Legally Defensible Security
Something that usually happens with a certain frequency is that some information system or online business is a victim of malicious acts by competitors, mafias or unhappy employees. If this happens it is a legal obligation (National Security Framework or GDPR) for the victim to report what happened to the competent authority. This authority does not try to “catch the bad guy” to try to restore the victim, but to look for and understand patterns, campaigns and/or techniques of widespread malicious acts and try to cut them off and prevent them as effectively as possible.
But if your business has been robbed or broken into, that’s done and it’s going to be very difficult to find the perpetrator, let alone bring him to a judge, let alone have him convicted to return what he stole.
In this context, in security there is the concept of “Legally Defensible Security” and, given the value of the information assets that more and more companies manage, it is becoming more popular and implemented. Let’s get to it.
The point of security is to keep bad things from happening while supporting the occurrence of good things. When bad things do happen organizations often desire assistance from law enforcement and the legal system for compensation. To obtain legal restitution you must demonstrate that a crime was committed, that the suspect (assuming you find him) committed that crime, and that you took reasonable efforts to prevent the crime. This means your organization’s security meets to be legally defensive.
If you are unable to convince a court that your log files are accurate and that no other person other than the subject could have committed the crime, you will not obtain restitution. Ultimately, this requires a complete security solution that have strong multi factor authentication techniques, solid authorization mechanism, and impeccable auditing systems.
Additionally, you must show that the organization complies with all applicable laws and regulations, that proper warnings and notifications were posted, that both logical and physical security were not otherwise compromised, and that there are no other possible reasonable interpretations of the electronic evidence. this is a fairly challenging standard to meet. Thus, an organization should evaluate its security infrastructure and redouble its effort to design and implement, even little by little, legally defensible security.
Author: Javier Jiménez (Linkedin)