Consult with your legal counsel to determine legal options and liability in the event of a security incident.

Consult with your insurance carrier to determine if your insurance covers losses from break-ins. Determine if your insurance covers business interruption during an investigation. Also determine if you will be required to institute criminal or civil action to recover on your insurance.

Replace any "welcome" messages with warnings against unauthorized use.

Put explicit copyright and/or proprietary property notices in code startup screens and source code. Formally register copyrights on your locally developed code and databases.

Keep your backups separate from your machine.

Keep written records of your actions when investigating an incident. Timestamp and initial media, printouts, and other materials as you proceed.

Develop contingency plans and response plans in advance.

Define, in writing, levels of user access and responsibility. Inform your users what you may monitor. Have all users provide a signature noting their understanding of and agreement to such a statement. Include an explicit statement about the return of manuals, printouts, and other information upon user departure.

Develop contacts with your local law enforcement personnel.

Do not be unduly hesitant about reporting a computer crime and involving law enforcement personnel.

If called upon to help in an investigation, request a signed statement by a judge requesting (or directing) your "expert" assistance. Recommend a disinterested third party to act as an expert, if possible.

Expand your professional training and contacts by attending security training sessions or conferences. Consider joining security-related organizations.

Be aware of other liability concerns.

Restrict access to cryptographic software from the network.

Restrict or prohibit access to material that could lead to legal difficulties. This includes copyrighted material, pornographic material, trade secrets, etc.

Make sure that users understand copyright and license restrictions on commercial software, images, and sound files.

Make your users aware of the dangers of electronic harassment or defamation.

Make certain that your legal counsel is consulted before you provide locally developed software to others outside your organization.