Re: Advice re network compromise and "law enforcement" (PCI certification)

[Keith Stokes <keiths () neilltech com>]

What advice does your QSA have regarding writing the policy?

There are generic templates available to write your company security policy. That policy doesn’t necessarily constitute 
legal definitions or requirements for any sort of breach, which may vary by locale and provider. I’m assuming EDUs will 
have their own set of rules as may non-profits.

At best you will want to pass legal responsibility out of technical hands into C-Level/management hands to make 
decisions about whom is notified, what legal actions and third parties are called in. Your security policy can define 
when the buck is passed and left to a given committee.

On Jan 11, 2017, at 9:23 AM, Matt Freitag <mlfreita () mtu edu<mailto:mlfreita () mtu edu>> wrote:

Adding to what Rich said, it's very easy for advice on this to cross into
advice on legal matters.

It's also usually very illegal for non-attorneys or non-licensed attorneys
to offer advice on legal matters.

I recommend finding a lawyer with expertise in this area and who has
specific knowledge of your operation.

Matt Freitag
Network Engineer I
Information Technology
Michigan Technological University
(906) 487-3696 <%28906%29%20487-3696>
https://www.mtu.edu/
https://www.it.mtu.edu/

On Wed, Jan 11, 2017 at 10:19 AM, Rich Kulawiec <rsk () gsp org> wrote:

On Wed, Jan 11, 2017 at 09:37:19AM -0500, David H wrote:
Anyone have pointers/advice on what you came up with for a reasonable
definition of events that warrant involving law enforcement, and then
what
agency/agencies would be contacted?

This question is best answered by an attorney with expertise in this area
and with specific knowledge of your operation.

---rsk



---

Keith Stokes