[unisog] IDS vs. Privacy

Jim Dillon Jim.Dillon at cusys.edu
Tue Feb 3 18:31:28 GMT 2004

Larry and all,

Management (including IT management) has the responsibility to erect and maintain an effective system of internal controls.  To the degree such monitoring is an effective tool in controlling (preventing, reducing, mitigating) adverse events, (or encouraging positive ones) it should be used.  To counter your institution's fears, such controls should be balanced by compensating controls, many of which have also been mentioned already in previous responses.

1. Policy.  Clear policy and communication removes a lot of liability.  The notifications and disclaimers mentioned by several other responders fill this gap.
2. Segregation of duties.  Things like job rotation, cross-training, enforcing vacations/time away helps to ensure that the activities of any individual are compensated for, helping to prevent major ongoing fraudulent or inappropriate activity.  Ensure that no one person has all the keys to the kingdom.
3. Supervision.  Enough said.
4. Background checks.  Jobs with a high standard for sensitivity, privacy, or with high risk can suggest the need for validation of the operator's previous suitability for a position of trust.
5. A strong control environment.  This might include overall institutional policy environments, ethics standards, training, review/audit against standards, etc.  If you demonstrate controls, your liability is likely to be reduced.
6. Appropriate governance and expert/peer association.

Failure to achieve the expected control environment can ultimately result in prosecution, fines, penalties, and even jail time if the lack of control is obvious or egregious.  (e.g. a wanton/purposeful exposure of private information like patient/medical data in defiance of HIPAA standards...)

I think you do have to have your policy side in order.  One of my great hang-ups is whether or not the monitoring of VOIP streams will eventually be treated as a wire-tap.  It sure seems like one, and although the case-law hasn't been established there have been some recent rumblings saying things may go this way.  You will have to control this with policy and demonstrable actions as proof given the mixes of protocols and data elements that will be captured by most monitors.   I don't know any answers here, I just suggest caution and communicated policy that clearly informs those who might object or need to know the limitations of their service and expectations.

Hope this helps the discussion along...

Best regards,


Jim Dillon, CISA
IT Audit Manager
University of Colorado Internal Audit
jim.dillon at cusys.edu
Phone: 303-492-9734
Dept. Phone: 303-492-9730
Fax: 303-492-9737

"There is nothing more difficult to plan, more doubtful
of success, nor more dangerous to manage than the 
creation of a new system, for the initiator has the 
enmity of all who would profit by the preservation of 
the old institution and merely lukewarm defenders 
in those who gain by the new one."  - Machiavelli

-----Original Message-----
From: E. Larry Lidz [mailto:ellidz at uchicago.edu]
Sent: Monday, February 02, 2004 1:33 PM
To: unisog at sans.org
Subject: [unisog] IDS vs. Privacy


I was asked, as moderator, to pose this question to the group from
someone at an institution who wished to remain anonymous. They fear that
if this message was public their institution might be the target of
unwanted attention from the underground.

The institution has about 25,000 machines on their network, and had been
running an IDS system which received a copy of all traffic across the
network's gateway to the Internet/I2. The IDS system had a track record
of being successful -- it detected most of the viruses, worms, port
scans, spam relays, proxies, rogue FTP sites, rogue IRC bots, and so

IT management then changed. The IDS system was shut off with no advance
notice over the concern that it might lead to a compromise of privacy
policies. The new management believes that people having access raw
packets is an unacceptable risk. They felt that technologies that
summarize information (Cisco Flows from a router/switch, mirroring
traffic to an IDS system that has no ability to sniff, etc.) about the
traffic is acceptable, however.

They would like to know: has anyone been in a similar situation? If so,
were you able to bring back your IDS? What arguments were compelling to
management? Are other institutions similarly concerned about the privacy
issues involved? Why or why not?

Any other advice?


More information about the unisog mailing list