Top 5 IS Mistakes Committed by Walker John Doe Prosecutors
Late last year, a Wisconsin DOJ report was unsealed relating to the John Doe investigations against the Scott Walker campaign. The details within the report, and carelessness on display, left many IT and risk management officials shaking their heads. Your organization can learn from the mistakes made by investigators. Here are the Top 5 Information Security Mistakes committed by the John Doe prosecutors.
- Management decided on a storage product (i.e. database software by the name of Relativity), but failed to upload all electronic evidence into this database. As a result, there was no centralized location holding all electronic data. This in and of itself is not fatally flawed; however…
- There were no logs kept of whether, when, or how many times data was duplicated as part of the investigation process, nor was there any record kept of who accessed the data. You should be able to determine some of this based on user credentials to the software being utilized, except…
- User credentials appeared to have been shared in numerous instances and across systems. This isn’t ideal but could be managed appropriately as long as (a) there was some other documented, procedural way to log use, and (b) this was done on an internal basis only, but…
- The team decided to bypass the use of state DOA servers/systems and instead shared documents and communications by using Gmail and Dropbox. In other words, the prosecutors passed data back and forth using external, nominally-secured methods of communication. One feature to note regarding these products (Gmail, Dropbox) is that the providers typically cap the amount of data that can be stored per account, which leads to things like…
- A member of the team downloading his email archive (because it had grown too large) to an external hard drive for storage and clearing that data from his Gmail account. If you’ve made it this far in the post, you aren’t going to be shocked to learn that (a) the hard drive wasn’t password-protected or otherwise secured, and (b) OF COURSE they lost it.
This report serves as an important reminder for business owners and/or management to review their own internal practices. Most of the errors identified here can be handled fairly simply through implementing data handling policies and training your employees to consider data to be private unless clearly marked otherwise.