LITIGATION SUPPORT TIP OF THE NIGHT

You can download the EDRM Security Questionnaire on this site, http://www.edrm.net/resources/security-audit-questionnaire/ . The questionnaire is an Excel spreadsheet which breaks down questions on key areas of data security on seven different worksheets:

A. General B. Security & Risk Management C. Asset Security D. Communications & Network Security E. Identity & Access Management F. Security Operations G. Software Development Security

The questionnaire grades a security program based on its ISO 27001 and other certifications, whether it has information security policies, the existence of remediation plans, whether or not employees can anonymously report breaches, the management of environment controls, the use of data centers, the regular use of log networking, the use Unified Threat Management for a firewalls, the use of TLS for email encryption, the use of two factor authentication, Active Directory / LDAP integrations, network penetration testing, and many other factors - 74 in all.

The self grader gives a value for his or her organization's level of compliance with different practices suggested by the EDRM on a scale of 10 to 1 - 10 being unacceptable, and 4 being reasonable. The individual grades are aggregated in a total score

Steganography is the practice of hiding secret messages inside other seemingly innocuous messages. The term comes from the ancient practice of disguising messages in other messages, such as craving text onto the wooden base of a wax tablet before covering it with the wax which is inscribed on, or writing something under the postage stamps affixed to an envelope for a letter.

In the digital age, data can be manipulated in a variety of ways to conceal messages. You can also use the OpenPuff software to accomplish the task of hiding one electronic file inside other files. This free program can be downloaded here. You just need to download the linked to OpenPuff zip file, extract the files to a folder, and double-click on 'OpenPuff.exe'.

Click where it says 'Hide', and you will be taken to the Data Hiding window.

You begin by setting three different passwords in the upper left section, and then selecting the file you want to hide in the second step. The passwords must each be at least 8 characters. You will need to select alphanumeric passwords that together are of a sufficient length so the the password check box turns green indicating OpenPuff accepts them.

Then in step 3 you select one or more 'carrier' files, until the total size is enough to conceal the file you are encrypted. The combined carrier files will need to be several times larger than the file you are hiding. The carrier files cannot be in any format. You'll have to use bitmap, JPEG, MPG, or one of a few other common graphic file formats. When you're ready, click 'Hide Data!'

When the recipient receives the encrypted files, she or he needs to also have OpenPuff installed. They will have to click 'UnHide' on the opening screen, and then enter the three passwords in the same order, and also select the carrier files in the same order.

Click Unhide!, and the encrypted file will be exported from the graphic files.

This technique has the advantage over standard methods of encryption in that anyone coming across the files will have every reason to dismiss them as being unimportant.

Cybersecurity Framework of the National Institute of Standards and Technology provides best practices which are widely followed by security professionals. The first principle listed in the Framework Core, is ID.AM-1, "Physical devices and systems within the organization are inventoried". This is analogous to CSC-1 of the Center for Internet Security's Critical Security Controls, entitled, "Inventory of Authorized and Unauthorized Devices". CSC-1 is specifically used as an informative reference for NIST's ID.AM1.

If a company uses IEEE 802.1X as a standard for network access control, it must have such an inventory so it can distinguish between authorized and unauthorized devices. Naturally this type of inventory is a great resource when performing electronic discovery. CSC 1.4 states that, "Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device." You can easily collect the hardware for agreed upon custodians with such an inventory.