In accordance with mandated organizational security requirements set forth and approved by management, Response CRM has established a formal set of information security policy and supporting procedures. This comprehensive policy document is to be implemented immediately along with all relevant and applicable procedures. Additionally, this policy is to be evaluated on a(n) [annual, semi-annual, quarterly] basis for ensuring its adequacy and relevancy regarding Response CRM’s needs and goals.
This policy and supporting procedures are designed to provide Response CRM with a documented and formalized information security policy in accordance with Requirement 12.1 of the PCI DSS standards. Additionally, this policy also serves as the organization’s primary, enterprise-wide information security manual. Compliance with the stated policy and supporting procedures helps ensure the safety and security of all Response CRM system components within the cardholder data environment and any other environments deemed applicable.
This policy and supporting procedures encompass all system components within the cardholder data environment that are owned, operated, maintained, and controlled by Response CRM, along with all other system components, both internal and external, that interact with these systems, and all other relevant systems.
- Internal system components are those owned, operated, maintained, and controlled by Response CRM and include all network devices (firewalls, routers, switches, load balancers, other network devices), servers (both physical and virtual servers, along with the operating systems and applications that reside on them) and any other system components deemed in scope.
- External system components are those owned, operated, maintained, and controlled by any entity other than Response CRM, but for which these very resources may impact the confidentiality, integrity, and availability (CIA) and overall security of the cardholder data environment and any other environments deemed applicable.
- Please note that when referencing the term “system component(s)” or “system resource(s)” it implies the following: Any network component, server, or application included in or connected to the cardholder data environment (Source: pcisecuritystandards.org glossary) or any other relevant environment deemed in-scope for purposes of information security.
Response CRM is to ensure that the information security policy adheres to the following conditions for purposes of complying with the mandated organizational security requirements set forth and approved by management:
- Chief Technology Officer (CTO) | Chief Information Officer (CIO): Responsibilities include providing overall direction, guidance, leadership and support for the entire information systems environment, while also assisting other applicable personnel in their day-to-day operations. The CTO | CIO is to report to other members of senior management on a regular basis regarding all aspects of the organization’s information systems posture.
- Director of Information Technology | Senior Information Security Officer: Responsibilities also include providing overall direction, guidance, leadership and support for the entire information systems environment, while also assisting other applicable personnel in their day-to-day operations, along with researching and developing information security standards for the organization as a whole. This will require extensive identification of industry benchmarks, standards, and frameworks that can be effectively utilized by the organization for provisioning, hardening, securing, and locking down critical system components. Subsequent to the researching of such standards, the senior security officer is to then oversee the establishment of a series of baseline configuration standards to include, but not limited to, the following system components: network devices, operating systems, applications, internally developed software and systems, and other relevant hardware and software platforms. Because baseline configurations can and will change, this authorized individual is to also update the applicable configurations, documenting all modifications and enhancements as required. Additional duties of the Director of Information Technology | Senior Information Security Officer include the following:
  - Responsible for all major facets of information technology throughout the organization, such as management and recommendations as necessary.
  - Providing leadership, direction and guidance for current and existing projects.
  - Overseeing the development of all applicable operational, business specific, and information security policies, procedures, forms, checklists, templates, provisioning and hardening documents and other necessary material.
  - Overseeing initiatives for developing internal Requests for Proposals (RFPs), along with answering RFPs for services from the organization.
  - Assistance in developing the annual information technology budget.
  - Displaying integrity, honesty, and independence at all times.
  - Supporting the Director of Information Technology | Senior Information Security Officer and other members of senior management as necessary.
- Network Engineer | Systems Administrator: Responsibilities include actually implementing the baseline configuration standards for all in-scope system components. This requires obtaining a current and accurate asset inventory of all such systems, assessing their initial posture against the stated baseline, and undertaking the necessary configurations. Because of the complexities and depth often involved with such activities, numerous personnel designated as Network Engineers | System Administrators are often involved in such activities. Furthermore, these individuals are also responsible for monitoring compliance with the stated baseline configuration standards, reporting to senior management all instances of non-compliance and efforts undertaken to correct such issues. Additionally, because these individuals are to undertake the majority of the operational and technical procedures for the organization, it is critical to highlight other relevant duties, such as the following:
  - Assessing and analyzing baseline configuration standards for ensuring they meet the intent and rigor for the overall safety and security (both logically and physically) of critical system components.
  - Ensuring the asset inventory for all in-scope system components is in fact kept current and accurate.
  - Ensuring that network topology documents are also kept current and accurate.
  - Facilitating requests for validation of baseline configurations for purposes of regulatory compliance assessments and audits – such as those for PCI compliance, SSAE 16 reporting, HIPAA, FISMA, GLBA, etc.
  - Continuous training and certification accreditation for purposes of maintaining an acceptable level of information security expertise necessary for configuration management.
Additional duties of Network Engineers | Systems Administrators include the following:
  - Establishing the networking environment by designing system configuration; directing system installation; defining, documenting, and enforcing system standards.
  - Optimizing network performance by monitoring performance; troubleshooting network problems and outages; scheduling upgrades; collaborating with network architects on network optimization.
  - Updating job knowledge by participating in educational opportunities; reading professional publications; maintaining personal networks; participating in professional organizations.
  - Securing network systems by establishing and enforcing policies; defining and monitoring access.
  - Reporting network operational status by gathering and prioritizing information; managing projects.
- Software Developers | Coders: Responsibilities include actually developing secure systems by implementing the required baseline configuration standards into all systems and software development lifecycle activities. Coding for security, not functionality, is a core theme to which all software developers | coders are to adhere. They are to also identify any other necessary baseline configuration standards when warranted. Ultimately, this requires removing, disabling, and not implementing insecure services, protocols, or ports that – while they may be conducive for purposes of ease-of-use – ultimately compromise the applicable systems being developed. Additionally, these personnel are also responsible for following a structured project management framework, one that includes utilizing a documented SDLC process, complete with well-defined change management policies, processes, and procedures. Moreover, these personnel are to support and coordinate all required requests for validation of the baseline configurations within the systems being developed for purposes of regulatory compliance and/or internal audit assessments. Additional duties of Software Developers | Coders include the following:
  - Developing software solutions by studying information needs; conferring with users; studying systems flow, data usage, and work processes; investigating problem areas; following the software development lifecycle.
  - Determining operational feasibility by evaluating analysis, problem definition, requirements, solution development, and proposed solutions.
  - Effective documentation via flowcharts, layouts, diagrams, charts, code comments and clear code.
  - Preparing and installing solutions by effectively designing system specifications, standards, and programming.
  - Improving operations by conducting systems analysis; recommending changes in policies and procedures.
  - Obtaining and licensing software from vendors.
- Change Management | Change Control Personnel: Responsibilities include reviewing, approving, and/or denying all changes to critical system components and specifically for purposes of any changes to the various baseline configuration standards. While changes are often associated with user functionality, many times the issue of vulnerability, patch, and configuration management are brought to light with change requests. In such cases, authorized change management | change control personnel are to extensively analyze and assess these issues for ensuring the safety and security of organizational-wide system components.
- End Users: Responsibilities include adhering to the organization’s information security policies, procedures, and practices, and not undertaking any measure to alter such standards on any Response CRM system components. Additionally, end users are to report instances of non-compliance to senior authorities, specifically those by other users. End users – while undertaking day-to-day operations – may also notice issues that could impede the safety and security of Response CRM system components and are to also report such instances immediately to senior authorities.
- Vendors, Contractors, Other Third-Party Entities: Responsibilities for such individuals and organizations are much like those stated for end users: adhering to the organization’s information security policies, procedures, and practices, and not undertaking any measure to alter such standards on any such system components.
As for all the tools, devices, and protocols utilized for protecting networks – there’s an endless list – but for purposes of gaining a basic understanding of these appliances, the following list is considered vital when it comes to information security best practices:
- Network Devices: Firewall, routers, switches, load balancers, intrusion detection systems (IDS).
- Malware Solutions: anti-virus and anti-spam software and devices.
- File Integrity Monitoring (FIM) and change detection software, host based intrusion detection and intrusion prevention devices.
- Secure services – those that are operating system (O/S) and application specific to all major operating systems (Windows, UNIX, Linux) and applications (web server applications, database applications, internally developed applications).
- Secure protocols, such as SSL, SSH, VPN, etc.
- Secure ports, such as 443, 22, etc.
- User access principles, such as Role Based Access Controls (RBAC), etc.
- Username and password parameters, such as unique user ID’s, password complexity rules, password aging rules, account lockout thresholds, etc.
- Event monitoring
- Configuration and change monitoring
- Performance and utilization monitoring
- Logging and reporting
- Appropriate incident response measures
Some of the best practices to use for ensuring the CIA triad is upheld at all times are Defense-in-Depth and layered security – essentially utilizing various resources for helping protect an organization’s information systems landscape. As for Defense-in-Depth, it was initially a military strategy that put forth a “delay rather than prevent” concept, one that advocated yielding various elements to the enemy for purposes of buying extra time. Over time, the National Security Agency (NSA) adopted Defense-in-Depth as an information assurance (IA) concept in which multiple layers of security are used for protecting an organization’s information technology infrastructure. Defense-in-Depth has since become a highly adopted framework for many organizations around the world for helping ensure the safety and security of critical system components. It’s been praised as a highly effective concept, one that employs effective countermeasures for thwarting attacks on an enterprise’s information systems environment. Defense-in-Depth – for purposes of information security – includes the following layers, which have been loosely adopted and agreed upon by industry leading vendors and other noted organizations:
- Internal Network
- Policies, Procedures, Awareness
Layered security, often mentioned in the context of Defense-in-Depth, is a concept whereby multiple layers of security initiatives are deployed for the purposes of protecting an organization’s critical system components. Specifically, by utilizing a number of security tools, protocols, and features, organizations can effectively put in place layers of security that – in the aggregate – help ensure the confidentiality, integrity, and availability (CIA) of systems. It’s important to note that the main emphasis of layered security is about protection, ultimately making it a subset of Defense-in-Depth, which casts a much wider net on the broader subject of enterprise-wide information security. Furthermore, layered security seeks to put in place measures that compensate for possible weaknesses in other tools, but again – in the aggregate – form a comprehensive security strategy.
Remember, layered security is not about information security redundancy – that is, using tools to achieve the same desired output – such as using an access control card and iris recognition to enter a data center (that’s two forms of the same control – authentication and authorization). As for layered security initiatives, common examples can include the following:
- The use of firewalls, intrusion detection systems, web application firewalls, anti-virus and anti-spam tools, as they each provide specific measures unique to one another for network security protection.
- Having pan-tilt-zoom (PTZ) cameras at a data center, along with comprehensive badge provisioning procedures, whereby an organization implements the use of access control cards and iris recognition at the actual data center facility.
For purposes of information security, all individuals form a cohesive and vital component of an organization’s overall Defense-in-Depth platform – one that utilizes multiple resources for enterprise-wide cyber security protection.
When seeking a technical definition or understanding of a topic relating to information security, individuals often turn to the likes of NIST and Wikipedia. Such is the case for cyber security, which NIST briefly describes as “The ability to protect or defend the use of cyberspace from cyber-attacks” (NIST glossary). As for Wikipedia, it blends cyber security into the broader subject of information technology and information security, failing to provide – understandably so – a clear definition. We all tend to get caught up on technicalities, so for purposes of simplicity, here’s a well-crafted definition of what cyber security can best be looked upon as:
The various measures – such as the enforcement of policies, and the enactment of necessary processes and related procedures – for helping ensure the confidentiality, integrity, and availability (CIA) of information systems from malicious attempts in compromising system security that can ultimately disrupt, disable, destroy, and harm an organization’s system resources.
Simply stated, it’s about putting in place measures for protecting one’s information systems from the ever-growing threats in today’s cyber world we all live in, and there’s a tremendous effort currently underway by organizations all around the world to do just that. Publicly traded companies, local, state, and federal agencies – and many other entities – are hard at work putting in place measures for ensuring the safety and security of their entire information systems landscape. From Defense-in-Depth, to layered security, along with the adoption and implementation of a dizzying array of security standards, the topic of cyber security is alive and well, and you need to know about it!
It’s also critical that employees have a strong understanding of cloud computing, which is an area within information security that contains an almost endless list of definitions and explanations, ranging from the very technical (the NIST definition of cloud computing) to the simpler, easy-to-understand definition, such as the one provided by Wikipedia. So what is cloud computing? Taking the NIST definition and simplifying it, cloud computing is the following:
A model that allows for scalable, convenient, on-demand services to a shared pool of distributed computing resources, for which many models exist. In essence, one’s computing resources live in the “cloud”, instead of a more traditional model, such as a client-server design, etc.
The phrase has garnered much attention and widespread adoption since the mid 2000’s, but the concept isn’t as new as people would think. As for the various cloud models, vendors and others within the information technology arena are abuzz with new and catchy names and phrases, but referring back to NIST is generally a good idea. According to the NIST publication, “The NIST Definition of Cloud Computing” (published September, 2011), cloud computing itself consists of five (5) core characteristics, three (3) service models, and four (4) deployment models. Download the NIST whitepaper, titled “The NIST Definition of Cloud Computing”, to learn more.
What’s also important to note about cloud computing is its rapid expansion and widespread adoption by companies. More and more organizations are building out cloud computing platforms and offering such services to clients, while companies themselves are moving away from client-server and traditional computing environments to cloud computing. It’s a massive shift, one that will continue into the foreseeable future as cloud computing slowly, but surely, becomes the de facto computing environment for most organizations, regardless of sector, industry, or location. But with this huge leap of information technology faith come numerous requirements, the most important being that of security. After all, on-demand resources, while being touted as efficient, scalable, and cost-effective – among other things – raise large security concerns. If you’re using cloud computing within your organization and want to learn more, here are some helpful resources:
- The Cloud Security Alliance | https://cloudsecurityalliance.org/
- Cloud Industry Forum | http://www.cloudindustryforum.org/
- Wikipedia Overview of Cloud Computing | http://en.wikipedia.org/wiki/Cloud_computing
Response CRM has established the following general guidelines, responsibilities, and acceptable uses for email as described below.
- All email accounts, their respective addresses and the contents of the emails, which are processed, transmitted and stored via Response CRM network resources, are the exclusive property of Response CRM. As such, users utilizing Response CRM email resources have no right to ownership of these very resources and should be aware that emails and any supporting information that is processed, transmitted, and stored may be subject to inspection and/or investigation as warranted, without notice.
- Response CRM reserves the right, without notice, to suspend, temporarily or indefinitely, any email accounts as needed.
- Response CRM reserves the right, without notice, to delete and remove, temporarily or indefinitely, any email accounts as needed.
- Response CRM reserves the right, without notice, to block any emails being sent from Response CRM email accounts as needed.
- Response CRM reserves the right, without notice, to reject any emails from known or unknown third parties as needed.
- Response CRM reserves the right to redirect any emails from known or unknown third parties as needed.
- At any time and without notice, Response CRM reserves the right to inspect any emails being sent to or received from, known or unknown third parties as needed.
- The use of Response CRM email resources are to be conducted with due care and professionalism at all times, which includes not using abusive or questionable language within the body or subject line of the email.
- Response CRM email resources are to be used primarily for official business purposes only. While email is often used to communicate with friends, family members and other non-professional acquaintances, it is advised and encouraged to limit the use of Response CRM email resources for interaction and communication with these respective parties. Communication with friends, family members and other non-professional acquaintances should be conducted with the use of a personal, non-Response CRM email address.
- Users are to read, understand, and adhere to the general guidelines and provisions as stated in the CAN-SPAM Act.
- Only approved subscriber lists for receiving third-party emails are allowed. The list of approved subscriber lists is to be determined at the onset of being hired based on an employee’s role and responsibility within the organization.
- Users are to protect the privacy of their email accounts, which includes safeguarding passwords at all times and not allowing passwords to be viewed and copied by any other individual.
- Users are to have their access rights permanently revoked from all computing systems that allow for access to email accounts once they have been terminated. This includes the disabling of email accounts and passwords for any user terminated by Response CRM. Terminated users will not be allowed to have any e-mails forwarded to them once they have been terminated.
The following activities are considered unacceptable by users.
- Any activity resulting from the use of Response CRM email resources that may potentially compromise the organization’s network infrastructure, cause harm to other related systems, cause harm or pose a significant financial, operational, or business threat to the organization because of inappropriate and unacceptable use of email.
- Users are strictly prohibited from utilizing email resources for the purposes of sending or forwarding content relating to profanity, harassment, intimidation, known fraud, explicit sexual content (minor or adult), racism, terroristic threats and any other content deemed unprofessional, unethical or that violates any local, state, or federal law or regulation.
- Users are strictly prohibited from utilizing email resources for the purposes of engaging in any type of activity that violates any local, state, or federal law or regulation.
- Users are strictly prohibited from utilizing Response CRM email resources for the purposes of signing up and registering to personal social media sites and any other non-business specific sites.
- Users are strictly prohibited from utilizing Response CRM email resources for discussing confidential and sensitive company information with unapproved third party entities. This confidential and sensitive information, may include, but is not limited to, the following: trade secrets, patents, financial, operational, or technology data.
- Users are only allowed to access their own respective email accounts and are strictly prohibited from accessing another employee’s email account and sending and receiving emails for that said account. Additionally, modifying or deleting email files regarding another employee’s email account is also strictly prohibited by an employee.
- Users are strictly prohibited from creating, forwarding or soliciting the enrollment of other employees in viral e-mail chain letters. E-mail chain letters are described as the following: An electronic medium sent to a number of people asking each recipient to send copies with the same request to a specified number of others. The circulation of this electronic medium increases in geometrical progression as long as the instructions are followed by all recipients. Source: Wikipedia: http://en.wikipedia.org/wiki/Chain_letter
- Users are strictly prohibited from creating, forwarding or soliciting the enrollment of other employees in e-mail spam. E-mail spam is described as the following: E-mail spam, also known as junk e-mail, is a subset of spam that involves nearly identical messages sent to numerous recipients by e-mail. A common synonym for spam is unsolicited bulk e-mail (UBE). Definitions of spam usually include the aspects that email is unsolicited and sent in bulk. “UCE” refers specifically to unsolicited commercial e-mail. Source: Wikipedia: http://en.wikipedia.org/wiki/Email_spam
- Users are strictly prohibited from intentionally modifying or altering any part of an email message, which includes, but is not limited to, the following: content, signature, date, time, source, and destination.
The CAN-SPAM Act, a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out penalties for violations. It covers all commercial messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” including email that promotes content on commercial websites. The law makes no exception for business-to-business email.
Each separate email in violation of the CAN-SPAM Act is subject to penalties. Thus, Response CRM employees who utilize email services for the purposes of any type of marketing and solicitation activities are to adhere to the following provisions and are strictly prohibited from engaging in any activity resulting in non-compliance with these provisions:
- Do not use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
- Do not use deceptive subject lines. The subject line must accurately reflect the content of the message.
- Identify the message as an ad if this is the true intended nature of the contents of the e-mail.
- Tell recipients where you are physically located. The message must include your valid physical postal address. This can be your current street address, a post office box that Response CRM has registered with the U.S. Postal Service, or a private mailbox registered with a commercial mail receiving agency established under Postal Service regulations.
- Tell recipients how to opt out of receiving future email from you. The message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future.
- Craft the notice in a way that is easy for an individual to recognize, read, and understand. Creative use of type size, color, and location can improve clarity.
- Provide a return email address or another easy Internet-based way to allow people to communicate their choice.
- If possible, create a menu to allow a recipient to opt out of certain types of messages, but also include the option to stop all commercial messages from Response CRM. Make sure any type of spam filter doesn’t block these opt-out requests.
- Honor opt-out requests promptly. Any opt-out mechanism that is offered must be able to process opt-out requests for at least 30 days after the message is sent. Honor a recipient’s opt-out request within 10 business days.
- It is strictly prohibited to charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request.
- Once an individual has formally notified Response CRM that they do not wish to receive more messages, Response CRM is strictly prohibited from transferring their email addresses, even in the form of a mailing list.
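The provisions above are mostly procedural, but several of them (accurate origin headers, a postal address and opt-out instructions in every message, suppression of opted-out recipients, and the 10-business-day deadline for honoring a request) can be enforced mechanically before a marketing message leaves the organization. The following is an added illustration written for this page, not Response CRM's own tooling; the sending domain `example.com`, the postal address string, the address `customer.test` recipients and the opt-out dates are all constructed placeholders. Intent-based rules such as a "deceptive" subject line cannot be judged by code and still need a human reviewer.

```python
"""Outbound marketing-mail compliance gate (illustrative; not Response CRM code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import re

# Assumed placeholders: the organization's registered sending domains and postal address.
ORG_DOMAINS = {"example.com"}                              # placeholder domain
ORG_POSTAL_ADDRESS = "123 Example St, Anytown, ST 00000"   # placeholder address

OPT_OUT_DEADLINE_BUSINESS_DAYS = 10   # honor an opt-out within 10 business days
OPT_OUT_MECHANISM_MIN_DAYS = 30       # opt-out mechanism must work 30 days after send

_OPT_OUT_RE = re.compile(r"\b(unsubscribe|opt[- ]out)\b", re.IGNORECASE)


def add_business_days(start: date, n: int) -> date:
    """Date n business days (Mon-Fri) after start; public holidays are ignored here."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


@dataclass
class SuppressionList:
    """Opt-out requests keyed by address -> [request date, date honored or None]."""
    requests: dict = field(default_factory=dict)

    def record_request(self, addr: str, when: date) -> None:
        self.requests.setdefault(addr.lower(), [when, None])

    def mark_honored(self, addr: str, when: date) -> None:
        self.requests[addr.lower()][1] = when

    def is_suppressed(self, addr: str) -> bool:
        # Pending or honored: either way the address must not be mailed again.
        return addr.lower() in self.requests

    def overdue(self, today: date) -> list:
        """Addresses whose opt-out was not honored within the business-day deadline."""
        late = []
        for addr, (requested, honored) in self.requests.items():
            deadline = add_business_days(requested, OPT_OUT_DEADLINE_BUSINESS_DAYS)
            if honored is None and today > deadline:
                late.append(addr)
        return sorted(late)


def opt_out_valid_until(sent: date) -> date:
    """Last date through which the opt-out mechanism of a message sent on `sent` must work."""
    return sent + timedelta(days=OPT_OUT_MECHANISM_MIN_DAYS)


def check_message(msg: dict, suppression: SuppressionList) -> list:
    """Return the list of mechanical provision violations for a proposed message.

    msg keys: from, reply_to (optional), to, subject, body.
    An empty list means the automated checks passed; content review is still required.
    """
    violations = []
    if _domain(msg.get("from", "")) not in ORG_DOMAINS:
        violations.append("from-address-not-organization-domain")
    reply_to = msg.get("reply_to")
    if reply_to and _domain(reply_to) not in ORG_DOMAINS:
        violations.append("reply-to-not-organization-domain")
    if not msg.get("subject", "").strip():
        violations.append("empty-subject")
    body = msg.get("body", "")
    if ORG_POSTAL_ADDRESS not in body:
        violations.append("missing-postal-address")
    if not _OPT_OUT_RE.search(body):
        violations.append("missing-opt-out-instructions")
    if suppression.is_suppressed(msg.get("to", "")):
        violations.append("recipient-opted-out")
    return violations


# Constructed sample data for a stand-alone run.
SUPPRESSION = SuppressionList()
SUPPRESSION.record_request("alice@customer.test", date(2024, 3, 1))  # a Friday
SUPPRESSION.record_request("bob@customer.test", date(2024, 3, 1))
SUPPRESSION.mark_honored("bob@customer.test", date(2024, 3, 4))

COMPLIANT = {
    "from": "promo@example.com", "reply_to": "promo@example.com",
    "to": "carol@customer.test", "subject": "March product update",
    "body": "Advertisement. News about our products.\n"
            "To unsubscribe, reply to this message.\n" + ORG_POSTAL_ADDRESS,
}
NONCOMPLIANT = {
    "from": "deals@free-mail.test", "to": "alice@customer.test",
    "subject": "", "body": "Great deals!",
}

if __name__ == "__main__":
    print(check_message(COMPLIANT, SUPPRESSION))      # []
    print(check_message(NONCOMPLIANT, SUPPRESSION))   # five violations
    print(SUPPRESSION.overdue(date(2024, 3, 18)))     # ['alice@customer.test']
```

Run as a gate in the mail-sending pipeline, a non-empty result from `check_message` blocks the send, while `SuppressionList.overdue` is the report a compliance owner would review: an opt-out requested on Friday 1 March has a deadline of 15 March, so it appears as overdue from 18 March onward if nobody has marked it honored.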
Response CRM has established the following general guidelines, responsibilities, and acceptable uses for the internet as described below.
- Response CRM reserves the right, without notice, to suspend, temporarily or indefinitely, any Internet resources as needed.
- Response CRM reserves the right, without notice, to delete and remove, temporarily or indefinitely, any Internet resources as needed.
- The use of Response CRM Internet resources is to be conducted with due care and professionalism at all times.
- When connecting to the Internet, users must ensure that they are using approved and secure technologies.
- When downloading content from the Internet, all files must be scanned with appropriate anti-virus software.
- Response CRM Internet resources are to be used primarily for official business purposes only. While the Internet is often used to communicate with friends, family members and other non-professional acquaintances, it is advised and encouraged to limit the use of Response CRM Internet resources for interaction and communication with these respective parties. Thus, communication with friends, family members and other non-professional acquaintances should be conducted using personal, non-Response CRM Internet resources, primarily outside of normal business hours.
- Only approved subscriber lists for receiving third-party emails are allowed. The list of approved subscriber lists is to be determined at the onset of being hired based on an employee’s role and responsibility within the organization.
- Response CRM reserves the right, without notice, to monitor all Internet activity as needed.
- Users are to have their access rights permanently revoked from all computing systems that allow for access to Internet resources once they have been terminated. This includes the disabling of all accounts and passwords for any user terminated by Response CRM.
The following activities are considered unacceptable by users.
- Any activity resulting from the use of Response CRM Internet resources that may potentially compromise the organization’s network infrastructure, cause harm to other related systems, cause harm or pose a significant financial, operational, or business threat to the organization because of inappropriate and unacceptable use of Response CRM Internet resources.
- Users are strictly prohibited from utilizing Response CRM Internet resources for the purposes of connecting to and viewing any sites with explicit sexual content (minor or adult), racist content, sites that invoke terroristic material, promote violence, along with any other offensive material and any other content deemed unprofessional, unethical or that violates any local, state, or federal law or regulation.
- Users are strictly prohibited from utilizing Internet resources for the purposes of engaging in any type of illegal activity that violates any local, state, or federal law or regulation.
- Users are strictly prohibited from utilizing Response CRM Internet resources for the purposes of posting any material to any web site deemed unprofessional, unethical or that violates any local, state, or federal law or regulation.
- Users are strictly prohibited from utilizing Response CRM Internet resources for the purposes of signing up for or registering on personal social media sites and any other non-business-specific sites.
- Users are strictly prohibited from utilizing Response CRM Internet resources for the purposes of commenting on any public or private forum in a manner that presents the comments as Response CRM viewpoints. Any comments made must explicitly disclaim those views as the user’s own and not those of Response CRM.
- Users are strictly prohibited from utilizing Response CRM Internet resources for discussing confidential and sensitive company information with unapproved third-party entities. This confidential and sensitive information may include, but is not limited to, the following: copyrighted material, trade secrets, patents, financial, operational, or technology data.
Response CRM has established the following general guidelines, responsibilities, and acceptable uses for network devices as described below.
- All network devices are to be configured and used strictly for business operations.
- All network devices are to be appropriately hardened and secured in accordance with industry standards and applicable business requirements. Appropriate hardening procedures and guidelines may be obtained from the following industry sources:
- SysAdmin Audit Network Security (SANS) http://www.sans.org
- National Institute of Standards and Technology (NIST) http://www.nist.gov
- Center for Internet Security (CIS) http://www.cisecurity.org
- Additionally, industry-leading technology organizations provide alert boards, security forums, white papers, and other additional sources for hardening and securing network devices as needed. Please check with your technology provider to obtain this information.
- Any network devices obtained without proof of purchase and licensing rights will not be allowed onto the network.
- All users (primarily system administrative users) are responsible for the proper use of these devices.
- Any activity that may potentially compromise the organization’s network infrastructure, cause harm to other related systems or pose a significant financial, operational or business threat to the organization because of misuse of these devices will not be tolerated.
- All network system administrative rights and subsequent activities undertaken on network devices are subject to audit and review as needed.
- Users are to have their access rights permanently revoked from all computing systems that allow for access to any network devices once they have been terminated. This includes the disabling of email accounts and passwords for any user terminated by Response CRM. Terminated users will not be allowed to have any e-mails forwarded to them once they have been terminated.
The following activities are considered unacceptable for users.
- Any activity resulting from the use of Response CRM network devices that may potentially compromise the organization’s network infrastructure, cause harm to other related systems, or pose a significant financial, operational, or business threat to the organization because of inappropriate and unacceptable use of network devices.
- Users are strictly prohibited from utilizing Response CRM network devices for the purposes of connecting to and viewing any sites with explicit sexual content (minor or adult), racist content, sites that contain terroristic material or promote violence, any other offensive material, and any other content deemed unprofessional, unethical or that violates any local, state, or federal law or regulation.
- Users are strictly prohibited from utilizing network devices for the purposes of engaging in any type of illegal activity that violates any local, state, or federal law or regulation.
- Users are strictly prohibited from utilizing Response CRM network devices for discussing confidential and sensitive company information with unapproved third-party entities. This confidential and sensitive information may include, but is not limited to, the following: trade secrets, patents, financial, operational, or technology data.
- Users are only allowed to access their own respective network devices they are assigned to and are strictly prohibited from accessing another employee’s network devices. Additionally, modifying network devices regarding system settings without documented approval and business justification is strictly prohibited.
- Network components may not be added, removed or modified unless explicit consent is given by appropriate personnel.
Response CRM has established the following general guidelines, responsibilities, and acceptable uses for social media as described below. Please note that social media is looked upon in two distinct categories: (1) personal social media resources and forums that users have set up and established, and (2) Response CRM company-specific social media resources and forums that Response CRM has set up and established. Distinctions between the two categories of social media resources and forums regarding general guidelines, responsibilities, and acceptable use will be identified when deemed necessary for purposes of clarification.
Response CRM Company Specific Social Media Resources and Forums
- Currently, Response CRM has established a company specific profile on the following social media forums:
- YouTube: https://www.youtube.com/channel/UCzOY7OZyph6IlrvH40MsI_Q
- Facebook: https://www.facebook.com/ResponseCRM/
- Twitter: https://twitter.com/ResponseCrmLLC
- Pinterest: https://www.pinterest.com/ResponseCRM/
- LinkedIn: https://www.linkedin.com/company/response-crm-llc
- Instagram: https://www.instagram.com/responsecrm/
- Accordingly, Response CRM has established a formal Social Media Risk and Compliance Manager, who will be ultimately responsible for all oversight of Response CRM’s social media resources, which includes, but is not limited to, the following:
- Formally establishing a profile for Response CRM on all social media sites. The term “profile” includes the relevant username, password, associated email and all administrative content (name, address, contact information for our company) for all social media sites.
- Effectively monitoring all social media resources regarding comments, posts, material or content uploaded to these respective sites, along with any other information deemed necessary for monitoring.
- Educating, training, and informing all users, as needed, on their rights, roles, and responsibilities when interacting with Response CRM social media resources.
- Keeping management abreast, on a regular basis, of current social media trends, issues, and concerns that may affect the organization.
- Acting as the principal advocate of the Response CRM Social Media Policy, which includes making changes to the policy as needed and, accordingly, distributing the policy to all users.
- At all times, users are expected to act in a mature, professional, and ethical manner when interacting with and posting on Response CRM company-specific social media resources. As such, be cognizant of information posted and please strive to use a professional tone and language at all times.
- Information posted to any company specific social media resources that contains Response CRM related content must not contain any “sensitive information”. A common list of “sensitive items” can be found under the “Unacceptable Use” section below.
- Additionally, common questions users should ask themselves before posting to or uploading any content to Response CRM company specific social media resources are the following:
- Does the posting or uploading of content disclose any “sensitive information” as discussed under the “Unacceptable Use” section as described below?
- Does the posting or uploading of any content relate to profanity, harassment, intimidation, known fraud, explicit sexual content (minor or adult), racism, terroristic threats and any other content deemed unprofessional, unethical or that violates any local, state, or federal law or regulation?
- Is the posting of content professional in nature, with a positive tone and voice?
- Could any posting or uploading of content be perceived as political in nature, supporting a candidate, advocacy group, or some other formalized political party?
- Could any posting or uploading of content be perceived to be defamatory, slanderous or libelous in nature toward another known entity (i.e., individual, group of individuals, companies, etc.)?
- Have I, as a user, strived to be accurate and truthful in all posting or uploading of content to Response CRM company specific social media resources?
- Have I informed management of Response CRM of any other posting or uploading of content that may have potentially violated any of the policies within the Social Media Policy?
- At any time, and without notice or declaration of reason, Response CRM reserves the right to monitor, prohibit, restrict, block, suspend, terminate and/or delete a user’s activity on any company specific social media resources and forums.
- At any time, and without notice or declaration of reason, Response CRM reserves the right to disclose a user’s activity on social media resources to any local, state, or federal governmental authority due to requests from these governmental entities or for the purposes of informing them of activity that potentially violates any local, state, or federal law or regulation.
- Violations involving illegal use of social media resources are punishable by fines and imprisonment. The financial amount and imprisonment sentence, if any, will be determined by designated authorities and a court of law.
- At any time, and without notice or declaration of reason, Response CRM reserves the right to reproduce, distribute, publish, and display any user’s social media activities for the purposes of Response CRM.
- Users are to hold Response CRM harmless and not liable for any financial or legal liabilities (damages, losses, claims, settlements and any other liabilities as warranted) as a result of that user’s interaction and posting onto personal or professional social media sites.
- Users are to understand that any claim or dispute arising out of interaction and posting onto social media sites will fall under the provisions of state law in [name of state], resulting in being subjected to the jurisdiction of all applicable laws (local, state, and federal) located in [name of county where your business resides].
- Users are to have their access rights permanently revoked from all Response CRM company specific social media resources once they have been terminated.
The following activities are considered unacceptable for users.
- Any activity resulting from the misuse of Response CRM company-specific social media resources that may potentially compromise the organization’s network infrastructure, cause harm to other related systems, or pose a significant financial, operational, or business threat to the organization because of inappropriate and unacceptable use of social media resources.
- Users are strictly prohibited from posting or uploading any content to Response CRM company specific social media resources regarding political lobbying, solicitation, contributions, or endorsements for any political organization (i.e., political party, political action committee, political forum, political advocacy group, individual candidate, etc.).
- Users are strictly prohibited from utilizing Response CRM company specific social media resources for the purposes of posting or uploading any content relating to profanity, harassment, intimidation, known fraud, explicit sexual content (minor or adult), racism, terroristic threats and any other content deemed unprofessional, unethical or that violates any local, state, or federal law or regulation.
- Users are strictly prohibited from utilizing company specific social media resources for engaging in any type of illegal activity that violates any local, state, or federal law or regulation.
- Users are strictly prohibited from posting, uploading or discussing sensitive information on any company-specific social media resources. The term “sensitive information” may include, but is not limited to, the following:
- Internal policies and procedures and other Standard Operating Procedure (SOP) documents.
- Company-wide operational and information technology attributes.
- Financial data and accounting data, management meeting minutes, employee personnel files.
- Client provided data and information.
- Client contractual documentation (SOW, SLA, MSA, etc.).
- Any confidential intellectual property.
- Any information (media and the underlying information assets associated with that media) that supersedes the above information.
Advances in technology, though plentiful with benefits, also leave us vulnerable to malicious individuals. Identity theft, according to the United States Federal Trade Commission (ftc.gov), is when someone steals your personal information and uses it without your permission. Three (3) important aspects of identity theft worth discussing are (1) looking for signs it has actually occurred, (2) protective measures to undertake, and (3) what to do if you’re a victim.
As for watchful signs, consider the following to be possible indicators of identity theft – remember – the earlier it’s caught, the greater the chances of minimizing the damage to you and your family:
- The type of mail you are receiving changes or you stop getting certain bills or other items. Many times, fraudsters actually change somebody’s mailing address, forwarding to another location. Additionally, you receive a statement for a credit card or some other type of purchase you never made.
- Money is withdrawn from your bank account for unknown charges.
- You receive calls from debt collection agencies for debts unknown to you.
- You receive bills from medical services performed that you are unaware of. (Health care fraud is rampant).
- Upon examining your credit report, you find unfamiliar accounts.
- You encounter discrepancies between the Internal Revenue Service (IRS) records and your annual tax filings. Fraudsters often steal someone’s social security number for purposes of employment – especially if they are illegal – thus recording earned wages against your social security number.
- You’ve been notified that a data breach has occurred and your personal information has been compromised.
Let’s discuss some protective measures to take against identity theft, which consist of the following:
- Always keep sensitive and confidential information physically secure, such as in a locked file cabinet, safe, etc. When you have friends, relatives, or guests over, be sure to put personal documentation away so that it is not viewable by anyone.
- Limit what you carry in your wallet and purse to just the minimum – a credit card or two, driver’s license, important health care information, etc.
- Always ask “why”. More specifically, if somebody asks for your personal information (date of birth, social security number, etc.) always politely ask why they need it, how it will be used, where will it be stored, etc.
- Shred documents such as receipts and financial account statements, and peel labels off prescription bottles before discarding them.
- Put outgoing mail in secure drop facilities, such as the actual U.S. post office. If you don’t trust your own outgoing mail at your business or residence, then don’t use it.
- Try and limit providing your home address and strive to use an actual Post Office box address or a mail drop address when possible. The more thieves know about you (such as where you actually live), the greater their chances of striking again.
If you’ve unfortunately become a victim of identity theft, it’s time to act quickly for protecting yourself, which means cancelling credit cards and contacting all financial institutions and alerting them. What’s extremely important is to begin communicating and writing letters to various organizations, such as credit reporting bureaus and businesses, for which the Federal Trade Commission (ftc.gov) provides a number of sample identity theft letters to use.
Many Response CRM employees work from home, which means they store, process, and transmit sensitive and confidential company information over their personal networks, which can pose significant security risks. Let’s take a look at some best practices for securing your home network.
- Use Anti-virus. Whatever computer you are using on your home network, it needs to have current, updated anti-virus on it. This is one of the most fundamentally important – and easy to implement – security safeguards as it protects your computer from malware and other malicious exploits.
- Use strong passwords. Whatever you are doing online, it’s a good idea to use very strong passwords, those that contain a mixture of letters, numbers, and symbols. This also applies to the computer you are logging onto. Remember, home means “home”, where children and spouses have access to your items, so protecting them from misuse is important.
- Use a personal firewall. A personal firewall is an extra layer of added protection for helping protect your home network in the following manner:
- Protects the user from unwanted incoming connection attempts, ultimately allowing the user to control which programs can and cannot access the Internet.
- Blocks and/or alerts a user about outgoing connection attempts.
- Monitors and regulates all incoming and outgoing Internet connections.
There are a number of commercially developed software programs you can install to act as a personal firewall, yet you can also use the Windows personal firewall software from Microsoft, which is highly effective. As for Apple, their MacBooks also have a built-in personal firewall option, which should also be used.
- Be cautious online. Remember that working from home means you’re accessing Response CRM information, so be smart about what websites you’re visiting, information you are downloading, etc. Being cautious and having a “security first” mindset is a must at all times.
- Change your Wi-Fi broadcast name. Known technically as an SSID, it’s the name of the wireless network (if you are in fact using wireless) you connect to. Make sure to change the default SSID to something more unique. SSIDs that are left with their default names are often an indicator to hackers that the passwords are also still the defaults that shipped with the devices. Thus, change both the default SSID and the default password. Your router is the bridge to the Internet, so protect it by removing many of the default settings.
- Enable MAC filtering. Additionally, you want to allow wireless access only to trusted laptops, by allowing wireless connections only from known MAC addresses. A MAC (Media Access Control) address is a unique identifier attached to most network adapters – which, in this case – would be the unique identifier of your laptop’s wireless adapter.
- Change the default password for your router’s web access. The default password for the wireless router’s web interface is essentially the same for every unit of a given model as assigned by the manufacturer, so it’s important to change the default password for the wireless router’s web access immediately.
Information security is also about understanding today’s ever-growing online threats, many of which can result in serious security issues for Response CRM along with identity theft for yourself. We all spend large amounts of time online, for both professional and personal reasons – using laptops and portable devices – so it’s important to take note of the following tips:
- Trust, but verify. It essentially means knowing who is requesting or asking for any type of information from you, from highly sensitive and confidential customer information to your own personal information. Social engineering – tactics used to gain access and steal valuable assets – is on the rise, so be watchful and mindful at all times.
- Enable security. This means making sure that you have anti-virus on whatever computer being used to access the Internet, and possibly even using what’s known as a personal firewall, which comes standard with many operating systems, especially the Microsoft Windows operating systems. It also means using a username and password for protecting the contents on your laptop should it ever be lost, stolen, or misplaced.
- Protect your physical assets. This means not leaving your laptop, PDA, tablet, etc. unattended for any time period. Going to the bathroom at the coffee house while leaving your notebook alone is not wise. For company-owned laptops, verify with your I.T. department that the serial number has indeed been recorded. For your own personal laptop, record the serial number also.
- Clear out browser sessions. It’s a good idea to periodically clean out your browser history to ensure no pre-populated usernames and passwords exist, especially on non-company-owned desktops, laptops, and workstations. As for usernames and passwords, keep them secure (which is in your head!) and nowhere else. This means a clean desk policy, one that does not leave notes lying around with online login information.
- Be mindful on social media sites. You work for Response CRM, which means you represent us in everything you do, both inside and outside the walls of these facilities. As such, be cognizant of information posted and please strive to use a professional tone and language at all times, even with your friends, family members, co-workers, and other online participants you are engaging with. Just remember to ask yourself the following question: “Does the posting or uploading of content to any of my personal social media resources disclose any ‘sensitive information’ related to my company, or does it in any way impact the safety and security of my organization?” Remember to think before you post.
- Wireless Access Points. Though they’re free and easy to connect to, wireless access points can be extremely problematic in terms of security issues, so take note of the following precautions:
- Turn off your actual wireless connectivity when not in use.
- Connect only to trusted Wi-Fi “hotspots”, so if you aren’t sure about a network that’s being broadcast, ask! If it seems suspicious, then do not connect – most Internet sessions can wait!
- Do not use wireless access points for conducting business activities, unless you have approved VPN and secure, remote access software on your laptop.
- Protect wireless handheld devices. The continued growth and use of small, mobile devices capable of sending, receiving and storing information – though highly efficient – also requires putting in place protective measures, such as the following:
- Use PIN and/or password security parameters for accessing and unlocking your phone, as this is critical if it’s ever lost, stolen or misplaced.
- When disposing of any wireless handheld devices, ensure that all sensitive and confidential data has been removed, such as with a secure wipe program.
Shopping online is one of the greatest benefits offered by information technology, as just a click of the mouse lets you buy almost anything imaginable. Yet as with most luxuries in life, such benefits also carry significant risks, and protecting your personal consumer information – and company information – is always a top priority when shopping online. Please take some time to learn about the following safe shopping tips and habits:
- Use only known and trusted merchants. That means staying away from websites that simply don’t look or feel safe – and they may not be – so stick to your known stores, and the ones that everyone uses for purchasing products and services. Remember, when purchasing something online, always look for the “s” in the “https” part of the browser address, as “s” stands for security! So beware of bargain-hunting tactics and the inclination to use unknown sources for online purchases – it’s just not worth it.
- Be mindful of pop-ups, banner advertisements and other solicitations. Often when browsing the Internet and searching for products to buy, you’ll receive annoying ads or possibly even receive suspicious emails for a “must-have” product. While many of these solicitations are legitimate – and legal – some aren’t, so use caution at all time.
- Opt out of communication. Want to greatly reduce email spam and junk? Then make sure to “opt out” of any further emails and communications from merchants unless you really feel compelled to receive such information.
- Bad links are everywhere. Be mindful of any links that ask to “click here”, “download now” or any other aggressive tactic as they may be nothing more than malicious software trying to insert dangerous code onto your computer.
- Use a credit card, not a DEBIT card. Debit cards are unfortunately tied directly to your personal bank accounts, meaning once a fraudster has your debit card number, it’s only a matter of time before they can literally wipe out your checking account. Use a credit card, which essentially places a limit (usually $50 or lower) on what you’re responsible for in the event of card theft. Additionally, alternative methods of payment, such as paypal.com, are available whereby consumers don’t provide any confidential credit or debit card information to a merchant. Paypal.com is an excellent payment choice, when it’s available, and many large online retailers are incorporating it into their shopping cart checkout options.
- Trust your instincts. Online shopping is just like any other topic in security awareness – trust your instincts and you should be fine. If the site looks suspicious, it probably is, so stay away from it and move on to another reputable website.
True information security is also about being aware of the following growing fraudulent schemes being used against both organizations and individuals by malicious persons trying to extort funds along with obtaining highly sensitive and confidential information:
- Social Engineering. Deceptive tactics used by somebody for purposes of obtaining something or gaining access (both physically and logically speaking) to something for which they are unauthorized. Social engineering relies heavily on human interaction and building the trust of those whom somebody wants to deceive. For example, a fired employee may try to access his or her previous place of employment by tricking security guards, receptionists, or other personnel with common social engineering tactics, such as “I forgot my access badge, can you let me in?”, etc. The trust factor is the most important component of what allows social engineering practices to be successful.
- Social engineering tactics are long and varied, including the following practices. 1. Using alcohol. 2. Sex. 3. Piggybacking (following somebody into a building). 4. Phishing (tricking somebody into clicking on a link to what they think is an actual legitimate website). 5. Psychology (using the power of the mind to trick somebody). 6. Tech Talk (convincing someone to divulge information based on your technology expertise, such as pretending to be an I.T. administrator at a company). 7. Social Network Engineering (finding out information online based on social network interactions with someone). With so many ways to “trick” and deceive people, it’s important to be on the lookout for some of these examples, so if something looks suspicious, report it. Remember also to never give out sensitive and confidential information to anyone unless there’s a legitimate reason – trust, but verify.
- Victim Relief Scams. We as a society like to be perceived as caring, giving, and helpful individuals – people willing to open their hearts and wallets to those in need. Every time a major environmental disaster or unfortunate terror act happens, we’re there, ready and willing to help. Unfortunately, so are the scammers, who deploy numerous tactics across today’s endless list of technology platforms. From phony websites to fraudulent mailings, the world is full of scam artists working hard to take your money. With so many excellent volunteer organizations and non-profit agencies around, your money can find a good place, just not with the scammers. When receiving emails asking for donations or banner advertisements soliciting funds, do a little due diligence to make sure the organization is legitimate – there’s nothing wrong with being giving, just don’t be a victim. Remember these helpful tips:
- Do not respond to unsolicited incoming email or their associated links.
- Be skeptical of people claiming to be victims or their relatives. After Katrina, dozens of individuals were indicted for falsely collecting donations.
- Go to trusted websites to make donations.
- Verify the legitimacy of the organization requesting funds – do a little homework.
- Make contributions directly to known organizations rather than going through third parties.
- Be careful about giving out your personal or financial information to anyone soliciting contributions.
- Pyramid Schemes. Pyramid schemes are marketing and investment frauds in which an individual is offered a distributorship or franchise to market a particular product. Because the goal in a pyramid scheme is to sell the distributorship or franchise, and not the actual product, it creates an unattainable business model where no sales efforts or strategies have been given to a product (if there ever was one). The end result is a glut of investors, and the scheme collapses. Investors are told, however, that they can recoup their initial investment and generate additional revenue streams for themselves by bringing in new members. The pyramid scheme is simply not mathematically feasible for any viable business model.
- Ponzi Schemes. A Ponzi scheme is a fraudulent investment operation that pays returns to separate investors from their own money or money paid by subsequent investors, rather than from any actual profit earned. The Ponzi scheme usually entices new investors by offering returns other investments cannot guarantee in the form of short-term returns that are either abnormally high or unusually consistent. The perpetuation of the returns that a Ponzi scheme advertises and pays requires an ever-increasing flow of investors’ money to keep the scheme going. This type of scheme is named after Charles Ponzi, who operated an attractive investment ploy in which he guaranteed investors a significant return on their investment in postal coupons. The ruse dissolved when he was unable to pay investors who entered the scheme later.
- Letter of Credit Fraud. Letter of Credit frauds are often attempted against banks by providing false documentation to document the shipment of goods when, in fact, no goods or inferior goods were shipped. Additional Letter of Credit frauds occur when fraudsters offer a “letter of credit” or “bank guarantee” as an investment, whereby an investor is promised significant interest rates.
- Health Insurance Fraud. The health insurance industry is a large, complex and ever-growing sector of any nation’s economy. Fraud in this specific industry is rampant, with all participants ranging from primary care physicians to large medical insurance providers being affected. Common health insurance fraud schemes include, but are not limited to, the following:
  - Medicare and Medicaid billing fraud
  - Healthcare prescription fraud
  - Invoice and billing schemes, geared primarily toward small and medium healthcare practitioners
  - Medical equipment fraud
  - Personal healthcare identity fraud, such as fraudsters stealing and using individuals’ healthcare information for personal gain
  - Fictitious health insurance providers selling policies with no intent to ever pay
- Credit Card Fraud. Credit card fraud is one of the fastest growing crimes today. Almost everyone, at some point in their lives, will become a victim of it. Credit card fraud involves a variety of schemes, ranging from stealing the actual card numbers from any number of sources (trash, computer databases, etc.) to opening fraudulent card accounts with somebody’s information. Credit card fraud has recently made national news with breaches in large organizations that resulted in the theft of tens of millions of accounts. The Payment Card Industry Security Standards Council is one of the many associations that helps secure cardholder data with a series of assessment requirements.
- Occupational Fraud. A serious fraud threat, occupational fraud involves using one’s occupation for enrichment through the deliberate misuse or misapplication of a company’s resources and/or assets. This type of fraud involves a number of common schemes such as skimming, cash larceny, bribery, conflicts of interest and fraudulent financial reporting. When most organizations speak of fraud, they are specifically referring to occupational fraud.
- Invoice and Billing Fraud. Another common fraudulent act that has victimized numerous businesses is invoice and billing fraud. In these schemes, a fraudster develops a fictitious entity, produces invoices for that entity, then sends out the invoices either electronically or by mail to individuals and/or organizations within a specified geographic area. The amount invoiced is trivial; thus the scheme depends on a high number of victims making the desired payments. These schemes can range from any number of products or services—such as office supplies, books and study aid material—to donations, and even to fictitious charities. Many times, however, this type of fraudulent activity begins within an organization, as a dishonest employee may collude with another party or simply run the entire scheme by himself or herself.
- Identity Fraud. Identity fraud and theft, commonly known as identity theft, is defined as the unlawful change of identity. This form of fraud is characterized by the illicit use of another’s identity—existing or not—as a target or principal tool, typically for personal or financial gain. Unfortunately, this is one of the most common fraudulent acts being committed today. As we move toward a more transparent society that is increasingly dependent on technology and ease-of-use, one’s personal identification can be exposed through many channels. It is almost impossible to fully protect your personal identity, due in large part to the wide variety of data-rich sources available to fraudsters.
- Telemarketing Fraud. Telemarketing fraud is a fraudulent activity consisting of selling or promoting a pseudo-product over the telephone. Common examples of telemarketing fraud include, but are not limited to, the following:
  - Advance fee fraud (claiming that the victim will receive some sort of prize)
  - Pyramid schemes and other misrepresented investments or business opportunities
  - Overpayment fraud
  - Charity fraud
- Financial Correspondence Fraud (Nigeria) and Advanced Fee Fraud (AFF). Nigerian letter fraud is essentially an Advanced Fee Fraud (AFF) scheme whereby a fraudster will communicate from the country of Nigeria (via mail or email) to another overseas individual and will offer that individual an opportunity to participate in the sharing of a large sum of money. The individual in Nigeria will request personal data such as banking and other financial information along with sending actual money to the fraudster. It may seem like a farfetched scheme to many individuals, but surprisingly, it continues to be a growing problem. The ploy has been dubbed “419 Fraud,” named after Section 419 of the Nigerian Criminal Code. Advanced Fee Fraud (AFF) is not just limited to Nigeria, as a number of other fraudsters around the world have also employed these schemes. As such, AFF can be best defined as the following: when a victim is persuaded to advance sums of money in the hope of realizing a significantly larger gain.
- Bid Rigging. Bid rigging is a form of fraud in which a contract is promised to one party even though numerous other parties have also presented a bid. There are also additional components to bid rigging, such as bid suppression and bid rotation. They all involve an element of collusion and are illegal in most countries.
- Phishing. Phishing is the process of acquiring or attempting to acquire sensitive information by masquerading as a trustworthy entity in an electronic communication in order to deceive Internet users into disclosing their bank and financial account information or other personal data such as usernames and passwords. The “phishers” then take that information and use it for criminal purposes such as identity theft and fraud.
- Cashier’s Check Fraud. There are many variations of cashier’s check fraud, ranging from falsified cashier’s checks to schemes from foreign entities requiring you to wire them money on the difference between the amount on a cashier’s check and the item sold.
- Debt Elimination Fraud. There are scores of companies promoting debt elimination and consolidation services to consumers and businesses alike. The problem is that they are using techniques that do not work, are illegal, or cause your credit and financial situation to deteriorate. Many consumers have been victims of the bogus schemes, losing thousands of dollars and gaining nothing in return.
- Work-at-Home Employment Schemes. From envelope stuffing to multi-level marketing, the work-at-home scams are plentiful indeed. What is ironic about many of them is that they are simply an extension of the scammers themselves. That is, you may potentially be colluding with one of them. Most work-at-home schemes try to sell you “starter” packages to begin a business, ask you to call a 900-number to request more information, or engage in some other type of questionable activity.
- Tax Fraud. An all-too-common fraud scheme is tax fraud, which comes in the form of tax avoidance, tax evasion and falsifying tax filings, just to name a few. Tax fraud is a growing problem that can be difficult to detect and prevent, and unfortunately, the burden is divided amongst those who do not commit this serious crime. Common fraudulent tax schemes include the following:
  - Claiming false deductions
  - Concealing income and not reporting (underreporting) it on one’s tax returns
  - Over-reporting the amount of one’s deductions
  - Engaging in foreign and/or offshore tax schemes
- Securities Fraud. Securities fraud, also known as stock fraud and investment fraud, is a practice that induces investors to make purchase or sale decisions on the basis of false information. This form of fraud is in violation of the securities laws, and it frequently results in financial losses. Securities fraud consists of deceptive practices in the stock and commodity markets, and it occurs when investors are enticed to part with their money based on untrue statements. Securities fraud includes outright theft from investors and misstatements on a public company’s financial reports. The term also encompasses a wide range of other actions such as insider trading and other illegal acts of a stock or commodity exchange. According to the FBI, securities fraud includes entering false information on a company’s financial statement and Securities and Exchange Commission (SEC) filings, lying to corporate auditors, insider trading, various stock schemes and embezzlement.
- You are a Constant Target. It’s unfortunate, but true – you are a constant target and will forever be one in today’s world of growing cyber security threats, social engineering tactics, and many other malicious practices. While information technology has afforded society with many great benefits, along with it comes risks, pitfalls, and challenges – most centering around trying to protect highly sensitive and confidential information. It’s a never-ending battle, one that requires constant vigilance and a watchful eye from you, both at work and outside the office. From logging onto your computer each day to buying lunch with your credit card, be alert, aware, and on the lookout for suspicious practices. Security for the company is everyone’s responsibility – security for you is your responsibility, so let’s do it together!
The examples above are some of the most common fraudulent schemes that employees of Response CRM should be aware of. Unfortunately, this is just a small sample of a larger and ever-growing problem facing businesses today.
Listed below are numerous resources for helping employees gain a stronger understanding of the broader topic of information security, such as initiatives ranging from simple explanations of how computers work to helpful resources relating to fraud and other important safety considerations for today’s information technology world. Security awareness is broad, in-depth, complex, and constantly evolving – requiring a true commitment from all individuals for helping protect critical organizational assets along with their own personal assets.
The National Check Fraud Center (http://www.ckfraud.org)
According to their mission statement, the National Check Fraud Center is “a private organization that provides nationwide, updated multi-source information and intelligence to support local law enforcement, federal agencies, financial and retail communities in the detection, investigation and the prosecution of known check fraud and white collar crimes.”
If you have been a victim of white collar fraud or are aware of possible fraudulent schemes and activities, you may contact them at 843-571-2143.
USA.gov is a comprehensive source developed by the United States government that offers information to citizens, businesses, government employees and visitors to the United States. Included on this site is information specifically related to fraud, theft, scams and other malicious and illegal activities. Simply access the Consumer Guides section from the homepage, and an abundance of information is readily available. Many of the resources and links provided in this website comprise a number of the agencies and bureaus listed within this document. It’s an extremely helpful and resource-rich site for anyone interested in fraud and other related topics. Some of the more notable topics and resources found on USA.gov include the following:
- how to report complaints and fraud relating to any number of issues
- information regarding common scams and fraudulent activities
- how to report tax fraud scams
Internal Revenue Service (www.irs.gov)
The Internal Revenue Service (IRS) provides helpful information on fraud and scams such as those of abusive tax preparation, abusive tax schemes, how to recognize fraudulent tax scams and other useful information. You can learn more by visiting this page.
This website is specifically designed to allow consumers to file online complaints concerning foreign companies using a submittable virtual form. There is also a “News & Resources” tab where you can learn about the latest fraudulent scams, complete with feature stories on them.
This is a financial services website provided by the United States Department of the Treasury that offers financial information and research for Treasury securities. They also have incorporated information concerning fraud and scams under the “States & Regulations” tab.
United States GAO (www.gao.gov)
The U.S. Government Accountability Office (GAO) is the investigative arm of Congress, and it is generally considered the “congressional watchdog.” They have a “FraudNet/Reporting Fraud” resource, which can be found on the GAO website. Contact information is given to individuals who want to report fraud perpetrated by small businesses, federal fraud and even internal fraud at the GAO.
The Federal Bureau of Investigation (www.fbi.gov)
The FBI has an excellent resource page that discusses common fraud schemes along with preventative measures one can take. You can also sign up to be alerted to new fraud schemes via email from the FBI. The FBI webpage highlights the following common fraud schemes:
- Telemarketing Fraud
- Nigerian Letter (419) Fraud
- Impersonation/Identity Fraud
- Advanced Fee Schemes
- Health Insurance Fraud
- Redemption | Strawman | Bond Fraud
- Letter of Credit Fraud
- Ponzi Schemes and Pyramid Schemes
Additionally, you can visit the FBI’s “Be Crime Smart” page where you will find additional advice on protecting yourself and Response CRM from fraudulent activities.
Securities and Exchange Commission (www.sec.gov)
The Securities and Exchange Commission (SEC) is an independent agency of the U.S. government whose primary responsibility is enforcing the numerous federal securities laws and regulating the securities industry, the nation’s stock and options exchanges and other securities markets. Any individual can file a complaint concerning any fraudulent financial activity at the SEC’s website or via the email address listed there.
The United States Department of Labor | Occupational Safety and Health Administration (www.osha.gov)
If you work for a publicly traded company and you have been fired, demoted, suspended, threatened, harassed, or discriminated against for reporting possible shareholder fraud to a supervisor, federal regulator, or member of Congress, you have the right to contact the federal government as mandated by OSHA’s Whistleblower Protection Program. OSHA is the federal agency that investigates and handles “whistleblower” complaints. You can learn more at www.osha.gov.
The United States Department of Health and Human Services (www.hhs.gov)
The Department of Health and Human Services (HHS) is the United States government’s primary agency for protecting the health of all Americans by way of making available essential healthcare services.
As mentioned before, a growing problem in the United States is healthcare fraud, especially with Medicare and Medicaid. HHS has thus provided detailed information regarding all aspects of Medicare and Medicaid fraud, such as how to report fraud, common fraudulent schemes involving Medicare and Medicaid, and a link to the Department of Health and Human Services Centers for Medicare and Medicaid Services (CMS) website.
United States Postal Inspection Service (www.postalinspectors.uspis.gov)
The United States Postal Inspection Service (USPIS) provides a number of resources for helping individuals understand the various elements of fraud and common fraudulent schemes currently being used. At the USPIS site, individuals can view fraud prevention videos, learn about current fraudulent schemes, and find out what rights they have should they become a victim of fraud.
The Federal Trade Commission (www.ftc.gov)
The Federal Trade Commission (FTC) is the nation’s consumer protection agency that includes the Bureau of Consumer Protection, which works on behalf of consumers to prevent fraud, deception and unfair business practices in the marketplace. The Bureau also collects complaints concerning consumer fraud and identity theft, and it makes them available to law enforcement agencies across the country. You can learn more at www.ftc.gov.
The United States Secret Service (www.secretservice.gov)
The Secret Service Financial Crimes Division investigates crimes associated with financial institutions, which include bank fraud, access device fraud involving credit and debit cards, telecommunications and computer crimes, fraudulent identification, fraudulent government and commercial securities and electronic funds transfer fraud. You can learn more about the Financial Crimes Division at www.secretservice.gov.
The United States Department of Justice (www.justice.gov)
The United States Department of Justice (USDOJ) employs a Fraud Section that is described as a rapid response team that investigates and prosecutes white collar crimes in the United States. The Fraud Section, which you can learn more about at www.justice.gov, provides valuable resources and information related to the following:
- Helpful tips and other information pertaining to consumer fraud
- Identity Theft
- Telemarketing Fraud
- Discussion of “Working Groups” relating to securities and commodities fraud
- Listing of policies relating to prosecutorial issues for business organizations
Additionally, you can visit the Computer Crime & Intellectual Property Section of the United States Department of Justice. At this site you can find a wealth of information relating to criminal and fraudulent schemes, as well as details on how to report a crime.
Internet Crime Complaint Center (www.ic3.gov)
The Internet Crime Complaint Center (IC3) is a partnership between the FBI, the National White Collar Crime Center (NW3C) and the Bureau of Justice Assistance (BJA). As stated on its site, the IC3 has a virtual portal for accepting crime complaints from either the alleged victim of fraud or from a third party to the complainant. Additionally, the IC3 furnishes individuals with useful information such as crime prevention tips, updates on current scams and downloadable posters and flyers.
The Federal Communications Commission (www.fcc.gov)
The Federal Communications Commission (FCC) is an independent agency of the U.S. government that was established by the Communications Act of 1934. The FCC is primarily responsible for regulating interstate and international communications by radio, television, wire, satellite and cable. The FCC’s Consumer Alerts and Facts Sheets section consists of publications that alert consumers to a wide variety of issues, including fraudulent schemes.
The Better Business Bureau (www.bbb.org)
The Better Business Bureau (BBB) is an organization that promotes a marketplace governed by ethical standards where buyers and sellers can trust each other. For both businesses and consumers, the BBB has a large amount of useful information concerning fraud. You can easily use their “search” box and type in any topic related to fraud, or you can benefit from the many other resources available at the site.
National Consumers League Fraud Center (www.fraud.org)
The National Consumers League Fraud Center (NCL) provides a wealth of information relating to fraud schemes, and their website enables online filing of fraud complaints. NCL’s fraud center resources include the following areas found on their website:
- Frequently Asked Questions
- Telemarketing Fraud
- Internet Fraud
- Scams against Businesses
- Scams against the Elderly
- Counterfeit Drugs
- Fraud News
National White Collar Crime Center (www.nw3c.org)
The National White Collar Crime Center (NW3C) provides training, investigative support and research to agencies and other entities involved in the prevention, investigation and prosecution of economic and high-tech crimes.
The NW3C is a nonprofit membership organization dedicated to supporting law enforcement, yet it has no investigative authority itself. Its primary mission is to assist law enforcement agencies in better understanding and using a wide variety of tools to combat crime. The NW3C provides training (classroom courses), research and partnership opportunities with other entities.
Consumer Fraud Reporting (www.consumerfraudreporting.org)
Consumer Fraud Reporting is a free online service that warns consumers about specific types of fraud and other scams via the Internet, and it provides a mechanism for reporting fraudulent activity and financial scams. The website is extremely informative, providing an abundance of information on how to detect and prevent scams, what government agencies are involved in combating fraud, how to report a scam or fraudulent activity and resources to free publications on fraud itself.
National Association of Attorneys General (NAAG) (www.naag.org)
The National Association of Attorneys General (NAAG), founded in 1907, fosters interstate cooperation on legal and law enforcement issues, and it conducts policy research and analysis of issues, as well as other essential activities, between the states’ chief legal officers and all levels of government. The NAAG website provides a listing of all current Attorneys General for each respective state and territory. This is an invaluable resource primarily because each state’s AG website provides valuable information concerning fraud, such as how to report it, how to file a complaint and other resources that may be helpful in gaining a greater awareness and understanding of fraud.
While I.T. professionals are busy updating and applying critical security patches to Response CRM system components, it’s important that all employees also do the same for many of their devices, particularly applications used on a daily basis. Security is the first and foremost reason for applying security updates, but there are other benefits also, such as new and enhanced features, improved performance and stability. Additionally, security updates are almost always free – so there’s another compelling reason! Along with ensuring that a current and stable version of anti-virus is being used, the following are to be updated accordingly:
- Internet browsers: Updating browsers (Internet Explorer, Mozilla, Google Chrome) is extremely important for ensuring all web pages display correctly, security holes are not still present, and all performance features are maximized.
- Microsoft Windows Operating Systems: Simply automating the “Windows Update” service is all that really needs to be done, so visit your “Control Panel” and enable this feature, which may likely be on anyway.
- Portable Document Format (PDF) | Adobe: Hackers can create malicious files and other executables that exploit Portable Document Format (PDF) reader software, therefore it’s important to click “yes” when Adobe software asks if you want to apply security updates.
- Other essential applications: There’s an almost endless list of applications being used today, so keep a list handy of what’s on your computer, making sure to perform security updates as required for not only safety, but performance and software stability.
Protecting your workstation area – specifically your desktop computer and other supporting devices – is an important duty all employees should take very seriously. While many of the workstation security best practices mentioned below are also discussed in other areas of the security awareness training program, you’ll find additional requirements, tips, and suggestions considered important. Employees spend long hours at their workstations, so it’s critical to implement the following best practices:
- It’s your workstation. That means only you should be using it, and primarily for business purposes only. Sure, it’s fine to conduct personal activities also, such as checking your email, logging into online banking, even accessing a few of the accepted social media platforms, such as Facebook and LinkedIn. Allowing other employees to use your workstation is strictly prohibited, so be aware of this. Imagine another employee using your workstation, accessing the Internet and possibly unknowingly downloading malware, sending an unprofessional email, or taking any other action. It happens all the time and you don’t want to be blamed for something you didn’t do, so don’t share your workstation rights.
- Use strong passwords. While most passwords will be enforced by group policy settings from I.T. personnel, it’s still important to make them unique, never using information pertaining to your favorite sports team, home address, middle name, etc. With password complexity requirements in place often requiring the use of symbols and numbers and other mandates, it’s also a good idea to adopt the same policies on other systems and websites for which you personally have administrative password access rights, such as online banking, social media accounts, or any business accounts that are not group policy enforced by I.T. personnel.
- Security updates. Make sure your workstation computer has all the required security updates for the operating system and all other applications running. This also means having anti-virus running at all times and conducting periodic scans. Additionally, the use of anti-spyware may also be required as it provides additional layers of protection, especially during Internet usage. While most of the security updates are “pushed” out and managed by I.T. personnel, at times you’ll still need to accept these updates.
- Don’t alter security settings. Your workstation has been configured for maximum security along with performance, so do not attempt to disable or modify configuration settings to the operating system or any other applications. Doing so may increase security vulnerabilities that would ultimately allow malicious files and other harmful scripts to reside on the workstation.
- Don’t install any unapproved software. Your workstation has also been configured for providing you the necessary tools in performing daily roles and responsibilities, which means no additional software is needed. Do not download or install into any of the drives or ports additional software that has not been approved as it may contain malicious files, could consume additional resources, or is simply not professionally suitable for the work environment.
- Removable storage devices. They’re easy to use, inexpensive, and a great way for transferring information, yet they’re also incredibly dangerous when the wrong information is on them and in the wrong hands. With that said, USB devices such as thumb drives, external hard drives, and other removable storage and memory devices are never to contain highly sensitive and confidential information, such as Personally Identifiable Information (PII), or any other data deemed privileged. Such information should be transferred over the network using approved protocols and reside on company servers only.
- Use caution with email. Be careful when opening emails from unknown parties, especially attachments. If it looks suspicious, do not open the email under any circumstances. Additionally, avoid clicking on links or banner advertisements sent to you, as these often contain spyware, malware, etc.
- Be mindful of Instant Messaging. Instant messaging is considered fun, informal, and an easy and affordable way to communicate – all of which are true. Just be very careful as to the types of information you’re sending and receiving via instant messaging, which ultimately means not transmitting any type of highly sensitive, confidential, or privileged information. This includes what’s commonly known as Personally Identifiable Information (PII) – unique identifiers for any individual, such as social security numbers, dates of birth, medical accounts, etc. If you’re not sure as to the sensitivity of the information, don’t send it over IM.
- Handle privileged information with care. From emails containing sensitive information to hard copy documents for contracts, trade secrets, or any other type of confidential data, treat it with the utmost care and professionalism, making every effort to protect its confidentiality and integrity. Don’t divulge such information to unintended parties and never leave items (both hard copy and electronic media) unattended in public at any time (i.e., coffee shops, training seminars, conferences, etc.).
- Report security issues immediately. Remember, if you see something, say something – and immediately. You have a responsibility for helping protect the organization, which means being aware of your surroundings and reporting suspicious activity to authorized personnel – immediately. From seeing a door ajar that shouldn’t be to finding sensitive documents lying in a common area, you need to take action.
- Shut down and protect your workstation. When leaving your workstation area at the end of each day, make sure to completely shut down and turn off all computers and related devices. Additionally, pick up and store any documents, electronic media, or any business and/or professional items that should not be left unattended. Use your judgment by asking yourself the following simple question – “what risk or security danger is there in leaving something not securely locked up and put away?”
Securing your laptop at all times is extremely critical, and it requires comprehensive measures regarding its physical security, while also protecting all electronic data residing on it. From travelling for meetings to connecting to open public wireless access points, your laptop is a constant target, so beware. Take the following precautions for securing what’s arguably one of your most important possessions:
- Use Encryption. The use of full-disk encryption ensures the safety and security of data (i.e., user files, swap files, system files, hidden files, etc.) residing on your laptop, especially if it’s stolen, lost, or misplaced.
- Use Anti-virus. It’s one of the most fundamentally important – and often not used – pieces of security software, so make sure your laptop has anti-virus running at all times, that it scans for viruses at regular intervals, and that the software is current.
- Turn on your firewall. Blocking suspicious traffic is essential for laptop security, so turn on and “enable” your default personal firewall or an approved personal firewall software appliance, for which there are many available.
- Use strong passwords. When turning on your laptop, your initial password should be extremely strong, with a combination of letters, numbers, and symbols used. Once your initial password is compromised, the contents of your entire laptop (especially if you’re not using full-disk encryption) can be compromised. Don’t use terms and phrases for which somebody might find an association with you, such as favorite football team, home address, middle name, etc.
- It’s your laptop. Therefore, don’t let other individuals use it, especially if it’s somebody you don’t know. When situations arise that require it to be used by someone other than you, create a guest account for their use.
- Secure it physically. A good investment is a security cable with a lock for securing your laptop at a workstation or any other location that requires such. They’re relatively inexpensive and a great deterrent to any thief.
- Keep a watchful eye. Don’t ever leave your laptop unattended in any public venue or location not considered safe. That means not using the coffee house phrase “can you watch my laptop for a minute as I go to the restroom”, or any other similar thought process. Being vigilant and watchful at all times is a must for the safety and security of your laptop, so remember – do not leave it unattended – plain and simple. If you have to leave it in your hotel room or some other location, then remove it from sight and place it under a pillow, in a closet, or some other location. The best safety measure is to carry it with you at all times.
- Place your contact information somewhere visible. Because most people are honest and trustworthy, should your laptop be stolen, misplaced or lost – and then subsequently found by a good Samaritan – you’ll clearly want your name, phone number, address, and/or email visible on it. Put a sticker on the cover or back of your laptop with all your relevant contact information.
- And if your laptop is stolen. Laptops unfortunately do get stolen, so think and act quickly, which means reporting the theft to local authorities along with informing management (and the I.T. department) immediately.
It’s also important to understand the company’s general policy on software usage, which includes numerous responsibilities that all employees need to be aware of. Software is used by all of us, each and every day, as it’s vital to performing daily tasks for one’s job function. With that said, please be mindful of the following issues:
- Use only approved software. Only software approved and purchased by the company may be installed and used on any company-wide system components. This includes your workstation and any other device provided to you by the company. Unapproved software has not been fully vetted by authorized I.T. personnel and can often contain dangerous or malicious code that’s extremely harmful to computers. Simply stated, only load and use legally approved software on computers.
- Do not duplicate software. The licensing rights for software are strict and extremely rigid, allowing only a predetermined number of installations for a given data set. This means you are not allowed to copy or duplicate any company approved and purchased software – no exceptions. U.S. copyright laws – and other regulations throughout the world – often place strict guidelines on software usage, so please keep this in mind.
- Use caution on your own devices. When using your own personal workstation, laptop, or other device, please consider and be mindful of the software you install, especially when such computing systems are used for potentially accessing the corporate network. While the guidelines on software for your personal computers are less restrictive, we still ask that you use extreme caution when loading any type of application onto your devices.
- Accept updates. For software to function efficiently and safely, security and patch updates have to be applied on a regular basis, so make sure to accept such updates when pushed out, and also take time to update any software on your personal computers that does not rely on updates pushed out by I.T. personnel.
- Downloading from the Internet. Any software obtained from the Internet is to be considered copyright protected, which means accepting any copyright agreements, and also comprehensively scanning the software for ensuring no dangerous or malicious code exists. The Internet can be an extremely dangerous forum when it comes to software as many products seem harmless, only to contain viruses that can wreak havoc on computers. Think before you start downloading any software online.
- Software audits. As an employee of the company, you should know that we have the right to conduct random software compliance audits on workstations, including laptops issued to you, or your own personal laptops. The audits are for ensuring compliance with software licensing rules, while also ensuring your computers are free of any potentially dangerous applications. If you’re not sure what constitutes approved software, then simply ask somebody.
- Penalties and fines. Did you know that we as a company and you as an employee can actually be levied fines for improper software use? Yes, it’s that serious and it’s why we’re taking the time to discuss this important issue with you. According to the U.S. Copyright Act, illegal reproduction of software is subject to civil damages of up to $150,000 per title infringed (Section 504(c)(1), Title 17), and criminal penalties, including fines of as much as $250,000 per title infringed and imprisonment of up to ten years (Section 2319(b)(2), Title 18).
Often the greatest enemy for any organization is its very own employees who undertake malicious acts that cause severe damage in terms of security. From stealing files to accessing privileged and sensitive information, insider threats are unfortunately on the rise. Yet it’s more than just deliberate and fraudulent activities that create so many security challenges for businesses; it’s also unintentional acts, such as opening virus infected attachments, visiting websites that result in executables infecting computers, and other unfortunate practices by employees. Not knowing is just as bad as the deliberate acts, at least in terms of consequences for the organization, so keep that in mind. What’s interesting to note about insider threats is the following:
- A negative event in the workplace triggered the incident.
- The malicious individual had planned the event in advance, but had also been given prior disciplinary action for some other incident.
- The vast majority of events used simple tools, commands, etc., and not elevated system administrative privileges.
- A statistically significant number took place using remote access protocols from outside of the organization’s network, such as from the employee’s home.
A list of recent and notable insider incidents that caused severe damage to organizations consists of the following:
- Theft of highly sensitive and confidential documents with the use of USB hard drives, which are easy to obtain, conceal, and use.
- Obtaining company trade secrets by accessing privileged folders in a cloud computing environment by a vendor who had supposedly been removed from access.
- Hundreds of checks forged for various amounts, ranging from $50 to $25,000, all from a company checkbook that was thrown into a garbage dispenser outside of the company’s headquarters.
This list goes on and on; from deliberate acts to dangerous, unintended mishaps and actions, internal threats are everywhere. All employees have a responsibility to live and act by the motto, “if you see something, say something” – and immediately. With that said, be alert and on the lookout for the following suspicious activities by others:
- Mood swings, violent and/or aggressive actions.
- Sudden change in behavior, work ethic, morals, etc.
- Discussion of suicide, harming others, general negativity, etc.
- Combative, argumentative, etc.
- Appearing intoxicated or using illegal substances.
- Verbal and/or email threats towards others.
- Unexplained absence and tardiness at work.
- Disregard for company rules and regulations.
- Not being a “team player”, etc.
It’s about being alert and watchful, yet not paranoid as accusing somebody of a crime or incident they did not commit also has ramifications for the organization, and for you, so think first. Also be watchful of things that just don’t seem right, such as a door ajar for no apparent reason, confidential documents placed in a public area, smoke or other environmental factors you may be suspicious of. In summary, try and use your natural intuition in helping protect the organization from a growing list of serious internal threats.
Keeping your desk free of clutter and unnecessary items helps in promoting a professional work environment, while also ensuring the safety and security of sensitive documents and assets. Because employees all leave their workstations throughout the day for any number of reasons, make sure to turn off your computer or, at the very minimum, enable the password protected screensaver. Additionally, remove any sensitive hard-copy documentation and electronic media (USB drives, disks, etc.) and store it in a secure location, such as a locked file drawer or cabinet nearby. For any documents no longer needed for work, make sure to shred such material or place it in a secure bin, regardless of sensitivity, never placing such documents in any public trash can, such as those immediately in your workspace. Never use Post-it notes or other forms of notes and reminders in your workstation that contain sensitive and confidential information, such as passwords, account information, etc. Furthermore, if you have visitors at your workstation, please put away all sensitive and confidential information. If you incur an extended absence from work, such as holidays, vacation, etc. – please clear your desk of all items considered sensitive and confidential. Lastly, do a brief check before leaving your workstation for the day, securing all appropriate items.
A data security breach is technically defined as the intentional or unintentional release of secure information into an untrusted environment. Simply stated, it’s about letting highly sensitive and confidential information fall into the wrong hands – and unfortunately – it happens every day, causing enormous problems and challenges for organizations. Many of the most well-known data security breaches are a direct result of carelessness by individuals along with failing to update critical security measures. From using antiquated encryption techniques to leaving laptops in hotels, stories abound of such simple, yet highly costly mistakes made by individuals. As for the results, they can be catastrophic in many ways, many times putting such severe financial and public relations burdens on companies that they never fully recover. Numerous laws, regulations, and industry specific mandates require organizations to not only put in place comprehensive measures for mitigating data security breaches, but also to notify individuals of such breaches.
These are costly and expensive measures, something a company never wants to encounter – all the more reason for employees to have a sound understanding of critical security awareness topics for helping to protect the safety and security of critical organization-wide system resources. From using simple and easy-to-guess passwords to leaving hard-copy records in public areas, data breaches can and do happen. As an employee of Response CRM, you’ll ultimately come across information deemed highly sensitive and confidential, so remember to ask yourself some basic questions, such as “Do I have the right to access this information?”, “Is the information being stored securely, away from unauthorized parties?”, and many other basic security questions. It’s also important to note the different types of data security breaches, which – according to privacyrights.org – generally consist of the following:
- Unintended disclosure – Sensitive information posted publicly on a website, mishandled or sent to the wrong party via email or any other type of end-user messaging technology.
- Hacking or malware – Electronic entry by an outside party, malware and spyware.
- Payment Card Fraud – Fraud involving debit and credit cards that is not accomplished via hacking. For example, skimming devices at point-of-service terminals.
- Insider – Someone with legitimate access intentionally breaches information – such as an employee or contractor.
- Physical loss – Lost, discarded or stolen non-electronic records, such as paper documents.
- Portable device – Lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc.
- Stationary device – Lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility.
- Unknown – Anything outside of the above listed categories.
Our reliance on information technology – though plentiful with benefits – also brings large risk and even larger responsibilities by employees for being aware of any perceived or actual instances of intentional or unintentional release of secure information into an untrusted environment. Data security breaches are costly, extremely damaging, with long-lasting negative effects. Again, if you see something, say something – immediately!
Data and information being stored, processed, and/or transmitted on system components that are owned, operated, maintained and controlled by Response CRM are to have appropriate classification levels in place that consist of the following:
- Unclassified | Public Information: This type of data and information, and the underlying information assets associated with it, is generally designed to be used by anonymous individuals or systems that have a credible interest in communicating with Response CRM. As such, this type of data and information is disclosed freely to the general public.
- Proprietary: This type of data and information, and the underlying information assets associated with it, is generally designed to be used by internal employees only, thus it is prohibited from being circulated outside of the organization.
- Confidential: This type of data and information, and the underlying information assets associated with it, is intended to be viewed and/or utilized by select employees only.
- Company Confidential: This type of data and information must be protected from unauthorized access at all times, but with a focus on the data and information being that of internal, corporate issues.
- Client Confidential: This type of data and information must be protected from unauthorized access at all times, but with a focus on the data and information being that of the customers.
- Sensitive: This type of data and information, and the underlying information assets associated with it, is intended to be viewed and/or utilized by very select employees only. Furthermore, it requires an extremely high level of protection from unauthorized parties for ensuring its confidentiality, integrity, and availability (CIA).
- Trade Secret: This type of data and information, and the underlying information assets associated with it, is also intended to be viewed and/or utilized by very select employees only. Furthermore, it too requires an extremely high level of protection from unauthorized parties for ensuring its confidentiality, integrity, and availability (CIA).
- Top Secret: This type of data and information, and the underlying information assets associated with it, is intended to be viewed and/or utilized by an extremely select number of employees only. Furthermore, it requires the highest levels of protection from unauthorized parties for ensuring its confidentiality, integrity, and availability (CIA).
Additionally, effective data and information management measures also require Response CRM to define the following:
- Access rights
- Usage rights (i.e., copying, printing, sending, storing, and sharing)
- Physical Security
- Environmental Security
- Network Security
- Secure Transmission
- Disposal and Sanitization
- Security Categorization
All system components owned, operated, maintained and controlled by Response CRM are to have in place effective measures for ensuring their confidentiality, integrity, and availability (CIA). Specifically, “Confidentiality” in that information is protected from access and disclosure to unauthorized parties. “Integrity” in that information is authentic, has not been altered (i.e. modified, destroyed, deleted, removed, etc.) and cannot be modified undetectably. And “Availability” in that information is available to all authorized parties in a timely and consistent manner.
As such, all Response CRM system components are to be hardened accordingly for ensuring the objectives of CIA are maintained at all times, while also being assigned a security category in accordance with the United States Federal Information Processing Standards Publication 199 (FIPS PUB 199), “Standards for Security Categorization of Federal Information and Information Systems”. This standard, which is officially issued by the National Institute of Standards and Technology (NIST), details the following three (3) security categories (i.e. “potential impact”) that correspond to each one of the respective CIA objectives (confidentiality, integrity, and availability):
- Category | Impact: LOW – The unauthorized disclosure, modification, destruction, deletion, and removal of information along with the disruption of access to information results in a LIMITED adverse effect on the organization.
- Category | Impact: MODERATE – The unauthorized disclosure, modification, destruction, deletion, and removal of information along with the disruption of access to information results in a SERIOUS adverse effect on the organization.
- Category | Impact: HIGH – The unauthorized disclosure, modification, destruction, deletion, and removal of information along with the disruption of access to information results in a SEVERE | CATASTROPHIC adverse effect on the organization.
The success of one’s overall information security initiatives is highly dependent on identifying all relevant system components, which ultimately entails having a comprehensive asset inventory list in place. As such, Response CRM is to identify all applicable unique identifiers and necessary data elements for successfully tracking and managing such inventory. At a minimum, the following elements are to be used for asset inventory, when applicable:
- Type of system resource – Network devices (firewalls, routers, switches, load balancers, etc.)
- Type of system resource – Servers (physical and/or logical, and the underlying operating systems and applications residing on such servers).
- Version number or application type
- Primary function
- Physical element: A stand-alone product, or a virtual element, such as an instance, etc.
- Internal hostname
- Name of product or solution (such as the vendor purchased from)
- Serial number or some other type of non-hostname identification element
- Relevant IP or routing information (if applicable)
- Physical location
- Logical location
- Party or parties responsible for system administration
- End users of system (if applicable)
- Detailed listing of any regulatory compliance mandates, such as those for PCI compliance, SSAE 16 reporting, HIPAA, FISMA, GLBA, etc.
- Detailed listing of any solutions configured onto or supporting the system resource – if applicable, such as the following:
  - Audit trails and logging
  - File Integrity Monitoring (FIM) | Change Detection Software (CDS)
The ability to successfully ensure the safety and security of PII for Response CRM is highly dependent upon understanding what PII is – specifically – what the common examples of this type of information are. PII, regardless of industry or business sector, generally consists of the following:
- Full name, with all middle names (especially if the name is not common).
- Any part of an individual’s name that is stored or displayed in conjunction with any of the subsequent listings of data and information deemed PII.
- National Identification information, such as passports, visas, permanent residence cards, voting information, social security number (United States), or any other type of unique identifier used on a national level.
- Local and/or state, provincial, etc. information, such as driver’s licenses, vehicle registration and permit documents, or any other type of unique identifier used on a local and/or state, provincial level.
- Digital Identifiers, such as IP addresses, usernames, passwords, etc.
- Facial, fingerprint, iris and all other associated biometric information.
- Date of Birth
- Place of Birth
- Any other information deemed PII, but not listed above
In summary, PII consists of both the data and information that is unique to an individual and the source of the applicable data and information. For example, a social security number is the “data and information” of PII and the social security card or anywhere the number is found, imprinted, stored, or kept is the “source” of PII.
Appropriate security measures are to be implemented, which includes all necessary physical security controls, such as those related to the safety and security of Response CRM system components. This requires the use of a computer room or other designated area (facility) that is secured and monitored at all times and whereby only authorized personnel have physical access to the specified system components. Thus, “secured” and “monitored” implies that the facility has in place the following physical security and environmental security controls:
- Constructed in a manner allowing for adequate protection of all system components.
- Security alarms that are active during non-business hours, with alarm notifications directly answered by a third-party security service or local police force.
- The use of cages, cabinets, or other designated, secured areas for securing the specified system components.
- Access control mechanisms consisting of traditional lock and key, and/or electronic access control systems (ACS), such as badge readers and biometric recognition (i.e. iris, palm, fingerprint scanners/readers). Furthermore, all electronic access control mechanisms are to record all activity and produce log reports that are retained for a minimum of [x] days.
- Adequate closed-circuit monitoring, video surveillance as needed, both internally and externally, with all video kept for a minimum of [x] days for purposes of meeting security best practices and various regulatory requirements.
- Appropriate fire detection and suppression elements, along with fire extinguishers placed in mission critical areas.
- Appropriate power protection devices for ensuring a continued, balanced load of power to the specified system resource, thus mitigating power surges and spikes.
The phrases “authorized personnel” and “authorized individuals” are used throughout this policy and procedure document, and in doing so, Response CRM mandates that employees responsible for general provisioning, maintenance and security of system components are those deemed to be professional, well-skilled, and competent individuals. Not only must they be capable of implementing procedures necessary for ensuring the confidentiality, integrity and availability (CIA) of the specified system components, they must willingly continue to enhance their applicable skill-sets and subject matter knowledge relating to such devices. Hardware and software solutions provided by vendors are only as good as the individuals who deploy them, thus Response CRM I.T. employees are to strive at all times to continue to enhance their knowledge base with the following measures:
- Attending security and technology conferences and seminars, both online and at physical locations.
- Subscribing to alert forums, messaging boards and other online organizations and associations.
- Subscribing to hard-copy magazine and newsletter publications.
- Undertaking Continuing Professional Education (CPE) courses and related activities.
- Willingness to attain additional certifications within the Information Technology field as a whole.
Employees who undertake such measures are placing a high priority on the overall security and availability of [company name’s] network, and in doing so, are promoting best practices for the organization, while also continuing to advance themselves professionally.
All employees within Response CRM are to undergo annual security awareness training initiatives for ensuring they stay abreast of significant security issues that pose a credible threat to the organization as a whole, including, but not limited to, [company name’s] network infrastructure and all supporting system resources. While the goal of the program is to have in place a comprehensive framework that effectively addresses the core components of Awareness, Training and Education, the program must also provide subject matter directly related to the safety and security of specific system components. Specifically, all users (both end-users and administrators) having access rights to various Response CRM I.T. resources must have adequate knowledge in understanding the threats associated to these specified system components, along with the necessary response and resolution measures to undertake.
As such, the security awareness training program is to provide both general, enterprise wide training measures along with subject matter specifically related to specific system components. As previously stated, the program is to implement the core components of Awareness, Training and Education. “Awareness” in that numerous measures are initiated and implemented for keeping all employees knowledgeable about the threats, responses and solutions to security issues affecting Response CRM. “Training” in that material is researched, developed and subsequently utilized for educating employees on all aspects of security awareness. And “Education” in that measures are undertaken for ensuring continuing education on security awareness is provided to all employees on a routine basis, rather than just a once-per year calendar activity. It must be stressed that security awareness training is dynamic in nature, changing as needed to meet the growing threats facing Response CRM.
All Response CRM system components are to be properly provisioned, hardened, secured, and locked-down for ensuring their confidentiality, integrity, and availability (CIA). Improperly or poorly provisioned systems can often result in network exploitation by hackers, malicious individuals, and numerous other external, and internal threats. Therefore, the following provisioning and hardening procedures are to be applied as necessary when deploying system components onto [company name’s] network:
- Vendor-supplied default settings are changed.
- All unnecessary accounts are eliminated.
- Only necessary and secure services, protocols and other essential services are enabled as needed for functionality.
- All unnecessary functionality is effectively removed.
- All system security parameters are appropriately configured.
- Documented system configuration standards are applied via documented provisioning and hardening checklists.
Provisioning and hardening all Response CRM system components greatly increases their overall security in that insecure services that were effectively removed and/or disabled now cannot be used to attack and ultimately compromise such I.T. resources. Additionally, the fewer the number of services and protocols in use, the greater the chances of interoperability and compatibility with other system resources, both internally and externally. Furthermore, one’s ability to comprehensively review and detect issues or concerns from system component log reports is much greater when only necessary services or protocols are enabled, rather than a myriad of settings that produce voluminous audit trails, which can be challenging to monitor.
Regarding provisioning and hardening, this critical and time-consuming process is to be undertaken by authorized personnel only; a select number of individuals who have the authority and applicable skill-sets to conduct these activities.
Along with the stated policies, procedures, and supporting provisioning and hardening checklists, additional reference material is widely available on the internet from a number of trusted sources. I.T. personnel are to actively research and utilize such documentation as necessary. Windows, Linux, UNIX, and dozens of other vendor specific and open source products come complete with administrator and hardening guides, thus using them is a strict requirement.
Correct, accurate and consistent time on all Response CRM system components entails procedures for properly acquiring, distributing and storing time from industry accepted external sources; those which are based on Coordinated Universal Time (UTC), which is essentially based on International Atomic Time (TAI). And while there are several protocols to synchronize computer clocks, Network Time Protocol (NTP) is highly favored by Response CRM as it requires a reference clock for defining true and accurate time, is fault-tolerant, highly-scalable, and uses trusted external sources (such as UTC). Moreover, NTP’s hierarchical structure of clocks, where each level is termed a “stratum”, has proven to be a trusted and reliable source for time synchronization. And because the Windows Time Service is not considered to be an accurate measurement of time, other time synchronization technologies are to be implemented.
Access rights to Response CRM system components are limited to authorized personnel only, with all end-users being properly provisioned in accordance with stated access rights policies and procedures. This includes using all applicable provisioning and de-provisioning forms as necessary along with ensuring users’ access rights incorporate Role Based Access Control (RBAC) protocols or similar access control initiatives.
Additionally, users with elevated and/or super user privileges, such as system administrators, I.T. engineers and other applicable personnel, are responsible for ensuring access rights for all users (both end users and users with elevated and/or super user privileges) are commensurate with one’s roles and responsibilities within Response CRM.
Thus, the concepts of “separation of rights” and “least privileges” are to be adhered to at all times by Response CRM regarding access rights to system components. Specifically, “separation of rights” implies that both the “functions” within a specified system component, for which there are many, should be separated along with the roles granted to end-users and administrators of these very system resources. “Functions” pertains to the actions a system component and its supporting components (i.e., the OS and applications residing on the server) can perform and the associated personnel who have authority over these functions. Thus, when permissible, functions (such as read, write, edit, etc.) should never be grouped together and end-users and administrators should not be granted access to multiple functions.
By effectively separating access rights to system components whereby only authorized individuals have access to the minimum rights needed to perform their respective duties, Response CRM is adhering to the concept of “least privileges”, a well-known best-practice rule within information technology.
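The “separation of rights” and “least privileges” concepts above can be enforced mechanically with a role-based model. The following is an added example (not Response CRM’s own code) of a small RBAC engine: roles carry (resource, action) permissions, a static separation-of-duties rule declares pairs of roles that one user may never hold together, and a least-privilege review lists permissions a user holds but has never exercised. The role names, users and the payments scenario are constructed for illustration.

```python
"""RBAC with static separation of duties and a least-privilege review.

Added example, not Response CRM's own code. Roles, users and the
conflicting-role pair below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Rbac:
    # role -> set of (resource, action) permissions granted by that role
    roles: dict[str, set[tuple[str, str]]] = field(default_factory=dict)
    # user -> set of roles currently assigned
    assignments: dict[str, set[str]] = field(default_factory=dict)
    # unordered role pairs a single user may never hold at the same time
    exclusive: set[frozenset[str]] = field(default_factory=set)

    def define_role(self, role: str, perms) -> None:
        self.roles[role] = set(perms)

    def declare_exclusive(self, role_a: str, role_b: str) -> None:
        """Static separation of duties: nobody may hold both roles."""
        self.exclusive.add(frozenset((role_a, role_b)))

    def sod_conflict(self, user: str, role: str):
        """Return the role the user already holds that conflicts with `role`, else None."""
        for held in self.assignments.get(user, ()):
            if frozenset((held, role)) in self.exclusive:
                return held
        return None

    def assign(self, user: str, role: str) -> bool:
        """Assign a role; refused (returns False) when it would breach separation of duties."""
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        if self.sod_conflict(user, role) is not None:
            return False
        self.assignments.setdefault(user, set()).add(role)
        return True

    def permitted(self, user: str, resource: str, action: str) -> bool:
        """Access decision: any assigned role granting (resource, action) suffices."""
        return any((resource, action) in self.roles[r]
                   for r in self.assignments.get(user, ()))

    def unused_permissions(self, user: str, observed) -> set[tuple[str, str]]:
        """Least-privilege review: permissions granted but absent from observed use."""
        granted = set().union(*(self.roles[r] for r in self.assignments.get(user, ())))
        return granted - set(observed)


def build_demo() -> Rbac:
    """Constructed scenario: creating a payment and approving it are kept apart."""
    rbac = Rbac()
    rbac.define_role("payments_clerk", {("ledger", "read"), ("payment", "create")})
    rbac.define_role("payments_approver", {("ledger", "read"), ("payment", "approve")})
    rbac.define_role("auditor", {("ledger", "read"), ("audit_log", "read")})
    rbac.declare_exclusive("payments_clerk", "payments_approver")
    rbac.assign("alice", "payments_clerk")
    rbac.assign("bob", "payments_approver")
    rbac.assign("carol", "auditor")
    return rbac


if __name__ == "__main__":
    r = build_demo()
    print("alice may create payment:", r.permitted("alice", "payment", "create"))
    print("alice may approve payment:", r.permitted("alice", "payment", "approve"))
    print("assign approver to alice:", r.assign("alice", "payments_approver"))
    print("carol's unused permissions:", r.unused_permissions("carol", [("ledger", "read")]))
```

The `unused_permissions` review is what turns the policy’s periodic access review into something measurable: feed it the (resource, action) pairs seen in audit logs for a user over the review period, and whatever remains is a candidate for removal.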
Furthermore, passwords used by all users must meet or exceed all stated Response CRM policies for password complexity requirements. Along with ensuring strong passwords, additional password parameters regarding account lockout policies and password resets are also to be enforced with appropriate system settings. Furthermore, only authorized personnel are allowed to make any changes to the password complexity rules and lockout policies to system components.
Authentication to Response CRM system components is to be enacted by utilizing one of, or a combination of, the following three (3) stated factors:
(1). Something a user knows: This method of authentication generally includes passwords, passphrases, numerical PINs or some other type of knowledge that is known by a user.
(2). Something a user has: This method of authentication generally includes some type of physical attribute provisioned to a user, such as a swipe card, badge reader, key fob, smart card, dynamically generated unique identifier or any other type of utility owned by the user.
(3). Something a user is: This method of authentication generally includes a unique physical attribute of the user, commonly known as biometrics. Many devices will read a user’s biometrics for purposes of authentication, which may include, but is not limited to, the following:
- Iris Scanners
- Palm Scanners
- Fingerprint Readers
- Facial Recognition Utilities
- Voice Recognition Devices
- User password parameters are set to require users to change passwords at least every ninety (90) days.
- Password parameters are set to require passwords to be at least seven (7) characters long.
- Password parameters are set to require passwords to contain both numeric and alphabetic characters.
- Password parameters are set to require that new passwords cannot be the same as the previous four (4) passwords used.
- Authentication parameters are set to require that a user’s account is locked out upon the sixth (6th) invalid logon attempt.
- Password parameters are set to require that once a user’s account is locked out, it remains locked for a minimum of thirty (30) minutes or until a system administrator resets the account.
- System configuration settings are set to require that system/session idle time out features have been set to a period of fifteen (15) minutes or less.
- For a user requesting a password reset that is not in the physical presence of appropriate and designated IT personnel, they must undergo a verification process, which consists of one of the following activities: (1). Verbal confirmation of vital statistical information to intended party who may reset their password. This verbal confirmation may consist of a date of birth, Social Security Number or some other unique identifier. (2). Verbal confirmation of employment data, such as length of employment, annual salary, etc. (3). Verbal confirmation of some other unique identifier developed by Response CRM.
- First-time passwords for new users, and reset passwords for existing users, are set to a unique value and changed after each use.
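The parameters above map directly onto a small amount of enforcement logic. The following is an added reference implementation, not Response CRM's own code: account state is held in memory, clock values are plain Unix timestamps so the rules are easy to exercise, and PBKDF2-SHA256 is this example's choice of password hash (the policy names none). A real system would persist the state and use its own clock.

```python
"""Reference enforcement of the password and lockout parameters listed above.

Added example, not Response CRM's own code. Account state is kept in memory
and clock values are plain Unix timestamps (seconds) so the logic is easy to
test; a real system would persist this state and use its own clock.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Parameters taken directly from the policy text above.
MAX_PASSWORD_AGE = 90 * 24 * 60 * 60   # change at least every ninety days
MIN_LENGTH = 7                         # at least seven characters
HISTORY_DEPTH = 4                      # not equal to any of the previous four
LOCKOUT_THRESHOLD = 6                  # locked on the sixth invalid attempt
LOCKOUT_DURATION = 30 * 60             # locked for at least thirty minutes


def _digest(password: str, salt: bytes) -> bytes:
    # Only hashes are kept, so the history never holds plaintext passwords.
    # PBKDF2 is this example's choice; the policy does not name a hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: List[bytes] = field(default_factory=list)  # newest hash first
    last_change: Optional[float] = None
    failed_attempts: int = 0
    locked_until: Optional[float] = None
    must_change: bool = True  # first-time and reset passwords are single-use


def check_complexity(password: str) -> List[str]:
    """Return every complexity rule the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    return problems


def set_password(acct: Account, new_password: str, now: Optional[float] = None) -> List[str]:
    """Apply a user-chosen password; an empty list means it was accepted."""
    now = time.time() if now is None else now
    problems = check_complexity(new_password)
    digest = _digest(new_password, acct.salt)
    if any(hmac.compare_digest(digest, old) for old in acct.history[:HISTORY_DEPTH]):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    acct.history = [digest] + acct.history[: HISTORY_DEPTH - 1]
    acct.last_change = now
    acct.must_change = False
    acct.failed_attempts = 0
    return []


def password_expired(acct: Account, now: float) -> bool:
    return acct.last_change is None or now - acct.last_change >= MAX_PASSWORD_AGE


def authenticate(acct: Account, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'change_required', 'locked' or 'denied'."""
    now = time.time() if now is None else now
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        acct.locked_until = None      # thirty minutes have elapsed
        acct.failed_attempts = 0
    if acct.history and hmac.compare_digest(_digest(password, acct.salt), acct.history[0]):
        acct.failed_attempts = 0
        if acct.must_change or password_expired(acct, now):
            return "change_required"
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked_until = now + LOCKOUT_DURATION
        return "locked"
    return "denied"


def admin_reset(acct: Account, temporary_password: str, now: Optional[float] = None) -> None:
    """Administrator reset: clears the lockout and issues a one-use password."""
    now = time.time() if now is None else now
    acct.locked_until = None
    acct.failed_attempts = 0
    acct.history = [_digest(temporary_password, acct.salt)] + acct.history[: HISTORY_DEPTH - 1]
    acct.last_change = now
    acct.must_change = True
```

Two details are worth noting. The history check runs before the new hash is stored, so "previous four" includes the password currently in use; and a temporary password issued by an administrator is placed in the history as well, so the user cannot simply re-enter it as the "new" password.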
User De-provisioning | Off-boarding is a critical component of the user identity, provisioning, & access rights lifecycle, and as such, comprehensive measures are to be implemented for ensuring that all terminated users are appropriately removed from having access to any Response CRM system components. Failure to enact these measures could potentially result in a breach of security for Response CRM, as terminated users may still be able to gain access to company-wide system components. The following procedures are to be undertaken:
- Completing a User De-provisioning | Off-boarding form and contacting via email, telephone or in person, all appropriate personnel responsible for terminating users from all company-wide system components.
- Additionally, obtaining signatures on the applicable form from all individuals directly involved in the actual de-provisioning | off-boarding procedures for the terminated users.
- Confirming that system access to all company-wide system components for terminated users has been effectively removed, which includes undertaking the following procedures:
- Inspecting all system components and supporting utilities for which authentication and authorization rights were initially established for terminated users.
- Obtaining appropriate evidence (i.e. system screenshots and other system settings as necessary) from these system components that terminated users were effectively removed from access and attaching the applicable documentation to a specified user de-provisioning form.
Critical accounts for De-provisioned | Off-boarded users are to be appropriately maintained by authorized personnel for ensuring that correspondence, such as emails, voicemails, and other forms of communication are addressed in a timely manner by Response CRM. As such, the following critical accounts are to be monitored following the de-provisioning | off-boarding process for terminated users:
- Email Accounts
- Voice Mail | PBX
- Cellular Devices, Pagers, Personal Digital Assistants (PDA)
- Any other forms of communication
All access to Response CRM system components initiated outside the organization’s trusted network infrastructure is to be considered “remote access”, and as such, only approved protocols are to be used for ensuring that a trusted connection is initiated, established and maintained. Specifically, all users are to utilize approved technologies, such as IPSec and/or SSL Virtual Private Networks (VPN) for remote access, along with additional supporting measures, such as Secure Shell (SSH), while also employing two-factor authentication. The concept of two-factor authentication (i.e., something you know, something you have, something you are) along with strong password policies creates yet another layer of security relating to access rights for all authorized users granted remote access into Response CRM’s network.
Additionally, all workstations (both company and employee-owned) are to have current, up-to-date anti-virus software installed, while also utilizing any other malware utilities as needed for protecting the workstations and the information traversing to and from the remote access connection. This may also include the use of personal firewall software, along with enhanced operating system settings on the applicable workstations.
Initially implementing a WLAN requires adherence to the following stated guidelines for ensuring the safety and security of the wireless platform itself, along with ensuring the confidentiality, integrity, and availability (CIA) of Response CRM’s overall information systems landscape:
- Secure Deployment: All WLAN devices and supporting resources, such as wireless access points and other network devices, are to be positioned in a manner that prevents unauthorized physical access and modification. Additionally, they are to be secured with approved fixtures and other necessary apparatuses for preventing any unnecessary movement. The WLAN platform itself is also to be logically | physically segregated from the corporate | internal wired network, which can be achieved by utilizing firewalls and other access control methods.
- Asset Inventory: Once all WLAN devices are safely secured, a complete asset inventory is to be taken, documenting all necessary information, such as physical location, and corresponding unique identifiers (i.e., hostnames, serial numbers, etc.).
- Configuration of Wireless Access Points: The following measures are to be undertaken regarding WLAN platforms:
- Change default administrator settings, such as username and password, along with implementing strong, unique administrative passwords (i.e., alphanumeric, case sensitive, etc.) for all wireless access points.
- Also change any default IP addresses.
- Configure SNMP and NTP accordingly.
- Configure wireless modes to support only the one (1) primary – and industry approved – wireless networking standard.
- Change vendor default settings for the Service Set Identifier (SSID) to a completely new network name, but also one that does not openly identify or provide any information identifying Response CRM. Specifically, the SSID character string is not to reflect the company name.
- Use a “closed network” concept, whereby the SSID is not broadcast (where the equipment allows it); instead, it must be entered into the client application.
- If the SSID must be broadcast, create a healthy balance of allowing all authorized users to receive such signals, but not to the point where unauthorized parties can potentially view such information.
- Remove all unnecessary and insecure services and protocols from all WLAN devices, such as the wireless access points and all other associated wired network devices.
- For all remaining services and protocols, implement the concept of “least privileges”.
- Implement MAC address filtering on wireless access points.
- Use the strongest encryption algorithm currently available (WPA2), and use other forms of encryption as needed, such as VPN, SSL | TLS, etc.
- Protect all sensitive wireless access points information, such as administrator passwords, SSID password, keys, etc. with approved security measures, such as encryption itself.
- Enable logging features and ensure that all logs and audit trails are sent to a remote logging server and retained as necessary (i.e., per regulatory compliance laws, etc.). Information captured should include, but is not limited to, the following: source/destination IP addresses, MAC addresses, user logon information (i.e., time, username, etc.) and user logoff information.
- Enable usage parameters, such as time-out sessions.
- Disable wireless access points during non-business hours, such as nights, weekends, holidays, etc.
Malicious software (malware) poses a critical security threat to Response CRM system components, thus effective measures are to be in place for ensuring protection against viruses, worms, spyware, adware, rootkits, Trojan horses, and many other forms of harmful code and scripts. As such, Response CRM is to have anti-virus (AV) solutions deployed on all applicable system components, with the respective AV being the most current version available from the vendor, enabled for automatic updates and configured for conducting periodic scans as necessary. Because strong and comprehensive malware measures are not just limited to the use of AV, additional tools are to be employed as necessary for eliminating all other associated threats, such as those discussed above. The seriousness of malware and its growing frequency of attacks within organizations require that all I.T. personnel within Response CRM stay abreast of useful tools and programs that are beneficial in combating harmful code and scripts. Common examples of malware include the following:
- Computer Virus: A computer program that has the ability to replicate itself and spread from one computer to another. Common viruses include, but are not limited to, the following: polymorphic virus, boot virus, macro virus, multipartite virus, web scripting virus, etc.
- Malware: software created and/or used for the purposes of harming and damaging various systems, such as computer code, files, applications, and other relevant information technology platforms and utilities.
- Antivirus: Software used for purposes of preventing, detecting, and removing malicious software (i.e., malware).
- Worms: A standalone, independent program that has the ability to replicate itself and spread to other computers, ultimately infiltrating programs and destroying data.
- Trojan Horse: A harmful piece of malware that facilitates unauthorized access on a computer system by way of social engineering tactics and strategies.
- Key loggers: Unauthorized capturing of a user’s keystrokes on a computer system. Note: It is considered malware when it is “unauthorized” as there are legitimate uses of key logging software.
- Rootkits: Software that enables unauthorized access to a computer system and that is also hidden from detection. Rootkits can conceal the altering of files, data, etc. and are a serious form of malware.
- Spyware: Software that collects vital information from a computer system regarding data on such system and the associated user activities. Note: It is considered malware when it is “unauthorized” as there are legitimate uses of spyware.
- Adware: Programs that facilitate delivery of advertising content and related material to a user through their browser while on the Internet, or through some other type of interface. Note: It is considered malware when it is “unauthorized” as there are legitimate uses of adware.
- Logic Bomb: Code that is intentionally inserted into a software system that initiates a malicious function when specified conditions are met.
Changes made to Response CRM system components require authorized users to initiate an incident and/or change request, which includes completing all applicable forms as necessary. Furthermore, the request must be thoroughly documented, which includes providing the following essential information: (1). An assigned I.D. or change tracking number. (2). Representation of all critical dates relating to the requested change itself, such as when the change was originally submitted and approved, as well as when it was migrated to various stages for testing and final deployment to production, if applicable. (3). Default fields for categorizing (i.e., normal change or emergency change, etc.) and prioritizing (i.e., critical to routine maintenance) the requested change itself. (4). Documented notation, communication and correspondence throughout the life of the requested change itself is to include, but is not limited to, the following: (a). Documentation of impact. (b). Management signoff. (c). Operational functionality. (d). Back-out procedures.
Additionally, change control measures include changes undertaken for any of the following four (4) environments for which system components reside in:
- Change Control | Internally Developed Systems and Applications
- Change Control | Enterprise Wide
- Change Control | Customer Facing Environments
- Emergency Change Management | All Environments
The Software Development Life Cycle (SDLC) for Response CRM is to encompass a number of phases, each concluding with a major milestone. Assessments are conducted after each phase to determine if objectives have been satisfied. Skilled software engineers are to be utilized throughout all phases, which results in a thorough and uninterrupted process from beginning to end. Specifically, SDLC activities for internally-developed systems/applications consist of the following procedures and phases:
- New System/Application and Feature Development. New system/application and feature development is the implementation of a new service or addition of new features and functions to the current product. The same processes are also involved when adding major enhancements to existing functionality.
- Request for New System/Application or Features. The process begins with the request for a new system/application, feature or tool. Authorized personnel will initiate the request. All requests are to be appropriately logged in [ticketing system and/or some other type of tool].
- Feasibility Study. Once a request for a new system/application, feature or tool is received, Response CRM analyzes it and evaluates its market opportunity and/or operational impact. Once the benefits are identified, Response CRM conducts a feasibility study with the assistance of the development team. Based on the requirements, if the feature requested can be done in a reasonable fashion, a work estimate to implement the new system, application, feature or tool is prepared. For complete new systems and applications, Response CRM estimates the market size and develops a business case.
- Estimate and HW/SW Requirements. Along with estimating the effort and time required to implement the new system/application, feature or tool, an estimate of hardware and software required for development and final deployment is conducted. These estimates are passed on to management for final approval.
- Management Decision. After reviewing the business rationale for the new system/application, feature or tool, Response CRM decides whether the cost/benefits and strategic direction warrant the development to proceed. A review of the business rationale for a completely new project includes studying market opportunity and conducting a competitive analysis. Response CRM can opt not to proceed with the development or even to table it for a period of time. As soon as the project receives approval, the process progresses to the development and deployment phases.
- Requirement Analysis. During this phase, a detailed requirements analysis of the new system/application, feature or tool is conducted and documented in the form of a requirements specification. Activities for this phase include obtaining copies of the documents used during it and interviewing personnel about its major activities.
- Design. In this phase, various technical personnel collaborate to develop a detailed design of the various activities involved. The design and development team reviews the design, and the final version is documented in the form of a design specifications document. If the feature or tool is to be a part of an existing system/application or functionality, the existing design document may be modified in lieu of creating a new document. Test plans and procedures for system tests are also developed.
- Implementation. Once the design is finalized, the actual implementation of the system/application, feature or tool begins with a test in a development environment. After all errors found during the testing stage are corrected, the application code is released to a test server.
- Quality Assurance and Testing. Once all the modules are moved to a test server and integrated in the test environment, any necessary test database tables and stored procedures are also created on the test server(s). The test environment is configured as a replica of the production environment or a specific client environment; however, there may be external interfaces which, at times, may not be duplicated, and approximations may be used. Testers then assess the new modules in this test environment. Test cases and scripts are written and documented as required. Any discrepancies are resolved with the development team, and any other additional testing is conducted. Customers and/or third-party users may be involved at different levels in this phase of the project cycle, based on a mutual understanding of verification requirements. Test results are documented and reviewed with development personnel and management for final approval.
- Release for Production. Once the system/application, feature or tool is successful in the test environment, Response CRM approves the release for production. Modules are moved to the production servers where functionality is tested after all modules are updated.
All necessary system patches and system updates to Response CRM system components (those defined as critical from a security perspective) are to be obtained and deployed in a timely manner via the following software vendor and/or other trusted third-party channels: (1). Vendor websites and email alerts. (2). Vendor mailing lists, newsletters and additional support channels for patches and security. (3). Third-party websites and email alerts. (4). Third-party mailing lists. (5). Approved online forums and discussion panels. Effective patch management and system updates help ensure the confidentiality, integrity, and availability (CIA) of systems against new exploits, vulnerabilities and other security threats.
Additionally, all patch management initiatives are to be documented accordingly, which shall include information relating to the personnel responsible for conducting patching, list of sources used for obtaining patches and related security information, the procedures for establishing a risk ranking for patches, and the overall procedures for obtaining, deploying, distributing, and implementing patches specifically related to Response CRM system components.
Various external security sources and resources are to be utilized for ensuring that Response CRM maintains awareness of security threats, vulnerabilities and what respective patches, security upgrades and protocols are available. Authorized I.T. personnel are to subscribe to the following types of security sources and resources for ensuring retrieval of security patches in a timely manner:
- Vendor websites and email alerts, such as those for Microsoft, UNIX, Linux, Cisco, HP, etc.
- Vendor mailing lists, newsletters and additional support channels for patches and security
- Approved third-party websites, email alerts, and mailing lists
- Approved online information security forums and discussion panels
- Information security conferences, seminars and trade shows
- Community-driven platforms relating to vulnerability management of information systems, such as the following MITRE websites, and many others:
- Open Source Vulnerability Database (OSVDB)
- Common Configuration Enumeration (CCE)
- Common Vulnerabilities and Exposures (CVE)
- Common Platform Enumeration (CPE)
- Common Weakness Enumeration (CWE)
- Malware Attribute Enumeration and Characterization (MAEC)
- Cyber Observable eXpression (CybOX)
- Structured Threat Information Expression (STIX)
- Trusted Automated Exchange of Indicator Information (TAXII)
- Making Security Measurable (MSM)
- Open Vulnerability and Assessment Language (OVAL)
- Common Attack Pattern Enumeration and Classification (CAPEC)
An essential component of any vulnerability management program is to comprehensively identify and define the security posture of the organization as a whole. Increasing cyber security threats, regulatory compliance mandates, the implementation of best practices, and other important operational and security considerations are to be identified when defining such a posture. Ultimately, a well-conceived vulnerability management program for Response CRM is one that ensures the confidentiality, integrity, and availability (CIA) of the organization’s information systems landscape, which includes all critical system resources. Vulnerability management programs – often confined to only conducting internal and external scans, along with penetration testing, and remediating such issues – are also to include identifying and detecting, classifying and prioritizing, remediating, validating, and continuously monitoring vulnerabilities relating to the following:
- User Access Rights: Ensuring users have access rights commensurate to one’s roles and responsibilities within the organization is a constant challenge, given the continuous user provisioning and de-provisioning processes undertaken, the numerous systems requiring access for such users, along with requests for changes and modifications in access rights.
- Configuration Standards: Provisioning, hardening, securing and locking-down all critical system resources within Response CRM is crucial for ensuring a baseline of information security, one that can be built upon over time by continuous monitoring and updating of such systems with security patches.
- Network Architecture and Topology: Insecure network topologies and weak security architectures – even if the systems themselves are properly secured and hardened – can result in significant vulnerabilities for the organization.
- Network Vulnerabilities: The use of internal and external vulnerability scanning procedures, along with network layer and application layer penetration tests are a critical component of Response CRM’s vulnerability management program.
Ultimately, an important component of developing a comprehensive vulnerability management program requires Response CRM to adequately address the following major issues and constraints:
- Vulnerabilities: Software flaws or misconfigurations that may result in a weakness in the security of a system within the organization’s system resources.
- Remediation: The three (3) primary methods of remediation are (1) installation of a software patch, (2) adjustment of a configuration setting and (3) removal of affected software.
- Threats: Threats are capabilities or methods of attack developed by malicious entities to exploit vulnerabilities and potentially cause harm to a computer system or network.
Because configuration management and its overall application often vary throughout industries and business sectors, for scope purposes, Response CRM defines such practices as those utilized for implementing, establishing, maintaining, recording, and effectively monitoring secure configurations across the organization’s overall information systems landscape. Specifically, this includes all network devices, operating systems, applications, internally developed software and systems, and other relevant hardware and software platforms. If any specific systems, because of size or complexity challenges, ultimately require their own independent configuration management program, they are to be developed accordingly by authorized personnel, and must abide by the practices as stated herein. Additional provisions for configuration management also include the following:
- Appropriate roles and responsibilities are to be developed and subsequently assigned to authorized personnel within Response CRM regarding configuration management practices.
- All employees and relevant users of Response CRM system resources are to receive the required and necessary training for undertaking their roles and responsibilities for configuration management. Training varies by personnel, but is to include all measures for ensuring employees and users stay abreast of significant issues affecting configuration management.
- Authorized personnel are to identify, assess, and select specific software tools and related utilities for aiding and facilitating all aspects of Response CRM’s configuration management plan. This entails extensive research into all possible configuration management tools for ensuring interoperability and compatibility with all in-scope system resources, while also ensuring such tools have appropriate end-user technical and operational support at all times.
- Authorized I.T. personnel are to determine a variety of factors, most importantly the minimum agreed-upon security settings that keep risk as low as possible while still allowing the organization to function in an efficient and effective manner from an operational perspective.
- Authorized I.T. personnel are to identify baseline configuration standards for system resources, which are available from a number of well-known benchmarks, frameworks, and associations, along with vendor-specific guides.
- For all in-scope system components, insecure services, ports, and protocols are to be readily identified by authorized I.T. personnel, which means having a strong technical understanding of all relevant network devices (firewalls, routers, switches, load balancers, etc.), operating systems (Windows, UNIX, Linux), and applications (web server applications, database applications).
When using the services of various third-party outsourcing entities, a certain element of risk arises as responsibilities for critical initiatives are now in the hands of another organization. It’s important to understand these risks, what they are, and how Response CRM can readily identify any issues, concerns, or constraints pertaining to these risks. Failure to mitigate and prevent these risks can result in significant financial loss, legal issues, and public opinion misconceptions, ultimately damaging the organization. As such, the following risks are to be thoroughly understood and assessed in regards to business and contractual relationships entered into with various third-parties:
- Compliance Risk: These are risks arising from violations of applicable laws, rules, and regulatory mandates, along with other issues, such as non-compliance with internal operational, business-specific, and information security policies, procedures, and processes.
- Reputation Risk: These are risks arising from negative public perception and opinion of a third-party outsourcing entity for almost any imaginable reason, such as unethical business practices, data breaches resulting in loss of sensitive and confidential consumer information (i.e., Personally Identifiable Information – PII), investigations from regulators into questionable business practices, etc.
- Strategic Risk: These are risks arising from third-parties failing to implement business initiatives that align with the overall goals and ideas of Response CRM, such as not offering services that provide an acceptable return on investment, both short term and long term.
- Operational Risk: These are risks arising from a failed system of operational internal controls relating to personnel and the relevant policies, procedures, processes, and practices.
- Transaction Risk: These are risks arising from a third-party failing to deliver as promised, such as product delivery, operational efficiency – or worse – unauthorized transactions and theft of information due to a weak system of operational and information security internal controls.
- Credit Risk: These are risks arising from the financial condition of the third-party, such as any “going concern” issues – a business that functions without the threat of liquidation for the foreseeable future, usually regarded as at least within 12 months.
- Country Risk: These are risks arising from the political, economic, and social landscape – and other relevant events – within a foreign country that can impact the services being provided by the third-party, ultimately affecting operations for Response CRM.
- Information Technology Risk: These are risks arising from any number of information technology and information security issues, such as inadequate I.T. resources (hardware and software) along with lack of manpower.
Data backup and storage procedures for Response CRM system components are to be initiated by authorized I.T. personnel consisting of documented processes and procedures that include the following initiatives: (1). The type of backup performed (i.e., full, incremental, and differential backups). (2). The date(s) and time(s) for the designated backup processes to commence. (3). The appropriate reporting procedures and related output for confirmation of backups (i.e., log reports, email notification, etc.). (4). Incident response measures in place for backup failures and/or exceptions. (5). Retention periods for all data backups as required by management, customers, and all necessary regulatory compliance mandates. Additionally, when data has been compromised due to any number of reasons, appropriate restore procedures are to be enacted that allow for complete, accurate, and timely restoration of the data itself.
When necessary and applicable, appropriate encryption measures are to be invoked for ensuring the confidentiality, integrity, and availability (CIA) of Response CRM system components and any sensitive data associated with them. Additionally, any passwords used for accessing and/or authenticating to the specified system component are to be encrypted at all times, as passwords transmitted in clear text are vulnerable to external threats. As such, approved encryption technologies, such as Secure Sockets Layer (SSL) | Transport Layer Security (TLS), Secure Shell (SSH), and many other secure data encryption protocols are to be utilized when accessing the specified system component. Additional encryption measures for Response CRM are to also include the following best practices for all applicable devices that have the ability to store sensitive and confidential information:
- Servers – Depending on the type of server and the underlying applications, a large range of encryption measures can be adopted. The first measure is identifying the type of information residing on such servers and the necessary encryption protocols to apply. Additionally, servers are to be provisioned and hardened accordingly, with anti-virus also installed.
- Desktop Computers – Any desktop computer storing sensitive and confidential information is to utilize encryption for the actual hard drives. Additionally, access rights are to be limited to authorized personnel at all times. Desktops not owned by Response CRM, such as those physically located at an employee’s home, are never to contain sensitive and confidential information under any circumstances. If such data needs to be accessed for performing remote duties, then a secure connection must be made to the Response CRM network for accessing all relevant information. Additionally, desktop computers are to be provisioned and hardened accordingly, with anti-virus also installed.
- Laptops, Mobile Computing Devices, Smart Devices – Such devices are to have approved encryption installed and enabled prior to their use, which requires Response CRM authorized I.T. personnel to configure appropriate encryption programs. Specifically, full disk encryption, or other approved methods, such as file-level encryption, are to be used, and these devices are not to be used for long-term storage of sensitive and confidential information. The phrase “long term” is discretionary in nature, but consists of any data residing on laptops, mobile computing devices, and smart devices longer than thirty (30) calendar days. Laptops, mobile computing devices, and smart devices not owned by Response CRM are never to contain sensitive and confidential information under any circumstances. If such data needs to be accessed for performing remote duties, then a secure connection must be made to the Response CRM network for accessing all relevant information. Additionally, laptops, mobile computing devices, and smart devices are to be provisioned and hardened accordingly, with anti-virus also installed.
- Removable Storage Devices – USB-enabled devices, such as memory sticks, external hard drives, and network attached storage devices, are strictly prohibited. Though there may be circumstances that require storing sensitive and confidential information on these utilities, it must be approved in writing, and such data is never to reside on these devices for long-term storage.
- Unknown Devices – The phrase “unknown devices” is given to such items as kiosks, hourly computing stations for rent, friends’ and family members’ computers, or any other types of device for which Response CRM has little to no knowledge regarding its safety and security. These devices are never to be used for storing, processing or transmitting sensitive and confidential information due to the lack of knowledge of their respective encryption practices, which many times are none at all.
Comprehensive auditing & monitoring initiatives for Response CRM system components are to be implemented that effectively identify and capture the following events:
- All authentication and authorization activities by all users and their associated accounts, such as log-on attempts (both successful and unsuccessful).
- Any creation, modification or deletion of various types of events and objects (e.g., operating system files, data files opened and closed, and specific actions such as reading, editing, deleting, printing).
- All actions undertaken by system administrators who have elevated privileges and access rights.
Additionally, for each event described above, the following attributes are to be captured:
- The type of event that occurred and the system level and/or application level on which it occurred.
- The date and time of the event.
- The identity of the user, such as the log-on ID.
- The origination of the event.
- The outcome of the event, such as its success or failure.
- The name of the affected system.
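The attribute list above is easy to state and easy to get wrong in practice, since a log pipeline that silently drops the origin or outcome field leaves an event that cannot be attributed at review time. The following added example (not part of this policy or any Response CRM tooling) checks constructed key=value audit lines for the six required attributes, sets incomplete events aside, and summarizes the failed log-on attempts and privileged actions a reviewer needs to see; the key=value line format and the “admin_action” label are assumptions.

```python
"""Audit-event completeness check and review summary (added example)."""
from collections import Counter
import re

# The six attributes the policy requires for every captured event.
REQUIRED = ("event_type", "timestamp", "user", "origin", "outcome", "system")
PRIVILEGED_EVENTS = {"admin_action"}  # label for elevated-privilege actions (assumed)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn 'key=value key2="quoted value"' into a dict (assumed line format)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def missing_attributes(event):
    """Return the required attributes the event failed to capture."""
    return [a for a in REQUIRED if not event.get(a)]

def review(lines):
    """Validate every event and summarize what a log reviewer needs to see."""
    summary = {"incomplete": [], "failed_logons": Counter(), "admin_actions": 0}
    for line in lines:
        ev = parse_event(line)
        gaps = missing_attributes(ev)
        if gaps:
            # An event missing who/where/what-happened cannot be attributed; flag it
            # for the reviewer rather than counting it as a normal event.
            summary["incomplete"].append((line, gaps))
            continue
        if ev["event_type"] == "logon" and ev["outcome"] == "failure":
            summary["failed_logons"][ev["user"]] += 1
        if ev["event_type"] in PRIVILEGED_EVENTS:
            summary["admin_actions"] += 1
    return summary

# Constructed sample events (not real logs); the last one lacks 'origin'.
SAMPLE = [
    'event_type=logon timestamp=2024-01-05T08:01:10Z user=jdoe origin=10.0.1.20 outcome=failure system=db01',
    'event_type=logon timestamp=2024-01-05T08:01:14Z user=jdoe origin=10.0.1.20 outcome=failure system=db01',
    'event_type=logon timestamp=2024-01-05T08:01:21Z user=jdoe origin=10.0.1.20 outcome=success system=db01',
    'event_type=admin_action timestamp=2024-01-05T08:05:00Z user=root origin=10.0.1.5 outcome=success system=db01 action="rule change"',
    'event_type=file_delete timestamp=2024-01-05T08:07:33Z user=svc_backup outcome=success system=db01',
]

if __name__ == "__main__":
    result = review(SAMPLE)
    print("failed log-ons:", dict(result["failed_logons"]))
    print("privileged actions:", result["admin_actions"])
    print("incomplete events:", len(result["incomplete"]))
```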
Furthermore, specialized software, such as File Integrity Monitoring (FIM), Host-based Intrusion Detection Systems (HIDS), and/or change detection software programs, is to be implemented for monitoring Response CRM system components, as it provides the necessary capabilities for assisting in the capture of all the above-stated, required events. Additionally, configuration change monitoring tools are to be used to detect any file changes made within a specified system component, ranging from changes to commonly accessed files and folders to more granular data, such as configuration files, executables, rules, and permissions. Changes made are to result in immediate alerts being generated, with appropriate personnel being notified. Moreover, these tools capture and forward all events in real time, thus mitigating a weakness of native logging on the system components themselves, where users with elevated privileges could disable or modify the logging service and its output.
Additional measures are to be employed for ensuring that Response CRM system components – such as servers – are actively being monitored for all necessary performance and utilization measures, such as the following:
- CPU Utilization – Identifies current, real-time capacity of the CPU, and provides alerting and notification measures regarding capacity limits along with underutilization metrics.
- Memory Utilization – Identifies current, real-time memory usage and provides alerting and notification measures if memory usage is high and/or if memory availability is low.
- Disk Utilization – Identifies current, real-time disk space and provides alerting and notification measures if disk space is low.
- Process Monitoring – Monitors all critical processes and provides alerting and notification measures when processes fail.
- Windows Service Monitoring – Monitors all critical Windows services and provides alerting and notification measures as needed.
- Network Interface Monitoring – Monitors the overall health and status of the network interface.
Authorized personnel are to appropriately configure all Win2K3 servers for ensuring the aforementioned measures are in place, via agent-based monitoring tools (native agents on the specified system resource itself) and, if applicable, agentless monitoring.
Along with capturing all necessary events as described in “Event Monitoring”, effective protocols and supporting measures are to be implemented for ensuring all required events and their associated attributes are logged, recorded, and reviewed as necessary. Additionally, all applicable elevated permissions (those for administrators) along with general access rights permissions (those for end-users) to Response CRM system components are to be reviewed on a [monthly/quarterly/bi-annual/annual] basis by an authority that is independent from all known users (e.g., end-users, administrators) and who also has the ability to understand, interpret, and ultimately identify any issues or concerns from the related output (e.g., log reports and other supporting data). The specified authority reviewing the logs is to determine what constitutes any “issues or concerns”, and to report them immediately to appropriate personnel.
Moreover, protocols such as syslog, and other log capturing and forwarding protocols or technologies (e.g., specialized software applications), are to be used as necessary, along with security measures that protect the confidentiality, integrity, and availability (CIA) of the audit trails and their respective log reports (i.e., audit records). Additionally, all audit records are to be stored on an external log server (e.g., a centralized syslog server or similar platform) that is physically separated from the original data source, along with effective backup and archival procedures for the log server itself. These measures allow Response CRM to secure the audit records as required for various legal and regulatory compliance mandates, and to conduct forensic investigative procedures if necessary.
It is company policy to limit data storage amount and retention time to that which is required for legal, regulatory and business requirements. Furthermore, processes are to be in place for secure disposal of data when it is no longer needed for legal, regulatory and business requirements. This in turn mandates that retention requirements be in place and documented accordingly for all legal, regulatory and business requirements. Additionally, an automatic or manually executed process is to be in place for identifying and securely removing data that exceeds the defined legal, regulatory and business requirements. As for disposing of data, the following methods are to be utilized for both hard copy and electronic data:
- Purging and deleting data from all system components. This can be done by utilizing a secure wipe program in accordance with industry-accepted standards for secure deletion (e.g., degaussing).
- Destroying (cross-shredding) any cardholder data that is in a hardcopy format.
For electronic media stored on system components that are no longer in use, data is to be disposed of through any one of the following procedures:
- Shredding (disk grinding device)
- Incineration by a licensed incinerator
Response CRM is to have in place documented incident response initiatives, which include provisions for effectively preparing for, detecting, responding to, and recovering from an incident, along with initiating post-incident activities and awareness. Thus, these five (5) provisions are also to consist of the following measures for incidents relating to Response CRM system components:
- “Preparing” in that employees and all other applicable parties should be aware of security threats and computer incidents and undertake all necessary and required training.
- “Detecting” in that procedures are in place that allow for timely detection of all threats, such as the use of specific software tools and other monitoring and detection elements.
- “Responding” in that procedures are in place that allow for rapid response measures, which are necessary for containing and quarantining any given incident.
- “Recovering” in that procedures are in place that allow for full recovery of the affected systems, such as the use of backup media and the ability to rebuild, reconfigure and redeploy as necessary.
- “Post Incident Activities and Awareness” in that a formal and documented Incident Response Report (IRR) is to be developed, reviewed by appropriate parties, resulting in “Lessons Learned” from the incident and what initiatives can be implemented for hopefully eliminating the likelihood of future incidents.
These measures form a critical component of ensuring the protection of the organization’s network infrastructure, and as such, are to be immediately implemented when an incident arises that may affect the security of Response CRM system components.
All applicable Response CRM system components are to undergo annual vulnerability assessments along with penetration testing for ensuring their safety and security from the large and ever-growing external and internal security threats faced today. Vulnerability assessments, which entail scanning a specified set of network devices, hosts, and their corresponding Internet Protocol (IP) addresses, help identify security weaknesses within [company name’s] network architecture, along with those related to specific system components. Additionally, penetration testing services, which are designed to actually compromise the organization’s network and application layers, also assist in finding security flaws that require immediate remediation. Moreover, contractual requirements along with regulatory compliance laws and legislation often mandate that organizations perform such services, at a minimum, annually (for penetration tests), and often on a periodic and/or quarterly basis (for vulnerability assessments). As such, Response CRM will adhere to these stated requirements and will perform the necessary services on all applicable system components.
Careful planning and consideration of what systems are to be included when performing vulnerability assessments and, particularly penetration testing, is a critical factor, as all environments (i.e., development, production, etc.) must be safeguarded from any accidental or unintended exploits caused by the tester.
Additionally, if Response CRM has internally developed, proprietary applications (i.e., software), appropriate code reviews are to be conducted for ensuring the software itself has been coded and developed with the appropriate security measures. Poorly coded software, specifically software used for web facing platforms, can be compromised through numerous harmful tactics, such as Cross-site scripting (XSS), injection flaws (SQL, etc.) and other damaging methods.
Documented Business Continuity and Disaster Recovery Planning (BCDRP) is vital to protecting all Response CRM assets along with ensuring rapid resumption of critical services. Because disasters and business interruptions are extremely difficult to predict, it is the responsibility of authorized Response CRM personnel to have in place a fully functioning BCDRP process, and one that also includes specific policies, procedures, and supporting initiatives relating to all system resources, including Win2K3 servers.
Authorization Form for User Access | Vendors
ACKNOWLEDGMENT: As a user employed by or representing [name of vendor], I understand that access to Response CRM system resources is a privilege. I hereby acknowledge that all passwords and usernames are to be kept confidential at all times. I also will use strong passwords, protect my workstation(s) at all times and will never leave any systems unattended for any reason. By requesting access to Response CRM system resources, I acknowledge that I will install or already have installed virus protection software on my remote (this includes business, home or laptop) system. I understand that failure to do so may result in loss of access rights to system resources. I understand that access to system resources provides users with confidential company and client data, which I am to safeguard at all times, with all resources available. I am never to disclose any type of confidential company or client data at any time to any unknown or untrusted parties with whom I may come into contact while allowed access to Response CRM system resources.
I hereby accept the responsibility for the information to which I am granted access. I will not exceed my authorized level of system access. I also understand that my use of any system components and other essential IT resources may be monitored at any time, with or without notice. Additionally, I will report all suspicious threats and vulnerabilities to the appropriate organization. Furthermore, I understand that violation of this stated policy is grounds for being reprimanded, suspended or terminated from the entity by which I am employed or which I represent. Furthermore, I will never be allowed access to Response CRM system resources subsequent to violating this stated policy.
Authorization Form for User Access | Guests
ACKNOWLEDGMENT: As a guest user, I understand that access to Response CRM system resources is a privilege. I hereby acknowledge that all passwords and usernames are to be kept confidential at all times. I also will use strong passwords, protect my workstation(s) at all times and will never leave any systems unattended for any reason. By requesting access to Response CRM system resources, I acknowledge that I will install or already have installed virus protection software on my remote (this includes business, home or laptop) system. I understand that failure to do so may result in loss of access rights to system resources. I understand that access to system resources provides users with confidential company and client data, which I am to safeguard at all times, with all resources available. I am never to disclose any type of confidential company or client data at any time to any unknown or untrusted parties with whom I may come into contact while allowed access to Response CRM system resources.
I hereby accept the responsibility for the information to which I am granted access. I will not exceed my authorized level of system access. I also understand that my use of any system components and other essential IT resources may be monitored at any time, with or without notice. Additionally, I will report all suspicious threats and vulnerabilities to the appropriate organization. Furthermore, I understand that violation of this stated policy is grounds for being reprimanded, suspended or terminated from the entity by which I am employed or which I represent. Furthermore, I will never be allowed access to Response CRM system resources subsequent to violating this stated policy.
User De-provisioning | Off-boarding Form | All Users (Employee, Guest, Vendor, Other)