Educause Security Discussion mailing list archives

Re: Outsourcing Forensics


From: "Mclaughlin, Kevin L (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Tue, 29 Aug 2006 12:50:09 -0400

Hi All:
In reference to this statement from Dan's response below:
"- using an external firm helps eliminate the possibility of internal
staff being pressured to deliver findings that are not supported by data,"

Dan's comments are right on track but one watch out here is that hiring
an External company does not ensure that you will receive findings
supported by data. Without going into details I have been directly
involved with incidents where the findings of an External provider were
pushed in a certain direction by the CIO who was writing their paycheck.

IMO - it boils down to:  as part of the strategy for your department do
you want to maintain the expense and training of having in-house
forensic expertise or do you want to rely on an outsourcer to provide
you with the data and trust that you are getting good data?  Either way
you have to trust someone, either someone who works directly for you or
someone who works for an external company.
My view is a bit prejudiced based on prior experience as a Special Agent
and I am not comfortable outsourcing this potentially sensitive and
damaging area to a 3rd party when I have the skills in-house to do the
work.

 -Kevin


Kevin L. McLaughlin

CISSP, PMP, ITIL Master Certified

Director, Information Security

University of Cincinnati

513-556-9177 (w)

513-703-3211 (m)


-----Original Message-----
From: Daniel R Jones [mailto:Dan.Jones () COLORADO EDU] 
Sent: Tuesday, August 29, 2006 10:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Outsourcing Forensics

As part of our incident response process we require external forensics
if there is an incident involving "private data" (in our data
classification scheme examples would be SSN, card holder information).
There are several reasons for this:

- if something does need to go to court we want the external expert,
- using an external firm helps eliminate the possibility of internal
staff being pressured to deliver findings that are not supported by data,
- in the case of card holder information you do not really have the
choice but to use a PCI DSS certified forensics firm.

In addition to making sure your processes define how a potential data
breach would be handled I would also recommend that you have a policy
requiring immediate notice to your equivalent of a security office
whenever there is an incident involving sensitive data.

Dan Jones
Campus IT Security Office
University of Colorado at Boulder
________________________________________
From: Bret R Blackman [mailto:bblackma () MAIL UNOMAHA EDU] 
Sent: Monday, August 28, 2006 1:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Outsourcing Forensics


How many outsource their forensic work to a U.S. firm when there is an
incident involving confidential information on their campuses? 

Bret R. Blackman
University of Nebraska at Omaha
Director of Administrative Information Services
Information Technology Services, EAB 110
bblackma () mail unomaha edu
