Lessons from Microsoft’s ‘Global Criminal Compliance Handbook’

Just finished reading the Microsoft Global Criminal Compliance Handbook, and a few things jump to mind that are beneficial for every business owner, security professional, and innovator…

  • First off – the detail and type of information available is very interesting and demonstrates a very prudent effort to lock down what can be reliably provided to law enforcement.  I am certain that with a bit of effort less reliable data could be uncovered if required, but consider the intense level of technology practices and controls required to unequivocally state that these data points are available.
    • Ask yourself this question – what data points/metrics does my business rely upon, and can we currently make such absolute statements with regard to the availability and integrity of that information?  A step further – what information requests does your business receive (within the context of Information Technology / Audit / Security / Risk Management) throughout the year, and how rapidly can this information be presented?  It appears from this document that Microsoft has worked the process into a near real-time response, and that is the new reality and requirement for organizations to be competitive and cooperative with internal and external parties.
  • Secondly – the access to the business financial accounts and the online storage accounts highlights (or simply reinforces) a concern with Cloud computing systems.  Deploying / using systems that are not “yours” creates a reasonable chance that the true operator will grant access to your data for “appropriate” reasons.  While I encourage businesses to respond to legal requests as required, it is the Risk Manager's task to consider these situations and ensure operators have SLAs in place along with technical assurances that provide proper safeguards.
    • SLA discrepancies between companies and third-party providers are a gap that is growing with the usage of SaaS (and other iterations) providers, and it is a new risk vector that must be considered, carefully.
  • Thirdly – Information versus Knowledge:  The document goes beyond simply dumping data on the recipient and is designed to help the layman understand the data provided.  The effort to convey knowledge is truly exceptional and not often found within the highly technical and complex system environment that is technology.  Reflection on internal documentation and the conveyance of knowledge should receive effort equal to, if not greater than, the actual production of data points.  Just as technologists are able to interpret complex interactions between multiple routing devices and ACL logs, the team lead / business manager / auditor / CEO needs the knowledge of what this means in order to merge these facts into the greater business risk landscape.

While several articles highlight the privacy and direct implications, I hope this post has provided productive, next-step information on this Microsoft document.  The Microsoft document may be downloaded directly here from WikiLeaks.  A ComputerWorld article is available and nicely breaks down the document.

Other perspectives?

James DeLuccia
