners. IT organizations should ensure data owners are identified and their authorization is sought prior to granting access or distributing “confidential” documents outside the organization. This will ensure data owners are aware of the need, benefits, and risks of giving access to third parties.


Research shows confidential document delivery is performed on ad hoc basis, favoring convenience instead of security. IT organizations should establish distribution policies (e.g., by secure mail, by hand, by encrypted e-mail). Recipients should be made aware of the document delivery medium and be requested to acknowledge receipt.

1) Upon document delivery, the conditions of use should be stated to recipients (e.g., it cannot be distributed or shared with third parties without the owner’s prior authorization). The implications of not adhering to the conditions for use should also be clearly declared.

2) Recipients must be made aware of the best practices for storing confidential documents (e.g., they cannot be stored on laptops or publicly available PCs).

3) Conditions of use should emphasize the exigent need for destroying the document once the need for access is fulfilled. Given this, recipients should be requested to return the document to the sender or destroy it in accordance with supplied guidelines. The ramifications for not doing so should also be affirmed.



Sample Word – Data Classifications and Encryption Requirements

Posted in Compliances (1300),Networking (340),Security (1500) by Guest on the February 7th, 2012

What is Confidential Information?

  • Any information not known to outsiders that has value to the Corporate or whose premature disclosure would help competitors or be harmful to the Corporate.
  • Can include physical, electronic, or oral information.
  • Must be classified and protected according to guidelines set in Global Enterprise Information Classification Policy.

Free – Document download

See Encryption Matrix Document for details. 

Protecting Your Sensitive Data
An important aspect of security is protecting sensitive data from being read, changed, copied, or destroyed by unauthorized persons. Protection is especially important in today’s business world, where trade secrets can be worth millions of dollars, client confidentiality must be safeguarded, and government regulations often mandate that particular information not be disclosed.

What is Sensitive Data?
Sensitive data is any information that should be viewed and manipulated only by trusted parties. For practical purposes, the sensitive data that you might have stored on your computer or that you might access on the network can be divided into two categories: sensitive business data and sensitive personal data.

Sensitive Business Data
Sensitive business data includes any information related to the business or organization that could cause harm to the organization, its clients, its partners or any individual if it were deleted or made available to unauthorized users. Such information includes, but is not limited to, the following:

  • Clients’ or business partners’ personal information collected in the course of doing business, such as names, addresses, phone numbers, social security numbers, financial information, medical records, legal matters, and account numbers.
  • Employees’ personal information, including salary information (unless the organization is a public entity), disciplinary records, employment history, medical history, and criminal history.
  • Financial information about the organization (other than that required to be disclosed by law), business strategies, and future business plans.
  • Trade secrets, research and development information, and patent plans.

Sensitive Personal Data
Sensitive personal data you might have stored on your computer or on the network includes:

  • Your home address and telephone number.
  • Social security number, driver’s license number and other identification numbers.
  • Bank account information and credit card information (if you perform financial transactions online).
  • Medical information such as health insurance claims and correspondence with health care providers.
  • Legal information.
  • Internal employee information. 

Where Data Exists
Data is located in many different places, including the following:

  • Your Web browser’s cache (Temporary Internet Files) and history folder can reveal what Web sites you have visited, as can the cookies folder and the Favorites list.
  • The My Downloads folder can reveal files that you have downloaded.
  • Your e-mail program’s temporary folder can contain copies of file attachments that you have received with e-mail.
  • Word processing programs create temporary files while you are working that may not be deleted when you delete the main file. Many other application programs also create temporary files.
  • The Windows clipboard can show data that you have cut from documents.
  • Your Instant Messenger (IM) program may be set to log your conversations to a file. Its contact or “buddy” list will reveal persons with whom you communicate.
  • Your My Recent Documents folder shows what files you have worked on.
  • Media Player software’s history and playlists can reveal what audio and video files you have played.
  • Your contacts list can reveal persons with whom you exchange e-mail, as can the address autocomplete feature in your e-mail program.
  • Your calendar program may reveal your activities for past days.
  • Information you have deleted may still exist in memory (if the computer has not been turned off) or in virtual memory (the page file or swap file on the hard disk).
  • Copies of e-mail messages you have sent or received may still exist on the server or on the sender’s or recipient’s computer.
  • Backup tapes may contain copies of files even though you have deleted the originals.



What should a buyer look for in an MSSP?

Posted in Compliances (1300),Data Center - SOC - NOC,Security (1500) by Guest on the February 7th, 2012

Let us now discuss the key elements that a prospective buyer should look for in a MSSP: 

  • Confidentiality of Company Information: Understand how the prospective service provider ensures confidentiality of its customers' information. This would particularly apply to security policies, network diagrams, and other information required to provide the service.
  • Service Level Agreements (SLA): These agreements essentially quantify the service level or the key measurables, for example, guaranteed availability of the firewalls, or the time required to validate, confirm, and implement a rule base change. Rule base change turnaround varies. It takes longer if a proper analysis of the proposed change against the whole firewall rule base is performed, followed by a confirmation for the client's signoff. However, changes that do not require consulting take considerably less time.
  • Network Operating Centers (NOC): Check the physical security practiced at the NOC. Ideally, access within the premises should be restricted; the service provider should directly employ the staff; and employees should always enter the operating center in pairs. There should be alternative supplies for power, cabling, telecommunication links, and air conditioning. There should be disaster recovery sites for the NOCs.
  • Disaster Recovery: Look for a service provider who has provision for a disaster recovery site and well-established and practiced procedures. In case your managed firewall is deployed at the service provider's NOC/POP (network operating center / point of presence), check for the disaster recovery measures that have been established to provide you service continuity. Scheduled dry runs should be performed.
  • Vulnerability Testing: Typically these tools are developed either for network vulnerability analysis on intranets, application servers, web servers, and firewalls, or for host-based analysis on client machines. The network tools perform network probes on applications, operating systems and routers for any network-based vulnerability. Host-based tools, however, analyze each host for a range of standard security weaknesses.
  • Monitoring: Human administrators cannot provide round-the-clock monitoring for system health, hacking attempts, and unauthorized access. Measuring performance, filtering it, and producing alerts whenever thresholds are reached is best done using software. This would ensure efficiency and effectiveness in monitoring services.
  • Encryption: Any communication (e.g., rule base changes, remote administration, remote system reboots) between the managed firewalls and the NOC (Network Operating Center) should be performed through encrypted data. This would avoid the chance of Internet-based spoofing.
  • Intrusion Detection: The Intrusion Detection system deployed at the MSSP should be configured such that it does not raise too many false alarms. This would ensure that the MSSP team is not flooded with too much information, and can handle incidents with efficiency and effectiveness.
  • System Backups: System backups should be taken regularly. The service provider should be able to restore the firewall/IDS, including all base rules, without any difficulty.
  • Change request procedures: Best practices recommend that a change request be recorded, validated and processed in a reliable and consistent way. The service provider should validate that the request for change in the configuration has come from an authentic person. The designated security management representative of your organization must duly sign this request. All the changes should become a part of the Change Control System.
  • Management reports: These reports would give you an insight into the effectiveness and efficiency of the security products deployed. They would typically incorporate a snapshot of the work completed within the time frame, scheduled changes, and performance with respect to the SLAs.




Firewalls

Posted in Compliances (1300),Firewalls (75),Security (1500) by Guest on the February 7th, 2012

Firewalls: In this section we will take a look at the 3 basic types of firewalls – packet filters, proxy firewalls and the stateful inspection firewalls – and will look at the pros and cons of each.

Packet filters: These are basically screening routers that control the flow of data in and out of a network by looking at information in the packet header:

  • Source Address
  • Destination Address
  • Protocol used for transferring the data

The firewall is programmed to allow or deny the traffic based upon the protocol and source & destination addresses. A policy could look something like this:


Source Interface Destination Protocol Action


External Internal ANY ANY DROP Anti-Spoofing rule
External ANY Internal HTTP ACCEPT Inbound HTTP to Web server
Internal External Any HTTP ACCEPT Outbound HTTP
Internal External ANY Telnet ACCEPT Outbound Telnet
ANY External ANY Internal ANY DROP Drop all not explicitly allowed

Packet filters are very efficient and cost effective since a single screening router can protect an entire network by acting as a choke point. They are considered to be the most effective against certain types of attacks such as the IP Spoofing attack. (For example: A rule to deny all inbound traffic that has source address from the internal network will take care of hackers trying to spoof IP addresses from the internal network.)

Another advantage is the ease of availability, since most routers come with basic packet filtering capacity. However, their filtering capacity is limited to the information they get from the network layer, which is the source and destination address and the protocol information. As a result they are not able to analyze the data within the packet, so it is easy for a packet with malicious data to pass through. Another disadvantage is that it is not possible to do partial filtering, meaning you cannot set a rule to allow only a specific user to connect to the FTP server or to transfer only specific files. There is also a possibility of incorrectly configuring a packet filter, thereby generating security holes in the network.

Proxy Firewalls: These types of firewalls work as transfer agents between the internal host and the external server. The idea is to protect the internal host from being directly exposed to the outside world. The proxy firewall accepts requests from the internal hosts for connections to the outside world, changes their IP addresses and sends the request with the changed IP to the outside server. It maintains a table for relating the internal IP with the translated IP so that when it receives a response from the outside server it can direct that to the appropriate internal host. 

There are two types of proxy firewalls; Circuit-level proxies and Application-level proxies.

Circuit-level proxies: It creates a circuit (connection) between the internal host and the outside server by acting as an agent without interpreting the application level information. It is more like a packet filter with the ability to hide the client. The advantage of circuit-level proxies is that they can be implemented with a large number of protocols as they don’t have to comprehend the information at the protocol level. The disadvantage is that once a connection is established it is always possible to send malicious data in the packets.

Application-level proxies: Also known as Application Gateway or Application Firewall, it performs all the basic functions of the circuit-level proxy with better traffic monitoring. The application gateway is able to comprehend information at the higher levels in the TCP/IP stack up to the application layer. The features of an Application-level proxy can be summarized in the following points:

  • It does not allow direct connections between an internal host and an external server under any circumstances.
  • It can understand and interpret commands in the payload portion of the packets. (Which even stateful inspection firewalls are not able to do.)
  • It provides a robust authentication and logging mechanism.

Although considered to be the most secure and advanced firewalls, they still have some limitations.

  • You may need a different proxy for each of the protocols.
  • Certain types of protocols may not be supported.
  • A large amount of information from a large number of packets has to be analyzed, which may lead to high processing time and overheads.

In general proxy firewalls provide reliable security with good logging mechanisms. They however suffer from the following disadvantages:

  • Not all applications are designed to use a proxy
  • The proxy setup can be complicated
  • They usually require modified clients and/or modified procedures 
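The difference between the two proxy types can be seen by giving both the same payloads. This is an added example, not code from the original post: the policy sets, the function names, the user name and the sample payloads are all constructed, and HTTP stands in for "the protocol the gateway understands".

```python
import logging

log = logging.getLogger("gateway")

ALLOWED_DESTS = {("203.0.113.10", 80)}   # constructed policy: permitted outside servers
ALLOWED_METHODS = {"GET", "HEAD"}        # constructed policy: read-only web access


def circuit_level(dest, payload):
    """Decide on the endpoint only; the payload is relayed without being parsed."""
    return dest in ALLOWED_DESTS


def application_level(user, dest, payload):
    """Decide on the endpoint and on the parsed HTTP request line; log every decision."""
    if dest not in ALLOWED_DESTS:
        log.warning("deny user=%s dest=%s reason=destination", user, dest)
        return False
    try:
        line = payload.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = line.split(" ")
    except (UnicodeDecodeError, ValueError):
        # Protocol verification: anything that is not a well-formed request line is refused.
        log.warning("deny user=%s dest=%s reason=malformed-request", user, dest)
        return False
    if not version.startswith("HTTP/1.") or method not in ALLOWED_METHODS:
        log.warning("deny user=%s dest=%s reason=policy method=%s", user, dest, method)
        return False
    log.info("allow user=%s dest=%s method=%s target=%s", user, dest, method, target)
    return True


# Constructed sample payloads sent by an internal host to an allowed server.
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"DELETE /records/17 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"\x16\x03\x01\x00\x05hello",  # not HTTP at all
]


def compare(samples, user="alice"):
    """Return (circuit-level verdict, application-level verdict) for each payload."""
    dest = ("203.0.113.10", 80)
    return [(circuit_level(dest, p), application_level(user, dest, p)) for p in samples]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(compare(SAMPLES))
```

The circuit-level check passes all three payloads because the destination is allowed; the application-level check passes only the first and records a reason and user for each refusal.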

Stateful Inspection Firewalls: Traffic decisions are made not only by looking at the packet contents but also by correlating the incoming traffic with earlier outgoing requests. The firewall does so with the help of a dynamic state table. The state table keeps a record of past communications, such as a request made for a particular file by the internal host, along with the source and destination addresses, port numbers and so on. This record is called a state. When the external server responds with a file, the firewall does a state table lookup to decide whether such a request had been made; if it has, the packet is allowed in, otherwise it is discarded by the firewall. Of course, this is subject to all the other security criteria being met.

For example, we can say that only outgoing traffic is enabled whereas the incoming traffic is disabled unless specifically requested. Most basic attacks such as port scanning are immediately taken care of at the firewall.


  • No application-level security is provided.
  • Stateful inspection is possible only for connection-oriented protocols such as TCP.
  • Stateful inspection firewalls do not look at the packets as closely as an application gateway firewall does, and they also do not provide any verification of protocols.
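The state table lookup described above, as an added example that is not part of the original post. The class and field names, the addresses and the idle timeout that ages out old states are assumptions made for illustration.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = internal host to outside, "in" = outside to internal host


class StatefulFilter:
    """Toy state table: inbound TCP is accepted only as a reply to a recorded outbound request."""

    def __init__(self, idle_timeout=60.0, clock=time.monotonic):
        self.idle_timeout = idle_timeout  # assumption: states expire after this many idle seconds
        self.clock = clock
        self.states = {}  # (internal ip, internal port, external ip, external port) -> last seen

    def _expire(self):
        now = self.clock()
        for key in [k for k, seen in self.states.items() if now - seen > self.idle_timeout]:
            del self.states[key]

    def handle(self, pkt):
        self._expire()
        if pkt.direction == "out":
            # Outgoing request: record the state so the reply can be matched later.
            self.states[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = self.clock()
            return "ALLOW"
        # Incoming packet: it must mirror a recorded state exactly.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.states:
            self.states[key] = self.clock()
            return "ALLOW"
        return "DROP"


def demo():
    """Run constructed packets through the filter using a fake clock."""
    now = [0.0]
    fw = StatefulFilter(idle_timeout=60.0, clock=lambda: now[0])
    out = [
        fw.handle(Packet("10.0.0.5", 40000, "203.0.113.10", 80, "out")),  # request
        fw.handle(Packet("203.0.113.10", 80, "10.0.0.5", 40000, "in")),   # matching reply
        fw.handle(Packet("203.0.113.10", 80, "10.0.0.5", 40001, "in")),   # port never used
        fw.handle(Packet("198.51.100.7", 80, "10.0.0.5", 40000, "in")),   # server never contacted
    ]
    now[0] = 200.0  # the state has been idle longer than the timeout
    out.append(fw.handle(Packet("203.0.113.10", 80, "10.0.0.5", 40000, "in")))
    return out


if __name__ == "__main__":
    print(demo())
```

Unsolicited inbound packets, including probes to ports no internal host opened, find no matching state and are dropped without any per-port rule.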



Seizing and Searching Computers and Computer Data

Posted in Compliances (1300),Security (1500) by Guest on the February 7th, 2012

With the explosion of computers and technology, investigators of all types are more often faced with analyzing computer-generated and/or maintained information relevant to their cases.  The U.S. Department of Justice has issued as guidance to prosecutors and agents “Federal Guidelines for Searching and Seizing Computers”.  These guidelines are the product of the Computer Search and Seizure Working Group, whose members were drawn from the FBI, Secret Service, IRS, DEA, ATF, DOJ, Homeland Security, Customs, the Air Force, and US Attorneys’ offices.

The guidelines include general principles of search warrants, consent searches, chain of custody, and other legal aspects as well as addressing the technological aspects of searching and seizing computers.  In this summary, the focus will be on the technological aspects, but the guidelines provide a good primer on operating in the legal environment of prosecutors and law enforcement.

Before any search or seizure begins, a determination must be made of the computer’s role in the offense.  This determination drives decisions such as whether to seize the hardware, software, data, or all components and whether the search can be conducted on-site or the computer should be taken to a field office or laboratory.  Fourth Amendment rights apply to computer searches as well as traditional ones, and can affect the admissibility of any evidence subsequently found. 



Without going into the specific legal detail here, generally seizure of computer hardware can be justified on one of three theories: 

(1)   The hardware is contraband;

(2)   The hardware was an instrumentality of the offense; or

(3)   The hardware constitutes evidence of an offense.

In many cases, more than one theory may apply.  For example, when a hacker uses his computer to spread viruses, the computer may be both an instrumentality of and evidence of an offense.  When hardware is seized, it is important to be sure that required components be taken.

In some cases, the computer workstation may be just a dumb terminal and the desired evidence (data) resides on a server.  At the same time, the investigators must take care to only seize required components to the extent it is possible to make that determination.  For example, in a networked environment the data could reside on any of multiple machines.  However, to protect the legality and admissibility of the evidence, the investigator should be able to articulate a reason for each component that is taken.

The computer must be transported from the scene properly to avoid damage to the evidence.  This may require researching the related operating manuals on how to secure the equipment, or may require having a technical expert assist in the seizure.  Before disconnecting cables, it is helpful to videotape or photograph the site and prepare a wiring schematic.  This will document the condition of the equipment at the scene and ensure the system can be reconfigured for later analysis.  Once this is done, the equipment should be disassembled, tagged and inventoried prior to the move. 

Any disks, drives, or other magnetic media should also be secured to prevent damage, such as avoiding strong magnetic fields, temperature extremes, or buildup of static electricity.  

Software And Data

Searches and seizures of data and software are more complex, and fall into two distinct groups:

(1)   Instances where the data is stored on a computer at the search site, and

(2)   Those where the information is stored off-site and the computer at the search scene is used to access the off-site location.

In some cases, the difference is insignificant.  On the other hand, there are certain unique issues that arise only in a networked environment.  A search warrant is required to be issued by a court in the district where the property is located.  Thus, if a network is involved, the data may reside on a computer in a different jurisdiction/district and a second search warrant may be required.  Furthermore, some computers may contain privileged information, such as that of doctors, lawyers, or clergy, and require extra care in being accessed. For these confidential fiduciaries, the computer data is very likely to include confidential information about persons not connected to the investigation.  In 42 USC 2000aa-11(1), Congress has recognized a “special concern for privacy interests in cases in which a search or seizure for … documents would intrude upon a known confidential relationship such as that which may exist between clergyman and parishioner; lawyer and client; or doctor and patient.”  A search warrant can be used if using less intrusive means would substantially jeopardize the availability or usefulness of the materials sought; access to the documents appears to be of substantial importance to the investigation; and the application for warrant has been recommended by the US Attorney and approved by the appropriate Deputy Assistant Attorney General.

Congress has also expressed a concern for publishers and journalists in the Privacy Protection Act, 42 USC 2000aa. Generally speaking, agents may not search for or seize any “work product materials” (defined by statute) from someone “reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or similar form of public communication.”  In some cases, a court may appoint a special master to search a computer containing privileged information and identify that which is pertinent to the case.

The guidelines caution investigators to ensure the master is a neutral computer expert with no connections to the investigated parties.  Understandably, if the person who holds the documents is a target rather than a disinterested party, the rules are different.  In those cases, the investigator may get a warrant to search the files, but the warrant should be narrowly written to include only information that is pertinent to the investigation.

As with hardware, computer data can be contraband, an instrumentality, or evidence of an offense.  In addition to the computer data files, computer printouts or manuals with handwritten notes may be significant to the case. Data may also be contained in laser printers (before they are moved), hard disk print buffers of some laser printers, some specialized keyboards, hard cards, or fax machines.  

These devices, and others, sometimes contain memory of varying sizes that holds data until it is overwritten or the machine is turned off.  Backup systems provide another source for obtaining data depending on how regularly and frequently data backups have been made. 

In networked systems, investigators could end up with nothing more than hardware if they have not gathered information, whether from sources or surveillance, on how the system is operated.  The file server which stores the programs and data files for the network can be in a separate physical location from the networked computers, perhaps in a different judicial district.  Electronic mail might be stored on a server until the addressee retrieves the messages.  Even deleted messages may be accessible from the network server if mail is backed up before the messages were deleted.  Voice mail systems are computer systems that can provide necessary evidence (data).  Again, messages may be accessible from the backup system even if they have been deleted.  

Another quirk of seizing data from a networked system is the need to control access to the files during the seizure.  When seizing paper files, the perimeter can be secured to prevent unauthorized access.  Electronic records on a network are more susceptible to alteration or destruction even while the seizure is underway.  Therefore, it is important to prohibit access to the data, either by software commands or by disconnecting the network cables to the computer. This should only be performed by an expert to avoid damaging the data or system. 

In deciding whether to search computer data at the scene or seize it to review at an off-site location, many factors should be considered.  Concerns for “best evidence” must be weighed against the civil liability created by closing a business down.  Providing an exact image on a replacement drive to the business can satisfy your need for “best evidence” and limit any civil liability.

The search warrant should be written as specifically as possible by focusing on the content of the records.  Then, as a separate logical step, investigators should address the practical aspects of whether the data can be searched on-site.  The volume of data may take days to search for relevant information, thus taking available data off-site becomes reasonable.  While data seized should be limited where possible, a search does not become invalid merely because some items not covered by the search warrant are seized.  As long as the investigators do not demonstrate flagrant disregard for the search warrant’s limitations, the items covered by the warrant will be admissible.  Sometimes documents are so intermingled that it is not feasible to sort them on-site.  Another factor to consider is location of the data.  When a search is conducted at a home, courts seem more understanding of the choice to seize the data and search it at an off-site location later.  As cited in United States v. Santarelli, 778 F.2d 609 (11th Cir. 1985), “To require an on-premises examination … would significantly aggravate the intrusiveness of the search by prolonging the time the police would be required to remain in the home.” 

Once the data has been obtained, analysts with specialized skills are often required to ensure the data is properly processed to maintain its integrity. These analysts use specially designed software utility programs to search for specific names, dates, file extensions, etc.  They can also recover deleted data, search for and expose hidden files, and recover encrypted or password-protected data.  The analyst can assist in searching the data by using keyword searches and by printing file directories for the investigator’s review.

Typically, the computer expert will prepare a mirror image of the computer’s files to allow the analysis to be conducted without harming the original data.  A well-intentioned investigator with amateur skills could inadvertently, but irretrievably, damage the data or admissibility of the evidence.  Computer experts have to track their procedures so they can recreate their steps in court if necessary.  Also, computer-literate suspects may install commands to destroy the computer’s data if a required password is not entered at periodic intervals, or some other hidden trap.

To ensure the proper expertise is available, information such as the operating system, the software being used, and the hardware configuration should be gathered.  Computer forensic experts can help prosecute cases with advice about how to present computer-related evidence in court.  Further, many are experienced expert witnesses and can help anticipate and rebut defense claims.




Sample – Computer Systems Privacy Policy

Posted in Compliances (1300),Policies - Standards (600),Security (1500) by Guest on the February 7th, 2012

For the protection of corporate, its employees and clients.

Employee Privacy

Corporate may collect, process, store and disseminate only that information regarding its employees which is necessary for the proper functioning of its business. 

Before corporate employees collect private information about workers, customers, or other people, the need for such information must first be documented and approved by the Chief Information Officer.

Computer systems may be used to automatically collect information about the performance of workers.  This information accurately and realistically reflects their job-related performance. 

Computer systems may be used to automatically collect information to manage and properly secure computer systems. 

Corporate makes no representations or guarantees of privacy in its Information Technology Systems, and Users should not have any expectations of personal privacy in using these systems. Corporate, at its discretion, reserves the right to access and disclose any and all electronic information for any purpose, including computer files and messages sent over its Information Technology Systems. 

 Use of Corporate’s Information Technology Systems constitutes the User’s consent to the Company’s access to, and waiver of the User’s privacy interest (if any) in, all messages, data, or files on, or information about, the Information Technology Systems.  

In general, corporate does not engage in blanket monitoring of employee communication.  However, it does reserve the right to monitor, access, retrieve, read and/or disclose employee communications when 1) a legitimate business need exists that cannot be satisfied by other means; 2) the involved employee is unavailable and timing is critical to a business activity; 3) there is a reasonable cause to suspect criminal activity or policy violation, or 4) monitoring is required by law, regulation or 3rd party agreement.


Customer Privacy

The collection of personal information about customers or potential customers is customary and expected. 

All customer records containing personal information that are in the possession of corporate will be used only for purposes directly related to corporate business. 

Access to this information must be strictly controlled on a need-to-know basis and the information must be used only for internal business purposes.  Unless the consent of the customer or potential customer is first obtained, all third party sale, exchange or other distribution is prohibited. 

Corporate computer-supported procedures must never require the provision of customer personal information that is unnecessary for the completion of a transaction, or for the provision of products or services.

